- [Landon] Welcome to the CYBER5, where security experts and leaders answer five burning questions on one hot topic in actual intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation, and cyber threat intelligence. I'm your host, Landon Winkelvoss, co-founder of Nisos, a Managed Intelligence company. In this episode, I talk with Vice President of Information Security for Centene, Charlotte, North Carolina operations, Rick Doten. We discuss how to integrate intelligence analysis into security operations across many disciplines, which culminates in his methodology: think globally and act locally. We talked about models of collaboration, integration, and orchestration, mainly focused on the types of data that matter in security operations, what can be crowdsourced versus what needs to be acquired locally. We discussed in which parts of the cyber kill chain this process is easiest and most difficult to get right, and some applicable use cases. Stay with us. Rick, welcome to the show, sir. Would you mind sharing a little bit about your background for our listeners, please?
- [Rick] Hello everybody, my name is Rick Doten. I'm the VP of Information Security at Centene Corporation and act as the CISO for Carolina Complete Health, which is the North Carolina Medicaid Health Plan for Centene. I've spent my entire life in the cybersecurity industry since 1990, have done every job, have worked in every industry. And I just love it so much, I love talking about it.
- [Landon] Today, we're gonna be talking about collaboration, integration and orchestration, thinking globally and acting locally for operations monitoring. So when you say CISOs need to shift the operating model to collaboration, integration, orchestration, what exactly do you mean?
- [Rick] Well, it's a team sport now. It's not just, in talking about security operations, that I have my operations folks who are kind of watching the gates, and if something happens, I learn and I escalate to my incident response team and then do the standard contain, eradicate and all that kind of stuff. But it involves working with the cloud team and working with the application team or working with the database team. And there are more people, particularly as we go to cloud and mobile, and I'll just kind of use those as the foundation: as we're having more cloud services, then we may have to work with third parties; as we have more cloud infrastructure for our own company, we need to work with the cloud architects and cloud engineers, and particularly I go back to applications because the cloud is really just one big application. And so when we are trying to identify risks in a container, for instance, it's very different than on a server, and we may need some guidance on getting into how it's being managed and the containment of it, or even looking at logs and how logs are stored and where they're stored. So the concept of collaboration is the fact that we have to deal with different groups that we didn't deal with five to 10 years ago. And in that we have different integrations that we didn't have five to 10 years ago. And therefore the visibility that we need to look at is much bigger, because our surface area has grown from what it was five to 10 years ago because of cloud and mobile specifically.
- [Landon] Let's get in the weeds a little bit here for a second. Give me an example. Talking about the kill chain, you have somewhere in the MITRE ATT&CK framework where you want to ultimately gain visibility and ultimately be able to stop an attack. How are you kind of using this model?
- [Rick] Right.
So, and I'll kind of clarify, when you say kill chain, I keep thinking of the Lockheed Martin Kill Chain because 11 years ago I was there when it was developed. I didn't have anything to do with it; Eric, Mike and Rohan wrote it, but I probably talked about it more than anybody because I was the chief scientist for cybersecurity, which is really just a fancy title for the face guy who did a lot of talking about it. So when we identify where the challenge was, and when we look at these other cloud and mobile specifically, it's less about a phishing email or some malware that gets on an endpoint or things like that. It's more about some kind of door or window that was opened, and there might be some connection, or more specifically an application issue where there was a public application that someone was able to kind of get around and get access to a database or some underlying infrastructure through pick your favorite way; Apache Struts apparently is back in the news. And so then we're on a different infrastructure than what we would normally have, meaning the cloud, and the response people may not be as experienced with how to deal with containers, or the fact that it might be in some rotating infrastructure. When it happened and we identify it, we saw a trigger to it yesterday and it was like, oh, okay, well here's this, and they start trying to follow it down. Well, now it's already rolled over to another infrastructure and the previous one didn't exist. And did that go with it? Did it stay there? Were there logs for it? And so, when we talk about this temporal and ever-changing environment, as opposed to we had a Solaris box that was sitting there and will be sitting there and not move for a decade, it becomes a different kind of response capability. So then we have to get in the people who are experts, or how do I get access to that?
