Thwarting Organized Crime and Protecting Major Telecoms

November 5, 2018 • Amanda McKeon

Our guest today is Dale Drew. He’s chief security officer at Zayo Group, a global provider of communications, colocation, and cloud infrastructure. Previously, he’s held leadership positions at some of the largest and most influential telecommunications companies in the world, including CenturyLink, Level 3 Communications, and MCI Communications.

He shares the story of his unlikely start in the security industry, sparked by a stolen family checkbook, which led to a position with the Arizona Attorney General’s office, working to fight organized crime and racketeering.

We’ll get his views on threat intelligence, and we’ll learn why he’s leading an effort to champion open source tools in the industry.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 81 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Our guest today is Dale Drew. He’s chief security officer at Zayo Group, a global provider of communications, colocation, and cloud infrastructure. Previously, he’s held leadership positions at some of the largest and most influential telecommunications companies in the world, including CenturyLink, Level 3 Communications, and MCI Communications.

He shares the story of his unlikely start in the security industry, sparked by a stolen family checkbook, which led to a position with the Arizona Attorney General’s office, working to fight organized crime and racketeering. We’ll get his views on threat intelligence, and we’ll learn why he’s leading an effort to champion open source tools in the industry. Stay with us.

Dale Drew:

I’ve been fortunate, in my career, that I’ve had a steadfast focus on security and cybersecurity since the very beginning — I’d say since even high school. My first cybercrime investigation was when I was in high school. My mother’s checkbook was stolen, or a set of checks that were delivered to her were taken from the mail. They only took a portion of the checks out of the box, so it took a while for us to discover. Law enforcement was not able to help much back then, and so … Gosh, I think I was a sophomore in high school, and I took it upon myself to conduct my own investigation. I took all the canceled checks and went to all the stores where those checks were cashed. Mostly they were cashed for cash. I asked the stores for video of the person cashing the checks. And I’d say, in most cases, they agreed. I was able to get a husband and wife that were cashing the checks. And in one case, the store manager recognized who they were and provided a name, and then I provided an investigation profile to the police and to the local FBI office, which then resulted in arrest. From that point, I was hooked. I was on task.

Dave Bittner:

Did they provide you with a shiny junior investigator badge or something like that?

Dale Drew:

Yeah, no, they were appreciative and encouraging and I took that feedback eagerly. And so, when I went to college there were no computer security degree programs. Cybersecurity wasn’t even on the lips of most people, so I went to a technical college to get a computer science degree. While I was there, again, I got a little audacious and I wrote a proposal for the U.S. Secret Service to create a cybercrime division and conduct cybercrime investigations, and I was going to do it as a school project. And in the proposal, I met with them — met with the U.S. Attorney’s Office — and that turned into a job offer, and that resulted in something called Operation Sundevil, which was like a two-year investigation. At the time, it was the nation’s largest cybercrime investigation. We did … Gosh, what was it? I think it was like 27 arrests in 23 states, mostly focused on credit card fraud and calling card fraud, which was rampant back then.

Dave Bittner:

So what was the state of cybercrime at the time? What was the state of the art? Computers were still relatively unsophisticated back then.

Dale Drew:

Yeah, and I’d say that it was truly the Wild West. The internet was not really taking off at that moment. The global data networks at the time were both modems, as well as these things called X.25 networks. And so, if you were a large company and you wanted to talk to customers, or you wanted to talk to other companies, you connected to these global X.25 networks. And X.25 is just a protocol, like how IP is a protocol. And so, from a law enforcement perspective, I was at the U.S. Secret Service and then I was with the Attorney General’s office, both doing cybercrime investigations.

And the state of the art was … That was essentially the “information needs to be free” era. And that’s where hackers were prominent, they were exploring, and the doors were relatively unlocked. Most companies either had modem banks that allowed their employees to connect them, or they were connected to these X.25 networks, and that’s how the bad guys would get in.

Dave Bittner:

So, you move on from there. What was the next step in your career?

