By Wallace Witkowski, MarketWatch
Whether it’s the integrity of a corporate computer system or an electoral process, the most secure state of mind is to assume something has already been hacked and then use the best intelligence to verify what you can trust.
That’s MarketWatch’s takeaway from an interview with Sandra Joyce, senior vice president of global intelligence at FireEye Inc., who sat down for a one-on-one chat last week at the annual RSA cybersecurity conference in San Francisco.
Joyce, who reports directly to Chief Executive Kevin Mandia, is responsible for the collection and processing of threat intelligence at FireEye, whether it comes from cybercriminals or from nation-states out to destabilize larger organizations. She has worked in the security industry for more than two decades, is a faculty member at the National Intelligence University and has collected four master’s degrees; she is currently completing an MBA at the Massachusetts Institute of Technology.
FireEye is known for its intelligence about international hacking organizations and their actions, and released the M-Trends 2020 report at RSA, which outlined trends in cybercrime, warfare and espionage. The report found that while security professionals are rooting out intruders on their systems quicker, hackers are getting better at disguising themselves with malware — 41% of which has never been seen before — that is much harder to detect.
Joyce discussed the changes in malware and ransomware, two of the most common types of online attacks, as well as election security and more. The interview has been edited for clarity and length.
MarketWatch: What does it mean that 41% of malware is previously unknown?
Sandra Joyce: There’s a lot of ingenuity among the people who are creating malware; we detect new malware families constantly. So that is something to be mindful of, because the threat actor has to continue to evolve and change, because once detections are in place they are less effective. And all the new malware that’s coming out — they’re either developing it themselves or they’re taking pieces from other code and making something completely new, and one trend we’re seeing in that realm is ransomware.
MarketWatch: What’s the trend you’re seeing with ransomware?
Sandra Joyce: It’s getting a little bit worse, because before it was just commodity, like “I’m going to do this, lock you up, get 300 bitcoin and maybe you’ll get your data back.” But what we’ve been seeing is a lot more deliberate, what we’d call a post-intrusion malware event. What that means is, what they’re doing is more reconnaissance and they’re getting access to deeper parts of the business to lock up more critical pieces. And the economics of this are that the ransom amounts, the demands, are much higher. In Europe, we responded to a ransomware incident where the demand was over 300,000 euros because of the sensitive information that they captured.
MarketWatch: Can’t that just be resolved by backing up systems more?
Sandra Joyce: It would be great to have an easy button, and it would be great to have a hot site and just roll back to that. Every case is different, and in some of them they’ll lock up actual technologies and infrastructure. It’s not just about “I can roll back” now; maybe you’re not providing services to customers, maybe it’s for days, maybe it’s for hours. What we’re encouraging companies to do are these tabletop exercises, to actually be ready for an event like this. Especially if you have a high profile, you have to have a plan for strategic communications. You at least have to walk through the process.
Whether or not to pay [ransom] is a really complicated decision. It seems like people would say “No, hell, no, I wouldn’t,” or “I will,” but we can actually tell you about that threat actor and say, “This guy will spill your data anyway.” We can do the research on the threat actor, we may already recognize him. If we’re so-called “lucky,” we would.
The real business impact comes in how long and how successful the threat actor is once they’re in the system itself. Everyone should just assume that they’re breached, just like if you rush the guards at a bank, “Congratulations, you got in. Do you know the combination to the safe? Do you know where the money is kept? Do you know if that thing you’re after is there? Can you get out without anyone seeing?”
If you have that mentality of “yes, I’m going to assume that there’s a breach, but I’m going to have technologies and processes in place to track lateral movement in my organization,” that’s really where the business impact is. You can still preserve a lot of your business functionality if you can respond to that lateral movement.
MarketWatch: What are your thoughts about election security?
Sandra Joyce: The question of whether nation-states are meddling with elections is asked and answered. We’ve seen the impersonation of political candidates on social media by Iranian actors. We’ve seen inauthentic websites being posted. We’ve seen Iranian threat actors posting letters to the editor and getting published in newspapers. So the question of whether they are doing it should be asked and answered. They definitely are trying to do that. The question that I find surprising is when people ask, “Which political candidate? Which groups?”
It doesn’t matter.
The whole election security topic, we need to think of it as an ecosystem. There are voting machines: The surprising thing is that as of January we haven’t seen any direct attacks on voting machines that would change the tally, so that’s good news. But if you go out of the circle, to support organizations, [personally identifiable information] has been stolen from voter registries, and these are cybercriminals who are selling it in the underground, and maybe their intent is not to disrupt an election, but they are still eroding that confidence in that process. And then the largest attack surface is the electorate themselves. We’ve seen a concerted influence operation.
MarketWatch: Who has become the most active threat over the past year?
Sandra Joyce: I would say Iran has become the most active. It’s likely because of the increased tensions between the U.S. and Iran, the nuclear deal situation, with the United States pulling out of that. If we think of cyber as the tool for the extension of the political will of a country, then we can see that for a country like Iran, which can’t challenge on any other instrument of power like military or economic or diplomatic, [cyber] is a very attractive, asymmetric kind of capability. So we will see that direct relationship between geopolitics and tensions and the use of cyber tools, because it’s become the Plan A of countries who can’t challenge in any other way.