Though the typical image of a hacker is that of a hardened, determined criminal, that’s not always the case. Most hackers – like all other humans – are lazy. They’re just in it for the money, and they want to make it as easily and quickly as they can. For defenders, the goal should be to place enough controls on your systems that it makes life hard for threat actors, forcing them to move on to the next potential victim.
In the third episode of our Cybersecurity Awareness Month podcast series, we welcomed back friend of the site Lesley Carhart, director of ICS cybersecurity incident response at Dragos. They discussed how to make hackers’ lives more difficult, why it’s essential to prepare for a cyber incident and how to improve the talent pipeline. Listen to the entire podcast here, and listen to Carhart’s first podcast with ICS Pulse here.
The following has been edited for clarity.
Gary Cohen: Cybersecurity Awareness Month always highlights a few key behaviors, things like multifactor authentication, passwords, updating software, etc. What do you think people should be focusing on this month?
Lesley Carhart: I’m afraid it’s the basics for me, too. Those things that you just named, like multifactor, enabling good multifactor, not reusing passwords, using a password manager, doing updates to computer systems, for the average person, raise the barrier of entry for most criminals out there in a significant way that makes them look for another target. I understand that what we, as security professionals, say is a lightweight thing, like getting a password manager or a YubiKey to do authentication instead of just reusing a password all over the place, is actually very challenging. That’s a lift. It takes time out of your day, and it can be technically challenging, especially if there are things like vision impairment to deal with. So we understand there are challenges, but do understand that if you can make the time and find the assistance to do those things in your daily life, like get a password manager, use multifactor authentication, especially strong multifactor authentication, like an authentication app or a YubiKey, what I say to people is, “Make the bad guys’ lives harder. Make their lives harder, so they target somebody else.”
It’s just like your home. It’s just like your house. If you just close your door, it might deter people who accidentally were going to walk into it from walking in. If you put a deadbolt on, it slows some people down, and they go to the next house. But if they really are motivated, they’re going to break a window. So you install a security system, like an alarm system, and that deters a lot of people, seeing that sign out in your yard saying you’ve got an alarm system, and somebody will respond. They might move to the next house. Then, you can keep increasing that security in a way that it deters more and more crime. A really dedicated person will always find a way to get in with enough time and resources, but it’s the same with your digital security. Doing those steps, like doing multifactor, getting a password manager, updating your systems and making sure that they’re current on security patches are a level of deterrence that can cause the bad people out there, the cyber criminals, to choose another target. And that’s a big deal. So make their lives hard.
Cohen: It might seem simple, but how many of the major headline-grabbing cyberattacks in the last few years have been because of shared passwords or somebody went off the default passwords, simple things that should have been done?
Carhart: Look, I do this for a living. I do incident response for a living, and we almost have in-jokes in our community now of when we see a company release a press release that says, “There was a major cyberattack. It’s disrupted operations.” If it doesn’t say what it was, it doesn’t say a specific thing that they tried to do, like steal a bunch of stuff or tamper with a specific system, we just automatically jump to the conclusion that it was ransomware, and the adversaries got in using one of those simpler methods. Because we see those cases again and again and again for individuals, for consumers and also for companies, from small companies to big companies.
Again, one of the rules I tell my students is that hackers are lazy, just like everybody else — path of least resistance. They will choose the easiest targets to make the most money as fast as possible, because for the most part, they’re in it for the money. They’re going to choose the easiest targets, and they’re going to be deterred from the ones that are harder targets. But what we do see repeatedly is simple things getting abused to compromise both consumers and companies. A lot of it is ransomware, because that’s a very effective way to make money.
Cohen: What trends or developments in cybersecurity are you particularly excited about heading into the new year?
