Ahead of the Threat Podcast: Episode Three - Chris Cwalina

On this episode of Ahead of the Threat, FBI Assistant Director Bryan Vorndran and FBI Strategic Engagement Advisor Jamil Farshchi speak to Chris Cwalina, global head of cybersecurity and privacy at Norton Rose Fulbright. Chris and his team of lawyers advise clients on how to minimize damage from sophisticated data breaches and cybersecurity incidents. Chris reveals why many companies have a false sense of readiness and security before a breach. He also talks about fostering a security culture and the importance of having clear lines of decision-making when it comes to risk management. At the start of the episode, Bryan and Jamil discuss trending topics like the Fortinet VPN zero-day, the extradition of the Phobos ransomware administrator, and the sentencing of U.S.-based co-conspirators behind the Bitfenix cryptocurrency exchange theft. Listen to Ahead of the Threat episodes, read the transcripts, and find related material at fbi.gov/aheadofthethreat.


Video Transcript

FBI Assistant Director Bryan Vorndran: Hello, everyone. This is Bryan Vorndran with the FBI, assistant director of the FBI Cyber Division. And joining me always on Ahead of the Threat is Jamil Farshchi, the chief technology officer at Equifax. We're going to dive right in today to our top three, which are the extradition of the Phobos ransomware administrator, the sentencing of the co-conspirators behind the Bitfinex exchange theft, and then the Fortinet VPN zero day. 
 
So, let's jump right in.  
 
Regarding Phobos—Phobos ransomware, and there's other names for it—but Phobos ransomware acts as a traditional ransomware as a service variant, which we've discussed here before. But, essentially, your malware developers are Russia-based or in Russia-protected countries, and then, the affiliates are, obviously, throughout the world.  
 
But, in this particular matter, the FBI was successfully able to extradite the administrator of Phobos ransomware. And some other names for Phobos are "8Base," "Banta," "Faust," and "Space Bears." Those are all the different names that Phobos always uses. So, the administrator, himself, was a gentleman named Evgenii Ptitsyn. And, he was—we worked with very specific international partners to secure the extradition of him. And he arrived stateside here on November 1, and—as you've seen on November 18—there's a lot of press around him. 
 
And I've talked to Jamil and others before that, one of the roles of the FBI is to always play the long game, right, amongst other roles. But always playing the long games does mean, to us, pursuing justice. And this is yet another case. It is exceptionally, exceptionally difficult for us to secure the extradition and to present an individual here in the U.S. court system, but that's a goal of ours and will always remain a goal of ours. So, Jamil, starting off with some good news here. 
 
FBI Strategic Engagement Advisor Jamil Farshchi: I think that's fantastic. And it's honestly—one of the things that frustrates me the most is how difficult it is for us to bring these folks to justice. And I mean, look: Maybe I'm wishing on a star here, but my hope is that it's something that as, you know, maybe the new administration could focus on, that we can put more effort behind is to use some, use whatever we have available to us to be able to bring these folks to justice. 
 
I mean, it's frustrating how many incidents, how many breaches we see all the time. And then, these folks just sit away cozy in wherever, whatever country they're in, and, you know, free from any harm from us. And we got to change the incentive structure. 
 
Vorndran: Yeah. And, you know, with all of these, right, we always see these same types of victims that, to us are off limits, right? We have children's hospital, health care providers, educational institutions, and American Indian tribe, right? Very, very specific victims that, you know, I think we would all agree just should be off-limits to suffer cyber intrusion. 
 
Farshchi: Anybody should, though. We should bring these people to justice. I mean: Look at them. Look at the picture behind my shoulder here: the FBI one, the attackers who targeted Equifax back in ‘17. It's like they're still doing their thing. I don't know. It'd just be nice to be able to bring criminals to justice more readily. You guys do all your work, all the hard work of figuring out, you know, out of billions of people on the planet who these specific individuals are. And then, we're just left to just play the waiting game, and, hopefully, they step out of their country into a jurisdiction that, where you can actually apprehend them. Just frustrating. 
 
