The Black Report, The Human Behind the Hack - An Interview with David Smith of Nuix.


Interview with David Smith of Nuix:

Cyber Security Dispatch: Season 1, Episode 13

Show Notes:
Today on the show we welcome David Smith, who is the CISO of Nuix. David is here to talk to us about the landmark Black Report that he and his organization produced. The document is a groundbreaking collection of findings on the world of security, which profiles current threats with an emphasis on the social and psychological aspects of the hacker. In our discussion, David gives us great insight into the thrust of the report and shares many perspectives on topics such as the role of human motivations in attacks, current hacker trends (or the lack thereof), hacker communities and, of course, ways to safeguard against threats. We also cover testing and drill protocols, David’s background in the Secret Service and the evolution of software. David’s expertise and methodical approach to cyber fortifications make this a must-hear episode for anyone interested in the field, so join us for this vital conversation.

Key Points From This Episode:

  • David’s current position at Nuix and his background in the US Secret Service.
  • Some information on the Black Report and its defining characteristics.
  • The biggest realizations David has had working for Nuix.
  • Underestimating the human factor in current cyber attacks.
  • Better understanding the profiles and motivations of hackers.
  • The evolution of the mind of the attacker and how things stay the same.
  • Possible ways to go about testing and preparing for attacks.
  • David’s estimation of the social cohesion of hacker organizations.
  • How the security protocols and processes could be streamlined or sped up.
  • And much more!

Links Mentioned in Today’s Episode:
Nuix - https://www.nuix.com/
Nuix LinkedIn - https://www.linkedin.com/company/nuix/
David Smith - https://www.nuix.com/david-smith
David Smith LinkedIn - https://www.linkedin.com/in/david-smith-57a19085/
The Black Report - https://www.nuix.com/black-report/black-report-2018
Verizon Reports - https://www.verizonenterprise.com/verizon-insights-lab/dbir/
Black Hat Conference - http://www.blackhat.com/
Lance Spitzner - https://www.rsaconference.com/speakers/lance-spitzner
SANS - https://www.sans.edu/
S3 Buckets - https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html
NIST - https://www.nist.gov/

Introduction:
Welcome folks to another edition of Cyber Security Dispatch, this is your host Ashwin Krishnan. In this episode, The Black Report, The Human Behind the Hack, we speak to David Smith, CISO of Nuix. Prior to Nuix, David served in federal law enforcement for 27 years, including 24 years as a special agent for the United States Secret Service. He has been closely involved in the creation of this fascinating report, which looks at the who, why and how of the hacker. We explore the implications of this report for both security practitioners and vendors.

