Cyber criminals are growing more sophisticated in their attack planning. CISA continues to train its teams to look for vulnerabilities and to help not only the government but other organizations secure their networks and products. Today's guest is Robert Karas. Rob came to the Cybersecurity and Infrastructure Security Agency in 2010. He has over 30 years' experience in the information security field and significant experience in building nationally recognized security platforms. At CISA, Rob built the Cyber Hygiene Program, risk and vulnerability assessments, and penetration testing programs. He has also created the Cyber Defense Education training programs to address industry challenges. Rob was also recognized by Cyber Patriot as Mentor of the Year.
- [1:03] – Robert shares his background, what he does at CISA, and what CISA does as an agency.
- [4:01] – At CISA, agents hack into a company’s system with their permission to see where the vulnerabilities are.
- [5:53] – Phishing and social engineering continue to be the most successful attacks.
- [8:41] – A lot of times it feels like good security equals bad customer service.
- [10:27] – Playbooks are all the same or similar but the tools that CISA uses are unique.
- [12:29] – With the introduction and evolution of AI, there is some preparation to be done for an inevitable increase in attacks.
- [14:07] – Attackers prey on human vulnerability and emotion.
- [15:53] – Phishing emails are so good now that many times they really appear to come from someone you know.
- [17:15] – Over the last ten years, the statistics of people reporting a scam have improved.
- [20:16] – It is important for organizations to be prepared. For help with this, you can email [email protected].
- [23:39] – CISA has implemented Secure by Design.
- [25:30] – If you suspect you are communicating with a scammer, stop communicating right away.
- [27:02] – It is overwhelming when you think about the amount of devices we have that are connected and relied on.
- [30:16] – The amount of data we have and can have access to is so immense. How can we inspect everything?
- [32:09] – When it comes to purchasing new devices, ensure that frequent updates are part of the guarantee.
- [34:41] – A great place to start for resources is CISA's website. Robert shares some of the resources available, including Secure Our World.
- [35:54] – CISA also offers free vulnerability scans for businesses.
Links and Resources:
- CISA Secure Our World
- CISA’s Website
Rob, thank you so much for coming on the Easy Prey Podcast today.
Yeah, thanks for having me. I'm excited to be here.
Can you give myself and the audience a little bit of background about who you are and what you do?
Sure. Rob Karas, and I work for CISA. I've been at CISA for 13 years and I run our attack surface evaluation branch, which consists of penetration testing, red teaming, vulnerability scanning, and attack surface management.
For those that don't know, what is CISA?
CISA is the government agency that protects our country from cybersecurity threats and infrastructure. We were signed into law a few years ago and we're the newest federal agency. Our responsibility is cybersecurity and infrastructure security.
Newer than the Space Force?
Oh, federal agency. I would say that's DOD and more federal agency. Let's go with that.
OK, that works for me. I just want to be able to say Space Force on a recording.
How did you get into this field? Was it something that you always wanted to do, or was it just the natural progression of your schooling and education and career?
I think a little bit of both. I graduated college and found myself a federal employee doing system administration stuff on the unit side. Then I transitioned over to some compliance work. Right about that time, I was working for DISA, the Defense Information Systems Agency. They had a call out for real technical people that wanted to start the first red team and the first computer emergency response team. I raised my hand and was lucky enough to be selected to start those two ventures. The one went on to be morphed into the NSA red team and one [inaudible 00:02:52]. I've been doing this for 30 years.
Nice. For those that don't know, can you explain when you say red team? I know what that means, but the audience is like going, “Is this a football team? What's this red team stuff?”
A lot of people have different definitions of it, but how we define it, and I could go into our penetration testing team too, but basically we have a bunch of security professionals called professional hackers that break into companies' networks.
We attack them through electronic means, through phishing accounts or attacks through social media, through various services that are open to their entities on the Internet. We get in and we embed ourselves in there. Then we have different measurables and metrics that we test.
In the end, our red teams basically last 90 days. The last two or three days, we work with their senior personnel and their security operations center and we train them on how we got in, where we saw them, what we did, and how they could improve themselves. Basically, it's an offensive team trying to break in and show security awareness to companies.