Vorndran: Yep. No, no, I agree with you. And, as we talk about in here all the time, right, you know, the there's a couple key ways to lower your risk to ransomware. And those are the cybersecurity basics, which aren't easy, but they are the basics of, you know, essentially patch- and vulnerability-management, password management, air-gapped encrypted backups, right? Making sure that the entirety of your organization can do those things at scale.  
 
So, moving on. Another case about the judicial, justice system: so, the Bitfinex compromise. Bitfinex, back in 2016 and 2017, was one of the largest global cryptocurrency exchanges. It was based in Hong Kong. And there was a theft of the equivalent of about $3 billion in cryptocurrency. And through some great work by the FBI, we were able to identify the subjects. And those subjects are U.S. based, actually, which does continue to signal to everybody in our audience that part of the problem is here in the United States. It is not always a "other country problem," that there are individuals here in the United States doing this type of work. 
 
And, so, the first of those two subjects, Ilya Lichtenstein, was actually sentenced last week to five years in prison, a host of different charges that include wire fraud and others. But then, we're able to essentially successfully seize a large portion of the stolen currency, which I think is really, really important so that we can do everything we can to return it to the rightful owner. 
 
So, just another really good job by the Bureau. In this case, we worked very, very closely with the IRS criminal investigative division, who's a great partner of ours in the cryptocurrency space. And, just really proud of the investigators to bring this person to justice. And one more will be sentenced here in the near future. 
 
Farshchi: Two good ones! 
 
Vorndran: Yeah, to start off with good news today.  
 
Farshchi: Great to start off. Yeah, fantastic. 
 
Vorndran: Yep. So, we're going to switch gears here and talk traditional cybersecurity. And, Jamil, I'm going to go to you for this one. But, the Fortinet VPN [virtual private network] zero-day [vulnerability] that's all over the media. You know, certainly I'm just looking at an article from today, actually, from Security Week that talks about the potential links to APT 41 with this Fortinet VPN zero-day. But, you know, these zero-days come and they go. But, from a net-defense perspective—and somebody in your position—what is this cause you to do? 
 
Farshchi: I feel like this is opposite day today where, normally, I'm the more jubilant one, and you're giving the bad news. But it's me that's the pessimist. I mean, this one frustrates me. It's just vendors need to step up. You know, we are—we pay good money to be able to purchase these tools with the intent to buy down our risk. And then, you know, vulnerabilities get released. And, the vendors, in some cases like this, just sort of sit on their hands and don't deliver the patches in a timely fashion. And so, what you're left to do when you're in my seat is put in place compensating controls and, you know, cross your fingers and hope that nothing goes bad until the vendor actually steps up and does their job. 
 
We just have to do better. I know there's been a big push with Jen Easterly and CISA [the Cybersecurity and Infrastructure Security Administration] over the past several years to really laser-in on that one and incent and motivate, and the vendors out there to do a better job because that is a such a critical facet to our security. It's just not there yet. They got to step up their game. And, in the meantime, we're all sort of left holding the bag, doing the best we can to be able to mitigate that risk despite not having a pure-play solve for it. 
 
Vorndran: Yep. Listen, I mean, I'm going to reserve my comments to the broader leadership communication space. And I think you and I have been party to some really, really interesting conversations in this forum about what it looks like to lean forward with your customers. Whether that's because you suffered an intrusion as an organization or in this case, with a supplier. And, you know, my experience has been that those companies that lean in and communicate well with all stakeholders and all equity holders, generally fare the best in all directions. And so I'll leave my, comments to the, that matter on that.  
  
Farshchi: Transparency and sense of urgency. Those are the things that that matter most. But hey, before you transition off, one last thing. This past weekend, we saw Jake Paul fight Mike Tyson. I don't know if you saw that match? I did. Not the best fight in the world, but it was somewhat entertaining.