Dale Drew:

Well, I then went to the Arizona Attorney General’s office. A little fun fact is that in the state of Arizona — specifically Tucson — at the time, Tucson had the largest number of retired mafia bosses — more than any other place in the nation.

Dave Bittner:

I doubt the Chamber of Commerce put that on their masthead.

Dale Drew:

Yeah, exactly. I worked in the organized crime and racketeering division, and we handled all computer crime investigations relating to organized crime and racketeering. At the time, in Arizona, for retired mafia bosses, it was drug running, and they would use computers to do all the books. It was what they called boiler room investigations, which is when they would call people and try to scam them out of money by selling them fake products, just to get their credit card and charge something to their credit card. And then, more traditional hacking — even then, they were dialing into hospitals and trying to either modify or take hospital records. And so, it was all those investigations — both the investigative part as well as the forensics recovery part. That was my primary responsibility there.

Dave Bittner:

I see. And then eventually, you shifted over to the telecommunications sector.

Dale Drew:

Yeah, and so, when I was doing Sundevil, we encountered this relatively notorious hacking group called Legion of Doom and another one called Masters of Deception.

Dave Bittner:

I remember both of those.

Dale Drew:

Yeah, they were based out of New Jersey and New York. They had a bit of a competition going on. They were laying waste to companies all around the globe, trying to demonstrate that they could hack more companies than the other group. And so, as a result, they were just rifling through as many companies as they possibly could, causing damage and vandalism and intellectual property theft. So, with Sundevil, we had touched on investigating those organizations and at the Attorney General’s office, I continued it.

But they had compromised a company called Tymnet. Tymnet was one of the large global X.25 networks and they had offered me to come in. I saw an opportunity to migrate to the private sector and stop cybercrime before it became a law enforcement problem. And so, that’s the path that I moved on. I wanted to be a lot more proactive, and law enforcement is a very reactive situation. So I moved into more proactive cybercrime and investigated the Legion of Doom and Masters of Deception through Tymnet. We were responsible for the arrest of both of those organizations after a two-year investigation at Tymnet.

Dave Bittner:

So you’ve seen this evolution on the telecommunications side, from analog switching centers, to this fully digital place where we are today.

Dale Drew:

Yep. Absolutely. It’s evolved quite significantly from being a playground for teenagers to being a highly commoditized infrastructure used by organized crime and nation-states for competitive purposes, and for intelligence gathering. It has significantly evolved and almost become weaponized.

Dave Bittner:

So what are your responsibilities these days at Zayo Group? What’s your day-to-day there?

Dale Drew:

I’ve been involved in the telecommunications industry for 27 years or so, and mostly focused on the largest of the large — those companies that own the largest internet network, the largest content distribution network. Mostly, just trying to get proactive on finding ways of protecting that infrastructure, detecting the bad guys, sharing that information with the community, and trying to curtail the happenings.

I now work for a company called Zayo, which is a global telecommunications company, and it has an innovative startup feel to it, which I love. So I’m taking that energy and using it not only to protect my bread and butter, the infrastructure, protect the company, but also, again, use those mechanisms to find a way to be proactive and share information with the industry. The company’s been gracious enough to allow me to do some of these things at the company’s behest.

But as an example, I’d say the first of the two things that I’m working on is an open source initiative. I’m trying to convert almost the entirety of our security architecture to open source, and build a use-case model that other companies can use. Whether they’re a global networking company like us or they’re a small company, they can use that model to get top-shelf, world-class protection at a fraction of the cost that they’re getting today by going to the 75 or 80 vendors that most CSOs have to manage to protect their infrastructure.

My objective is to bring top-shelf security to the masses and do it as an open source initiative. Not selling it as a product or a service, but trying to provide a guide for people of … You know, if security is your part-time job or your full-time job, here’s how you can get world-class security at a fraction of the cost. And so, I’m passionate about that.

I’d say the other thing that I’m focused on is trying to mature governance risk and compliance. That’s the emerging field in security right now. It’s not only the implementation of the infrastructure, but governing it and validating the effectiveness of that infrastructure — and that’s just GRC discipline.

