Cybersecurity Effectiveness Podcast


Mike Fabrico


Mike Fabrico is a security expert who worked for NASDAQ and has 20+ years of industry experience in implementing, architecting, and maintaining critical infrastructure networks.

Brian Contos:                

Welcome to the Cybersecurity Effectiveness Podcast, sponsored by Verodin. The Verodin Security Instrumentation Platform is the only business platform for security that helps you manage, measure, improve, and communicate security effectiveness. I'm your host, Brian Contos, and we've got a really special guest today. Joining me is Mike Fabrico. Welcome to the podcast, Mike.

Mike Fabrico:              

Hey, thanks Brian.

Brian Contos:                

Hey Mike. Before we get going, you've done a lot in your career leading up to where you are now at TrapX. You've been at NASDAQ a long time and in other organizations. Could you give us a little bit of background about the path you took to security?

Mike Fabrico:              

Sure. Yeah. So I built one of the first security operations centers for a very large commodities trading firm a number of years ago. Worked on some significant cases. One that stands out to me is an insider intrusion where they were actually social engineered to give up their password—not once, but twice. And then I got to work with the organization, local and state police, and the FBI on this, and handed it off to them.

Mike Fabrico:              

I had a really good opportunity to build the first security operations center at NASDAQ. I came onboard at NASDAQ in 2010. And from there it was pretty interesting. I got to work with a boatload of tools and meet some interesting people. And throughout my almost six years at NASDAQ, I had the opportunity to meet very interesting, young, innovative cybersecurity companies from all over the world and obviously the big NASDAQ brand name. So, I found that to be a real opener in my career and I'm very thankful for that.

Mike Fabrico:              

I did some testing in the deception space because I was heavily involved with Gartner's web application firewall Magic Quadrant. A number of months later they asked me to take a look at this deception space. So I did and I found it very interesting. I always liked honeypots. I was looking for solutions that can actually take early warnings and really achieve actionable events within a cybersecurity program.

Brian Contos:                

Mike, we've known each other for a long time and you've somewhat recently got into the deception space, you mentioned a little bit there. But what exactly is deception as it relates to cybersecurity? What's this field all about?

Mike Fabrico:              

Deception to me is trying to eliminate dwell time. Obviously we both know there's no silver bullet. So I want to take the average of 197 days to identify lateral movement or a breach and be able to flush those adversaries, attackers, or insider threats to the surface.

Brian Contos:                

So when you think about deception, you think about prevention and detection and response, deception actually does play a role in incident prevention, although I don't think a lot of people intuitively think about that. Do you feel the same?

Mike Fabrico:              

I'm not sure. Because I do speak to a lot of people on a daily basis and everybody's still thinking about, "How do I get my firewall logs correlated properly to my SIEM? And I gotta tech refresh my endpoint solution..." Things like that. So I keep talking about accurate breach detection at almost zero false positives and allowing you to trigger mitigation actions with your ecosystem, your investment in your cybersecurity tools and programs. Again, deception to me is not a tool, it's a strategy. And I think this strategy can align within the security stack itself.

Brian Contos:                

Sure, sure. Well, a part of deception is discovery. And what is it that you feel deception can do to help in that discovery process?

Mike Fabrico:              

I think building shadow network scans allows the discovery where we can ... somebody, I should say somebody discovers automatically: is this IoT, are these medical devices, all of these Windows, Linux, Mac. By being able to discover the operating systems within an environment, this will give a deception strategy the ability to deploy traps, to automatically camouflage these traps amongst the real assets, to deploy baits, right? So, I send you an email. You click on an email. Automatically without even knowing it I've elevated privileges. I've used that machine that now you've given me access to on your system. Now I can move laterally from there.

Brian Contos:                

Yeah. I know on the discovery side, certainly finding out where attackers are hiding in your network, which systems they're interrogating. What are some of the tactics that you're seeing people use to steal data or do other malicious things that deception is helping to address?

Mike Fabrico:              

Stealing data tactics, I'm trying to think high level. I'm definitely seeing more and more organizations be spearphished. I don't hear much about people plugging in USB drives. People are definitely adopting new technology, IoT, cameras, things like that. And they're being put on the network without being totally tested or hardened from a security perspective, and now they're being used as jump points within the organization.