And this is maybe the weird way that my mind works, but, with weird associations, I guess? As I was watching that—huge fan of Mike Tyson. And like, as a child, you know, you always—I watched that dude and just crush everybody and how phenomenal he was. And you see him nowadays and you're like, "Holy smokes, you know, the years really do stack up," which they probably do for all of us, as I speak, is with my gray hair or no hair. 
 
But the weird thing that struck me was, man: No matter how good you are, how good something was back in the day, you know, time is going to catch up to you. And it just makes me think about all of the legacy assets that so many companies have and how these things used to be, you know, the best things since sliced bread. But, now, we're trying to cobble things together to secure them the best we possibly can. And that they may have been great at one point in time, but they are not anymore. And, you know, it's just—there's so many companies that have so many assets like that. 
 
And it's such a pain point for all of us. Like, we got to do our best to be able to make that transition. And when you think about things like business continuity, disaster recovery, preparedness, incident response, you know, taking those things into account—testing them—is absolutely critical. And, you know, I'm glad in the discussion we have here with Chris coming up in a second here, he talks in depth about that.

But, I don't know: In a weird way, I thought about that when I was watching that fight this past this past weekend. But, hopefully, for everyone out there, we're all testing our stuff and making sure that even the old things are still operating to a meaningful degree and that we've got our all of our bases covered. 
 
Vorndran: Great. Well, with that, we will go to a previously recorded episode. This episode is with Chris Cwalina of Norton Rose. So, let's go join Chris as he helps us get ahead of the threat. 

***

Vorndran: Welcome back to Ahead of the Threat. Joining us today is Chris Cwalina of Norton Rose. Chris, thank you so much for joining us. I'm going to pass it right over to you to give our audience a brief introduction. 
 
Cwalina: Yeah. Thanks, Bryan and Jamil. Great being here, and thanks for having me.

So, Chris Cwalina. I'm the global head of the cybersecurity and privacy team at Norton Rose Fulbright. So, we're a global law firm. We have about 100 lawyers that are on our team.

How I got into the space was a little more than 20 years ago. I was in-house counsel at a company that had a data breach, back when—before data breaches were sort of a known, everyday thing. So, this was at a time when there was only one law on the books from California requiring notice if personal data was was breached.

So, I was in-house when that happened. We hired a bunch of different law firms to handle all the different sort of pieces of what occurred to that company in the wake of the incident, including lawyers to help us with SEC [U.S. Securities and Exchange Commission] investigation, congressional investigation, and a whole host of lawsuits. 
 
From that experience, decided to take my show on the road, as it were, and try to develop a private practice. And that's what I've been doing for little over 20 years now. 
 
Farshchi: So, Chris: You, like the stuff that you've done, is extraordinary, I think. And I'm somewhat jealous of you, that you get to come in, breach after breach, and do all that and see all the most interesting things. I'm kind of like Bryan, in some respects, actually. So when a breach occurs, typically the first call should probably be to the FBI. But I think, normally, it's to you. And, so: Tell me how that plays out. Tell me what kind of questions you get asked. Sort of walk us, in the audience, through the sort of first stages of this whole process. 
 
Cwalina: Yeah, sure. I mean, and I would say, sometimes it's us—not always. We want it to be us. I think, often, you know, companies who have been through this before sort of know the drill and know what to do and who to call and in what order. I think, though, a lot of our clients have never been through an attack that requires a sophisticated level of response, and we often don't get the first call. 
 
And I think what we have found is, when that doesn't happen, a lot of mistakes get made in the early days. And, you know, in the early days of an incident, you know—first 72, call it—that's the most crucial. I think companies who do well are the companies that communicate well—clearly, transparently—early on. And when they don't get sophisticated, you know, experienced teams to help them right out of the gates, that's where they make mistakes.

But when they when they do get to us, how that looks, Jamil—I mean, we, you know, we immediately assess the situation and try to figure out, "What are we dealing with? Is it bigger than a breadbox?" That's a dated expression, but, you know, what do we think we're dealing with?