In my mind, there’s absolutely no standard to it whatsoever. It’s the most ambiguous discipline that I’ve seen. It’s hard to get consistency and expectations for how you mature a platform like that. Different customers want different certifications, and they want different questionnaires. It’s hard to get predictability on how you mature your platform when you can’t build a single way of validating your infrastructure and showing transparency to customers. I’m going to be spending as much energy as I can trying to convince the industry to have a single way of doing that. That’s the ideal world in my environment — there would be a single security certification, maybe even with a bunch of addendums for different environments, but a single certification for everybody.

Because right now, the industry has about 16 to 18 industry certifications, and it’s all based on the personal likes or dislikes of a particular security organization. So you have to manage an infrastructure at tremendous cost in order to satisfy the transparency of customers.

Dave Bittner:

From your experience at those high-level telecommunications companies — you’ve worked with Qwest, you worked with Level 3, CenturyLink, MCI, real big names — are there insights that you can share for folks that don’t have a window into that world? What are the types of things they’re contending with today when it comes to trying to keep us all safe out there?

Dale Drew:

Yeah. I’d say that telecommunications companies are on a unique battlefront. Anytime that you have a company that sells a large shared environment, shared platform, that is the on-ramp and off-ramp for a lot of customers. The issue specifically is that you get both — your main attack vectors are organizational crime and nation-states.

I’ll give you a great example. If I’m an organized crime boss, I have two choices. I can break into tens of thousands of personal computers and modify those computers so that when they go to “mybank.com” it’ll actually send it to “evilbank.com” instead. That’s where the organized crime group has got a fake bank web page that looks like the “my bank” page. And it’ll ask for your account information and your name and password, and now they’ve got access to your account.

So I can either break into tens of thousands of computers and do that, or I can just break into a telecommunications company and modify the DNS — the domain name server — of their network, which controls resolving the address for anyone who is going through that network. So now, in one spot, I can manipulate the behavior of hundreds of thousands, if not millions, of users to go to my “evil bank” address. So that motivation is really, really high. And we’ve seen organized crime syndicates that have more people in their staff designed to go after telecommunications companies than there are staff in the security organization of the telecommunications companies.

And so, that is just a daily back and forth battle of them looking for ways to commoditize the actual network infrastructure. And then, same thing with nation-states. Nation-states use that infrastructure as a launchpad to be able to gain access to both companies and government providers, because that’s the network that provides that on-ramp and off-ramp access. So we’ve seen things like … And it’s silly things, but we’ve seen things like, I was working at a telecommunications company where we would pay attention to infrastructure bids, meaning, when countries or regional locations would ask for assistance in helping to reshape or rebuild their infrastructure — solar, energy, transportation, or whatever. Because whenever we saw a bid, a very large infrastructure bid, we would see countries participating in that bid process. You know, hire this company in the U.S. for your solar needs. Well, what happened is that nation-states would see those bids, break into those companies, steal their intellectual property, and steal the bid, and then do competitive bids using their own technology and shortcutting the bid process.

So we would always see a huge uptick in technology compromises and intellectual property compromises during things like infrastructure bid processes. Those sorts of things don’t naturally come to the attention of the average user, but are bread and butter for telecommunications companies.

Dave Bittner:

I want to switch gears a little bit and talk about threat intelligence and get your take on it. What part do you think threat intelligence plays in an organization’s attempts to protect themselves?

Dale Drew:

You know, I think that threat intelligence is playing a much more pivotal role, especially as that environment and process matures. I’ll give you an example. I recently came to Zayo, and I’m assessing the security environment. But the very first thing I did was, I subscribed to have a dozen threat feeds and analyzed those feeds in comparison to my environment to see if the industry was seeing any attacks coming from my infrastructure. And that provides a good checkpoint for not only validation that your security controls are working, but that it takes a community, it takes a village, to protect the internet.

