Know the Threat to Beat the Threat

October 23, 2017 • Amanda McKeon

Our guest today is Bob Gourley, author of the book “The Cyber Threat: Know the Threat to Beat the Threat.” Earlier in his career, Bob spent 20 years as a U.S. Navy intelligence officer. One of his last assignments with the military was as director of intelligence for the first Department of Defense cyber defense organization. He’s currently a partner at Cognitio Corp, where he leads research and analysis activities, due diligence assessments, and strategic cybersecurity reviews for clients.

Bob sat down with us at our annual user conference at the Newseum in Washington, D.C. for a wide-ranging conversation on what it was like to define emerging cybersecurity missions for the Department of Defense, the importance of looking back to history as a guide, and the growing need for threat intelligence and basic cyber hygiene.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, I’m Dave Bittner from the CyberWire. Thanks for joining us for episode 29 of the Recorded Future podcast. Our guest today is Bob Gourley. He’s the author of the book, “The Cyber Threat: Know the Threat to Beat the Threat.” Earlier in his career, Bob spent 20 years as a U.S. Navy intelligence officer. One of his last assignments with the military was as director of intelligence for the first Department of Defense Cyber Defense Organization.

He’s currently a partner at Cognitio Group, where he leads research and analysis activities, due diligence assessments, and strategic cybersecurity reviews for clients. Bob sat down with us at Recorded Future’s 2017 RFUN conference at the Newseum in Washington, D.C. for a wide-ranging conversation discussing what it was like to define emerging cybersecurity missions for the Department of Defense, the importance of looking back to history as a guide, and the need for threat intelligence, and basic cyber hygiene. Stay with us.

Bob Gourley:

I was a Navy intelligence officer for 20 years, so, tours in Europe and Asia. A lot of all-source intelligence fusion was my background. The last several years of my career was standing up the first Department of Defense organization to do cyber operations at a joint level. It’s the joint task force for computer network defense. This is the first organization that had direct command of defense, which led to today’s Cyber Com.

Dave Bittner:

When you’re standing up the first one of those, what are … What are the parameters under which you’re doing that? What is the mission that you’re trying to accomplish?

Bob Gourley:

Well, our boss was a two-star general who was told, essentially, fix this problem, and was given some other guidance directly from the Secretary of Defense, which is, “If there’s an incident anywhere in DOD, I want to know about it.” He was to come up with a mission that helps defend 3.6 million computers and over 10,000 networks. So, how did he do that? He pulled together a small headquarters element. He had a J3 for operations, he had a J2 for intelligence — that was me. He had several other key staff to work at a headquarters level.

My job was to pull together all the threat information and to create an ability to understand what the adversaries are doing, figure out who’s attacking the nets, and then inform the J3 and others on how to stop it. The two-star general, then … you know how Department of Defense organizes. He had components in the Army, Navy, Air Force, and Marines to get stuff done, and DISA also had components that worked for him.

Dave Bittner:

What year are we talking about?

Bob Gourley:

We started working in December 1998, and then we became fully operational in April of ’99.

Dave Bittner:

Let’s put that into perspective. What are we talking about in terms of the evolution of connected computers, the internet, and the systems that you’re dealing with?

Bob Gourley:

Right, so in the ’80s there was the Morris Worm, which had taken down a lot of infrastructure and caused the creation of things called the CERTs. That was the state of the art when we came around. There were CERTs everywhere that were communicating and coordinating on computer science and computer incidents.

Then there were some major intrusion sets going on. Solar Sunrise was a famous one that just really had the Department of Defense puzzled. People were looping through several computers. We thought it might be the Iraqis, and we couldn’t investigate it and stop it fast enough. Turned out, it was two kids in California being mentored by an Israeli hacker, but we couldn’t figure all that out.

Also, there was a major activity, codenamed Moonlight Maze, which was being investigated by the FBI and the law enforcement agencies, and the Department of Defense, where someone was going in and penetrating Department of Defense computers and Department of Energy computers, and computers in academia, and we needed to make progress on that. We were born into that environment.

Moonlight Maze can be thought of as the first advanced persistent threat, and it was our job to figure out who it was. Our team, the intelligence team, pulled together intelligence from CIA, NSA, DIA, the imagery guys, HUMINT people, and open source intelligence, and counterintelligence, and were able to come up with a theory that proved to be correct, which is, it was the Russian Academy of Sciences backed by the Russian intelligence services who were trying to acquire sensitive information to benefit their programs.