Carhart: I really like some of the programs for improving our pipeline of new talent into the field. I’m really excited about that. It’s something I’ve been passionate about for my whole career, because it was so challenging for me to get into the field. I’m seeing a lot more scholarships. I’m seeing a lot more hiring clinics. I’m seeing a lot more companies develop pipelines for non-traditional talent. A lot of companies had pipelines to train talent before, but the only ones that were really getting non-traditional backgrounds were the military branches. Now, we are starting to see organizations, like the big training and certification firms, and also large companies, that have pipelines for new and junior talent, trying to find talent in different places than just people who have university degrees. Because, unfortunately, a lot of people who are getting those degrees, they all look the same. They’re all from the same background, especially financial background.
There are a lot of people out there who will be great at cybersecurity and can’t afford to go into debt forever in college loans. And maybe they can’t join the military. So we never see them in this field, and we need more talented people who are willing to learn and willing to grow, and not just maybe get a degree because it sounds good and they have the money. I really am excited to see a lot of those organizations trying to find new and creative ambitious ways to recruit talent from people who didn’t necessarily come from the military or from a prestigious college. I think that’s really, really cool.
Cohen: I love that answer. I feel a little greedy asking you this next question, because you already gave us a great story in our last podcast, but can you share a memorable experience or a case from your career that really highlighted for you the importance of cybersecurity?
Carhart: I see a lot of cases, and I’m not allowed to talk about a lot of them, because they’re under non-disclosure agreements. What I will tell you is that I see a lot of the same problems again and again, stories that will never make the news. Some of the saddest cases that I see are the organizations that don’t prepare for incident response in advance. They never want to believe. Just like when we’re young, we think we’re invincible. Organizations never want to believe that they’re going to have a cybersecurity incident. The saddest cases for me, and some of the most emotionally impactful ones, are the ones where organizations never planned to have a cybersecurity incident because they thought they were not going to be a target. They weren’t big enough. They weren’t important enough. They weren’t in the right vertical. They have an incident, and they have no plan.
What that means is they scramble, and it becomes a very expensive, very panicked scramble. And what I’ve seen happen in a few cases that really, really hit me in the gut was they Google for help. They start Googling down the list of, “Who can help me?” They start calling the large, credible cybersecurity firms for assistance, and everybody’s backlogged. There are tons of cases, especially ransomware cases right now. So if you don’t have a retainer in advance with an incident response firm and you can’t do it internally, you’re going to wait, typically. You’re going to wait for help. And when you get that help, when they finally have people, it’s going to be at a much higher hourly rate. Now, the unfortunate thing is, when you’re doing that Google dance, everybody knows that people who shouldn’t be able to advertise on Google do, and they sell things they shouldn’t be selling.
People know that you want to buy incident response services, and they know you’re in a crisis. There are, unfortunately, groups of people out there who will take advantage of that. If you Google first to buy something on Google, you will find somebody willing to sell you that. It might not be quality. It might not be legitimate. What I’ve seen happen is they do that Google dance, and they keep calling down the list on Google until they reach somebody who says, “Oh, yeah, sure, we can fix your cybersecurity problem.” So, they’re like, “Yeah, yeah, how much money do you want?” And it’s $600, $700 an hour, and they really don’t know how to do incident response in their environment. In my case, it’s particularly industrial environments. They either damage the environment, or they just make up a conclusion about the source of the breach, and they write a report. They take a bunch of money away, and it’s incredibly unscrupulous.
Again, there’s always going to be somebody who’s willing to sell you anything you want on the internet. What happens in a lot of those cases is they realize that they got a bad product, and they have another breach or something, and they call somebody like me or my colleagues, my peers at other organizations, that are credible and reputable, and we have to redo the whole effort. At that point, the forensic evidence has been stomped on. They’ve already paid for an entire incident response effort at hundreds and hundreds of dollars an hour, and they’re out a massive amount of money. They’re out time, evidence has been destroyed and we’re trying to redo all of the work to try to figure out what happened and prevent it from happening again. That’s even more operational time when they’re down, so it drives me crazy.