All with the company's permission, correct?
Correct. It's funny, when I came here in 2010, I was raring to go, but it took me a year-and-a-half to actually get a network installed. Then it took me longer than that to get all the legal documents involved. We have standard legal—now they're standard, but at the time they weren't—agreements with our customers that they sign and we countersign before we do anything.
You want to make sure that you're doing stuff with permission. You're not, I don't want to say not really hacking, but you're not doing anything illegal in the process of trying to help somebody out.
Absolutely, and I don't want any of the people that work for me or myself to end up in jail.
Nobody wants that. Let's kind of shift and talk a little bit about what the current trends are and what you're helping companies with. Then we'll talk a little bit about what consumers should be looking for. What are the kinds of the current corporate threat profiles that we're looking at?
For threat profiles, it varies from industry to industry. The big thing to know is that whatever industry you're in, or the critical infrastructure sector, you're basically under attack 24 hours a day, especially with automation and getting more into AI. It's just getting more and more persistent.
Various actors will focus on various sector groups. A lot of it starts with phishing and starts with social engineering. That's still the number one way that we're seeing and that my red teams and my penetration testing teams are able to successfully attack and get into the inside of a federal agency, state, local government, or company.
People on your team calling up and getting a little bit of information, then parlaying that to get a little bit more information and gain access to the networks?
I'll tell you about one of our latest adventures. We were working on a penetration test, and we did some research on the entity and we found out that they have a program where they offer students tours to come and see. We politely emailed and had a nice interaction with the staff saying we'd like to come and see a tour. We're excited about this, and there were several emails, 10, 15 emails back and forth.
Finally they said, "OK, you'll fill out this web portal and let us know who's coming." We said, "We're having problems accessing this web portal. Can we send you a PDF, or can we send you something? Can we post something that you could download?"
Since we had already built that trust, they agreed to it and they downloaded the file. It looked like it had a bunch of students' names on it, but in the background, it had a nice payload and we were able to execute and get on their network. It's all about building that trust, building that rapport, doing your due diligence, and investigating your target.
To me, that's always the scary part. Nothing in that interaction seemed inherently red-flaggy, in a sense.
Right. There was nothing. It was good-natured and people wanted to help. That's one of the vulnerabilities. Everybody's willing, especially when you have a program where you're thinking we're going to educate some of the future staff or future of our country and we're going to bring them in and show them all the great things we do. Naturally, your guard lowers.
I always think about it when there were times that I was working for a small company and it was one day that the receptionist was out. I was trying to help out and answer the phone. Anytime someone called and wanted to be transferred to somebody, I'd be like, “Who are you? Why are you calling?” Just being the paranoid person that I was, I'm like, good security is the antithesis to good customer service in a way.
Correct. It's hard to find that balance because you want to get the person off because if you're filling in, you might have two or three calls coming in, or four calls. You might want to just be able to afford it and they want to get to who they're trying to talk to. Then you want to do a first screening where there's that fine line of how much do you question them before you pass it on?
When you're doing your pen testing, you're attacking clients that are willing. Are hackers kind of using those same techniques when they're attacking corporations themselves?
We go to a lot of conferences and meet with a lot of people and understand their tactics and techniques and we put our own in. We don't follow one APT or follow their playbook line by line. We basically have our own, but the playbooks are pretty similar. What's our scope? What's our target? What's our time frame? What are we trying to get? Then, where's the low-hanging fruit, and how can we get in and get out without notice?
If we want to stay entrenched for a long time, where do we stay entrenched and what's the best place to do that? How long do we set our beacons to call back for? Do we call to have them set up for one week, one month, or 17 days et cetera?
The playbooks are all the same now. The tools that we use, we have our own tools. I'm sure everybody else has their own tools. One thing that's really interesting and one of the good things that we have coming out of this is we have a lot of data. We can see data and we can understand where vendors are successful and where they're not successful and help them become successful without ever having to put anything out in public.
