Brittany Day recently had a conversation with acclaimed cyber security expert Ira Winkler, author of Advanced Persistent Security: A Cyberwarfare Approach. Mr. Winkler is a security researcher and a former NSA employee who writes about cyber security and enterprise digital threat protection.
In this interview, he discusses his career, his views on computer security and his role in building effective enterprise protection systems.
Mr. Winkler is also the President of Secure Mentem. As an author, his writings clearly explain the ongoing threats that businesses face and the approach they should take to effectively combat them.
Understanding threat actors’ motives is extremely important in successfully fighting attacks. Winkler’s background in psychology has provided him with a unique and exceptional understanding of this aspect of cyber security threats.
Ira Winkler is a renowned security researcher and author with a background in Psychology, which has enabled him to better understand threat actors’ strategies and motives. Ira, how did you get involved in security and how did your career as an author begin?
My career as an author with an expertise in cybersecurity had a somewhat unusual beginning. As you mentioned, I earned my undergraduate degree in Psychology. At the time, I did not have much of an interest in computers or digital security. However, I wanted a job in the foreign service, but the career counselor also recommended I take the test for the NSA. I took a test for the NSA, which showed I had an aptitude for many career fields. I took a job as an intelligence analyst, which I hated. So, I applied for the Computer Intern program, where I was retrained as a computer systems analyst. After a few years, I left the government and went to work for government contractors. They had policies that if you were accepted to a professional conference, they would have to send you, so I submitted conference papers and articles about security, which received a great response. I went on to write my first book, Corporate Espionage. A year later, my second book, Through the Eyes of the Enemy, was published. Since then I have written Spies Among Us, Zen and the Art of Information Security, and Advanced Persistent Security. I am currently in the process of writing my sixth book, You Can Stop ‘Stupid’, which will be published in 2020.
Ira Winkler uses the term Advanced Persistent Security to describe a proactive approach to enterprise cyber security which includes an effective protection/detection/reaction strategy. Ira, can you sum up what Advanced Persistent Security means to you?
The term “Advanced Persistent Security” should be referred to as adaptive persistent security. This concept describes a comprehensive security approach that takes protection, detection and reaction into account. I think it is important to grasp that security fails when a threat actor gets out, not when he or she gets in. The problem is that the criminals go undetected. In many cases, threat actors are not outsiders. Rather, they are employees. This is something that is important to consider when creating a protection/detection/reaction strategy. Another important concept is that there is no such thing as perfect security. Threat actors are always thinking of new ways to carry out attacks, hack into networks and compromise information. They are often highly persistent and refuse to give up until they have succeeded. Thus, businesses should expect this and build failure into their security posture. A successful protection/detection/reaction strategy matches the persistence of attackers’ methods and evolves to take the latest attack variations into account. As I state in Advanced Persistent Security, “Advanced Persistent Security is Defense in Depth that is enhanced with a comprehensive methodology for integrating the appropriate and properly configured detection capability, along with proactively implementing and executing a reaction capability.”
In Advanced Persistent Security, you explain the importance of designing and implementing an effective enterprise protection/detection/reaction strategy. In your opinion, what is the biggest misconception that currently exists regarding enterprise protection/detection/reaction strategies? What is a common security mistake you see many businesses making?
As is true in many aspects of life, people often fail to consider the basics when thinking about enterprise protection/detection/reaction strategies. It is not uncommon for security experts to focus on addressing highly complex and somewhat obscure attack variations, and to neglect basic cyber hygiene. Basic attacks are still around because they are highly successful. For instance, the latest attacker du jour, APT 10, began their latest attacks with a classic spear phishing email.
Threat intelligence is a complex concept that many people do not fully understand. Your book Advanced Persistent Security talks about building a threat intelligence program. Can you tell our readers what that means and how one would get started doing that?
Threat intelligence means different things to different people. In my opinion, a true threat intelligence program stands apart from traditional security technologies and products in that it is an ecosystem that can be tuned, programmed and continually analyzed to suit the resources and threats that they are working against on a daily basis. The first step in building a successful threat intelligence program is proactively determining the types of threats that pose a risk to your business. The more specifics the better: try to identify who would carry out these attacks and the tools and methods they would likely use to do so. This information is important in developing effective countermeasures. In general, businesses need to be better about planning and preparing for attacks, not just reacting to them.
The Dark Web is a term that refers to a collection of websites that exist only on an encrypted network and cannot be accessed using traditional search engines or browsers. Many security researchers and ethical hackers use the Dark Web as a resource for their research or their work. How can a security researcher or ethical hacker benefit from using the Dark Web?
Although the Dark Web has a bad reputation, it does have some benefits for security researchers and hackers. Primarily, the Dark Web has great resources for finding and buying attacks of different types. It makes committing computer crimes easy. However, if you monitor it appropriately, you can stay abreast of the latest concerns. While the Dark Web does contain a lot of illegal material, it is interspersed with valuable resources and research material.
Botnets have been a major security concern for the past 20 years. What are some current trends you have noticed related to botnets? How do you feel they should be addressed?
To be honest, not much has changed regarding botnets since hackers began using them. Approaches that are currently being taken to combat botnets are generally ineffective, because they are reactive instead of proactive. In other words, people try to blacklist botnet nodes after an attack is in progress, but do not try to take down botnets as they are built. Even when you know where they are, it takes a coordination of law enforcement and vendors to take them out.
The digital threat landscape is always changing and evolving and attacks are becoming increasingly advanced and dangerous. In what ways do you feel cyber security has changed/evolved over the past five years? What changes do you expect to see in the next five years?
In my opinion, the same underlying problem persists: known vulnerabilities are not being patched. Companies and vendors are often careless when it comes to fixing known security bugs that exist in their products, and then it comes as no surprise when these flaws are exploited. This is essentially a cyber hygiene issue. Threat actors are succeeding due to known weaknesses that should not exist, coupled with ineffective protection/detection/reaction strategies.
Email attacks are more sophisticated and targeted than ever before. What do you feel is the single biggest email threat that businesses currently face?
This is a difficult question to answer, as the email threat landscape has become very diverse and complex. I will say, however, that malware, ransomware, and phishing have always been and continue to be very successful methods of attack. Even with user education and training, user behavior is unreliable, so it is critical to create a strong environment around the user through the use of technology. Investing in a well-designed email security gateway is the single best way to mitigate email threat risk by preventing the attack from getting to the user.
Social engineering plays a critical role in many email attack variations like spear phishing, whaling and BEC. In what ways do you think that social engineering has changed/impacted the email threat landscape over the past five years?
This may come as a surprise, but I actually don’t think social engineering has changed much at all in recent years. Social engineering attacks have been centered around lying and manipulating from the start. Attacks vary greatly and the tactics used can be very creative and unique; however, the motives behind these attacks are the same as, or very similar to, what they were in the beginning: to deceive users into sharing confidential or personal information that can be used for fraudulent purposes.
Guardian Digital is looking forward to following up with Ira in another interview once his next book, You Can Stop ‘Stupid’, is published in 2020.