I’m a pretty ethical person, and that organizations will lie and say they can do incident response in a process environment or do incident response at all, and they’ll produce a shoddy product just because they know people are desperate and they’re in a crisis, that kills me. That makes me really mad. But those people can have the same certifications. They can definitely get the pieces of paper, and they can look really credible on their email signatures. It’s why it’s so, so important — and I’m not trying to sell something here — but it’s so important, if you work for an organization, to have a plan for what you’re going to do if you have a cybersecurity incident. I gave you an example earlier that it’s like protecting your house. If there’s somebody who’s motivated enough or you just have a bad day or you get unlucky, anybody can be the victim of a cybersecurity breach or incident or malware infection, ransomware infection.
It can happen to anybody. It can happen to you. You can be a target for a multitude of reasons, even if you think you aren’t. You need to have a plan of who you’re going to call and what you’re going to do in an emergency. It’s like being an ER doctor. It’s like being a firefighter. You need to have a plan and drill it in advance. And that includes knowing who’s going to do the incident response in your environment. Have an internal team or have a retainer with an incident response firm. They’re not that expensive. You get incident response at a much lower rate typically. So have a plan because there’s people that are going to take advantage of you if you don’t, and it’s going to cost you a lot of time and money and stress.
Cohen: One of the people that we talk to pretty regularly does cyber simulation training, and I was asking her about companies she talks to, especially in this field. I asked, “What do you find? Are they totally not ready?” And she said, “You know, actually, I was very impressed with their lack of overconfidence.” I thought that phrase was perfect. Don’t assume you know everything. Don’t assume you’re never going to get hit because you’re the CEO or you’re Google or whatever. Be humble enough to go, “Yeah, it can happen to all of us. It can and will at some point.”
Carhart: We’re desperately trying to remove that stigma. There’s a lot of problems with the stigma around cybersecurity incidents. First of all, we don’t know what’s going on if nobody says anything. We have some visibility to our customers, and what’s happening in our customer base is different from our peers’ and our competitors’ visibility. Nobody’s talking about what happens with them because they’re embarrassed, especially in the industrial space. We have ISACs for sharing intelligence. There are industry and vertical sharing groups, where people are supposed to be sharing those things in private with their peers and their vertical, but it’s not enough. People are still embarrassed to admit things, or there’s legal liability potentially.
It’s really bad because nobody’s getting a clear picture. Nobody’s getting the intelligence in advance that they might be a target of the same things. It’s a bad situation, and we’re trying to fix that by making it more normal to understand that anybody can be a victim of these things. You should do the basic cybersecurity things. It’s possible to make mistakes. Anybody can make mistakes. We try to do our best to build good defense-in-depth. So it’s not as big of a deal, but it can happen to anybody, and we should be talking about those things.
Cohen: There have been a lot of cyberattacks lately — headline-grabbing ones from SolarWinds to JBS — and a lot of these attacks have been on OT/ICS systems. What have we learned from this recent slate of major attacks that have made headlines?
Carhart: It’s more of the same. There have been a lot more supply chain attacks, and people have blind spots to their vendors and suppliers. But it really does come down to doing the fundamentals, doing the basics. It can be just as challenging for a really big company to secure their industrial environments as it is for a really small company. Big environments, when you have 100, 200, 300, 500 facilities to secure, can be incredibly challenging, because the OT space is somewhat discrete from the enterprise space. You can have a very well secured enterprise business, where everything is uniform, and you have the same image on all of your clients. You’re dealing with Windows, and they all have agents on them. They all have XDR, EDR, whizzbang, next-generation cybersecurity tools. But you go into those OT environments, and it’s a new space. It’s usually not in the same domain.
Somebody else might have been doing the IT. Different security tooling, if there’s any security tooling at all. Maybe there’s no logging out of it. Maybe nobody knows how to monitor it and respond to things. Everybody’s starting to build those capabilities slowly. But if you have a very large environment, building those capabilities across 500 discrete, very different facilities can be incredibly challenging, which makes it more plausible that one of those environments will be compromised and potentially used to compromise everything else. And if you’re small and under-resourced, trying to do cybersecurity for two environments, your enterprise and your OT, that’s incredibly resource intensive and challenging, too, because you only are staffed to do your enterprise cybersecurity. That’s a big task alone. So regardless of the size of your organization, moving into the OT cybersecurity response and monitoring and security space is a very, very challenging move. It’s something that people are more aware of that they need to do right now, but it’s tough. It takes resources, and it takes time.