So, let's take a ransomware—which is, of course, quite common. So, if we're dealing with a ransomware case, first thing we're going to do is figure out what the recovery situation looks like. Have they been able to assess the damage? 
 
I'll just pause here for a minute because I'll say—and let you follow up—but, you know, it's often difficult to know exactly what we're going to do immediately because there's a lack of visibility.

And so, they don't know what's really happened. They don't know what was stolen. They don't know the impact to their backups yet. They don't know what their backups are viable. The bad guys try to destroy the backups, right? Like that's their M.O. [modus operandi].

So, when we first get called in, we're trying to get the lay of the land. We're trying to figure out, "Who have they engaged, and who do they need?" And then, you know, one of the things that, companies rely on me for—in addition to, sort of, crisis management and structure and putting governance over top of the incident response—they rely on us and my team to tell them who else they should call, including folks like Bryan, right? Like. so that's the advice that they're looking for right out of the gate: "What are we supposed to do?" And we help them develop that plan immediately. 
 
Farshchi: And so, who are those? I mean, having been through this myself: There's a lot; you can't do it all. You can't do it alone, right? You're not on an island in this case—or you're not going to be successful, if you are—so who are those key partners that you often times suggest these organizations reach out to, and you would—you presumably would—have hope that they would have established those relationships in advance of the of this bad day?
 
Cwalina: Yeah, but a lot of people don't, you know. I mean, I—look: I think that a lot of people think they're more ready to deal with incidents than they are. I mean, I think, you know, we have a large number of clients who have struggled with incident response, who have done tabletops and tried to prepare, but we found that that sort of thing often doesn't adequately prepare you for what's coming. 
 
But, to answer your question, the types of vendors: I mean, first, you're talking about a forensic vendor, you know, as you know, who's going to help you come in and investigate root cause and figure out what was stolen and what was impacted.

Second vendor, sticking with ransomware, is a recovery assistance vendor. You know, a lot, a lot of times, you know, on business-continuity, disaster-recovery plans, what we have found is: They always fail. They always fail in some degree. They don't always fail completely; there's a wide spectrum there. Sometimes, they just fail a little bit. Sometimes, they fail a ton. But we are quickly going to bring on recovery-assistance folks that—these are tech guys whose job solely is to figure out, "What is the situation, in terms of the ability to get back up and running operationally and develop a plan to recover safely?" That's a huge piece in the ransomware cases.  

We also will often recommend a threat-actor negotiator firm. So, that's another piece that we will bring in. Can talk about that if you like. Comms, communications assistance.

Let me just take a second on that one. You know, again: Most of our clients will have great, sophisticated comms and crisis-management teams. You know, most of them do. Most of these companies that get hit do.  However, comms teams generally—I'm speaking very much generalities here—but generally aren't prepared for dealing with what happens in a cyberattack, and it requires special communications expertise. There are little things there that companies can get wrong that can be very meaningful downstream and very impactful downstream if they don't get it right away. And so, comms is another aspect to this.

Law enforcement—so, I’m staring at Bryan now—so, obviously.  
 
Farshchi: He was waiting for you to say that. He's like, "Come on."
 
Cwalina: So, we're—no, we're big fans of—we, look: I've been working with folks, the FBI, for many, many years and, you know, I think some people less so these days. I think—and, Bryan and Jamil, you could comment this yourselves—but I think less so these days. But, in the beginning of my practice, people were kind of freaked-out about calling law enforcement.

"Oh, they're going to show up with the jackets and the, you know, in the morning, and they're going to take servers and they're going to, you know, do a bunch of stuff." 
 
And that's just not the case at all. That's not the remit. That's not their job.

They're here to help. Yeah, their job is to get the bad guys, yes. But, they're also to help the victim company, and we have found them to be very valuable. So that's just a rough list of the folks that we're thinking about, initially, when we're called. 
 