A couple of things lately, and it seems like, especially with our phishing payloads, if you go back to antivirus, you will get antivirus. After about four to five years, you can reuse the same techniques or same payloads. What we were using four or five years ago hasn't been working, but because vendors only have so much that they can put in their EDR, their machines, and defenses, they rotate them out.
Now what we were using four or five years ago is becoming successful again, and you wouldn't think it. Because of AI and automation, we're able to use those payloads. It's not manual. We have automation where it doesn't hurt to just click a button and see if these payloads work.
That's one of the interesting facts and one of the great studies that's coming out of this so we could warn vendors and other people about these trends that we're seeing. Then the vendors can take action and you just don't protect one company. You protect everyone that's using it.
With the rise of AI, computational power, and organized crime with access to large sums of money, have you seen a significant escalation in what the threat actors are doing in the last few years?
Not yet, but we're starting to see it and we're starting to see people pre-position themselves and understand the AI models and get the AI models ready so when there is an earthquake or flood overseas, they don't have to take the time to actually go and program that. It's already programmed to hit certain headlines and thresholds and then automatically set that.
We haven't seen it actively happen, but we know that people are pre-positioning and getting ready for that day. It's only a matter of maybe they're ready now. Right now we'll be getting ready for a federal shutdown; it could be something related to that. "Congress is passing a bill or they're not, click here for the latest." We just don't know. But it's on its way if it's not here right now.
That, to me, is always one of the things that I hate most about the scammers is when they're leveraging natural disasters and horrible events to line their own pockets. That's particularly disturbing to me.
It really is and it's sad. It happens. They prey on human nature, our vulnerabilities, and our sense of trust, manipulating our emotions. If they can get you to be emotional for a second and just click that without thinking, they win.
Is that some of the challenge, in that I think most people think from the technical side of, "If I have the right antivirus, if we have the right network protections, if we have the right technology in place, we're safe." But then there's this big human component that is a lot more squishy, for lack of a better term.
It seems like we have a good idea how to address the technology side. How do we address the squishy human side of things?
That's wonderful. We train them, but training can only go so far. People get trained to a certain level and you can't train anymore. You know what you know. At that point it turns to training them on what to do if they feel like they've been scammed or if they've clicked the phishing link, and training them and exercising what the company policy is or how we act.
Do they know who to call? Do they know who to email? Do they know what to do when they notice an incident or something's not working right or they did something wrong? There's no shame in it. It just happens. It's our human nature, but how do you react to it?
The sooner you react, the better chance your IT team or your staff has of protecting your company and your assets. I think it shifts to more exercising and training on what to do next instead of detecting the phishing email from the Nigerian prince, because phishing emails now, they're so good. It looks like it's coming from a corporation.
How much of a challenge is it for the companies when you're doing your pen testing to get the employees to report things that are suspicious and report the links? Are they just clicking on it, "Oh, gosh. I've realized I've done something I shouldn't have done," and keeping their mouth shut, or are people getting better at saying, "I think I did something I shouldn't have done"?
Yeah, that's great. I'll tell you, about 10 years ago, eight years ago, nobody was reporting it. It was almost like you were a social outcast if you did that. People accepted and learned that that's not right, that we need to embrace this, but you recognize that it happens and that if you report it and the company can handle it in a certain way, that's socially acceptable now.
Before, if you click something, it was almost like, “Oh, my gosh. Look what he did or look what she did.” Now it's like, “OK, we deal with this as a company.” We have some statistics that show the improvement of internal users or people within companies actually reporting it to the IT staff. We have seen those numbers increase over the last eight or nine years, which is promising. They're not where we need them to be and we're just trying to figure out if that's it because they didn't realize that it was a phishing link or something that they clicked on, but the stats are getting better.
That's definitely one of the things that I'm trying to do with the podcast, is trying to destigmatize people that have fallen prey to scams and whatnot, because I think the more people that talk about what happened and how it happened, other people are more willing to talk about it. As we start having these conversations, the person that is at work is going to be like, “Hey, Bob. I clicked the link,” as opposed to, “How long can I hide before someone figures out that I clicked the link?”