Dave Bittner:

How did you all approach a problem that big? A problem as large as this scale of having to secure the entire DOD — how do you break that down?

Bob Gourley:

Well, you have to do it in a way that scales, so there’s a lot of problems which still exist today when it comes to data. We had to work collaboratively to figure out what the right plan is, but then, when you execute the plan, we did it with absolute command and authority. The collaborative part is, alright, how do we decide what information needs to be sent up to the center, because you can’t send all the information to the center. You want certain alerts sent, so negotiating what that should look like was key, and then in the stand up, we kept tuning that information flow.

The command part was, we had guidance from the Secretary of Defense that we had direct command authority to order things in the networks. Sometimes that worked, sometimes it didn’t. We were the first organization that was able to do that and make some progress. Now, back in those days, there was a lot of forgiveness for our mistakes because we were the first. These guys today have it much, much harder. Everybody expects them to defend perfectly, and it’s tough. Also, another difference today is the adversaries just kept growing and growing and growing, and our dependency on IT kept growing. I have a lot of empathy for the folks doing this job today.

Dave Bittner:

Despite the scale, did you have an ability to be nimble?

Bob Gourley:

That’s an interesting topic. Now, first let me tell you the kind of people that were on this JTF. I was an operational intelligence guy. We had other people who were very operational, Army Infantry, Army IT, and several Navy guys, including F-14 pilots and F-14 flight officers. These guys think fast. They were just critical to our ability to execute. We would have technical people who would help explain to these people what was going on. They would ask the hard questions, and they would know how to execute and deliver orders. Our boss, this two-star general, was an Air Force fighter pilot — another guy that thinks fast.

Dave Bittner:

Right, so these are folks who come up having to make critical decisions quickly, decisively.

Bob Gourley:

Right. When General Campbell did that, he was the two-star general. He led us in our formation, and then through the operations, and then went on to become a three-star where he was head of all the military support at CIA, and is still very active in the cyber community today.

Dave Bittner:

So, contrast that — the things that you were doing then, with where you see things today. How have things changed and evolved?

Bob Gourley:

They’ve changed in a lot of ways, but some things are incredibly consistent, unfortunately. As we dug into this, some of the consistent things are when an adversary wants something, we all see this — they just keep coming and keep coming and keep coming. Yesterday, we were in the Spy Museum, where I saw some great exhibits. One was a Sun Tzu exhibit, and it was Sun Tzu who told us we really have to know the adversary, essentially, saying you have to know them because they’re going to keep coming.

Then another, just right next to it, is an exhibit talking about Hannibal’s famous invasion of Rome, where he crossed the Alps. He did that by laying out a great spy network and then persistently not giving up. When people told him to stop, his famous message back was, “We’ll find a way or make a way.” It’s that hacker mentality, and that’s the same thing we saw at JTF-CND. These hackers kept coming and coming and would never stop.

Fast forward to today, it’s the same exact thing happening now, where the adversaries are just not giving up. I think that’s the most important lesson we have from the ’90s, but it’s also the important lesson from Sun Tzu and from the crossing of the Pyrenees by Hannibal.

Dave Bittner:

The environment may have changed — we may be in a virtual environment today, but those rules, those bits of wisdom, I guess, still apply.

Bob Gourley:

Yes, because generally, the hackers that get through are working as a team. They’re organizations. They’re resourced, especially the really significant attacks. Maybe they’re a criminal syndicate or a country, and they are not going to quit. They keep coming and keep coming.

Dave Bittner:

You’ve written a book called “The Cyber Threat.” I want to dig into that book a little bit. First of all, what prompted you to write the book?

Bob Gourley:

Well, part of it was these lessons from JTF-CND when we were starting to realize that it is important to know who’s attacking and what their capabilities are. Sometimes, it’s important to help you figure out what your defenses should be, so there’s a very strategic level of intelligence — what are the capabilities of adversaries? Sometimes, it’s important operationally. If you can categorize who these attacks are coming from, maybe you can inform your defense and defend a little bit differently.

Then, tactically, there’s information that’s important, too. The rapid changing of firewall rules is a simple example. By writing all this out and saying there’s ways to enhance your cyber threat intelligence program by operational, tactical, and strategic intelligence, we are able to give a framework for how to improve intelligence.