Vorndran: Jamil, I got to jump in. I’ve got so many questions. We're not going to have time here.

You know, I just want to build off of what Chris was just saying about what I consider these urban legends, right? Like of, FBI black Suburbans, raid jackets—you know, all these things. And that couldn't be further from the truth. 
 
When it comes to traditional cyber intrusion or cyberattack, you know, generally it's conversation over the telephone, a conversation over a virtual platform to understand what adversary you're dealing with. We obviously have threat intelligence we can share, to include, you know, negotiations on ransom demands and reduction rates and things of that sort. And people do still have these fears that we're going to come in and put our hands on keyboards. And, again, you know, I tell people: In my close to four years in this job, I know of that happening one time, and that happened at the direct request of the victim to safely preserve evidence by taking a set of servers offline for forensic integrity. 
 
So, Chris, I appreciate the opportunity to jump in. I'm going to build on this a little bit, though, here: Why is it so challenging for the FBI to get some non-privileged information out of the victim's environment on a timely basis, right?

So we talk about this a lot, right: The things that we need to do our job, right, are non-privileged things—you know, logs; you know, virtual currency addresses; vectors of intrusion— these types of things that, I think, most attorneys—if not all attorneys—would agree that they're facts underlying investigation. Therefore, they're non-privileged. Why is there a time delay getting those out of the environment? 
 
Cwalina: All right. So, this is the first time, like—should I really answer the why I think? Because I don't think it should be. I don't know the answer to that, other than to say, I think, maybe, it's because you're dealing—you know, when that happens, it's because lawyers don't know what they're doing. That's what I really think. 
 
Because there shouldn't be any reason that we can't give you information that isn't, that we're not going to sort of claim over privilege. I mean, mostly, you're going to want IOCs (indicators of compromise) and technical data, as you say, that isn't going to be something that we're going to be claiming privilege over.

Now, is there proprietary data or business confidential information in certain data sets that you may want? Possibly. But, in my experience—and that, could that be a concern? Possibly. But, in my experience, what the FBI has asked for and what they need is stuff that we should be able to provide—and do provide, in my cases, as quickly as we have it.

Now, there are some cases where we don't have IOCs or we lack visibility or we lack logs. 
 
This conversation could take so many turns, right? I mean: There are consistent evidentiary problems that we have in the cases that we investigate. From a gap perspective, you know, logging that we—I mean, Jamil, I mean—well, no: I can't ask you a question; I'm being interviewed.  
 
But the point I'm going to make is: I can't—it's hard for me to think of a case that we've had where we were completely thrilled with the complete visibility picture. I mean, there is typically gaps in that case. So, is that sometimes an issue for giving information to you? Possibly. But, to answer your question, I think it's mainly because it's people who are perhaps worried about something that they don't really understand what they're worried about. 
 
Vorndran: Yeah. So, I'm going to jump in and build on this. I mean, I'm looking at the list right now, as we have this conversation, right? The things we're most interested in, right?

Relevant log files on the network host, virtual currency addresses: Those two, I think we would agree, are time-sensitive.

Some of the others are not: attack vectors, accounts, and comms attributed to the threat actors—not the negotiation, by the way; IOCs [indicators of compromise]; TTP [tactics, techniques, and procedures]; and endpoints [physical devices that connect to and exchange information with a computer network]; number of endpoints affected.

And so, any of those—and I'm not trying to put you on the spot, Chris, but do any of those jump out at you as where an attorney or a victim would claim privilege, or do you think they're generally all considered facts underlying the investigation? 
 
Cwalina: You know, inserting any, you know, stupid lawyer caveat, you know, here, you know, maybe, or it depends, but no, the stuff that you just rattled off, I mean, by and large, we're not going to have an issue sharing that information. And in fact, look: The FBI can be helpful to us. It's not just, you know—it's not just about, you know—again, understanding your job is to collect, to have collections and files on the threat actors and go after the bad guys.  
 
But, I've had many occasion where the FBI has been helpful to us.