I'm not proud of it, but it was about four years ago, there was a gentleman at a 7-Eleven that skimmed my credit card right in front of me. Not proud of it. It happened. My bank called me and I got a new credit card right away, but it happens and you just accept it and you face reality and you don't hide from it.
I really appreciate you sharing that. I often do ask my guests, have you had something happen to you in the past? I think it's important for people to hear that. That you have people that are in this industry, people that are in this field, that if we can't get it right 100% of the time, Bob, who has no formal training in this, shouldn't feel bad that he wasn't able to protect himself 100% of the time.
Yeah, absolutely. Me being a cybersecurity professional with 30 years' experience, I'm like, really? That just happened, but it happened. Luckily, I was able to call my bank and my bank texted me and I got a new credit card. I had no money taken off my account, which was great. How you react, I think, is just as important as facing the reality that it happened.
What should people be doing? I guess there are two different sides to this, because what businesses should be doing is probably fundamentally different than what consumers should be doing. Let's talk business and then we'll talk about consumers. If a corporation falls victim to a breach, what should they be doing? Who should they be reporting it to? I know laws are constantly changing if your data has been breached, but is there kind of an official clearing house for that information?
It depends on what industry you're in. You have to know what your internal policy is. I think that's one of the greatest things that a company can do is be prepared. We have cybersecurity advisors, CISA does, spread out across the country. Right now we have 110 of them in almost every major city and every state across the country.
If a company doesn't know where to start, these are great advisors. People can reach out and contact them. If somebody wants to know who their cybersecurity advisor is, there's an email address, [email protected], and they'll put you in touch with your local cybersecurity advisor. They can help you get on the path of building the plan, and building the policy and figuring out what to do in case of an incident response and how your company should handle it.
If you're in the finance business, who do you need to contact? If you're in the gas and oil business, this is your process and procedures. There are experts across the country and I highly advise you to use them.
I think that's great advice: make a plan for an event before it actually happens, as opposed to something happening and then, "Our system is down. Who do we call?" If you start your work at that point, you're already behind the curve.
Yeah. But if it does happen, report it. There are some things to do: make sure that your coworkers know that it happened. If your company has a password policy, make sure that you change your password, or work with your staff and make sure that you have multi-factor authentication involved, but absolutely report it. Then let your co-workers know so they don't fall prey to the same attack.
Do you see an increasing adoption in employees and consumers using two-factor authentication and asking for it in places where it doesn't exist?
I see them accepting it and adopting it. I haven't seen them proactively ask for it, but I do see that a lot of the online community has adopted it and almost forced people to use it. It's becoming the social norm where before it wasn't. I'm hoping we get to the point where security professionals like myself ask for it or we look for it. But my wife or my dad, they're just happy with the password. I'm like, "No, you need to put this on." Then they remember about two-factor authentication or multi-factor.
I've been excited that more and more recently when I've been creating accounts, two-factor authentication has been turned on by default as part of the account creation process. Whereas it used to be, if you want this extra security measure, you've got to go hunt and find it. Now it's, this is part of the setup. If you want to disable it, you've got to jump through all these hoops to disable it. I'm sure that really is helping the adoption.
Yeah, absolutely. At CISA, one of the great things that we've been striving and pushing forward and we'll continue, but it started a couple years ago, is secure by design. Anything you put out there should have security designed into it and should come out of the box with security. It shouldn't come with an empty password. It should have something in it. Your example that you laid out of having the user have to adopt and opt into two-factor authentication is a perfect example.
I have to admit, I still occasionally get hardware sent to me where the username and password are user and password. I'm like, "Oh." But there's definitely some stuff when it shows up, there's a sticker on it. "Here's the username. Here's the password. Don't lose it or you're in trouble."
It's like, OK, there are some manufacturers that are starting to not have every single device going out their door having the same password on it.
Yeah. I think as more and more people do that, more and more people will demand it and expect it. When the consumers expect it, they'll call according to demand. If you get something from a vendor that has admin or user password, you're going to question that vendor. You're like, “Hey, here. Do I really need to order from that vendor? Or next time do I need to get a different hardware solution?”