Or I may have to go to an AWS or Azure platform to be able to get access to the visibility that I need, and one of the many security tools they have, whether it's about access rights or logging or their version of CASB or whatever. If there was something that crossed over some domain, then again, it takes a village of people. We're working to get this information, and it might not be something that happens frequently enough to have a standard operating procedure to say, oh, when this happens, go do this, go do this, go do this, go do this.
- [Landon] You mentioned something earlier, and you come from Lockheed Martin, you've done government consulting work. What does intelligence analysis mean to you in the world of information security? And I guess a kind of second question is, as information security professionals, do we have too much or too little data to work with in Europe?
- [Rick] To me intelligence analysis is linking the human to the act. And so there's situational awareness of what technically is going on on my network, and what I just described was all technical. I hadn't kind of got to the point where, when things were kind of leading to it, of okay, well now who is it? What did they do? Why did they do it? What's their opportunity, their capability, their intent? Do I have any other evidence of them doing something else on me or to my friends beforehand? And how can I enrich that into understanding what the potential threat and impact is of that actor as a threat? So for me, when we're tracking, when we talk about security intelligence, it's tracking specific campaigns or threat actors and again, who they are, what they're doing, who they work with and what are they after.
And that helps influence my protections and detections, to know that for instance a certain threat actor is less about one thing; one threat actor is more about using email phishing to get in and do credential harvesting, and send emails to go to links to get credential harvesting and go from there, where others may be looking more for exposed RDP, or going into third parties that may have connections who are less secure, or subsidiaries that may be less secure, and try to get in that way. Okay, so those kind of help influence where I kind of put my instrumentation to be able to kind of look at that. And then when we talk about the response, it's like, are these ones who are traditionally, if we look at a ransomware gang that is mostly just doing this for monetary gain, that's a very well understood nowadays process of, okay, come in, gain persistence, find out where the service accounts for the backup are, figure out what data is important, pull that out, then encrypt it and then work on extorting them while trying to do the ransomware as well. It was like, okay, that's different than a high-end campaign or a nation state campaign, which will be very patient, very low and slow, and will be a lot less obvious. And when they kind of come in, then there might be multiple levels of persistence that they will try to get in. So you think you found the one place or two places, and it's actually ten.
- [Landon] You mentioned something at the top of this, linking the human to the act. For a security professional, the thing is that they don't care who the human is, they just A, want it to stop and B, want to keep confidentiality, integrity and availability of data and systems and networks running. What's your thoughts on that overall mindset?
- [Rick] Good luck on that. And you're gonna continue to be frustrated.
And that was something that even at that time when I was at Lockheed Martin, we were socializing this with a lot of other industries, energy, oil and the financial industry. And they were the exact same way. It's like, I don't care who it is, what happened, how it happened, make it stop, make sure it doesn't happen again. And we kind of enforced on them, it was like, no, you really wanna know who this human is and who's backing them and what they want. Because this is their job, because at this level, it is their job to get this information. They have cleaned their calendar, this is all they have. It's not doing it for like, hey, if this is too hard, then I'll go somewhere else. No, I mean, they have a lot of incentive and maybe even their life at stake to be successful. So that's the P part, persistence, in advanced persistent threat. And so, we try to impress upon them that you really wanna know who the human is. Now, it is easier in the defense industrial base and in cleared environments because we have more information in cleared environments of who these actors are, but we still have a lot of information on the non-cleared side in commercial, just from visibility and actions that we're seeing out in the wild that probably are classified, but if you're not cleared, then it's not classified. So, and then understanding that. And so, the evidence to me of when they finally figured it out is when there was a big brain drain from DC to Wall Street, after the JP Morgan thing in the mid 2015-ish area, when they're like, oh, I guess we really need to care who the actor is. Let me get all these DIB senior security people who know this stuff and bring them up to Wall Street.
- [Landon] Let's keep going with that thread. Did you see that mentality change where they said, okay, let's really get into the weeds and get down to attributing, not only the threat actor group, but also the humans?
I mean, have you seen that, in your opinion, have you seen that mindset generally shift over the past five years?
- [Rick] Yes. And it's certainly something where now being briefed to enroll as a management consultant, now our brief to the board of the most mature companies is: these are the threat actors we're tracking, that we know are targeting us, this is why they're targeting us, this is who's behind them, it may be corporate espionage, maybe nation state, could be whatever. That is again the root of our security strategy: we know that these are our named adversaries who are against us. And that's how we did it in the DIB. There'll be a much longer list depending on what defense thing you supported, but you just track where they are, any activity you've seen with them or on your network or on your friend's network, and keep an eye out.