TRANSCRIPT

[0:00:35.6] Ashwin Krishnan: Welcome folks to another edition of Cyber Security Dispatch. My guest today is a very interesting CISO from a company called Nuix. I will have David Smith introduce himself, but the focus of today’s podcast is really on a groundbreaking report called The Black Report that David and his team have assembled together.
Without further ado, I’ll hand it over to David to introduce himself and we can then dig deep.
[0:01:06.0] David Smith: Thank you Ashwin, my name is David Smith, I’m Chief Information Security Officer for Nuix. We are an Australian cyber security software company. I have been the Chief Information Security Officer with Nuix for about one year.
Prior to that, I spent over 24 years as a Secret Service agent, supervising information security program management and cyber security training, as well as heading up many forensic and cyber investigations. Thank you for having me.
[0:01:39.0] AK: Great, David, let’s get started over here. Just before we started the podcast, we were discussing the fair number of reports that are out there in the market today, and you mentioned Verizon and a few others which are really good at analyzing post-breach incident response times, detection, et cetera.
What makes this report, The Black Report, different and why is it a huge complement to what already exists in the market today?
[0:02:06.9] DS: Very good question. Yeah, as you mentioned, there are many excellent annual or semi-annual data reports out there. You mentioned Verizon, which I think is a very good one. They collaborate with the Secret Service and other law enforcement and gather very good statistics on different types of attacks that have been reported, either to law enforcement or to regulatory agencies like HIPAA, et cetera.
It does provide a very good statistical sort of analysis review of what’s going on out there. What makes the Nuix Black Report unique is that we concentrate on information that happens before the breach. Rather than trying to analyze different numbers and what’s the most common type of attack last year, what we want to do instead is more of a psychological or sociological study of what makes people hack, what things they find successful.
What are the barriers, in terms of what kinds of defensive mechanisms do hackers have difficulty with? What kinds of industries do they typically have more success with than others, et cetera? It’s really an analysis of what’s going on before the breach even takes place.
[0:03:13.1] AK: That’s great to hear. Maybe for the edification of the audience over here, what were some of the ‘aha moments’ for you and your team that you found surprising, even with all of the wealth of knowledge you’ve gathered over the years? Is there something that jumped out at you, saying okay, either this busts an existing myth or it shines a light on something that has been ignored for too long? Any ‘aha moments’ for you?
[0:03:38.1] DS: I think that probably the biggest takeaway is how much things stay the same. There’s always a lot of interest in the new things. You know, for the last year or two, it’s been ransomware and internet of things. You know, certainly those things are worth paying attention to, but sometimes what gets lost in all of the focus on the next big thing in terms of security or attacks is how much things just stay the same. If you download The Black Report, which by the way is free to download at nuix.com, you’ll see the different statistics in there and you’ll see that social engineering and phishing are still probably the most common attack vector. Even though those things are not new, they’ve been around for quite some time, they’re still very powerful and very effective.
[0:04:23.8] AK: That’s interesting because I was on the vendor side selling security and cloud and personalization for over 20 years. One of the challenges I faced as head of products and strategy for a long time is it’s very difficult to go back to a customer or a venture capitalist looking for funding and talk about “Hey, things are the same, please fund me.”
Or, rise above the noise when I want to talk to a customer when I’m not using words like AI (Artificial Intelligence) and ML (Machine Learning) and deep learning, et cetera. I mean, would you find the vendor community somewhat challenged in acknowledging the fact that, hey, things are broken or things that we already delivered to the customer are not being used effectively, let’s spend some time talking about that versus having to sell something new?
Do you see that tension kind of playing into this, and how does somebody look at this report and kind of hit the reset switch and say, okay, maybe we need to start slowing things down in terms of the newness that comes out over here?
Really look at the long tail of exposure that has not really been addressed.
[0:05:29.2] DS: As you know, the security software and hardware world is very large and it seems like every day, there’s another vendor getting involved with some kind of security product. Many of them are very good. I think what ends up getting lost in all the discussions is how much of all of this, both the offense and the defense is still human driven.
That human factor is something that technology is not always going to be able to solve. Maybe even help a little bit but you know, again, what the Nuix Black Report says is that the most common attack vector still, or at least the most consistently successful one is social engineering/phishing. 
