Security-focused cloud services provider FireHost recently named Jeff Schilling as chief security officer. Schilling, a retired U.S. Army colonel, previously worked as director of the Department of Defense's (DoD) global Security Operations Center for Joint Task Force Global Network Operations and later as the director of the Army's global Security Operations Center for U.S. Army Cyber Command. After retiring from the Army in 2012, Schilling became director of the Global Incident Response practice for Dell SecureWorks. On the occasion of his move to FireHost, he spoke to SearchNetworking about how he applies the cyberdefense lessons he learned in the Army to protect enterprise data.
How are security threats evolving today? What are enterprises facing right now?
Jeff Schilling: The tools and techniques that threat actors are using really haven't changed that much in five or six years. Where they have gotten surprisingly good is in their business processes and how they execute. [In] some of these major retail breaches, what was so brilliant about how threat actors did what they did wasn't necessarily the tools and tradecraft they used. It was how they operationally penetrated the network and then used the network infrastructure to spread their malware across the whole environment and take it over. That's where I've seen the huge jump in operational activity.
Once they get that initial foothold -- especially the advanced ones such as nation state actors or criminal actors -- they are no longer using malware and tradecraft. They're just escalating privileges to the point where they are just logging on. We've literally seen them log on, change policies internal to a network, turn RDP [Remote Desk Protocol] on so they can go in and do what they need to do to compromise a VPN account.
Instead of an outsider or remote access threat, they're actually an insider now, and that becomes very difficult to detect. Can you imagine if one of your smartest system admins who knew your environment better than you did was the threat actor inside your organization? They still get in through the traditional methods -- an infected email or website. [But] these threat actors have evolved. … Once they get credentials they pretty much own the network.
I had one customer at SecureWorks who complained that some of the technology and tools they bought, which were really good, didn't detect threat actors. I tried to explain that's because threat actors had already moved up the kill chain and were no longer using tradecraft. They were just logging onto his network. So he needed to turn around and look for different types of activity, as opposed to using the technology we would normally use to see that first exploitation event in the kill chain.
How should we evolve our approach to cyberdefense to counter the operational sophistication of threat actors?
Schilling: You protect, detect, respond and recover. And apply people, process and technology to each of those. I saw a guy riding down the road with a bike helmet on and he didn't have it strapped on. I was thinking that guy is not real smart. As soon as he hits something, that helmet will go flying and he will bust his head.
That's a great analogy -- at least with all customers I was able to observe and work with during my SecureWorks experience and my time in Army -- for the way that a lot of security programs are put in place. They have security technology, but haven't really strapped it on and figured out: What's [the] best way for me to leverage that technology in my environment and make sure I have people that are trained to get [the] most out of the tools I have? And do I have the processes to escalate the things that are a problem to the highest level of visibility to make sure I can react?
You're not going be able to protect yourself 100% because people are always going to get exploited. But being able to narrow the time between detect and respond is where that true level of excellence comes in. And a lot of that is applying good technical tools.
You said tradecraft hasn't changed much in the last five years. What will change?
Schilling: I think you are going to see threat actors move further down the OSI model. The further down you can go in the OSI model in your collection capabilities, the more you can collect and sift through what's important.
I think we're going to see people, especially in criminal organizations, trying to get physical access to system data because we're [going to get] much better at stopping remote access. We're going [to] see close-access operations, breaking the physical security of IT infrastructure or turning to an insider to help them get the initial foothold and hooks that they need. So I think one of my roles in FireHost is not only doing information security, but also physical security.
How do you defend against physical layer attacks?
Schilling: [With] a lot of the security tools we would use to look for those advanced persistent threats, if you look at that data in a different way, you might be able to detect that insider threat. [Look for] the things that are above the normal baseline of activity, such as a system administrator logging on at midnight remotely. Why would [he] be doing that?
It seems there are an infinite number of baselines you need to follow.
Schilling: A lot of people in the security line of business don't really [consider] human action and human thought in how threat actors are going after their networks. I'm instituting inside of FireHost... a guy dedicated to doing what I call 'friendly network forces.' This guy has insider knowledge of how the network of FireHost is put together. And I ask him, if he is a bad actor, where would he go and how would he make us have the worst day possible? It sounds a little bit like pen testing, but it's pen testing with knowledge. That's his [job], constantly evaluating our environment, looking for where the threat actor would go. Where are the most vulnerable things, where is our most important data and most important customers?
The concept of friendly network forces is something we evolved in the DoD. I think you'll see a lot of CISOs go with that concept.
What are these "friendly network forces" people equipped with?
Schilling: It depends on what I'm asking of them. I may give him a role next week where I'll tell him, 'Hey, if you are a remote user trying to get a foothold on our infrastructure, how would you do it?' A normal pen tester that you hire, they don't have insider knowledge, so they may have to bounce around. They may have some success, and that's why you do external pen tests still. But if you have a guy who really understands the infrastructure and knows where the weaknesses are, you want him [to] go address those weak points and figure out how effective your security controls are in detecting and addressing those types of attacks.