Brian Contos:                

Yeah. I want to get back to that IoT point because I think it's really relevant. But before I do, I wanted to ask you about the MEDJACK 4 report that came out. I know quite a bit of infrastructure was built up behind that and it's really a pretty interesting read. Can you give us a little background about how that came to be and what it does?

Mike Fabrico:              

Yeah, sure. So I can't talk much about so much of the Dark Web and what we've gained, but somebody has paid us to have access by just simply throwing out credentials and VPN information on to like a Pastebin, and now we were able to look at an attacker coming towards a fake hospital environment. We had a blood gas analyzer set up in there. That blood gas analyzer was attacked. At the same time we were given records of patient information and we worked very closely with the organization to make sure that they knew that there was a problem and we had some of that information out on the Dark Web itself.

Mike Fabrico:              

We always find it interesting when I talk to hospitals and they look at what we've done by creating a fake hospital that looks, feels, smells, and tastes like a hospital, and very easily we can show how much collection of data is trying to be exfiltrated.

Brian Contos:                

When you talk about this, building this fake hospital infrastructure out there to look enticing to the bad guys, how long did it take before people started probing it and attacking it and trying to exfil data from it? Was it what you were talking about minutes, hours, days?

Mike Fabrico:              

So I was told a few minutes after their credentials were set out there on the Dark Web.

Brian Contos:                

Wow. Wow. And do you think that's pretty standard these days? As soon as the credentials are out there, the nefarious groups and individuals move pretty rapidly?

Mike Fabrico:              

I would say so, yes. I don't think this is a 13-year-old kid in his basement drinking Dr Pepper anymore. This is state-funded local government. These are teams that are set out to find this stuff. In my opinion.

Brian Contos:                

Yeah. And, of course, time is of the essence, right? You want to get the credentials before somebody else uses them and changes them, et cetera.

Brian Contos:                

Let's go back to IoT. You mentioned that a couple of times earlier. It seems like every time you're talking about cybersecurity with somebody today, IoT comes up. But where does the kind of deception play with sort of the IoT world at this point? Is it a big piece of that deception puzzle?

Mike Fabrico:              

Well, I think the big piece of deception, especially in IT/OT discrete manufacturing is SCADA, PLC, Rockwell Automation, Mitsubishi, Siemens. These are systems, operating systems that work within operational manufacturing that are not protected. You can't install the latest endpoint solution. I think IoT is a big play. And when I think about IoT, I think about red teaming exercises in particular environments that I've talked to CSOs where two hops on a printer, they gain information and now, again, they move laterally from a printer that's not secure, that has a lot of information, especially in human resources. I come. I'm a new employee. I give them a photocopy of my passport, my driver's license, social security, birth event, and so forth. And that stuff is on the machine. And I think that's a good way to gain intelligence.

Mike Fabrico:              

I think by deploying a deception strategy, like access cameras or Ricoh printers and such that look like the real thing, we want to entice the adversary to touch us. I use the analogy a lot in my talks where the adversary is inside a dark room and he or she's trying to find the light switch. There's a hundred light switches. At the same time we have you at hello. So you've touched us, we've gained a lot of information, and now we can provide that information back to the ecosystem within that organization or we can give the packet and everything from a log perspective for the analyst to review.

Brian Contos:                

Yeah, no, absolutely. It's a very interesting approach and I think it adds that extra layer of intelligence and context to things. Let's go a little bit deeper into that. A lot of people are talking about deception and then there's this term full stack deception. What exactly is that all about?

Mike Fabrico:              

Yeah. So deception, again, is the strategy. The full stack to me is, I think there's never one good way of luring an adversary into a trap. So if you think about the full stack, you think about breadcrumbs, tokens, artifacts that have been planted on a machine. So when the adversary gets in, sees something very juicy, credentials, financial information, it's all fake. That can be proxied to what we call a medium interaction trap. That's an emulation of an operating system, many operating systems. It could be a Crestron remote control system that's inside a boardroom, and we can put a fake one that looks just like it next to it because it has an IP address. It responds just like a Crestron remote.

