Identifying the Top Threat Actors: Ex-FBI Investigator on New Targets
Cyber-attacks continue to hamper organizations, says former FBI investigator Shawn Henry. And the actors waging the attacks are targeting organizations for more than just fraud, he says.
The three main groups launching cyber-attacks, Henry says, are organized crime, foreign intelligence services and terrorists. And while the groups themselves haven't changed much over the past 12 months, their capabilities have.
"They've become more capable," Henry says during an interview with Information Security Media Group [transcript below]. "They've become more sophisticated."
As organizations work to improve their defenses, threat actors have reacted by becoming more flexible and adaptable, he adds.
"The reality is: The offense outpaces the defense, so they've been able to adapt and to overcome, even against what we would consider to be some of the most resilient defenses," Henry says.
Threat Actors' Targets
The financial services sector continues to be the most-targeted by organized crime, which aims to pilfer sensitive information that can quickly be monetized, Henry says.
"We've also seen some denial-of-service attacks against networks where there might be groups or individuals that are looking to make some type of a social or political statement," he says (see Are DDoS Attacks Against Banks Over?).
Foreign intelligence services, on the other hand, target multiple sectors, from government to manufacturing and energy to communications, in order to extract data that can be shared with industries in their own countries, Henry says.
The other main threat: terrorist organizations, which seek to disrupt critical infrastructure and cause harm to, in particular, the United States, he says.
During this interview, Henry discusses:
- The actors waging attacks against leading U.S. organizations and agencies;
- Why DDoS attacks are concerning;
- The varying threats financial services, government and other sectors face.
Henry, who left the Federal Bureau of Investigation in March 2012, is now the president of cybersecurity firm CrowdStrike. While at the FBI, he oversaw international computer crime investigations involving DDoS attacks, bank and corporate breaches and state-sponsored intrusions. Over the course of his 24-year career, Henry worked in three FBI field offices, as well as in the bureau's headquarters. He oversaw the posting of FBI cyber-experts in police agencies around the world, including the Netherlands, Romania, Ukraine and Estonia.
TRACY KITTEN: Tell us about the work that you did with the FBI.
SHAWN HENRY: I worked with the FBI for 24 years and had a number of different positions. In my last position, I was responsible for all cyber-investigations worldwide, as well as criminal investigations and critical incident response. On the cyber-side, I focused primarily on breaches into networks by criminal groups, organized crime groups, terrorist organizations and foreign intelligence services. That included exfiltration of data where the adversary was reaching into a network to pull out data that they see of value, whether it be intellectual property, research and development, corporate strategies, financial data, as well as denial-of-service attacks against networks and other types of breaches where an adversary is looking to wreak some havoc on an organization or on the victim network.
KITTEN: When did you join CrowdStrike?
HENRY: I left the FBI in March of 2012 and joined CrowdStrike the following week, so April 2012. I've been there about 13 months now.
Evolving Cybersecurity Landscape
KITTEN: How would you say the cybersecurity landscape has evolved or changed in the last 12 months?
HENRY: It's an interesting question. I don't think the landscape has actually changed much. I think the exact same threats that were here when I left the Bureau are still here. What has changed is the awareness of the private sector. There's a lot more that's occurred here in the media that has gone out publicly. People have become aware of the threats. Organizations have begun to recognize the impact that they face and the real damage that can be inflicted, and that's not been out publicly for many years in my service in the government. That really is the most significant change, the awareness. But the activities have not significantly changed.
Top 3 Threats Facing Banks
KITTEN: What would you say are the top-three threats banking institutions face?
HENRY: The financial services sector is probably, in my opinion, among the best protected sectors regarding networks. What we see primarily facing the financial services sector is theft of PII, personally identifiable information, primarily by organized crime groups who are targeting networks, trying to steal data which they can very quickly monetize. They do that regularly. They target not only the corporate networks, the financial networks, but individuals as well, trying to capture credentials, usernames and passwords so that they can access accounts. We've also seen some denial-of-service attacks against networks where there might be groups or individuals that are looking to make some type of a social or political statement. They recognize that western society and the United States as a whole relies substantially on the financial services sector, so it really is seen as a target of the west, as a symbol of the west and the prosperous United States of America. It's oftentimes a target of those types of groups.
Threats to Other Sectors
KITTEN: What about other sectors, including government?
HENRY: They're similar; they're not the same as what the financial services sector faces. As it relates to government and other sectors, there are oftentimes foreign intelligence services that are looking to pilfer data which they can then share with their industries in their countries, so that they have some type of a competitive advantage. Certainly, the financial services sector is not immune to that. They do get breached by foreign intelligence services that are looking for financial strategies, are interested in mergers and acquisitions, and are interested in partnership deals the financial services sector might be facilitating or enabling. But they're not the primary threat. It's those organized crime groups. The foreign intelligence services are hitting every sector in the country: government, military, defense contractors, manufacturing, energy and communications. It really cuts across all sectors. The other group that's a significant threat is terrorist organizations that seek to potentially disrupt critical infrastructure and to cause harm to the United States.
