InSIGHT: Putting Frameworks to Work [Podcast]


InSIGHT is a cybersecurity podcast from Arctic Wolf geared towards the cyber insurance, legal, and incident response communities.   

Hosts Joseph Perry, Director of Education, and David Kruse, Director of Insurance Alliances, draw upon their years of experience within the insurance, cybersecurity, and incident response communities to share their perspective on the major issues, trends, and events impacting business leaders and practitioners in these industries.

In the inaugural episode of InSIGHT, the duo discuss the three most important cybersecurity frameworks that guide decision-making and govern daily life in their industry, and discuss the implications of September’s big Uber hack.  

You can subscribe to InSIGHT via Apple, Spotify, RSS, and most other major podcast platforms.

InSIGHT Episode 1 Transcript 

Joseph Perry  0:03   

Hello and welcome to InSIGHT, the only cybersecurity podcast in the entire world. If you think you’ve heard of another cybersecurity podcast, you are wrong, that podcast doesn’t exist.

David Kruse  0:12   

InSIGHT is presented by Tetra Defense, an Arctic Wolf company, and we’re here to welcome you to the wild world of cybersecurity. We dive into the topics that matter most for people making business decisions about security, the big questions, the important answers, and the major news.  

Joseph Perry  0:26   

And in today, our first ever episode of InSIGHT, we’re here with some good ones. We’re going to talk about the frameworks that govern daily life in our industry, we’re going to compare them to one another. And then we’re going to talk about the recent Uber hack. For our German listeners, that’s the company Uber, that’s not just a really big hack.

David Kruse  0:42   

But before we begin, I want to take a moment and introduce ourselves here on our first ever episode. My name is David Kruse, and I’m the Director of Insurance Alliances here at Tetra Defense. Before that I was a cyber insurance broker negotiating insurance contracts for my clients. And before that I was everything from a high school teacher to a banker to a commercial painter, you know, the typical path to a career in cybersecurity.

Joseph Perry  1:02   

The standard run of the mill process and exactly love it. And I am Joseph Perry. I’m the Director of Education here at Tetra Defense, an Arctic Wolf company. And before I did that I was a red teamer and an incident responder, I have worked across most of the industry. And before I did that I was a cybersecurity engineer working for the National Security Agency in the United States Navy in research and development. So a bit more typical in background, but maybe not as common of one. 

David Kruse  1:28   

And how many boats have you sailed on, Joseph?

Joseph Perry  1:31   

I have sailed on exactly zero boats in all of my several years in the Navy. Not only that, I have actually only ever set foot on a boat as a tourist.

David Kruse  1:40   

Now, today’s episode, we’re talking first about frameworks. Whether you’re new to cybersecurity, or you’ve been around a while, you’ve definitely heard some of these frameworks referenced, NIST, ISO and CIS being the big ones for most folks. But what you may not have heard is that these frameworks are not interchangeable. Each focuses on specific areas and serves a specific purpose.

NIST Cybersecurity Framework

Joseph Perry  1:59   

That’s right. Starting from the top NIST, the National Institute of Standards and Technology maintains the NIST cybersecurity framework. Now this is published for free on the website, along with a tremendous number of supplements and resources and other educational sources for it. And this is the only one of the frameworks we’re looking at today, which is a specifically American invention. But NIST is also influential around the world. So you’ll see similar if not exactly identical programs, in a lot of other countries, especially countries that are allied with the United States. 

David Kruse  2:29   

I said that each of these frameworks serves a different purpose. Joseph, what’s unique about the NIST framework and what makes it useful for businesses?  

Joseph Perry  2:37   

Yeah, so first and foremost, the NIST cybersecurity framework is a communication aid. That’s really why it has such a broad international reach, is that it’s really just there to establish shared language and make sure everybody understands one another.

David Kruse  2:49   

Shared language seems like a pretty basic step here. When we think about cybersecurity, we tend to imagine genius hackers up against state of the art surveillance, not a roomful of government employees haggling over a bunch of definitions. Where does that disconnect come from, Joseph?

