Collective Cyber Defense: An Interview with Brett Williams of IronNet Cybersecurity

In the early days of computer security, your most serious adversary was most likely a bored teenager defacing a system. In that sense, appealing to the hacker’s parents was often as powerful a defense as any of the functional safeguards of the time. Fast forward to today’s cyber security environment, however, and now your most serious adversary is most likely a capable, trained military group with the time, funding, and skills to wreak considerable havoc on your systems. As a result, the modern cyber defender must now employ the type of strategic capability and orchestrated collective defenses that were previously found only in the military. Brett Williams, former General Officer in the United States Air Force, and Chief Operating Officer (COO) of IronNet Cybersecurity, spent some time with us recently to share his thoughts on how advanced cyber security defensive strategies can be used to keep up with these rapid and powerful offensive attacks.

EA: Brett, your team uses the term collective defense – what is meant by that?

BW: To begin, collective offensive action already exists, and is key to outpacing defenders. At the grass-roots level, anonymous black markets for vulnerabilities, cyber attack kits, botnets, and other offensive capabilities are accessible to anyone with the right browser plug-ins. At the high-end of cyber offense, capabilities are shared by governments with less sophisticated criminal and activist groups to leverage against new targets of interest. Social media sites serve as amplifiers, spreading knowledge and source code to enable variants and offensive toolkits. Defenders are overtaxed by the sheer volume of information they must deal with, and also suffer from a skills gap. No organization has the resources to stand alone against nation-state actors, let alone the myriad of criminals, hacktivists, and other threat actors. As a result, collective defense is necessary to cope with the present and future cyber threat. Companies must band together to gain broader awareness of the threats targeting their sector, and to jointly mitigate threats aimed at the group. For collective defense to function, information sharing must occur at network speed, across a broad base of indicators, risk-models, and enrichment resources. With such a system in place, an attack on any organization in the collective can be immediately addressed by all.

EA: How important are advanced analytics to the detection of unknown threats

BW: Cyber security is now a data aggregation and mining problem. The time required to detect threats is critical to any cyber defense and is increasingly difficult, given the complexity and noise in most enterprise networks. The goal of leveraging advanced analytics for detection is to move beyond identifying moment-in-time events, to modeling the adversarial tools, tactics, and procedures (TTPs) used to orchestrate and manage attacks. Detecting offensive TTPs reduces cyber risk by shrinking adversary playbooks, thereby reducing the success of available tactics. Producing adversarial models is difficult analysis, as it requires the time and resources to develop defensive models against the most likely threats. It also requires access to trained data scientists and experienced cyber defenders with knowledge of the tactics used in advanced threats. However, when done properly, the benefits are substantial. Such modeling enables detection across an adversary’s full range of tactics, and not just the latter stages of the kill-chain. This improves detection capabilities and raises the bar for the offense, by forcing them to design new targeted TTPs, versus retooling and repackaging malware, scanners, and tools.

EA: Do you think there is much that commercial industry can learn from government teams regarding cyber defense?

BW: Absolutely. Defending against nation-state threats in the Federal Government has led to advances in cutting-edge, defensive tactics, operational procedures, and detection techniques. Equally important, personnel who have experienced both the defensive and offensive side in government are valuable resources, should they decide to join the commercial sector. If you look at how businesses are investing in cyber security today, you will notice that many new CSO/CISOs and their staff have had experience in an operational government environment. Many security best practices and frameworks that drive cyber security spending are based on government frameworks such as NIST. Many of the new cyber security start-ups that are developing cyber defense solutions are founded by former employees of the US military or intelligence agencies. Note that government teams have also learned from industry, including how businesses protect their resources from fraud and theft. This helps government address gaps on national level.

EA: IronNet Cybersecurity has always focused on addressing attacks on high capacity networks. What is the secret here? Is it hardware? Software? Perhaps a combination?

BW: It’s really all the above—plus data scientists and security analysts that can provide feedback. Our solutions empower our customer security analysts to be more effective across the full spectrum of their work, versus creating point solutions for subsets of the problem. Consequently, our efforts have been to deliver the full range of capabilities necessary to support a security team’s strategic objectives. The hardest part is having the expertise to put it all together at the size and scale necessary to support the mission. While many solutions leverage similar technology platforms or foundational techniques, in practice, it can be difficult to deliver an effective analytical solution with the breadth, scale and depth to defend against the full range of threats. Perhaps the easiest way to understand this is to think about the differences between a great chef and an average cook. Both start with similar tools—a knife, a pan, a stove and some ingredients. The difference is that the experience and choices made by a great chef can result in a dish much better in taste that can scale up or down as needed to meet the size of the party. It is the same when building cyber analytic solutions — an experienced team with domain experience can build a cyber analytic solution that is an order of magnitude better in terms of detection capability, scalability, and user experience.

EA: What trends are your team seeing from the most capable offensive actors?

BW: We are increasingly seeing cyber attacks by state actors that are designed to project national power or goals against countries, companies or other organizations. At IronNet, we are working closely with commercial organizations in critical infrastructure sectors to help defend their networks against all sorts of cyber threats. One recent case involved the use of destructive malware against a subsidiary of Fortune-100 company located in a geographically sensitive region of the world. In this case, the malware was hidden in software distributed by the local government to be used by corporations for tax calculation purposes. The malware was particularly virulent and spread quickly throughout the organization, wiping out many of the computers, and resulted in material impact to the organization. We suspect that this was led by a nation-state actor trying to disrupt commercial activity to advance their national goals.