Yeah, it really makes you question their commitment to security if the username and the password are the same for every single device going out the door.
On the consumer side, what should consumers do when they've either fallen victim to a scam or been technically exploited?
On the consumer side, I would say stop communicating with the scammer immediately. If you're doing it over email or you're having constant texting communication or some other communication, stop that right away. Then make sure, as we talked about, to change your passwords.
If you don't have multi-factor authentication, implement it immediately. Then consider reporting an attack to the police or maybe even filing something with the Federal Trade Commission, depending on your case. I think those simple steps will be a good start. Maybe even if you have a friend that's in cyber, they can advise you to go. I think as you start talking and you start reporting it, you'll get more information and people will have more advice for you. At least stop communicating with scammers, change your passwords, and implement [inaudible 00:26:22].
Got you. Maybe the more disturbing part of our conversation: where do you see threats coming from in the future? Not to say which entities are attacking us, but what are the things that we should be watching out for in the future? Everything is connected these days. When you're in your office, there's the cameras, the printers, everything is connected. Smart cars, AI, chatbots. What do you see as kind of the emerging threats?
It's overwhelming, the amount that's coming at us. I think from my point of view, from an attacker, what I've seen happening recently is a consolidation in the cybersecurity marketplace. In the past, I had 20 vendors that I had to worry about how to get around their security; maybe now it's a handful. If I know it's only a handful, I could really focus. If it's down to one or two competitors, I can focus on getting around that one vendor.
If 80% of the companies are populous, I can't get around it. One case in point is an attack that we did recently. It's called payload inflation. When you send a phishing email or a link, a payload gets distributed to the user. What we do is we do payload inflation. Typical payload is about two megabytes maybe, maybe one megabyte, but we inflate that to be 250 megabytes. We don't send it right away when a user clicks on it or gets to the system. We wait like 10 or longer than that, but a certain amount of time and then we download it and it does two things.
The detection isn't looking that long and then the detection can't go through that big of a file. With us being interconnected, years ago, if we sent a 250-megabyte file, somebody would just disconnect and be like, “I don't care about this. I'm not worried.” But now I could download that in seconds and send it to somebody.
It goes back to the resources. The protections don't have the resources to scan all 250 megabytes. Maybe they look at the first 50 or 100 or whatever they look at. Then we're getting in. I'm worried about the speed of everything. Everything's going so fast. Do we have the speed and the architecture to actually adapt and find out everything that's going by or inspect everything that's going by? I think that from my defensive and offensive side, I would say that.
Then where's it coming from? Is it coming from a refrigerator? Is it coming from a microwave? Or it's from somebody that clicked something?
I'm amazed at when my first internet connection was—OK, it was a dial-up modem, but let's talk about internet connections—my first dedicated internet connection was a 1.5 megabit DSL connection. Now I've got fiber into the home. I could move a DVD worth of information to and from my co-location facility in a matter of seconds now where that used to be, “I’m going to download this movie. Let me come back in four days and I'll have it.”
Yeah, let me go watch four days of movies.
It's almost that things have kind of gotten asymmetric, not in the upload and download, but in terms of just the vast amounts of data that are starting to overwhelm our ability to manage it.
It is. I think that's the point. How do you inspect everything, especially my watch right here and this mouse here and this lamp in it? It's like wow, the threat vectors have just grown exponentially.
Is there a kind of developmental community, where the manufacturers are starting to say, "We really need to do a better job with our security on our devices. We need to do a better job providing firmware updates for years as opposed to days or weeks." Are they kind of coordinated?
They're getting there. CISA is leading the charge and CISA is leading the charge of helping to hold companies accountable and security by design. Anything that you design going forward, we're actively seeking people to pledge that they'll use good coding practices and good coding languages.
It's starting, and I think it will be like a snowball. It's going to start slowly, but once it picks up momentum and is adopted and adapted in the training community and education community, I think we'll see it rapidly increase.