I think that the direction that threat intelligence is moving in, and moving in very strongly, is this community effort of sending us indicators of compromise. So, send all these centralized collection points, these clearing houses. Send us your indicators of compromise. They’ll correlate it and then redistribute it out to everybody else, so everyone is aware of what attacks are currently happening in the industry, of where they’re coming from, so that you can subscribe to those and you can, for example, tell your infrastructure, “If you see someone coming from this compromised set of addresses, don’t allow my company to talk to them.” And things like that are providing significant inroads for companies to be able to protect themselves far above and beyond the capabilities of their existing infrastructure. People’s current security infrastructure is designed to protect just their environment with no knowledge of the rest of the world. It’s threat intelligence that provides the context of this world hacking platform and how it impacts your particular environment.

So I think it’s becoming much more critical, very mature, and I’m extremely excited to see that it’s growing and see its community orientation.

Dave Bittner:

Now, what are your thoughts on the best ways for organizations to dial it in? I’m thinking specifically of how you manage the spectrum of automation versus having actual analysts there. You know, butts in seats, taking a look at these things, and having them not be overwhelmed by the amount of data that’s being sent to them.

Dale Drew:

Yeah. That’s a good question because I think what happens is, when people think about threat intelligence, they think that they have to have advanced analytic personnel building behavioral algorithms, or doing threat hunting, doing all this correlation. And I think the nice thing about threat intelligence, in general, especially as an overall platform, is that there are essentially different stages of threat intelligence you can subscribe to and get tremendous value across those stages.

So as an example, I can subscribe to threat intelligence feeds that have been vetted in various degrees. I can subscribe to threat intelligence feeds, I can have some degree of confidence that those feeds have been vetted, and I can just feed that directly to my infrastructure and say, “I trust that the value of this data is accurate. Go ahead and block, based on what you see.” And I’d say with a 95 percent accuracy, I’m going to be comfortable that those feeds are doing their job, and just automatically protecting my infrastructure without any more effort required on my part.

There are other things where I’d say there’s an emergence of more-capable behavior analysis algorithms, which I’m very excited about. I’m a huge proponent and supporter of behavior analytics. And instead of the infrastructure detecting things that are bad, I’m a huge fan of the infrastructure detecting things that are not known to be good. So behavior analysis algorithms are starting to be able to model user and system behavior within your environment. Compare that to the rest of the industry so you get a baseline — not just for you, but for that kind of traffic everywhere — and then start to build a model to say, “This doesn’t look like it’s good traffic.” That still requires more advanced butts in seats to be able to act like a credit card company and call that person and say, “Hey was that you logging in from North Korea at three o’clock in the morning?” “Ugh, no.” Okay, that really was bad.

And so, I think the spectrum is broad, but I think that’s probably the strength of that environment, depending upon how in-depth you want to go, and how capable you want to go. They do nothing but enhance your existing capability and I think it’s growing and getting more mature, and I’m very excited we’re headed in that direction.

Dave Bittner:

I want to ask you to put on your prognosticator cap and look toward the future. Just from the big picture, where do you think we’re headed when it comes to cybersecurity? What are the tools we’re going to need to have? How are we going to need to structure ourselves as we go forward, to protect ourselves?

Dale Drew:

You know, going for the future, I’m going to focus just a little bit on the behavior, analytics, and threat piece, just for a moment, but I would love to see the Tesla of the security environment, for security practitioners. I would love to see that sort of behavior analytics and self-learning model deployed inside a security system, to be able to self-learn what is good and bad behavior, and not require so much analytical work on the backend to do validation. Those models exist, that capability exists, that logic exists. It’s deployed in other industries for other uses. I’d love to see it applied to the security industry. I think that that sort of artificial intelligence and self-learning platform would be a significant platform — to not only be able to detect bad guys, but eventually self-heal the infrastructure.

So imagine a platform that can monitor what applications you have, what dependencies those applications have, and what they use, and be able to compare that to new patches being available. It knows that the application of a patch won’t hurt your environment, hurt the availability of your environment, and just automatically heal the network. And other ones that know that it may hurt the environment, alert a user to say, “You need to do some testing before you deploy this patch.”

That kind of situational awareness and knowledge and self-healing, I think, would provide tremendous value to the security industry, and to the stability of corporate environments everywhere.

Dave Bittner:

Our thanks to Dale Drew from Zayo Group for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.