- [Landon] I've seen boards that just say straight up, not only a systemic, but an existential event, this threat is existential, and they'll put resources toward it, and then I've seen others that frankly don't wanna know anything. You've been a consultant for a while, so how have you seen, I guess, boards kind of adapt? It's intimidating, right, because a lot of times boards know business real well but they don't necessarily know threat intelligence or even cyber threat actors?
- [Rick] I brief boards as a virtual CISO. And it's interesting how sometimes they embrace it because it's kind of cool, right? I mean, this is kind of like literally spy stuff and they're like, oh, okay, well, so there are these groups that are on the other side of the world. And it's really about education and kind of getting them in very practical terms and in their language. Their job is to make sure that the business stays viable and doesn't go out of business.
And they know from a business perspective, there are competitors who will do all kinds of nasty things to try to take their actual property or steal their customers or whatever. It's like, yeah, we get that. Well, now let's look at it from a cyber perspective that maybe it's the same actors, 'cause there's a lot of proxy actors. And particularly in certain parts of the world, like Adele Laughton, Latin America, it's all proxy actors. And so the adversary, the actual adversary, is a known competitor company. And then they just hire some proxy actor from some other part of the world to do the cybersecurity stuff that we've been talking about. And so when you equate it to business risk, it's like, well, this is what they're trying to do: they're trying to steal intellectual property, which makes us less competitive, or trying to steal our contracts to be able to negotiate better with our peers or with our customers, or they're trying to disrupt our ability to do things so we're not as successful, so they can take over. I mean, if it's thinking about money and we're talking about just more hacker gangs who are just doing it for monetary gain, then they can kind of accept that risk. And it's like, yeah, yeah, that's fine. But when they understand that it's something that could really impact the business, they're all ears.
- [Landon] You know, to do this well, you need a lot of sources. You need a lot of necessary accesses. What's your thoughts on what parts of this can be crowdsourced, and what are the sources and necessary accesses that are important to do this well? And what I mean by doing this well is attribute appropriately down to the threat group level, sometimes to the human level, to make it relevant frankly for business, and to inform board members of that existential risk?
- [Rick] I wanna clarify something that I said, just that you referred to the human level and you talk about the threat actor, the actor groups, and I mean them in the same sentence. You're right in that there's individuals in these groups, but you know, what I try to impress is that there are humans on the other side, they are acting together, very rarely but occasionally alone, and that's the linking. I appreciate that you're making that distinction. And I just wanna say that I acknowledge that. The most important intelligence is what's on the network. I think that we failed many times in our industry by saying, oh, let me get a bunch of intelligence feeds and then I'll put all these indicators in my network and I'll look and see what lights up, and you get nothing but garbage because different threat actors are focused on different industries, on different sizes of companies, on different regional areas. And it's like 90% just garbage. And so it's kind of better to do it the opposite way, in saying, all right, well, let me look at what I'm having. It's like, oh, that's interesting, I see this pattern in this group is going after these particular individuals, regularly, whether it's like an R&D group or finance group or whatever it might be. And what's the cadence of that, and is there something that kind of triggered that, that they did, went to a conference or whether or not they did something that made them public? Or is this something that's ongoing? And is it something that they're escalating, or is it something that's kind of commodity and they keep trying the same thing over and over again? And then they'll go out and look and see, all right, is anyone else seeing this? Particularly what we learned in the DIB is that particularly at the highest level of these campaigns, it is like you have one job to get this particular information from this company and you will do nothing else.