Joseph Perry  3:05   

That’s a really great question. And in fact, kind of one of the most interesting things about the industry, David, which is that both of those visions are true. There are a bunch of really highly skilled, highly immoral people in the world who perform complicated attacks with next gen tools against trillion dollar surveillance behemoths. But there are also a lot of operation centers, security providers, security as a service, and 1,000 other different professions that are staffed by folks who just kind of work nine to five, and don’t necessarily want to take every second of their day keeping up on all the posts from InfoSec Twitter.

David Kruse  3:33   

Oh, geez. So what you’re saying is that the NIST framework’s common language allows everyday cybersecurity practitioners to understand and to work with really, really advanced folks. It sounds like it gives them a shared point of reference, so that they can interact with or cooperatively or otherwise.

Joseph Perry  3:49   

Exactly, it’s even if even ransomware actors need their victims to know what ransomware is, or they’re gonna waste a lot of time, basically doing IT support trying to explain what they’ve done to the person they’ve done it to. 

David Kruse  4:00   

Sure. Sure. That makes sense. So I can see why we’d want to have a framework just focused on getting everybody on the same page. But what about the others? Where does the ISO 27,000 series come into play?  

Joseph Perry  4:11   

Yeah, so that is where things get a bit more formal. So ISO is an international body, which produces standards and auditing guidelines. ISO 2701 is the most well known and it governs Information Security Management. So it’s used to both set very concrete tasks about what data needs protected and controls that need to be in place policies that need to be developed. And it’s also there to help validate those tasks from a third party perspective. 

David Kruse  4:34   

So NIST is something you can use to sort of get your feet under you and learn the language. ISO is more about developing and verifying strong security practices. Exactly. Well, that leads us to our third and final framework of the day, the CIS. If we already have a language, and we already have a set of standards, what’s left? Why do we need this third standard?

CIS Critical Security Controls

Joseph Perry  4:54   

Yeah, so in my opinion, we’ve really saved the best for last here, and that’s not just because I wrote it. The CIS Critical Security Controls are a set of actions and policies that are built specifically around the process of implementation. So that is to say that all the various tasks and controls are broken up into what kinds of organizations need to perform those tasks, and where in their security journey they should do so. So CIS recognizes three different implementation groups covering every level of maturity. And that makes it a lot easier to understand what actual steps need to happen next in your process.

David Kruse  5:26   

So that makes a lot of really good sense, Joseph. So NIST provides the language, the definitions, ISO provides the rules and standards. And then CIS provides the methods to implement those rules, using that common language.

Joseph Perry  5:39   

Exactly. And it’s very much like the end, there’s a lot of overlap between them because of that, where each one is going to touch on the same subject, the same control, but it’s going to do it with a different perspective or coming from kind of a different frame of reference. And that’s why very often security practitioners will say you don’t want to treat these things like checklists, you want to use them as tools, because individually, they don’t actually each do the same thing. You can’t just run down a list of tasks. What these are designed to do is create that understanding and using them in concert to that better, smarter security program. 

David Kruse  6:08   

In future episodes, we will be diving into each of these frameworks in more detail, starting out with the CIS, and we’re going to be talking about all the many topics and ideas contained within them. For today, though, however, just the learning part is over. And the news part is just beginning today.

Joseph Perry  6:24   

Yes. And so every episode here on InSIGHT, we’d like to take a few minutes and talk about what is happening in the world of cybersecurity. 

David Kruse  6:29   

And for the last few days, all anyone has been talking about is the Uber attack. 

Joseph Perry  6:34   

Again, that’s the company, not just a big hack, though it is also a really big hack.

David Kruse  6:40   

For those not in the know, on September 15, employees at Uber started receiving Slack messages. If you don’t know, Slack is an internal instant messenger system. The employees started receiving Slack messages which read ‘I announced I’m a hacker and Uber has suffered a data breach.’

Joseph Perry  6:55   

Not exactly Ozymandias, but it really does get that point across. 