KITTEN: How have the actors who are waging some of these attacks changed in recent years?
HENRY: I don't know that they've changed drastically. The same types of groups that I put into three different buckets - organized crime, foreign intelligence services and terrorists - remain primarily the same. We've seen these hacktivist groups which I would really kind of put in the terrorist bucket, but the groups themselves haven't changed. Their capabilities have changed. They've become more capable; they've become more sophisticated. They've had to become flexible and they've had to adapt their capabilities as defenses have gotten better and as organizations have become more aware or more resilient in their defense. But the reality is the offense outpaces the defense, so they've been able to adapt and to overcome even what we would consider to be some of the most resilient defenses.
KITTEN: Would it be fair to say that attacks backed by nation-states are posing greater worries today?
HENRY: Again, I think it really depends. It depends on who you are. If you're a defense contractor that's developing certain military capabilities for the next-generation war fighter, nation-state is a significant worry to you. If you're a financial organization, you're probably more concerned about the organized crime group because that's the thing that might impact your bottom line. If there's a $10 million loss, it's going to be on the balance sheet. People are going to see it, maybe the media. It's going to pose a risk to the organization's reputation. That's going to pose a risk to their operations and customer confidence sometimes. It really depends on who you are as to what the greatest worry should be to you.
Some have said that nation-states, because they're so closely tied to the U.S. economy, would not necessarily take destructive actions, where a crime ring might attack a company and pose some type of a threat to data, to destroying data, in exchange for some type of a monetary reward. We've actually seen extortions where companies have had their networks breached, and they've then contacted the company and said, "We'll be happy to turn your data over for a $150,000 consulting fee. And if you don't, then we're going to destroy your data." It really depends on who the organization is [regarding] what their greatest threat is.
KITTEN: Would you say that the lines that divide these groups are blurring?
HENRY: We have seen some overlap. It's not always clear. It used to be clearer in the past, but I think that the capabilities of some of these organized crime groups are such that they actually approach the maturation level of foreign intelligence services. They're very, very capable; they're not just kids [moving] around on the network. These are organized, methodical and well-practiced, so I do think that there's a bit of a blur. It's also not always clear that the groups and some of the individuals in the groups aren't crossing lines perhaps, working for the government on one hand and then perhaps on the weekends moonlighting and doing some work for themselves.
KITTEN: Do you see international investigations improving?
HENRY: Every cyber-investigation for the most part has some international nexus. There's something that either originates or ends internationally or transcends an international point. From an information-sharing perspective, it requires good coordination and good lines of communication, both in the private sector and in the government sector. In terms of identifying who the adversaries are, there needs to be what I call actionable intelligence sharing, where government-to-government they've got to share indicators that will help to identify who the adversary is and if they can arrest them or take some type of action to thwart the attack.
From the private sector perspective, there needs to be sharing even within the same companies that have international capabilities across many countries. They need to share information, actionable intelligence, so that they can better defend themselves and provide a better defense. I do think it's improving. Again, the awareness piece is really important, the fact that more organizations have visibility into these types of attacks and they have a sense of understanding about what the impact is. That encourages better sharing of actionable intelligence.
Information Sharing Challenges
KITTEN: What are some of the challenges facing information sharing?
HENRY: There are a couple of things. One, I think the sharing between the government and the private sector is still not as robust as it needs to be. There are a lot of reasons for that. One is the lines are not clearly drawn of exactly what companies need and what governments need. There's a national security perspective sometimes, so it's difficult to share classified information. That's a bit of a challenge. Companies still have some concerns that by sharing information they'll be revealing unnecessarily to the public that there's a problem on their network, causing some type of a loss of confidence potentially with their client base. All in all, I think it is getting better. There's still a long way to go, but it's certainly one of the bigger challenges.
The last piece I'll add is the concern people have about privacy. What are we sharing? I would argue that there's no need to share content. You don't need to share Word files; you don't need to share content of e-mails; you don't need to share spreadsheet information. What you need to share is a lot of the technical data, what we call indicators if there's been a compromise, the signatures of malware and the types of information that would help to identify how an attack occurred and who might have launched an attack, but does not compromise the actual content of data. But that privacy piece is rightfully so a concern by many people, both public and private, and it does cause some consternation when you talk about information sharing because people just need to be educated about what that information really is.
KITTEN: What can you tell us about what's likely going on behind the scenes?
HENRY: Let me first say that I do not have any inside information about what's occurring. Any of my comments relate specifically to my observations from the outside looking in. But I think that there's certainly a cause for concern any time there's some disruption of service; or when people have difficulty accessing their networks, there's a cause for concern. I would think that the FBI would be looking quite closely to try to determine where the attacks are coming from. I think that they would likely be working with international partners, both in the intelligence community as well as in the law enforcement community, to try and identify what the sources of attacks are. Once you can determine where those attacks are coming from, you can take law enforcement action to disrupt the networks that are launching those attacks and actually disrupt the people that are causing those attacks. Through the execution of search warrants or arrest warrants and the like, that's going to be an action that's going to help mitigate the threat, by actually taking the bad actors off of the playing field.