The following is a Q&A with Nicole Oppenheim, manager of Advanced Practices for FaaS (FireEye as a Service). Nicole is responsible for reviewing our analytical strategy within FaaS and determining the best way forward to find advanced attackers.
For someone who's not really familiar with FireEye as a Service, FireEye products generate alerts, as well as our threat intelligence. But it sounds like your team is really above that. If it's not triggering an alert, what do you do beyond that?
We look at the attacker life cycle as a whole. We try to figure out where our different detections lie within our products and how we can collect evidence using those different products. We make sure that we cover the different attack lifecycle stages to ensure that we have the maximized coverage for our customers.
How did you initially get interested in cyber security?
At 16, I was a high school work-study at NSA. I knew that I wanted to catch bad guys and I liked computers. I wanted to join the FBI and look through real crimes, but I wanted to use computers. I talked to FBI guys and they told me to come back after I got my degree. And at NSA, a lot of the leaders there said, “Hey, while you're getting your degree, why don't you come over and work in our Threat Operations Center?” I was put in a SOC (security operations center) and we were tracking down what is now Advanced Persistent Threats. I just had a knack for it. I liked bad guys, I liked tracking down what happened and I love network analysis.
So you were working for the NSA from like high school all the way through college? What background did you have to do that?
Both of my parents worked there for a long time. And in Maryland, if you’re within driving distance, they have a high school work-study program where you can apply and then they'll assign you to an office. I happened to just get lucky to be in the office that morphed into doing cyber threats.
So from there, how'd you find your way to the FaaS team?
I worked with a lot of different law enforcement agencies, tracking down different intrusions into military installations. It led to multiple people who went to Mandiant. So by working with them and seeing where they were, it kind of pulled me in. Seeing where the threats were going, I could tell it required help that the government wasn't going to be able to provide. It really led me to want to go and help out these companies. So I went to Mandiant as a network analyst, and that morphed into our managed service provider, which is now under FireEye as FaaS.
So you obviously see some of the most interesting things across our FireEye clients. Can you share some interesting findings? What has the team been coming across lately?
I think the biggest trends we’ve been seeing are the use of legitimate services for command and control (C2) and the increased use of SSL-enabled backdoors. So the combination of SSL-enabled sites to legitimate infrastructure – attackers using these types of services presents a unique challenge for us. We've worked multiple different intrusions over the past couple months that involved backdoors calling out to these different sites to get C2 locations.
And for those who aren't as familiar with that type of threat, what makes it so much more difficult?
What makes these really unique and challenging to discover is the idea that normally you would just rule out these big service providers. So the infrastructure itself can't be used as a key-off because there's so much legitimate traffic going to it. On top of that, it's going to the SSL-enabled version, so having legitimate certs going to legitimate infrastructure, you can't see the underlying traffic to determine if this is a C2 protocol or is this legitimate traffic.
That's kind of one part of an evolution that we've seen just in the way attackers work. I thought it was really evident in the HAMMERTOSS report last year, where the C2 was being hosted on sort of legitimate architecture. Back to the old APT1 report from years ago, there were servers they were maintaining in their building. It has changed so much.
Yeah, it's interesting to watch the evolution. In an old APT1 case, we had a self-signed cert to go in that infrastructure and catch them. Now, having these groups that are not only going to one legitimate site, but using it for multiple stages of their intrusion is even harder because when you look at the world in legitimate user traffic, the ones that blend in a lot more are the ones that are harder to confirm whether they are attackers or users.
It really changes the game. So if attackers are all using legitimate infrastructure, what are some things you can do to detect them?
We can’t just rely on one thing to detect them. Looking through what we can do for detections, anomalies or statistical machine learning, what evidence we can pull off a box and then process: how do we use it holistically together and not individually? So we don’t just rely on a Snort rule or detection or one particular IOC; we have to use it all together. That's where we've been really focusing our efforts on trying to see the whole picture, and using it all together to benefit us in the long run.
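The two answers above (C2 over SSL-enabled legitimate services, and detection that combines several signals rather than keying off infrastructure) can be illustrated with a small scoring script. This is an added example, not FireEye or FaaS code; the proxy/TLS-metadata log lines, the hostname `docs.example-cloud.com`, the weights and the thresholds are all constructed for illustration. It shows why a destination-only rule surfaces nothing against an allowlisted service, while beacon regularity and request-size consistency, both visible without decrypting the sessions, still separate a periodic beacon from an interactive user of the same host.

```python
"""Added example (not FireEye/FaaS code): scoring (source, host) pairs on
several weak signals at once instead of keying off the destination alone.
Log lines, hostnames, weights and thresholds are constructed."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy/TLS-metadata log: "timestamp src sni_host bytes_out bytes_in".
# Payloads are not available (TLS), so only connection metadata is used.
SAMPLE_LOG = """\
2016-03-01T09:00:00 10.0.0.5 docs.example-cloud.com 512 1024
2016-03-01T09:05:01 10.0.0.5 docs.example-cloud.com 512 1030
2016-03-01T09:10:00 10.0.0.5 docs.example-cloud.com 513 1024
2016-03-01T09:15:02 10.0.0.5 docs.example-cloud.com 512 1021
2016-03-01T09:20:00 10.0.0.5 docs.example-cloud.com 512 1024
2016-03-01T09:25:01 10.0.0.5 docs.example-cloud.com 512 1024
2016-03-01T09:01:12 10.0.0.7 docs.example-cloud.com 2048 98000
2016-03-01T09:14:45 10.0.0.7 docs.example-cloud.com 730 15000
2016-03-01T09:47:03 10.0.0.7 docs.example-cloud.com 1900 220000
2016-03-01T10:21:30 10.0.0.7 docs.example-cloud.com 640 4200
2016-03-01T11:02:09 10.0.0.7 docs.example-cloud.com 3100 50000
2016-03-01T11:30:00 10.0.0.7 docs.example-cloud.com 800 9000
"""

# A big legitimate service that an infrastructure-only rule would exclude
# because so much normal traffic goes there (constructed hostname).
ALLOWLISTED_HOSTS = {"docs.example-cloud.com"}


def parse_log(text):
    """Group sessions by (source, host), keeping (timestamp, bytes_out) sorted by time."""
    sessions = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, host, out_b, _in_b = line.split()
        sessions[(src, host)].append((datetime.fromisoformat(ts), int(out_b)))
    for key in sessions:
        sessions[key].sort()
    return sessions


def _consistency(values):
    """1.0 when all values are identical, falling toward 0 as they vary.
    Based on the coefficient of variation (stdev / mean)."""
    if len(values) < 2:
        return 0.0
    mean = statistics.mean(values)
    cv = statistics.pstdev(values) / mean if mean else 1.0
    return max(0.0, 1.0 - cv)


def beacon_regularity(times):
    """How periodic the inter-arrival gaps are; a timer-driven beacon scores near 1.0."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return _consistency(gaps)


def size_consistency(sizes):
    """How uniform the outbound request sizes are; a check-in beacon scores near 1.0."""
    return _consistency(sizes)


def score_pairs(sessions, min_sessions=5):
    """Combine the weak signals into one score per (source, host).
    The destination itself is deliberately not a signal, so an allowlisted
    host can still score high."""
    scores = {}
    for key, rows in sessions.items():
        if len(rows) < min_sessions:
            continue
        times = [t for t, _ in rows]
        sizes = [s for _, s in rows]
        scores[key] = round(0.6 * beacon_regularity(times) + 0.4 * size_consistency(sizes), 3)
    return scores


def infrastructure_only_hits(sessions):
    """What a rule keyed on destination alone surfaces: nothing for allowlisted hosts."""
    return [k for k in sessions if k[1] not in ALLOWLISTED_HOSTS]


def suspicious_pairs(sessions, threshold=0.8):
    """Pairs whose combined score crosses the (constructed) review threshold."""
    return sorted(k for k, s in score_pairs(sessions).items() if s >= threshold)


if __name__ == "__main__":
    sess = parse_log(SAMPLE_LOG)
    print("destination-only rule hits:", infrastructure_only_hits(sess))
    for pair, score in score_pairs(sess).items():
        print(pair, score)
    print("pairs worth an analyst's look:", suspicious_pairs(sess))
```

The point of the design is that neither signal is conclusive on its own: a software updater also checks in on a timer, and small fixed-size requests are common. Only when several such measures agree on the same (source, host) pair, and the pair is then handed to an analyst with the host-side evidence, does the allowlisted destination stop hiding the session.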
So what does your team do when they're not actively hunting for evil with some of these advanced techniques? What's a day in the life of your team?
A day in the life of my team is kind of looking in the future. One of the things that we oversee is how we hunt in FaaS. It’s been interesting to do it as a service because when you think of hunting, it’s very specialized; you pull a ton of data back, you take an expert and their intuition and experience and that's how we hunt. But we have to do it at scale and for 200 organizations, and figure out the right ways to do it. We have to come up with a strategy, so we look toward how do we improve it, how do we do it as a service, how do we look at some really unique and very hard unscalable problems and try to make them scalable for our service? So we spend a lot of time just building out structure and how we're going to view analytics, and how we can put it together into a service and how we can execute it between multiple global SOCs.
I think your team is very emblematic of why we always say good security is not just about a product; it's about the right people, the right intelligence, and the right technology all together. When I hear you talk about what the team does, it's a reminder you can't just drop a product into place and get the same level of protection as you can if you've got a team of experts hunting every day.
Exactly. And making sure that everybody understands the latest techniques, that we've documented the things in the right way, that we're applying our knowledge across all our different customers as fast as we get it and into each of our analysts’ hands. I've seen if there's not a lot of good documentation, structure, good internal learning and information sharing – analysts are learning for themselves. So instead of having all of our analysts individually learn, we want to make sure we're focused on bringing all of those things together, having our analysts understand the products, understanding what each other is going through, and how to solve problems.
Given everything you've seen, if you could give a couple of pieces of advice to someone who's trying to defend their enterprise network, what would you tell them? What do you think the biggest gaps are?
I would say a lot of people just rush into it and that they just start doing things that seem right. I think taking your time and understanding what your end goal is, the purpose of why you're doing security, and how it all connects together is probably where I'd start. Take detection, for example. People think they want to write their own rules. What type of rules do they want to write? What type of things do they want to detect? How are they going to manage the intelligence behind why they put in a rule so when you increase more analysts looking at it, they know what it means? How are they going to prioritize alerts? How do they use detection and alerting with hunting? And then how do they know what their analysts should hunt through and are they duplicating work? So putting the structure in place to be able to make sure that everybody's coordinating, having the right work, organizing your thoughts and your analytical ideas and having a holistic picture of what your operation is doing is the key to making sure that it's long-term successful.
What about tactical things? What do you see, as in, “Not enough companies are doing X?”
I think not enough companies are applying the right sets of data. I think they're just relying on having a feed, plugging it in and letting it take over. I think they need to tactically understand what they’re taking in and how to process it and what it means to them.
What do you love most about your job at FireEye?
What I love most is being able to apply what I've learned over all the years to a service, and to be able to do it globally for multiple different companies. I really love knowing what's going on, I like to watch attackers evolve over all the years. I like being on the other side of the fence, feeling like I'm actually fighting them. One day, I want to be able to look back and see their faces as I was doing something on the other end, because it's a game where there's actually someone on the other end. So I love being able to come in and do that every day and actually have an active role in this fight.
Learn more about Nicole and others from the FaaS team here.