We also went back in history. I’ve mentioned a couple of these already — Hannibal crossing the Alps. Really, the real first foray into cyber intelligence is entering the U.S. Civil War. Both sides, of course, had telegraph and used that to pass command and control information. Both sides soon learned that you could attack the other guys’ telegraph lines. Another exhibit over in the Spy Museum was a raid by a Union spy, James Andrews, who stole a Confederate train and then destroyed train tracks and bridges and telegraph lines. That was the first major cyberattack.

Since then, in the Civil War, both sides soon learned that you could actually listen to the other guys, so maybe you don’t want to destroy all the telegraph lines. They were doing espionage. Then, also, there is documented evidence of both sides passing false orders on the other guys’ telegraph to get them to move forces in the field. This is the early stages of cyber war. In all the wars since then, there’s been cyber components. Now in this digital age, it’s ubiquitous, unfortunately.

Dave Bittner:

Take us through some of the other lessons that you put out there in the book.

Bob Gourley:

Well, a lot of the lessons are the same thing that you’re seeing today as you try to defend an enterprise, which is, you really need to constantly prepare yourself and raise your defenses all the time, keep things patched. You’ve heard this a hundred times — I know your listeners have, too. I hope you’re not boring them with this, but it’s like eating your vegetables. You’ve got to stay patched and stay on it. You have to make sure that you’re agile in your defenses. It’s just the most critical thing.

It’s amazing how many of these attacks start with somebody clicking on a link in a phishing campaign, or clicking on a link in a social media campaign. That just gives the bad guys a foothold. It’s just surprising how 85 percent to 90 percent of the attacks we see are coming in through those simple ways.

Dave Bittner:

Do you think we have a problem with incentives? I was speaking to someone recently and they made the point that the average worker in a company is not given a bonus based on adhering to security rules, they’re given a bonus based on getting their job done. When these security rules are a speed bump for them getting their job done, we have a little bit of a tension there.

Bob Gourley:

Right. We have several clients in the finance sector. Theirs is a little bit different because finance is all about trust. There they are incentivized to protect that data. I think there’s a lot of strong, strong security measures throughout the finance sector.

In other places, we have clients who are — no kidding — creating cures for cancer, and it’s so exciting to read about what they’re doing and to talk to these people. Their job is not to do cybersecurity, their job is to do something that you and I want them to do, which is find cures to a lot of hard cancers. Unfortunately, sometimes, that means they don’t pay enough attention to security. They get infected by malware, it shuts down a lab, and then they wake up to it.

We have so many clients whose job is, essentially, innovation. Innovate fast and faster and don’t let security slow you down. This is a tough challenge. There’s always ways to get just the right amount of security to not impede that innovation, and that’s the sweet spot we think businesses should try for.

Dave Bittner:

This is the Recorded Future podcast, so we want to talk about threat intelligence. What’s your perspective on the role of threat intelligence in a company’s spectrum of defensive strategies?

Bob Gourley:

Well, I think it’s important in three ways: strategic intelligence, operational intelligence, and tactical intelligence. Recorded Future and its many data sources are helpful in strategic intelligence because you can now brief executives, here’s what’s going on broadly, using very simple, easy-to-understand graphics that Recorded Future can present. Some of these are nice dashboards you can actually put an executive in front of and let them do some of the clicking. That’s very strategic and helps them think through major resource decisions, like what kind of funding do I need to put on security and how do I do that while still remaining innovative?

At an operational level, we see Recorded Future helping a lot of people make the tactical decisions. You read a vulnerability report. Do I need to take any action on it or not? Maybe nobody is talking about it. Maybe I don’t have any data that is vulnerable on systems that have that vulnerability. Recorded Future helps you through at that operational threat level.

Tactically is where it really pays off, which is, you have defenders in the fight right now who are trying to protect your most sensitive data, and they need to know who’s coming for it and what vulnerabilities they’re using, and what is the risk of that vulnerability and the exploit they’ve built for it of penetrating you. That’s my lens of looking at Recorded Future: strategic, operational, and tactical intelligence.

Dave Bittner:

Looking forward, as you look towards the horizon with the experience that you have, where do you think we need to go? What are the next logical steps for us?

Bob Gourley:

Well, there’s basically two kinds of people in the security community that have been doing this for a while. One is incredibly gloomy, and it’s like, everything is going to fall down around us, and the Internet of Things is going to steal all my data. The other kind is the optimist who says, “Man, we’ve just got to keep innovating. This stuff is great. It’s going to change our world. It is going to cure cancer. It’s going to extend life. It’s going to make us all wealthier with more leisure time, and we can all study poetry.”