Mike Fabrico:              

And then the third piece of this stack is our full OS honeypot. This is the actual real system. Emulations can have a hundred commands, but maybe the adversary is looking for the 101st command. It's not there. They think something's wrong, they move on. But at that same time, we can proxy the adversary to a full OS honeypot. That's when an organization's much more mature for a deception strategy. And that should be able to be facilitated between many different systems, be it physical, be it software like VMware, Hyper-V, KVM, AWS, OpenStack, Google, Microsoft Azure. So the deception strategy should look identical on-prem or in a cloud or virtual environment.

Brian Contos:                

So who's investing in this? Is this government organizations? Is it Fortune 500? Is it a mix? Is it mid-size companies? Where do you see the most rapid adoption of deception solutions?

Mike Fabrico:              

This is an interesting question, Brian, because I'm out there, like I said, a lot, speaking to a lot of people from hedge funds all the way to hospitals. I'm finding manufacturing adopting this. I'm finding small little banks, commercial banks, large banks, hospitals are definitely adopting this. So I think it's a mix. Where I would have thought like the big Fortune 500 companies and the big banks of the world would adopt it, I'm finding little asset funds are adopting deception faster in my opinion than some of the big guys.

Brian Contos:                

That really is interesting because when I think of deception, and I could be completely wrong, so correct me if I am, but to my mind comes scalability and there are so many other security tools. You mentioned earlier in the conversation, some people are just trying to get their firewall logs to their SIEM for God's sake. But with so many tools out there to consider, where do organizations find the resources to engage with deception technologies?

Mike Fabrico:              

Yeah. And that is some of the issue. When I go in and I talk about a deception strategy, people are concerned. They think about this multi-stack environment. They think about how many people it is going to take to deploy this. And I think you hit something on the head there when you talked about at scale. I've talked to a very large university in Boston that has many networks and their concern is scale. So if you think about a deception strategy and a platform such as ours, we give you the ability to scale at ease. So if you want to deploy one Cisco voice over IP phone or 255, literally on one subnet or VLAN, we make that very easy. It's pretty much one click and seconds later they're all deployed on that subnet and they're all responding. And now you have a plethora of camouflaged or commingled fake medium interaction traps amongst your real phones as an example.

Brian Contos:                

Yeah, that's really, really interesting. And I think, I liked the way you phrased that because I think everybody goes, "Okay, this deception stuff makes a lot of sense, but do I have the time? Do I have the resources and people that can actually make use of that?" And to your point, yeah, there [are] ways to approach that. So that's great to hear.

Brian Contos:                

Mike, as we kind of wrap up here, there's a question we'd like to ask everybody that comes on the show. And that's who's your favorite superhero or super villain and why?

Mike Fabrico:              

I got both. So my favorite superhero is The Incredible Hulk. Growing up in the '80s, I always watched the Hulk on TV. And I've always found it interesting and—

Brian Contos:                

Oh yeah.

Mike Fabrico:              

—I've followed Lou Ferrigno all my life. But yeah, no, so the Hulk is some superhero near and dear to my heart. It's almost like what we do in security when we really get pumped up. It's like, "Mr. McGee, you won't like me when I'm angry." So you won't like us security guys when we're angry either. And then the super villain, it's Lex Luthor. I always thought Lex Luthor was that classy guy, doing his thing. So I kind of have both.

Brian Contos:                

No, I love it. It's funny you mentioned Lou Ferrigno. The very first autograph I ever got from a celebrity was Lou Ferrigno. And I was about, I think I was probably five or six years old. I was with my dad and we were in Connecticut and I don't know, we're at some convention. There was a picture of Lou Ferrigno in the newspaper and he signed it. I still have it to this day, but I just think it's funny and I remember getting a Hulk Stretch Armstrong. I don't know. Do you remember those? The stretch Armstrong guys?

Mike Fabrico:              

I do.

Brian Contos:                

And they were filled with that like mystery green gel or whatever.

Mike Fabrico:              

Yes, I do.

Brian Contos:                

That was probably radioactive and toxic like 50 different ways. It would never be able to be sold today. But yeah, yeah. That's awesome.

Brian Contos:                

Hey, well, thanks so much Mike, and thanks to our listeners for joining. And be sure to check out other Cybersecurity Effectiveness podcasts, sponsored by Verodin.