There have been some technologies that have come out over the years that have tried to help with that. I mean, there’s different filters for email systems and things like that, but it hasn’t solved the problem. Things are still getting through, people are still falling for things. If you do read up on some of the more significant successful attacks over the past year, you’ll see that a large number of them are still social engineered.
In terms of what the attacker was able to displace. I think as a security community, when we lose sight of how important the human factor is, that’s when things start to get out of control.
[0:06:41.7] AK: It’s very relevant, the social engineering aspect, because one of the most publicized attacks is the one at the Black Hat Conference where this lady goes to the phone booth and starts calling people up, and how easily she’s able to kind of break down the defenses purely through a phone call. As I said, it’s scary; at the same time, it’s very revealing.
Switching gears a little bit, I had a chance of kind of going through some of the report this morning. One of the things that was mentioned in the report is most organizations define their security posture, or vendors define their security strategy, by taking available knowledge, right? Through conversations with the other CISOs and conversations with customers and list reports, et cetera.
The big missing factor is the actual attacker. I think this report seems to have gone to that extra length of actually interviewing, talking to the hacker community and learning a little bit about how they think and operate. Can you shed a little bit of light on who are these people?
I mean, clearly, you have debunked the myth which says, “Hey, this is a disgruntled teen in the basement of his parents’ home trying to hack something.” That’s not really the profile of the attacker. Can you talk a little bit about what you learned in these conversations with the actual attackers and what both vendors and practitioners can do about this?
[0:08:11.4] DS: Yeah, absolutely. Many people in the security community probably know a gentleman by the name of Lance Spitzner, who is an instructor at SANS, and for years and years, Lance has always urged us, to paraphrase, to know your enemy. In other words, you can’t just look at threats and risk as just being a sort of faceless something that’s out there to get us.
The more you understand about the type of people that want to do you harm, the more you can try to tailor your defenses or improve your defenses. I think, to leverage what Mr. Spitzner has talked about over the years, The Black Report is a good byproduct of that.
As you mentioned, yeah, a lot of people, when they think of hackers, they think of this teenage person in the basement with the hoodie and cans of Red Bull or whatever. That’s not necessarily the case. If you read the statistics, where people provide a lot of information about themselves and their backgrounds, you’ll see that the attackers are probably better educated than what people give them credit for. 75% of the respondents have either a bachelor’s degree or a graduate degree. They’re very well educated; many of them work for companies during the day.
Large companies, maybe in the security industry, or maybe they are a programmer. They do different things for fun or just for learning or whatever. Speaking of learning, that was one of the biggest motivations. If you read The Black Report and you get to the pages that talk about why do you hack, why do you attack systems, you’ll see that things like financial gain are actually pretty low on the spectrum as far as motivation. The biggest motivation is to learn, or curiosity. A lot of the things that happen out there are people just trying to figure out, how does this system work? How can I get around this software?
Is there some way I can overcome this security feature in this particular piece of hardware, or something like that? Then you’ll see this quite a bit in some of the news articles that come out about different security weaknesses with different companies.
One of the things I’ve noticed a lot in the last year is the number of companies that have had their data exposed on cloud systems, particularly S3 buckets. A lot of these exposures come from research companies that go out and basically scan cloud environments looking for poorly secured data.
I think that just confirms what The Black Report says, which is that there’s a lot of people that are out there just either for knowledge or curiosity, looking to see if they can get around different security defenses.
[0:10:39.9] AK: David, you bring up a very relevant point, which is the S3 bucket exposure that’s obviously been quite embarrassing to companies over there. It also highlights what you mentioned, which is: are we leaving porous defenses at the lowest level while we’re trying to secure, like you mentioned, ransomware and other times cryptojacking attacks, right at the top, which are the ones that get maybe the board’s attention and budget as well?
Are we fighting two different battles? Are the defenders focused on the next cool and sexy attack while the actual attackers are going about their business in a relatively low-key fashion, looking for existing holes that are relatively easier to attack? Do you see a mind shift that needs to occur, where there’s more attention focused on Windows 2000 servers and unpatched Apache servers and stuff like that?
If so, is that going to be led by the security practitioners, is it going to be led by regulations, is it going to be led by vendors? Where do you think this focus shift is going to come from?