I tend towards that more optimistic side. I love all this stuff. Let’s keep moving, and moving faster. Let’s invest more in artificial intelligence. Let’s figure out the magic of the blockchain that makes Bitcoin work and see how that journaling can help with security. Let’s figure out how to do encryption in data at rest and in motion, and let’s figure out how to put thousands of chips in everybody’s home in ways that improve their lives, but keep the bad guys out.

Now, the problem with both ends of that spectrum is the guy who says it’s all gloom and doom — it’s not all gloom and doom. The guy who says it’s all perfect, bring it all on. There’s going to be issues and risks that we have to deal with and mitigate. That’s where we have to find balance. It’s what’s going to keep all of us in this field busy.

Dave Bittner:

It seems to me like there are some things that lag, that have a hard time keeping up with the velocity of change in cybersecurity. When I think of legislation, and our legislators in particular, here in the United States, if you look at our Congress at the age of everyone, the age of the Supreme Court, these are not folks who are digital natives. How do we provide the protections that we need when our legal framework and the people we entrust with our legal framework might not be up on the technology? Is this not reflexive to them?

Bob Gourley:

Yes. I want to mention two things that have come up in our research and just observations. One is, unfortunately, this is a real problem. We have noticed this thing we call cyber threat amnesia, which is the tendency of an organization to forget the cyber threat as soon as you have mitigated the previous attack. As an example of this, in 1977, there was a report done by RAND called the Ware Report, which said in the growing age of computer connectivity, there’s an increased threat of attacks.

This caused a lot of change. It created the information assurance director at NSA, for example. It was widely seen as a wakeup call. Unfortunately, the wakeup call didn’t stick. By the time Morris Worm hit, people had forgotten about that. By the time the Hannibal hackers hit, people had forgotten about the Morris Worm lessons, and on, and on, and on.

By the time I was involved in it, Solar Sunrise was there, and the deputy director of the Department of Defense said Solar Sunrise was a wakeup call for the Department of Defense. The very next year, it was Eligible Receiver, and the secretary of defense said Eligible Receiver was a wakeup call for the Department of Defense. The very next year, it was Moonlight Maze.

Fast forward another 10 years, it’s Buckshot Yankee in 2009, which the director of national intelligence said was a wakeup call for the Department of Defense. We go on, and on, and on. The very next year, the deputy secretary of defense Lynn writes an article in Forbes saying the Department of Defense has had its wakeup call in cybersecurity. In 2011, Bob Butler says that Wikileaks has been a wakeup call for the Department of Defense in cybersecurity, so on, and on, and on, we get these wakeup calls and we forget about it. It’s the cyber threat amnesia, so that’s one thing I want to mention.

Dave Bittner:

Yeah.

Bob Gourley:

Another is, we go in and do an assessment of an organization. It could be a very big enterprise. We will assess hundreds of factors to help them build an action plan to get better, but one factor dominates all others. That is, does the CEO get it? Does the CEO care? If the CEO doesn’t care, all is lost. Forget it. You need to make that guy care. Help him understand why it’s important, or else nothing else matters. If the CEO gets it, he still may have a lot of hard work to do, but that one factor is over all of them. That’s a little bit of a cause for worry, but maybe some optimism, too, because more CEOs are getting it.

Dave Bittner:

I wonder if we’re heading towards that with cybersecurity, where it’s just part of everyone’s day to day. Just like you wash your hands, you take care of your personal hygiene — your cybersecurity protection hygiene is just going to be a part of what we all grow up with, knowing that it’s something we have to take care of.

Bob Gourley:

I hope so. We can dream, and that would be my dream and vision. I’d love for everybody to understand the importance of this technology and the cyberspace that we’ve created. Cyberspace is really just our interconnected computers, and everybody really needs to understand how these interconnected computers work.

Dave Bittner:

All right. Bob Gourley, thanks for joining us.

Bob Gourley:

Thanks.

Dave Bittner:

Our thanks to Bob Gourley for joining us. The title of his book is “The Cyber Threat: Know the Threat to Beat the Threat.”

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media with Editor John Petrik, Executive Producer Peter Kilpe and I’m Dave Bittner.

Thanks for listening.
