Q: Greg, GDPR goes into effect in just over six months. How is Palo Alto Networks helping enterprises prepare for the mandate?
Palo Alto Networks has been communicating the significance of GDPR for over 12 months now. Our aim is to share the knowledge and best practices we have built with our partners, including legal partners, consultancy firms and cybersecurity experts, as widely and openly as possible. As the deadline draws closer, this mission continues, and this content is available to anyone at get.info.paloaltonetworks.com/webApp/eu-cybersecurity-requirements-en.
As a technology company, we help organizations in a number of key processes on the GDPR journey. This starts with the capability to understand how and where information flows between applications and users, through our usage reports that give insight both inside and outside the business network.
To minimize the impact of GDPR, organizations should be looking to enforce stronger preventative measures wherever personal data is being used. To do this we encourage customers to leverage the zero-trust mindset applied through our next-generation firewall platforms.
Critically, the security incidents that GDPR addresses occur most commonly from credential misuse. Specific new capabilities in our Palo Alto Networks OS-8.0 release simplify multifactor authentication zoning and identify phishing attacks. As a result of our acquisition of LightCyber, customers can also spot abnormal spikes in traffic through user behaviour analytics and other capabilities.
Many of the requirements for state-of-the-art cybersecurity and breach notification are about organizations applying best practices. While many have, for years, used a variety of disparate best-of-breed tools, the human intervention required to coordinate cybersecurity has hampered the effectiveness of this approach. GDPR provides the ideal opportunity to consolidate and automate cybersecurity processes around a much more proactive prevention security posture, which is core to Palo Alto Networks' own strategy and vision.
Q: Alexander, as a threat intelligence analyst you are constantly exposed to the latest tactics, techniques and procedures used by threat actors. What should enterprises be scared about the most? What keeps you up at night?
Good questions! Having witnessed the changes in attack methodology over many years, something to be aware of is the evolution of persistence techniques and detection evasion. During the installation stage of the attack lifecycle, as the attacker gains a foothold on a compromised host, they will try and move laterally to compromise other hosts, increase this foothold across the network, and hopefully gain the privileges required to perform the action on their objectives.
The evolution in cybercriminals' techniques to achieve this has shifted to include greater, and more sophisticated, use of built-in tools provided by the operating system. These tools themselves are becoming ever more powerful, allowing for system administration; they are occasionally run with elevated privileges and often have implicit trust to run on the system, and can therefore sometimes be ignored by some security software, leading to further compromise.
This self-sufficient method doesn't just stop with the installation stage. It can also be used for Command and Control (C2) communication as well as data exfiltration, and can often be done in memory, leaving no footprint on the system's disk. Furthermore, techniques can be employed to eliminate traces of compromise by removing system event entries that could lead to post-breach detection and hinder incident response.
Aside from my young kids, or the thought of being compromised by malware myself, attribution of adversaries sometimes keeps me up at night. It's an art form more than anything, extremely difficult if not impossible at times, and is fraught with problems and numerous rabbit holes. Many of the indicators that could lead to successful attribution can be forged to frame others, so occasionally I find myself running in circles when investigating. A colleague of mine uses an apt term for these situations – attribution soup.
Q: Greg, the cybersecurity skills shortage has become a very real problem for organizations worldwide. To what extent can automation help alleviate the issue? For what kind of security tasks do you absolutely need human skills?
Cybersecurity can typically be broken into two kinds of threats: known and unknown. With the former, it should be possible to leverage automation for prevention, but the challenge today is that too many incidents fall into the "unknown" category. Scarce human cybersecurity expertise and resources must be prioritized to be able to deal with what should be the small percentage of truly unknown attacks, and to correlate the business implications of these.
Why are so many of the known attacks identified as unknown? Attacks are made up of multiple phases that must be correlated together in order for there to be confidence in the conclusions we draw. The problem is that too many organizations are still using fragmented security tools that give partial answers and cause confusion with duplicated alerts. All this means that a human must step in to validate and make the final decision, which is no longer sustainable.
Organizations recognise this and are moving from reliance on a collection of historical best-of-breed tools to consolidated security platforms. These allow much greater automation, by leveraging security tools that are natively integrated and, as such, share common intelligence. With this level of automation, organizations can correlate each element of an attack across different detection techniques to see the whole attack lifecycle. This reduces the number of alerts, increases confidence in the detection efficacy and thus moves what may seem to be unknown into known attacks.
Automation continues to evolve. With new evolving cloud capabilities and machine learning we can gather richer intelligence that can be processed at greater pace. Organizations can correlate all the permutations used by an adversary over time, not just for an individual attack, and thus build out detailed adversary playbooks. The value of these playbooks is the identification of effective security controls and the resulting evolution of tactics deployed by the adversary, which becomes an ongoing cycle.
Q: Alexander, ransomware was a pretty hot topic at Black Hat Europe last year. What do you expect will dominate the conversation at this year's event?
Ransomware will likely still factor quite highly in conversations this year, given its continued growth and evolution. Since last year, many more families have been identified, together with new techniques for malware delivery, infection routines, and ransom requests. Some interesting examples include a Middle Eastern ransomware requesting the victim update their public-facing website with violent, politically motivated messages; so-called educational ransomware exists whereby users must read articles about computer security in return for decryption; popcorn ransomware requested victims nominate other parties for infection to avoid paying; and recently, ransomware demanded nude photographs of the victim rather than traditional payment.
Newsworthy variants made use of the EternalBlue exploit to leverage network-based vulnerabilities in Windows to spread ransomware like a worm – something the industry hadn't seen for years. In many ways, the ransomware was a distraction, especially when the poor implementation of the malware is considered together with the low ransom requested. WanaCrypt0r and NotPetya could have been even more effective had it not been for various reasons. However, they did startle Internet users with what could be possible.
Other conversations this year may include threats to cryptocurrencies, not just those that use them, such as ransomware. Considering the evolution of over 1,000 different digital cryptocurrencies, with a combined total market cap of almost $136 billion, this ecosystem is a perfect target for cybercriminals. Not all organizations conduct business using digital currency, so many might not be targets of malware looking to steal from their digital wallets. However, everyone is a target for malware looking for additional CPU power to mine said currencies.