Incident Response: Lessons Government Can Learn from Industry
Rapid7's Woolwine on How Public Sector Can Regain its Edge
Government agencies used to be the top attack target, as well as the top source of threat intelligence. How did the private sector turn the tables, and what can government do to improve? Rapid7's Wade Woolwine offers insight.
"The attack groups are no longer solely interested in government secrets," says Woolwine, manager of Rapid7 Global Services. "They are also interested in targeting private enterprises, typically for the purposes of industrial espionage."
One of the biggest security gaps exposed by recent high-profile breaches: Government's inability to detect attackers maneuvering through their networks and extracting critical data.
"When [the attackers] are able to access some of the most sensitive data that either the government or private sector is holding," Woolwine says, "there is certainly some need to better control who has access to that information and restrict it on a need-to-know basis."
In an interview about threat intelligence and response, Woolwine discusses:
- Government's biggest security gaps;
- How the private sector can help government bolster its security talent pool;
- How public and private sector organizations alike must respond to emerging threats.
Woolwine is responsible for assisting Rapid7 customers with threat detection and incident response programs. Prior to joining Rapid7, Wade worked for Mandiant where he was responsible for endpoint investigations, incident management, and incident response.
The New Dynamic
TOM FIELD: Wade, it used to be that government agencies were the number-one target for external hackers, as well as the number-one investigator and source of threat intelligence. How has that dynamic changed?
WADE WOOLWINE: Well, certainly that's changed a lot, especially in the last decade or so, where the attack groups are no longer solely interested in government secrets. They are also interested in targeting private enterprises typically for the purposes of industrial espionage, but even within that category we've seen some of these attack groups go a little bit broader and a little bit wider in their desire and in their pursuit to breach environments. It is not uncommon nowadays for private investigative organizations such as Rapid7 to be called in to deal with some of these investigations where the attack groups have typically targeted government entities, but have decided to spread their wings into private enterprise.
Now the interesting piece is that when you consider the threat intelligence, I would still consider the government being amongst the premier sources for threat intelligence, simply because of their involvement in law enforcement. There's been a lot of interest from government in pursuing some of these crimes and these perpetrators. So they still do have some of the best threat intelligence out there. But I would say from a target perspective and an investigative perspective, the private sector has certainly caught up, if not exceeded the government in those arenas.
Which Security Gaps Are Now Exposed?
FIELD: In light of recent government security incidents - and we've had a couple of high-profile ones - which security gaps do you feel have been exposed?
WOOLWINE: I'd say primarily around being able to detect malicious actors on the network. But even within that subcategory of security there are so many other implications that come into how you're able to detect these attackers. It's really a broad suite of various security controls that have failed, in all essence, when you consider that the majority of these incidents begin with a spear-phishing email. That really falls under user education. When you consider that once the attackers are in an environment they are basically free to move around as they see fit, there is some concept of administrative controls and just general user account sanitation that isn't taking place there. And then when they are able to access some of the most sensitive data that either the government or the private sector is holding, there is certainly some need to better control who has access to that information and restrict it on a need-to-know basis instead of the traditional approach of, "Well, if you are trusted within the walls, then you can access this data."
Where Industry Holds an Edge
FIELD: We talked a few minutes ago about the changing roles of the private and the public sectors. Where would you say the private sector now actually has an edge?
WOOLWINE: I think now that the attackers are really impacting the private sector and we're able to get some of these incident response firms such as Rapid7 involved, we're able to better collaborate with fewer blocks and walls than the government is able to. So the free exchange of information amongst incident responders in the private sector is certainly greater, and then also with our ability to be a little bit more transparent with respect to sharing this information broadly, we're able to communicate a little bit more effectively with one another and devise better methodologies for both detecting and responding to these kinds of breaches.
Historically, the government - rightfully so - is very restrictive with how they share this information and who they share it with, which of course really limits their ability to collaborate and come up with new solutions that would help drive up those walls to keep the attackers out.
How Government Can Learn from Industry
FIELD: So now that the roles have sort of changed a bit, where do you see that government agencies can best leverage strategies and solutions that are now developed in a private sector?
WOOLWINE: Some of the technology that is born out of the collaboration that I was just talking about - things like technology that enables user behavioral analytics or some of the threat intelligence around attacker behavior versus attacker tools could really be beneficial for the government. But at its core, it's very difficult to monitor a network that in and of itself is very insecure. As we've seen with recent breaches, it really doesn't take much for the attackers to get in and stay resident for long periods of time. But it's not solely attributed to the ability to detect; it can also be attributed to the poor network design or the poor implementation of access control or the poor management of vulnerabilities or even the poor management of user accounts.
Security is really a castle. It needs to be built on strong foundations, and all of the components that come into building a security program - components like user access management, vulnerability management, threat prevention, threat detection and threat response - those all play off of each other, and they all feed off of each other, and if one of the bricks in that castle is not solid, the rest may crumble around it.
So it's very important to recognize that when we're talking about stopping these attackers, we're not just talking about strengthening the ability to detect or strengthening the ability to respond. It's really strengthening the computing environment altogether, the network, the endpoints, and certainly the users.
FIELD: Now for years we've talked about the global security talent shortage, but government agencies are particularly constrained because of financial restraints. How do you see that they can work with the private sector to be able to enhance their talent?
WOOLWINE: That's a very difficult question. Certainly, whether we're talking private sector or public sector, talent acquisition is difficult. It doesn't just all boil down to the amount of money that you can pay the people. It's really about being able to find those people and resources that have an in-depth understanding of these advanced attackers, these targeted attack groups. So there needs to be a lot of education that happens both in the public and the private sector so that resources that have a base understanding of technology can be built upon to make them prime responders, prime detectors and prime people that will be able to build stronger and better security programs going forward.
There are a lot of initiatives around threat intelligence sharing between the public and private sector that are being discussed these days, but I don't think that's enough. Threat indicators are not the end-all/be-all of detection simply because these attackers know as well as we do all of the discussions that are going on around threat indicators. So they are using different pieces of malware, different command and control channels when they are perpetrating these breaches, such that the threat indicators are no longer valid.
So I do see those efforts yielding some positive results, but I think later collaboration, tearing down some of those confidentiality walls between the government and the talent that is out in the private sector is absolutely critical in order to push back some of these attackers. I know from my perspective, and certainly from the Rapid7 side, we happily collaborate with law enforcement and government on these investigations. For us, it's absolutely critical that we be transparent with the folks that are ultimately going to be responsible for bringing these guys to justice and making them pay for the illegal acts that they perpetrated.
Best Sources for Threat Intel
FIELD: Wade, let's look ahead a bit to 2016. In terms of threat intelligence, what do you see as the best sources for sharing and receiving intelligence?
WOOLWINE: There are lots of organizations within the private sector, and certainly within the government there are lots of different silos where threat intelligence is generated, and I have not yet seen any common platform that might be used for everyone to collaborate. However, some of the legislation that is making its way through Congress today may potentially pave the way for organizations such as Rapid7 to be able to collaborate more closely with the government, to be able to collaborate more closely with law enforcement, such that we do have the ability of sharing some of this threat intelligence.
I'm certain the government has lots of indicators that are not known out in the public sector, but vice-versa I also know that there are a lot of indicators that the public sector is going to have that the government may not have access to. So looking into 2016, I still see a very rocky road for how we're going to be able to more effectively collaborate on threat intelligence sharing, but I think that the work being done by Congress today is certainly paving the way for us to be able to have a more meaningful discussion and better collaboration about how we might achieve those goals.
Preparing for Emerging Threats
FIELD: As you look ahead, how do you see private and public sector organizations alike having to reshape their security programs to tackle the emerging threats?
WOOLWINE: Well, I've certainly talked a little about the threat intelligence being a little bit more difficult or a little less effective at detecting some of these targeted attacks. And I certainly see this being a problem going forward. Too many organizations are entirely too dependent on this threat intelligence, the reason being that it is a fairly cheap endeavor to identify threats that are already known by the community. But, again, the attackers know what is going on in the security industry. They know that there is a huge push for threat intelligence, and as a result their own methodologies are changing.
What I typically recommend that our customers do in order to prepare and appropriately react to the shift is to make sure that they're investing in being able to search for the unknown threats in their environment. And by that I mean implementing some form of user-behavioral analysis where they can set a baseline for what normal user activity looks like, and then when there is a deviation from that baseline, they have a security professional or a person with an understanding of the environment go investigate that particular event. We refer to those as investigative leads. The goal is not to have a hard one-to-one match - "this is evil" - but it's really to generate a number of anomalies that could potentially result in a security event or the discovery of a breach, but could also just be regular run-of-the-mill business level activity.
By the same token, I also recommend that customers become a little bit more familiar with what their network topology looks like. Typically, we rely on technologies like NetFlow, which is really just a graph of how the network traffic is flowing through the network. And there again, we're able to look for deviations from the norm and investigate those.
And last but not least, a keen understanding of what the attackers do is going to enable both private and public sector to generate investigative leads based on log data. As an example, and this is an example that I give quite a bit, if a threat detection analyst detects that an unnamed scheduled task has been created across the network, for me that is always an indication that something should be investigated there. And again, I refer to investigative leads quite often, but that is just one example of an indicator of compromise that may or may not be legitimate but is definitely worth investigating.
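The scheduled-task example at the end of the interview is concrete enough to turn into a small triage routine. The block below is an added example written for this page; it is not Rapid7's code or anything Woolwine describes in detail. It runs over a handful of constructed records shaped like the fields that Windows Security event 4698 ("A scheduled task was created") carries (host, creating account, task name, command line; the real event also includes the full task XML, which is omitted here). Every host, account and path is invented. The heuristics are assumptions chosen for the example: a task name that is empty, an at.exe-style default such as At1, or a bare GUID counts as "unnamed"; a command that runs from a user-writable directory is noted; and the same task name landing on three or more hosts in one batch (an assumed baseline) is treated as the "across the network" fan-out Woolwine mentions. As he says, the output is investigative leads, not verdicts.

```python
"""Generate investigative leads from scheduled-task creation events.

Added example, not the interviewee's or Rapid7's code. The field names,
sample data and detection heuristics below are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample records in the shape of the fields a Windows Security
# event 4698 exposes. Hosts, accounts, task names and commands are invented.
SAMPLE_EVENTS = [
    {"host": "WS-0142", "subject": "CORP\\jsmith",
     "task": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "command": "%systemroot%\\system32\\usoclient.exe"},
    {"host": "WS-0217", "subject": "CORP\\mlee",
     "task": "\\Adobe Acrobat Update Task",
     "command": "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"},
    {"host": "WS-0142", "subject": "CORP\\svc_backup", "task": "",
     "command": "C:\\Users\\Public\\svchost.exe -k"},
    {"host": "WS-0305", "subject": "CORP\\svc_backup", "task": "",
     "command": "C:\\Users\\Public\\svchost.exe -k"},
    {"host": "FS-01", "subject": "CORP\\svc_backup", "task": "\\At1",
     "command": "cmd.exe /c C:\\Windows\\Temp\\m.bat"},
    {"host": "WS-0388", "subject": "CORP\\svc_backup", "task": "\\At1",
     "command": "cmd.exe /c C:\\Windows\\Temp\\m.bat"},
    {"host": "WS-0401", "subject": "CORP\\svc_backup", "task": "\\At1",
     "command": "cmd.exe /c C:\\Windows\\Temp\\m.bat"},
    {"host": "WS-0099", "subject": "CORP\\tnguyen",
     "task": "\\{9B1D3A70-5C2E-4F6B-8E21-0A7C4D9E1F33}",
     "command": "C:\\Users\\tnguyen\\AppData\\Local\\Temp\\upd.exe"},
]

# Heuristic name shapes treated as "unnamed" (assumption for this example):
# at.exe's default At<n> names and a bare GUID with no descriptive text.
AT_DEFAULT = re.compile(r"^\\?At\d+$", re.IGNORECASE)
GUID_ONLY = re.compile(r"^\\?\{[0-9A-Fa-f-]{36}\}$")
# Directories an ordinary user can write to (assumed list for the example).
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData)\\", re.IGNORECASE)


def is_unnamed(task):
    """True when the task name is empty or looks machine-generated."""
    name = task.strip()
    if name in ("", "\\"):
        return True
    return bool(AT_DEFAULT.match(name) or GUID_ONLY.match(name))


def generate_leads(events, fanout_threshold=3):
    """Return one lead per (host, task) that trips at least one heuristic.

    Leads are sorted so the ones with the most reasons come first; they are
    starting points for an analyst, not confirmed detections.
    """
    hosts_by_task = defaultdict(set)
    for e in events:
        hosts_by_task[e["task"]].add(e["host"])

    leads = {}
    for e in events:
        reasons = []
        if is_unnamed(e["task"]):
            reasons.append("unnamed or auto-generated task name")
        if USER_WRITABLE.search(e["command"]):
            reasons.append("command runs from a user-writable path")
        n = len(hosts_by_task[e["task"]])
        if n >= fanout_threshold:
            reasons.append(f"same task name created on {n} hosts in this batch")
        if not reasons:
            continue
        key = (e["host"], e["task"])
        lead = leads.setdefault(key, {"host": e["host"], "task": e["task"],
                                      "subject": e["subject"],
                                      "command": e["command"], "reasons": []})
        for r in reasons:
            if r not in lead["reasons"]:
                lead["reasons"].append(r)

    return sorted(leads.values(), key=lambda l: (-len(l["reasons"]), l["host"]))


if __name__ == "__main__":
    for lead in generate_leads(SAMPLE_EVENTS):
        print(f'{lead["host"]:8} task={lead["task"] or "<empty>"!r} by {lead["subject"]}')
        for r in lead["reasons"]:
            print(f"         - {r}")
```

Run against the constructed batch, the two well-known vendor tasks generate nothing, while the At1 task that appeared on three hosts from a Temp directory sorts to the top with all three reasons. In a real deployment the fan-out threshold and the "known task" set would come from a baseline of the environment, which is the per-organization tuning Woolwine's "person with an understanding of the environment" supplies.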