Building an incident response plan takes time. Understanding your architecture and your asset inventory in an environment takes time. Those are big projects that take time and money away from other things. We’ve seen a lot of these organizations start being more of a target for criminals because they know that. They’ve learned. They operate on a budget, too. They have small margins, too, and they’re out there again to make money. So they understand the environments where they’re more likely to be able to get in because there’s less security. It’s probably going to create enough of a disruption and impact, not necessarily to the low-level process device, but to the people doing their jobs, that they will have to pay out a ransom potentially. So continuing problems with resourcing and building security out in those environments, increasing disparity in the level of vulnerability in those environments versus IT and enterprise environments with newfangled Windows 11 security and modern security products, they’re a really big target, and securing them is challenging.
Cohen: What emerging technologies do you see impacting the field of cybersecurity in the near future?
Carhart: In general, outside of OT, I’m really impressed with what the operating system developers, like Microsoft, are doing with their consumer operating systems. The changes in Windows 11 are a big deal, even in Windows 10. There are many ways to much more firmly lock down your operating system and much more integrated support for things like backing up files so they’re potentially not destroyed if they’re ransomed. There’s a lot of thought going on, on the side of people who produce consumer operating systems and technologies, about cybersecurity. We see more promotion of using things like password managers, though not all of them are created equal.
We see more integrated support for multifactor authentication, which is wonderful, and more promotion of using things like authenticator apps, instead of just text messages, which is phenomenal. We’re seeing more support for tokens, like YubiKeys, which is fabulous, too. There really has been a lot of progression in the consumer client space, which I think is fantastic. Of course, there are verticals and parts of the space that need to catch up. The financial industry is one, for sure. But for the most part, things in the client space are headed in the right direction, and I think that’s really fantastic.
Cohen: I’m going to preface this last question by saying I have high expectations for you, because we had a long conversation about pop culture at RSA. What is your favorite movie or TV show that has something to do with cybersecurity?
Carhart: My favorite, just because it’s fun, is “Leverage.” I love “Leverage,” even though a lot of its cybersecurity stuff is very, very silly. Some of its physical pen testing stuff is a blast. To talk about the most realistic one, I’d say, of course, “Mr. Robot.” That’s the ubiquitous answer. I don’t really even enjoy it, because it’s too realistic. It’s stressful for me, because I do know people who have been through a lot of the same challenges as the main character with mental health issues and substance abuse and things like that. So a challenging watch for me but very, very realistic technology. Actually, my friends and I have, for the past several years, been going around the Midwest to various geekdom conventions and doing a hacking and fiction panel, where we watch everything in the last year that has hacking in it, terrible and good.
Then, we talk to the audience about what we liked and what we didn’t like. So we watch everything. And if you want some good shoutouts from the last year, a really good movie was “Resurrected.” It’s a found footage film, and the hacking scenes are so realistic that it’s goofy and you giggle, because they’re doing messy, ugly hacking things that people really do, like use TeamViewer to get into systems. It is not the best movie in the world otherwise, but the hacking scenes are a lot of fun. “Twenty Hacker” from 2021 is also really, really fun, in terms of their hacking scenes. That was another one in the last couple of years that was worth watching. But, yeah, we watch all of them, and then we sit there, and we talk about which ones were awful and which ones were good.
Cohen: What is one of the most ridiculous ones you’ve seen? I know it’s a long list.
Carhart: Yeah, it’s a long list. It’s mostly the crime shows on TV, like the syndicated crime shows on TV, because we actually found out, as we were producing that panel, that the people who develop those scenes kind of compete with each other. They have a bet going to see who can create the most ridiculous scenes and get them to air, which, once you know, it’s kind of funny. Once you know the inside baseball on that, it’s kind of amusing.