And so it is a very bespoke attempt and set of capabilities that will be seen nowhere else. And we learned very quickly not to go, hey, has anyone seen this? Because then you'll know that they know that we know that, the counter-OPSEC thing. So in corporate America, that is not even understood. I mean, everything goes through VirusTotal, everything is like, whoa, whoa, whoa, but that still exists. And so going back to answering your question on crowdsourcing, probably the most effective ones are the ones like the ISACs or the InfraGard working groups for their specific industries, or the local communities like here in Charlotte, where we can kind of talk amongst our peers about, hey, what are you seeing? Because sometimes it's something that's more broad against us and an industry or a region, and we may see it hit one of our neighbors before it gets to us and we can get a little early warning to it. Other times it's only targeted against us, and there's like, yep, I haven't seen that. It's like, okay, cool, I guess it's just me then. This is how I'm gonna deal with it. And then it was also good to have organizations that have got a foot on each side, particularly for companies who are not involved in, I mean, we were very spoiled in the DIB as I had mentioned before, as we would all literally, in the DIB, especially when our community, that community that would get together, the defense industrial base companies, we would all get together in a SCIF at one of ours, and of course our marketing people have a heart attack that our competitors are getting together in one room, but to kind of talk these things out. In the commercial world that is not in that, that's outside of DC, then we have to kind of do it less formally. And we need to be able to kind of know who we can trust and who has the most mature system. So just like with any intelligence, I need to know the viability or the accuracy or the confidence that the data is real.
And some peers of mine I know, it was like, hey, have you seen this? Like, yeah, no, that's just one of your tools kicking something off, it's nothing. But others that I know have like real intelligence analysts are like, hey, have you seen this? And like, oh, that's interesting. No, but it's related to something else I've seen that I see similar, and I know I talked to my friend that did that and you need to talk to them.
- [Landon] What do you mean exactly, talk to him and talk to them?
- [Rick] Oh, I mean, connecting to see like is there something that they've seen. That's what I'm saying is that I may not have seen it but I may know someone else who I had talked to has a similar thing where, and again, I'll use a basic example where somebody is persistently after like SMB shares that are externally facing, or SharePoint more likely, they're externally facing. Like, oh, well, that's interesting. There was an old thing a while ago where somebody had figured out that kind of like the handshake is like, hey, we just opened this share to you. Just letting you know if you wanna reciprocate, and that people would sometimes do that. And then now we have, you just opened one of your SharePoint shares to somebody you didn't know. But the little thing, it's like, oh, I heard somebody say something similar to that. And maybe the same actor or someone who's working with somebody else actor. That's what I meant is like getting people who may have similar experiences, so again, going from my perspective of going inside out is, hey, this is what I'm seeing, is anyone else seeing this? And not like, hey, what's everyone seeing? And I'll see if I see any of it here.
- [Landon] I see, so, I mean, if I understand correctly, when you say crowdsource, you're really talking about different elements of the security team coming together and almost dog piling on a specific threat to see if they're seeing something from their different telemetry, ultimately taking, as you said, an inside out approach rather than an outside in approach. Is that correct?
- [Rick] Yes. And the dark power is both, that's where the think global, act local is.
- [Landon] Right.
- [Rick] Locally, it is a team that, like, hey, cloud folks, what are you seeing? Mobile folks, you see anything here? You know, application people, is there anything that I should know about? Database people, are you seeing anything, or even like infrastructure people. But then going back out another ring, which is my industry, hey, I'm in the healthcare ISAC, A, looking to see if anyone talked about it before, and then maybe posing it to that group or a specific subset of that group.
- [Landon] From that perspective, how do you do threat intelligence effectively? Right, because threat intelligence is very much like you said, that outside in approach, there's a lot of noise. There's no shortage of folks that say, look, here's what the industry is doing. And of course the corollary of that is, okay, well, what does that mean for my organization? And certainly there are a lot of folks that struggle to answer that exact question, right. Having said that, there's certainly no shortage of examples of threat intelligence that ultimately drives an investigation. So I guess the question is, where is that happy medium, so to speak, where threat intelligence can be useful, but certainly not that swarm of feeds?
- [Rick] Right, no, that's exactly the right question. And I touched on it, but I didn't finish it.