[0:11:51.0] DS: Looking at things from the offensive side, I see it as sort of a two-pronged viewpoint. On the one hand, we do have some of the more famous, or more infamous, recent things like the S3 scans and ransomware, things like that.
You know, obviously it’s a problem, otherwise it wouldn’t be making the headlines that it is. Again, as The Black Report has also shown, there’s still plenty of traditional, sort of old-fashioned things. I mean, phishing is still very much alive and well.
Scanning networks for poorly secured remote access or VPN openings has also been around for years and years. It’s still alive and well. Even just more traditional malware is still very common. We do sort of have this one-two punch of some new things as well as some old things.
I think from a security perspective, what that tells us is that what works best is still the defense in depth approach. Rather than chasing the latest threat with the latest tool or latest security vendor product, I think what works best is to stick with what’s tried and true, which is applying security in different directions.
There are different defense in depth models out there, whether they come from the Top 20 or from different models from the US government, et cetera. If you look at these different defensive models, they typically have a lot of the same elements. You know, user education and awareness, backups, contingency plans, things like that.
That’s one of the things that really came up, I think, in the last year, that we hadn’t heard so much about prior to all the ransomware attacks: the importance of having data recovery and data backups. You know, we used to hear a lot of that back in Y2K and then it kind of went away for a while.
People were more worried about other things and, you know, whether it’s two-factor authentication or whatever, the security community tends to kind of get led in different directions by what’s the hot topic. Sometimes the old topics are kind of boring a little bit, like backup plans and contingency planning.
They kind of start to fall away for a little while and then guess what? What did we learn last year? The people that did not, the companies that did not have backups, that did not have good contingency plans, were the ones that were suffering the most with ransomware. To those that had good backups, the ransomware may not have been a big threat to them.
I think having that holistic, 360-degree attitude towards security has been, and I think always will be, the best way to approach things. If you do that, then you don’t have to worry so much about the latest shiny object or the latest storm clouds that are threatening your organization. If you have a solid security plan that reaches out in all the different directions, I think that’s the best way to go.
[0:14:37.9] AK: Yeah, again, you mentioned data backup and recovery. The question is, do organizations have to stage mock attacks where they actually have files, critical files, encrypted so they actually go back and see what they can recover from backup, or is it still an open play where you are snapshotting, you know, once a day or once a week or something and hopefully nothing bad happens?
Is that also a sense of urgency of saying okay, let’s pretend we’re under attack and see how we recover from that?
[0:15:03.7] DS: I think if an organization can do that, that’s extremely useful. I think, to use the NIST phrase, the testing of your security controls, I think there’s extreme value in that, because how do you know that they’re going to work until you’ve tried them out?
You know, the first step of course is to put the controls in place.
[0:15:20.6] AK: Correct.
[0:15:22.2] DS: You know, that’s better than nothing, but if you don’t try them out, especially for something as critical as backups and recovery, that’s the kind of security control that you really won’t know if it works until you try it out. That should be part of a larger incident response plan for the organization that goes through what’s going to happen, and whether you do it through tabletop or whether you do it through actual, almost like an employee recall plan kind of thing.
Where you actually unplug things and see how people respond. I mean, there’s different ways you can go about the testing. Yeah, obviously, you don’t know for sure if your plan’s going to work until you give it a shot.
[0:15:58.3] AK: One psychology, and you mentioned the sociology and psychological angle of the attackers, is the prevailing myth of the hacking community being a very tight-knit community and having, they exchange information, they help each other out. Is that a myth or is that true based on the other findings of The Black Report?
[0:16:17.8] DS: I mean, I don’t think that there’s some monolithic community out there. I mean, there’s not some evil empire of hackers where they’re all talking and things like that. Certainly, there are different forums and, you know, different communities of people that blog, you know, things like that, and Twitter feeds and things like that, where people do share information with one another.
But in my personal experience, and also I think from what we learned in The Black Report, it tends to be small-ish groups. You know, maybe a group of half a dozen or a dozen share information, and for the non-criminal, I should emphasize, the non-criminal ones, it often tends to be focused around a certain category of exploit. You might get a community, for example, of pen testers, red teamers that are really, really interested in PowerShell scripts, and so they’ll get together on websites and blogs and so on to share information with each other about something that they learned, some new vulnerability or attack vector or things like that.