David Kruse  6:58   

Now there are two parts of this which have everyone talking. First, it’s the scope of the hack and the way the attacker got in. We know the attacker got access via social engineering, and they contacted an Uber employee with a compromised password over WhatsApp, convinced them to approve an MFA push notification, and then found administrative credentials stored insecurely within the network.

Joseph Perry  7:20   

That’s right. According to screenshots on Twitter from the attacker, it looks like they spammed an employee with hundreds of MFA pushes, it looks like around 2 a.m., until that employee finally accepted when they were told that was the only way to make the pain stop. When the attacker got inside, they exploited weak internal security, escalated privileges, and from looking at it had access to every single data asset Uber controls. The hacker posted screenshots of private data as well as critical systems and sent those same screenshots to the New York Times and a whole host of the usual suspects of security researchers.

David Kruse  7:51   

So not only did the attacker get into Uber’s system, they were also able to grab everything. That means that they could have done some serious damage, maybe even crippling; ransomware attacks are often accomplished with less access. From the reports, though, that didn’t happen. Most of the time, when we find out about a data breach, it’s because someone paid a massive ransom, or because they had to shut down operations. This time, though, the attacker is just bragging. Uber found out about the attack because the attacker posted in their Slack telling everyone that it had happened.

Joseph Perry  8:23   

Yeah, and hacking has a long tradition of this. So this kind of capturing flags. And that’s why we have so many Capture the Flag events is attackers really often are just starting out just kind of seeing what they can do. Then it graduates to see what they can get away with. And eventually, it graduates to seeing how much money they can make and how much damage they can inflict. And so this is the case of an uncommonly talented attacker who hasn’t yet gotten past that seeing what they can get away with stage. 

David Kruse  8:44   

So maybe this isn’t necessarily someone who’s trying to do a lot of harm. Just someone with a skewed sense of adventure. 

Joseph Perry  8:51   

Exactly, it probably won’t make that much of a difference to the blue team at Uber, who I imagine are still working since Friday. But it definitely seems like this is a case of someone who’s more excited than they are wise. Alternatively, it could very well be a high profile attempt at a job application. The alphabet soup agencies have been known to hire people for less impressive work. 

David Kruse  9:09   

So the attacker may have some complicated motivations. But Joseph, what can we learn from the hack itself?

Joseph Perry  9:15   

Well, it really it helps to tell us how major breaches happen. Different analysts are gonna quote you different figures. But every single red team I’ve ever performed involved some amount of social engineering, and well over nine in ten compromises I’ve seen relied on social engineering at some point in their attack path. This isn’t some new kid genius finding a flaw in an encryption algorithm. It’s not developing a new polymorphic malware. It’s a kid with a WhatsApp account finding the right Uber employee at the right time. 

David Kruse  9:42   

What you’re saying is that the danger isn’t necessarily a sophisticated attacker, more just a lucky one.

Joseph Perry  9:47   

Exactly. You know, there’s, I’m not knocking this kid, there’s no doubt they are about a cut above the average hacker. But what got Uber here was the law of large numbers: with enough employees it becomes impossible to say that they are all going to do security perfectly. That’s why people like us are constantly talking about defense in depth and layered response strategies. When you’re planning your security strategy, boundaries are important, but they cannot be your silver bullet.

David Kruse  10:11   

If an organization wants to protect itself against the odds, they have to take a big picture holistic approach, the sort of approach that starts with a common language creates concrete goals and lays out a clear implementation path. 

Joseph Perry  10:23   

And that’s exactly right. And to help with that, our next few episodes are going to be diving into the CIS critical security controls. And we’ll be talking about that language and learning how to apply it in our own work.  

David Kruse  10:32   

Until then, I’ve been David Kruse. 

Joseph Perry  10:34

And I’ve been Joseph Perry. 

David Kruse  10:36 

And this has been InSIGHT with Tetra Defense. 


InSIGHT is a production of Tetra Defense, an Arctic Wolf company. To learn more about how we partner with cyber industries like insurance and law, talk to us at alliances at Tetra