And that's when I said there were people who have a foot in each world, and I'll just kind of generically say the beltway of DC and the talented community and government and cleared things, and the people who work in crossover into commercial, because my understanding of who my named adversaries are, I get from people like that, since my experience is much older so I'm not sure what actors. And so that's the next ring, right? As I talked about, okay, internally, we all dog pile on it; externally, I go and I talk to my peers in my industry or my region, or friends of mine who are of similar maturity levels. And then the other ring is, okay, what is my intelligence source of people who have insight into the threat actors and what is going on in other groups? And very specifically, not generally, like here's a list of 50 IOCs, but oh, we're seeing this actor. Like when we were all talking about Maze last year, okay, they pivoted from this to this. I mean, even the fact that they pivoted from, hey, we're now, A, how they're structured and how they're kind of franchised or whatever, and then when they shifted from it's not just encrypt your data, but now it's steal your data, then encrypt the data, it was like, oh, okay, well, that's a change. And then, oh, they also now have franchised, oh, and now they've kind of renewed on something else and they were focusing more on this. And, oh, it seems to be that they're looking with those things. I don't know that. It's the people that are on that outer ring that have their foot in both sides that are kind of tracking the threat actors, perhaps across multiple customers or multiple industries, what is being said, to put these dossiers together of who these threat actors are and what they've done and what they're changing. And that's the kind of thing that links more to threat intelligence.
And so our internal threat analysts are looking at what's happening and what patterns we're seeing and everything, and then they take that and say, hey, sit down with our external threat intelligence folks that are at the level that I was just describing and like, okay, does this map to anything that you're seeing? And this is a human based, not automated thing, because like I said, it could be very customized to us, or they say, oh, no, this is commodity. We see this and this and this and it's this other thing. Okay, great, thank you.
- [Landon] I'm tracking. So in essence, you think that there is viability for ultimately, like you said, almost a think-tank team that ultimately has a lot of the different external types of telemetry available, let's just call it that. And that's kind of just another add-on for the internal team to kind of go to, that certainly has viability to ultimately make threat intelligence more useful, frankly.
- [Rick] Yes. And particularly those who may not be in an industry that has an ISAC, that it's like, hey, I saw there's this thing, it's like, hey, give me the IOC, let me see if I saw it here. Okay, yeah, I did see it at this time. It was like, okay, cool. And blah, blah, blah. If you don't have that, then you need a group like we've just been talking about that has access to that information. And then to us who already have these other layers, we need it at the highest level, not just, give me an automated feed through STIX or TAXII to get me the latest IOCs updated and refreshed and delete the ones that are now stale, but more so those that have that ear to the ground in whatever their sources, particularly related to my industry or my region, of who are the threat actors, who are the proxy actors, what are we seeing? And that kind of thing which would feed intelligence reports, as in the formal definition that you did before, then kind of understand that.
And that's more like the human, and so all the automated stuff, yeah, we got all that taken care of, but it's the stuff that informs our strategy of, okay, this is how we're gonna adjust what we're going to put our protections and detections on. We need that insight that only someone who has spent their life in the industry and knows the industry and how to communicate can give to us.
- [Landon] Understood. That's a perfect transition certainly to our final thought. And we've touched on a lot of disciplines that go into operations monitoring. In your opinion, what is the one that is the hardest to get right?
- [Rick] I guess it's quickly identifying if this is targeted or commodity. Because then the path is different depending on what that is. And the people you get involved are different, and that goes to that group of who am I gonna start engaging. And then my process is different because I might be engaging people that I'm gonna read in, and it's like, listen, this is red, don't tell anybody about this. They'd be able to have his commodities like, oh, crap, here are these folks who are banging on the door again. Yeah, you seeing this? Okay, cool, whatever. And so I think that that's the first step, because once we know that, then it's pretty well understood, like, okay, this is what we need to do, this is what, when you find out, this is what we need to get the information on, is contain it, was get information. Like even for response, it might be getting some of that intelligence about, are these people who like to maintain persistence at the Active Directory or the domain controller, or do they maintain persistence in a certain thing? Or they may have expertise on a certain platform, that Linux platform as opposed to a Windows platform, or AWS as opposed to Azure. Those are the things where then you kind of get in and get, but it's kind of at the highest level of maturity where that makes a difference, right.
Because if you're a lower maturity, you're just doing all the basics, like whack-a-mole: contain it, eradicate it, hope we got it, get it out, let's see if it worked or not. And not like, okay, let's kind of do this dance and see what we're really up against, and let's be very conscientious and lecture, we measure twice cut once kind of thing.
- [Landon] In the world of cybersecurity, I think there's no question, there are the haves and the have nots, right? So maybe we should have probably broken that question up a little bit more. So let's take a medium size organization, right. They need to get a mature security program out of the door, and they have a security team of probably five to 15. What's the hardest to get right for that kind of team?