This might be a little bit outside your scope of expertise, but when people are buying hardware, whether it's for their companies or for themselves, should they be asking the company, “How long are you going to provide firmware support for this product?” If they say, “We're going to provide it for 10 years,” that's probably good practice. But if they say, “No, we're only providing it for the next one year,” where's kind of the point where some people need to question whether that's the right product for them to buy?
I think that's going to depend on how long they want to have that product in their environment. I would say if they intend to have that device in their environment for 15 years, they should demand from the company 15 years of firmware or product updates. If they are only going to have it there for two years, then that's acceptable. I think it goes back to the cycle costs and analysis that you do on that product. That would be my rule of thumb.
I'm just laughing to myself thinking everybody keeps stuff around twice as long as they originally thought it was going to be there. If you're planning on it being in the life cycle for two years, you better plan for four or five.
That's a great question to ask and hopefully when you're buying, you buy from a company that's been around a while so you can at least do some due diligence on it and maybe even talk to some past vendors, or even you have some old devices on your network and you're seeing that they're being updated and taken seriously and that they're just not left alone, or that they do have an end-of-life and they know end-of-life. Then work with companies to get that off and get something new on the market in place to keep your operations running.
Turn off all those Windows 95 boxes.
Are there, like, any additional tips, any additional resources that we want to make sure that we communicate to the audience today?
Yeah, absolutely. One of the great things is we could tell people to create policy, our [inaudible 00:34:06] management backups, but CISA offers free resources on our website and free services that I'll talk about here in a second.
One of the best places I think people should start is at our website, cisa.gov. It's a great starting place. We just launched an effort called Secure Our World. You can visit that site at cisa.gov/secure-our-world. This site has information on how to secure yourself and your family, actually how to secure your business, and then how to secure your products.
Then if you dig down deeper, there's information on how to teach employees to avoid phishing. There's a link there, then it would be cisa.gov/secure-our-world/teach-employees-avoid-phishing. That's under the umbrella of Secure Our World. It's a great program, and it's new to our cybersecurity awareness program.
In addition, I talked about the cybersecurity advisors. There are 110 of them out there. You can reach them through the email [email protected].
Third, I want to pound my chest here. These are services that come from my program. We offer free vulnerability scanning. If you're a company out there that has assets hosted on the Internet, we will scan them persistently and provide you with a weekly report. The weekly report will show you what vulnerabilities we see there, which vulnerabilities you've closed, and we will rank them. We'll tell you if they're known exploitable vulnerabilities, if they're critical, if they're medium, high, low criticality level. Then we'll show you charts over time of whether you're fixing those vulnerabilities.
It's easy to sign up for if you email [email protected] and ask about our vulnerability scanning service. You'll get a response and information on how to sign up. To me, that's one of the best things that CISA has. We have over 6300 stakeholders that take advantage of that service right now and we'd love to have 6300 more.
I was about to say in about five minutes, you'll have 6301.
That sounds like a really cool program because it's one of those things, like some people don't trust the government, but I would rather trust a government entity to help with the scanning as opposed to, “Let me go to this random website of sketchy partner or sketchy entity that I don't know where they're from.” I don't know that I want to raise my head up and say, “Hey, take a look at my surfaces and see if I'm safe.”
Right. This is great because I've always contemplated that and I'm always like, “Ah.” I was at a speaking event for 911 centers last week. I was with the gentleman from region five—we break the United States up into 10 different regions and this gentleman was from region five—and he was sitting next to me. He was asked that question and he had a great answer.
He said, "Foreign countries' governments are scanning your government anyway. Do you trust them? You can't stop them, but you can allow your federal government to help you. Obviously we need a legal agreement, so what's one more government scanning you? We're doing it for good, for you."
We're going to give you the reports. They're not going to give you the reports.
For the listeners, we'll put all of these links in the show notes. That way, in case you missed a hyphen, you don't get a 404 error, but that it's easy to find. Anything else before we wrap up here, Robert?
No, that's it. I really appreciate you having me there. I appreciate CISA allowing me to have this interview with you and join your podcast. I look forward to people signing up and going to our website and joining the Secure Our World cybersecurity awareness program that we just launched.
Awesome, Rob. Thank you so much for coming on the podcast today.