You have relationships with third-party hosting providers that the bad guys use and have been able to give us information about data theft that's been valuable, helped us get information on servers that was sitting there, being operated by, you know, the threat actors, and those servers get seized. And we've had good cooperation with the FBI in getting information about that. So, I view it as a bilateral, mutually beneficial sort of relationship. And that's my view. 
 
Farshchi: Bryan, I didn't realize you had such an axe to grind with the cyber lawyers out there.  
 
Vorndran: Well, Jamil, I mean, I've been an agent for 21 years. And, in this world, we get a lot of direction from attorneys. Right. And so... 
 
Cwalina: Well, I think that the way the lawyers grew up in this space, too, I think is part of the issue because I think, you know—going back to what I was saying in my intro—I think, you know, a lot of lawyers are sort of, you know, more privacy-focused, more sort of privacy lawyers, right? So they're they're focused on, "What data was potentially exposed, access stolen, and what are the laws that require you to notify?"

And, I think, because of the state breach laws that started and GLBA [Gramm-Leach-Bliley Act] and HIPAA [Health Insurance Portability and Accountability Act] and all the, sort of the framework in the U.S., it's sort of been privacy-oriented. And the lawyers were, sort of grew up, I think, by and large—with exception, for sure, but by and large—are privacy lawyers who sort of then dabble in—or, perhaps, in some cases, even pretend to be cyber lawyers. And I think cyber is a different thing and a different skillset.

You know, in our team, we have people who are privacy-focused, who are privacy experts and know all the privacy laws. But then, we have people who are more cyber-focused, cyber-trained, incident-response lawyers and just have a different sort of view.

So, when things like TTPs and IOCs are mentioned, they're not freaked out. They know exactly what that means, and they know that we're not going to assert a claim of privilege over a TTP, because there is no such claim. And so, we provide it. And I think it's, I think that might be part of it, is the difference between lawyers in this space. 
 
Farshchi: So with all due respect to privacy lawyers—
 
Cwalina: Who are great, and I have a lot on my team. 
 
Farshchi: Yep. And you do wonderful work. This is why Bryan and I wanted to have you on this podcast, because you truly do understand the nuts and bolts, bits and bytes of cybersecurity. And so like when you go into these, when you deal with these events, what are a handful of the things that you wish these companies had done in advance, had focused on that would help make this process (A) easier or (B) would have potentially allowed them to avoid the incident to begin with? 
 
Cwalina: Wow. Gosh, man. Great question. And you're going to have to probably cut me off, but I'll start with, it would be, if we had, you know, if I could pick, I would start with really thinking through self-critically where their gaps are and really trying to plan advance for a ransomware attack–but not just a tabletop. 
 
Like I said before, tabletops to me don't adequately prepare you for what's going to come, but what will is really kicking the tires on your BCDR [business continuity and disaster recovery] plan, really understanding what an eradication event is, and how are you going to go through that over the course of a weekend, for example.

Have you ever done full enterprise? A lot of companies have, I know, and a lot of people, if they're listening, will say: Don't we do that? And we've done that, and we've done it all the time. But if you're in the heat of the battle and you have to reset all creds, all service accounts, what's that going to do to your business, and do you know? How quickly are you going to be able to recover from backups? 
 
So, we have a case right now where the company thought it was doing all the right things, had backups. And one of the cloud providers, immutable. Not, they weren't impacted. They weren't touched by the bad guys. So, all is well and good, right? We feel like we're going to be able to recover. We don't need the decrypter tool. Well, when we got into it, we realized given the size of those backups, we were going to be recovering for months if we didn't use the decrypter. Now, you translate months to a daily loss of business, which translates to millions per day. Well, now you've got a different decision on your hands, right? 
 
But that company didn't realize that. They did not realize that it was going to take that long to fully recover if they got hit by a ransomware attack, which they did. So I guess to answer your question, for starters, but there's a lot there that you asked, because, you know, I have a general, I have a lot of general use, but one of them is I think companies think they're more ready than they actually are for an incident. 
 