- [Rick] Well, assuming that they're doing the basics and they're doing all the right things, they've done all the CIS critical security controls stuff, which version of which is being released on May 18th, actually we're releasing that. And so we totally redid that. If you're doing the basics like in NIST or the cybersecurity framework or CIS critical security controls and you're looking at it, all right, how do I kind of go to that level? And it really is based on the human, the maturity of the individuals. It's not as much the size. I mean, I was exactly that, I was a CISO of a 2500 person worldwide company that was in that range of revenue. And it was me and one of my buddies who was smarter than I am, and we held it down because we knew the questions to ask. But what are we like is services to be able to do that, like SASE to me working in a big company is like, I would never do that, I want control and visibility and everything. But when I had my own, I was like, I had no resources, I'm like, great, give me a clean pipe, give me a portal where I can access stuff. And then I'll access the people, because one of the most important things for me was that kind of threat intelligence.
So when I can correlate, when I see things, is this like a known bad neighborhood or not, or whatever. And I didn't really need to care about the who at this point, because it didn't matter at the level that I was. But to accompany that, if I had the ability to, and again, it's more about the maturity of the people, not the size of the company. If you have a mature person who wants to do well, who understands this, and that's a small group of people anyways, as we mentioned before, then, yes, having a service to be able to give me access to that information of where are the bad neighborhoods, who are the bad actors, who would be targeting me, giving me a report every quarter or every week, or every whatever timeliness, of like, hey, here's some activities going on against you, your region, your industry, whatever. Based on these actors who are kind of targeting you, you may wanna make sure that you're kind of covered up, and then being able to have access to people who can, bouncing off, like, hey, I've seen this. And it came from this crazy little island off of Madagascar. Is this someone you'd worry about? And then some I'm like, oh no, and then have the resources to be able to run that down and get back to me.
- [Landon] Larger organizations, I think that if you get that scale down, I think that they're able to hone in more on like, is this targeted, or is this commodity? I was reading something after the SolarWinds attack, when CISA testified to the hill, whoever the CSUN representative was basically said, you can't detect what you can't see. Being a practitioner in this space, how critical is asset validation as just a fundamental thing to get right for any security team? Which is a hard question to ask for a security program, security person, because it bleeds so much into that IT aspect as well. So I'm just kind of curious at your final thoughts there.
- [Rick] Well, and that's why in CIS critical security controls, number one is asset management of hardware. Number two is of software. You know, I can't protect what I don't know. And while that is kind of an IT function, I had learned when I was a CISO before that I had better insight into what our architecture and what our assets were than my IT department, because I had sensors going that watched everything or I had agents on everything. And if I didn't, then I needed to put one on. And so the number one thing is, do I have metrics, right, do I have appropriate coverage of all my things? Am I seeing all the things in all the places? Am I seeing all the data and all the flows? And if I don't have that, then I'm never gonna win. And so that is why it's so fundamental to be able to start with that completeness. And that completeness also includes data, right? And so that's where the intelligence comes in. It's like, okay, well, I know what's going on in my network and I know what's kind of coming and going, but I don't know what any of that means. And that's why I come back to, and this is my opinion and feel free to have a discussion in another podcast if you want someone who disagrees with me, I'd love to have that discussion of that, that's why to me, when I was setting up the program years ago, it was like, is it commodity or is it targeted? Or is it commodity, do I know it's commodity, or I'm not sure if it's commodity? And if I'm not sure, I need to research it and see if it's come out of your targeted, because that will change my path. And I can't do that if I don't know what's on my network, what it's supposed to be doing, and be able to see that. Because yeah, that's where the fundamentals really have to come into play. Because if you don't have those down, then none of it's gonna be effective.
- [Landon] Rick, you're a master of your expertise. I appreciate you being on the show, sir.
- [Landon] For the latest subject matter expertise around Managed Intelligence, please visit us at www.nisos.com. There we feature all the latest content from Nisos experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence. A special thank you to all Nisos teammates who engaged with our clients to conduct some of the world's most challenging security problems on the digital plane and conduct high-stakes security investigations. Without the value the team provides day in, day out, this podcast would not be possible. Thank you for listening.