LAS VEGAS - BLACK HAT USA - The Federal Bureau of Investigation revamped its approach to fighting terrorists after 9/11. Corporate America can apply those lessons to protect the networks from cyber-attackers, a former official told attendees at Black Hat security conference.
Attacks have changed, and anyone can now launch a cyber-attack, but organizations haven't changed the way they view security or do business, Shawn Henry, the former executive assistant director of the FBI and currently a president of CrowdStrike Services, a division of security startup CrowdStrike, said in his keynote speech on the first day of Black Hat in Las Vegas. Until March 2012, Henry was responsible for all of the FBI's criminal investigations worldwide, including the cyber-investigations, critical incident response group, and international investigations.
There needs to be a new “paradigm” in how business views security, Henry said, and the best way to do that is to take the lessons learned from protecting the physical world. The actual tactics used to launch the attacks may be different, but the theory is the same, he said. The threat from computer network attack is the most significant threat—after weapons of mass destruction--facing society, he said.
"The adversary knows that if you want to harm civilized society -- take their water away, do away with their electricity," Henry told attendees.
So much of the data integral to personal lives and the organization's intellectual property is stored on the network, Henry said. When attackers breach the network, it's the data being held hostage and the life of the organization that is at risk. A company could lose a decade worth of research in a matter of days with a single attack, Henry said.
"Today, with a $500 laptop and an Internet connection, anyone anywhere can attack anyone, anywhere," said Henry. Many CEOs still haven't accepted the new reality yet, asking why their organizations would be a target, he said.
The FBI had to change their approach and tactics after 9/11, becaise it was clear the terrorists were already inside the country, and the best way to to catch them was to work with other intelligence agencies to gather and share better intelligence, Henry said. By the same token, the private sector has to accept that companies can't keep focusing on protecting the network perimeter but acknowledge the adversaries are already inside.
Once that is acknowledged, the question is why organizations aren't looking for the adversaries on their networks, Henry said. Looking for adversaries rely on the organization collecting information about what is happening on the network. But organizations can also think about creating a hostile environment for the adversary.
Henry described using “denial and deception,” such as allowing cyber-criminals to steal outdated or wrong data, or just not putting certain types of data on the network in the first place.
To catch the adversaries, organizations must focus on intelligence, Henry said. They need to think strategically, collect information, analyze the situation, and execute, he said. Organizations need to be focusing on granular intelligence, to be able to share high-quality information about the attacks, the origin, and even the entity behind the attacks.
"We need to understand who the adversary is," Henry said, "because if we understand who they are, we can take proactive measures."
He was very quick to assert that his repeated statements for the private sector to “step up” and be proactive about cyber-threats did not mean he was advocating hacking back against the originators of the threat (as that would be illegal). Instead, he believed that intelligence sharing and partnering with other organizations were important tools.
Some attendees weren't swayed by Henry's impassioned call to action to “stand side by side to protect that line between good and evil.”
Information sharing is not as effective if the government is sharing information the public already knows about, Kurt Baumgartner, a researcher at Kaspersky Lab told SecurityWeek. The government has to provide actionable and worthwhile intelligence, and that really hasn't been the case so far. However, the government is trying to change that to give more valuable information, Baumgartner said.
At a session after Henry's keynote, Marcus Ranum, chief of security for Tenable Security criticized the premise that the responsibility for network defense was on the private sector and not the government.
"I lose my cool when I hear people from the government, or formerly from the government, say the private sector needs to step up," Ranum ranted, adding. "Providing for the common defense is what the government is supposed to do."