The following is a Q&A with Pete Smith, a network practice lead for FaaS (FireEye as a Service). In this role, Pete is responsible for designing network services that our analysts use to defend our customers from advanced attackers.
How did you initially get interested in cyber security?
I became interested in cyber security as a little kid. I started learning about computer networking and attended LAN parties as early as eighth grade. As I became older I’d look at packets from a network administrator perspective and find some malicious packets that didn't look quite normal to me. I'd wonder what those were, so I'd dig a little bit and I find this entire world of network security that existed where attackers were sending traffic out to malicious command and control servers. I thought that was cool and wondered if I could catch these bad guys. That’s when I realized that advanced persistent threat (APT) groups were becoming a big problem. I read about these groups and learned about Mandiant and its work with advanced threats. I joined the Managed Defense team at Mandiant in 2010.
Can you describe the technology used on the Managed Defense team during that time and how it evolved to what we do today on the FaaS team?
Our first network sensor worked with a BSD and later CentOS box that we slapped Snort on, with a couple of perl scripts to make it run a signature set that we created. It had maybe 3,000 signatures and was entirely custom built. We had a packet capture capability so we were getting full PCAP on it, and eventually we tacked on Netflow and some other investigative capabilities. In 2014 we started looking around for a technology replacement and we found the nPulse PX, and that’s been our network sensor workhorse ever since.
Of course, we've still got thousands of the legacy network sensors deployed in the field and they're humming along – they’re great machines. But also having PX has really upped our game and our ability to defend customer networks, so we're pretty excited about it.
We're always interested to talk about the unique things we see in the field. What's something interesting you've seen lately?
The attackers are getting smarter. I think once the APT1 report came out we began shining a spotlight on the bad guys. They're getting really crafty with the way they do business and I'm talking specifically about the use of legitimate Microsoft tools such as PowerShell and their ability to reach out to GitHub and pull down a configuration file. The TechNet stuff, Twitter, reading tweets off of that and understanding their command and control somehow and their general adoption towards encryption has led to some defensive problems, I think, for defenders to see what's going on in networks. So those are sort of the general observations I make about the interesting things they're doing and I think we'll talk about encryption probably a little bit later because that's one of the biggest ones.
What is a typical day in your role? Are you actively out there hunting on networks or are you overseeing the team? What does a day look like for Pete Smith?
I started in the Security Operations Center (SOC), which back then was a cube with two people. Now our SOCS have 70 to 80 analysts in four countries. I work with those guys a lot, finding the bad guys. Sometimes that means training and imparting what I know about the attackers, or designing tools for them to be able to do their jobs faster, and other times I’m looking for the bad buys myself. I definitely still have my head in the game because if my knowledge gets stale, I’m not effective in my role. I need to stay sharp.
What do you enjoy most about it?
There are two things: the people and the mission. I work with some of the smartest people I’ve ever met, without a doubt. We are working in the defense of customer networks and the mission we’re trying to accomplish together requires a certain caliber of people. We have them. That’s why we’ve been so successful. That combination really keeps me going.
…and you get calls for some of the biggest breaches on the biggest networks.
Yes, our new analysts come in here hungry. We don’t get the candidates that have never heard of FireEye or Mandiant. They’ve read all the papers and they want to get in the game too.
What do you see across the threat landscape? Do you see any technologies that you think could really change the game from the defender perspective?
The attackers are using encryption, which has already defeated some of the defenses we’ve stood up. For example, in 2010 or 2011, we started pushing signatures for SMB lateral activity, so attackers are using encryption now or binary protocols that are more difficult to detect. So having a general understanding of what or where the encryption is is getting pretty key, because it really hampers our game a little bit.
What do we do about that ultimately? Can we hunt for the use of encryption based on the certificates they’re using? Are there patterns in their communications? What’s our counter to that?
Yes, we’ve had signatures for certificate metadata for a while. The attackers are getting pretty crafty, and they’re using legitimate services such as SSL-encrypted sites, even Gmail. How do you find an encrypted session going to Gmail that’s malicious? If you can solve that, you’re probably going to make a lot of money! We’re addressing that by having an SSL man-in-the-middle appliance that we can insert and get some visibility into the encrypted streams. I think that the solution to this problem may exist on the endpoint, and I think that technology that gets us on an endpoint where we can see the traffic before it's encrypted is going to be one of the most important things so we can apply detection there.
So given everything that you see, if you were to boil it down to one or two pieces of advice for either the CISO or someone responsible for defending a network, what would tell them to do?
I think that the biggest thing a CISO needs to be aware of is knowing and understanding their defensive capabilities and more importantly, what they’re defending. I think they want to know what the attackers want in their environment and design a defense around that. They have to really figure out where they’re weak and where they’re strong. So if they’re good with intelligence or incident response, or have great visibility but bad patch management or vulnerability management, then they need to find that gap and attack it. We always talk about this layered defense approach and every one of those layers needs to be strong to work together to keep the attackers out.
Many organizations are not ready to run their own intel shop, incident response, SOC, vulnerability and patch management. It's really, really hard to do that. They have to know their environment to make the best decisions there. They need to understand, or find out, how and where encryption would help or where it hurts and specifically, where it hurts or helps their defensive posture. So if everything is going to the cloud and that's encrypted along the way, they have to figure out how they can get some visibility into that traffic to defend against what's going on in it or at least be aware of it. So they need to understand their security posture in terms of encryption, and figure out where it makes sense to relax it or enforce it or at least get some insight into it.
Are you implying that there's over-encryption at times? I guess, we're moving to a point where everything will be encrypted at a certain point, so you're just saying you've gotta have that visibility in the middle there?
I think we might be over-encrypting some stuff. I think there're places where it makes sense, if you have a PCI or a highly sensitive healthcare data, etc. But for example, at a small firm that trades with mostly private intellectual property, encrypting SMB streams isn’t valuable because defenders are probably the only ones sniffing SMB traffic for anything. So when you shut down that visibility for us, we lose some lateral movement insight, file transfers, credential dumping, all kinds of stuff that we want to have. If you've got Windows 8 or Windows 10, consider whether that host-to-host encryption is worth it. Consider whether your proxies and your SSL-enabled HTTP proxies are worth it. I'm sure they are in most cases, but where it doesn't make sense to do that, at least try to tap into it, get some man-in-the-middle in there and at least see that traffic.
I think what you're saying is that we sometimes have a knee-jerk reaction and want to encrypt it all, but we really need to make more of that risk-based decision?
Yes, that’s exactly right. I think it's totally risk-based and I think part of our onboarding process in FaaS has us asking customers those questions. It's about, “Can you afford to relax this security measure here,” which feels strange because you never want to tell a customer to be less safe, and that is what people think about when they think of less encryption. But if doing that enables our visibility, then they’re probably safer overall. So we have those sorts of conversations and try to determine that trade off.
Learn more about Pete and others from the FaaS team here.