I think they have a false sense of their readiness. I think companies generally, again, I'm speaking generally, I keep saying my theme song is generalizations, but I think companies also generally have a false sense of their capabilities and their cyber capabilities. And I think that's part of the, that hubris is part of the problem. I think people taking a real self-critical look and not being so worried about the scores that they have in their maturity assessments and what they present to the board and that sort of thing. They need to be able to take a real self-critical look at their program and be honest about it so that they can start tackling some of the gaps. That's how I look at it.  
 
And I think that, you know, the companies that do really well in response, everybody has incidents. You guys both know that. Everybody. Nobody's immune. You spend $1 billion on cybersecurity, you could still have incidents. It doesn't matter. The folks that have really thought through things, self-critically are the ones that respond like that and minimize the impact. 
 
Vorndran: Chris, I'm going to jump in here. I mean, you hit on, a lot of the valuable things there, but Jamil and I have interviewed, Aron Ain, who's the CEO of UKG Kronos. And obviously they went through a major ransomware incident, but Aron talks about this exact theme about trusting the audit committee versus really testing the judgments of the audit committee and the organization’s readiness and, Jamil, I could get this wrong, but, if memory serves, Aron talked to us about not having backups for the service layer but having everything else backed up. And that was a critical, organizational miss on behalf or that led to that.

But, you know, your comments are spot on. I'm just looking at my notes here in terms of, you know, Jamil and I have heard repeatedly, and I hear repeatedly in my line of work, that we thought we were ready. We thought we were ready. We thought we were doing all the right things. And I don't know why that false sense of security is there, but it is thematically relevant and continues to be mentioned in these types of recordings. So really, really powerful stuff, and I'm sure Jamil, you have some thoughts. 
 
Farshchi: But isn't it? I think, I think Bryan isn't, and Chris, too, I think part of it is the dark underbelly of cyber. Where we love tabletops and stuff like that, but I think most people that are in the know really recognize that, oh man, we haven't actually really tested this. And so this we probably have a meaningful risk here. 
 
People are just afraid or unwilling to raise their hand and say, you know what? This this is a problem. And then I think when you get up to the board and executive level, oftentimes those folks don't necessarily know the ins and outs. And so they're just taking the word of the security leadership or whomever and assuming that, okay, there must be we must be in a good place because they're telling me that we've done the testing, not knowing that a tabletop isn’t equivalent to doing a live test on a recovery. 
 
Cwalina: Well, I think CISOs [chief information security officers] do have a tough job because, you know, on the one hand, they need to come to the board and come to the C-suite, and they have to justify, their work and their progress, and they have to demonstrate that they've made the place a safer, more secure shop. It's their job. And they need to be able to communicate that which, by the way, I don't think CISOs, by and large, do a great job of communicating that. 
 
But we can talk about that, too, if you like. But on the, so they have to do that. And then on the other hand though, they have to be able to convey risk. And I don't think they do a good job of conveying risk very well. Then you do the flip.  
 
So, you talked about the underbelly. I mean, then you talk about the board, right? Like you said. And I think it's, what's, I've noted in my career is that or what I, what I mean is what I've seen is that, you know, boards are really, really good at holding management’s feet to the fire on every major risk in a publicly traded company. They're really good at it. They know the company in and out. They know the finances, they know all the risks, and they can really, really, they have a harder time with cyber I think. Again, I'm speaking generally. There are some boards that knock it out of the park. I'm speaking generally for sure. All my clients of course, knock it out of the park. 
 
But what happens to Jamil, to your point, like what happens though is like, so the CISO will come, you'll present, and the board has done a little bit of digging. Maybe they're on a company that's been hit before. Maybe they have some experience from, from prior matters. But generally speaking, you present, maybe you get a question or two, but when you give that answer back, you probably aren't getting too many. 
 