And on the criminal side, you get a little bit of a mixture. You get everything from just individual people doing their own thing through to fairly well organized crime groups that are like the traditional organized crime and the mafia type stuff, where people will organize themselves and there will be leaders and there will be middle people and there will be just the street runners and things like that. So it’s all over the place as far as the size of different groups.
[0:17:40.3] AK: So I think we are nearing the end of our podcast, but I wanted to talk a little bit about, you mentioned something about the community itself wanting to learn and therefore they have a day job. They go home and they try to figure out vulnerabilities and exploits and so forth, so they’re doing learning, and we have seen this enough. I have been on the vendor side so I know this personally. It is, let’s say, an ethical hacker reaches out and says, “I discovered this vulnerability and I am going to post this online in the next two or four weeks.”
Number one is the vendors need to respond to that, right? But then the second step is, let’s say the vendor actually chooses that path, now it is contingent upon the actual security user to deploy that patch, and sometimes that requires the Google’s lines of businesses. So every step of the way there seems to be more challenges for the defenders.
So is there any streamlining, do you see that helping out, as that would actually make this ethical? From detection to the vendor community actually showing a patch to the security person actually being able to install the patch, is that going to get time-compressed any time soon, or is this the nature of the business, that we are going to have this exposure which the hackers can exploit?
[0:18:57.0] DS: I don’t think anything is going to change anytime soon. I think the only thing that is changing a little bit, maybe, is I’ve seen a slight increase in the so-called bug bounty programs, where companies are starting to be a little bit more open, even aggressive, in paying people to uncover vulnerabilities and then notify them. Anyway, it’s always been a little bit of a controversy within the security community about when, if you are an ethical hacker and you happen to find an exploit, through whatever means, just experimenting, fuzzing, whatever, what are your moral obligations as far as notifying the company?
Because people always want to rush to get credit too. There is an academic slant where I want to be known as the person that found this gigantic gaping hole in your product but at the same time, if you announce it before you give the vendor a chance to fix the product. 
Well then bad guys can take that vulnerability and weaponize it and do harm to innocent people. So it is always a little bit of a debate about what’s the best way to approach these kinds of things, and when to do it and how much time to give and things like that.
Until the supply chain and the software development cycle somehow get tighter in terms of not having as many vulnerabilities, I think we are still going to continue to see the same kind of cycle.
Which means that from a defender’s perspective, from a security perspective, the whole configuration management life cycle is still very important, which means paying attention to patches and staying on top of them, and then getting them and then testing them and then deploying them, which any CISO knows is not fun. It’s a big chore, it can be a challenge. Sometimes you have a patch that actually breaks something legitimate.
Now what do you do? You’d wish that whole cycle would somehow shrivel up and go away, but I don’t see it happening anytime soon.
[0:20:48.5] AK: Yeah, and again, to your earlier point, each of these actually involves a human, right? All the way from the hacker and then moral obligations to what does the vendor do to what does the... I think the human element continues to “plague us” as we want to get better and more efficient at defenses.
[0:21:06.4] DS: Yeah, I agree, and I think if there is one, if I could have just one final word about The Black Report before we finish, it’s that it sheds a light on the human side. I think, as you and I are both in the CISO world, when CISOs lose sight of the human factor, whether it is training awareness or just understanding that there is a whole person, whether they have a hoodie or not, behind the keyboard on the attacker’s side.
Once you lose sight of that and get too wrapped up in the technologies, then I think that is when you start to lose your power as a defender and as a security person.
[0:21:40.0] AK: That is a great takeaway for all the listeners out there in terms of hey, never forget that the human at the end of the cycle looks from that. Whether it is an attacker or it is people within your organization in terms of how they need to react to change as well as vulnerabilities and how they can do stuff more efficiently. 
So David, it has been a really fascinating conversation with you. Again, I appreciate your time. I am sure the listeners are going to be a wee bit more educated than they were going in.
But I highly encourage everybody to download The Black Report. I think it is a really fascinating piece of intel in the community that has gone and the readers to straitjacket them into thinking of hackers in a certain fashion. I think all of those myths are busted over here.
So again, it is a really good piece of reporting so thank you for that and thank you for your time David. 
[0:22:27.1] DS: Thank you for having me. I really enjoyed it.