Executive Threat Briefing: Responding to Cyber Espionage and Advanced Targeted Threats

Recently we hosted Mandiant's fifth Executive Threat Briefing of the year, a lunch event at RN74 in Seattle, WA. We had a great crowd representing a cross-section of companies in the Seattle area, which led to some interesting dialog on how we should respond to cyber espionage and advanced targeted threats.

Our three speakers laid out some big-picture themes: Richard Clarke, former counterterrorism czar, talked about the nature and scope of the threat; Kevin Mandia, CEO at Mandiant, shared more detail about the threat and what it means for us; and I spoke about the organizational response.

Mr. Clarke started by talking about a taxonomy of cyber threats, using the CHEW model: Crime, Hacktivism, Espionage, and War. Espionage is the most concerning of these; crime and hacktivism are problematic, but their impact is more limited. The threat of cyber war (the title of Mr. Clarke's latest book, incidentally) is very real, but there are few regimes that would benefit from an all-out cyber war. Espionage, however, is occurring today on a scale that few realize. He provided examples, including one company that "lost intellectual property that had cost $1.3B to develop, in a matter of 30 minutes." It was useful when Mr. Clarke highlighted the risks to transactional data such as details around pending M&A activity (for more information on cyber threats and M&A activity, check out my recent M-Trends blog post). We often imagine that cyber spies are only looking for jet fighter designs or chemical formulas. However, we know their interests extend to anything that might be useful for a growing economy or might further their international business dealings.

Kevin Mandia took the stage next and started his talk by reminding us that responsible, well-funded, mature security organizations are still constantly being compromised. It doesn't matter if you're an "A" at security or a "B-"... the adversary scores any organization with an "F," as we've yet to see an organization that avoids compromise while remaining connected to the internet. In today's threat landscape, quickly detecting, responding to and containing targeted threats is paramount to an organization saving millions of dollars in lost intellectual property. During his presentation, Kevin highlighted several key trends from M-Trends: An Evolving Threat. He elaborated on M-Trend #1, which illustrates how malware is only present on 54% of the compromised systems we find. If you follow this blog, you've probably heard that stat a few times already, but I don't think it can be repeated often enough. If you are just looking for malware, you are missing half the story. I recently wrote an in-depth blog post on this M-Trend; you can read it here.

I had the unenviable task of following Dick and Kevin in the speaking rotation. If there's one thing I know about, though, it's how it feels to be sitting in the hot seat when your organization is under attack. I shared "Five Things I Wish I'd Known Before The Breach." I'll elaborate on these in a future blog post, but they include:

  1. the importance of a real, rehearsed IR plan (Sounds trite. It isn't.),
  2. traditional vulnerability management is a distraction,
  3. visibility matters most,
  4. carpe crisis, and
  5. being the victim of cyber espionage changes everything about your organization's security program.

The audience Q&A has become the highlight of these breakfast briefing sessions. One theme that continues to be on everyone's mind is information sharing. In each event, we have fielded a lot of questions about who should share what, the incentives to do so (or not to), and the pending legislation that would impact this area.

We'd like to do a few more of these events in 2012, and are narrowing down the list of cities (we've hosted in Houston, DC, NYC, LA, and Seattle so far). Let us know if you'd like to see us in your area, and keep an eye out for the next Executive Threat Briefing!