Well, I shouldn't say, individually, I know you're, you've spent years and years building your program. But the point I'm trying to make is generally CISOs present to a board. The board will ask a question here and there. How are we doing on vulnerability management? Okay. That's a thing. They've heard that. So they and then the answer is given. 
 
And then that's it. Right. And so and that's what I think is missing is that more deep dive, more deep knowledge so that you can really, so the board is really equipped to really press on some things. On the flip, on the flip side of the coin, I think CISOs can be, should be more comfortable saying what's really going on at the organization, to the boards that they're reporting to. 
 
Farshchi: I think you hit the nail on the head. I also would say that the difference, at least in my experience, between the boards that go multiple layers deep and the ones that don't, really boils down to almost exclusively one thing: Have they been through it before? Because of the companies that I work for, I tend to get ground to a pulp because I, you know, because they've experienced it, they know how painful it is and they know the space now. 
 
But the organizations that haven't gone through that typically aren't nearly, at the board level at least, aren't typically as adept. And therefore, there's not as much scrutiny necessarily. Again, I'll use your term, "generally speaking." But I think that that largely applies. 
 
Vorndran: Hey Jamil, you know, with you're experience and what you just said, when you look at placement of individuals on boards, do you see an organization or a trend, I should say, across perhaps multinationals or fortunes, where there are better questions being asked by boards who have not been through it because they have brought the right skill set into board director positions, right? Or does that remain a gap? 

Farshchi: I think, well, yes and yes. I think yes, you do see that. But it is slow coming that people with cyber expertise are being are being placed on boards as directors. It is happening, but I mean at last count, I was talking to someone the other day about this. I think there's 10 CISOs that are on boards of directors within publicly traded companies in the in the US, at least right now. 
 
Now, that's a big improvement over, I don't know, three years ago where there was probably maybe one or none. So there’s improvement. I think the SEC regs have helped sort of push a little bit more emphasis in this area. But, man, we have a we got a long, long way to go on that.  
 
Vorndran: What does that say to like, okay, so we're talking traditional cyber intrusions here with this kind of conversation with the board. But what does that then do to all of us when we start overlaying AI, ML, quantum, post-quantum in terms of preparation? I mean, I would think that the situation just gets a little bit worse and worse. But what are you seeing kind of in the trenches with companies from an AI perspective? 
 
Cwalina: Yeah, I mean, I have the same, I say the exact same thing, Bryan, I think AI is just going to continue to make things more challenging and worse for companies, not better, at least not immediately. Maybe that changes over time. But right now what we're seeing is AI is challenging. I mean, we have a case right now. Well, of course, this is quite common now, but the AI wire fraud is becoming increasingly sophisticated, increasingly good, and increasingly difficult to stop and spot. 

Farshchi: Is this the AI voice cloning you're talking about? 
 
Cwalina: Yeah, exactly. Exactly. I mean, we have one recently. Now, one of my clients actually recently did stop it. They did spot it and did stop it. And it was voice cloning of the CEO. They were able to catch it. But we've had others not so lucky. And I think we're seeing just the tip of the iceberg. I mean, if we know anything, right? If we know anything, we know the bad guys are well-funded. And, they have a lot of time to develop things and, they continue to develop over time. Right? We've seen the bad guys continue to do this over the last 10, 20 years, and they're going to continue to. So I think it makes it more challenging, at least out of the gates. 
 
Farshchi: We talked to Kevin Mandia just recently, and he said that risks that you just highlighted, the voice, the AI voice cloning is the number one, in his mind, the number one emerging threat that all companies face. 
 
Cwalina: And, well, I think I… 
 
Farshchi: It’s hard for me to argue with him. 
 
Cwalina: Well, I think the too, is this again, you guys are smarter than me on this topic. But I mean, to me it's like our last bastion is this sort of, is identity. So, we're all relying on identity, right? What does that mean with, with AI development and circumventing, I mean, we know the MFA [multifactor authentication], MFA, MFA 
 
Well, I mean, I still have clients who can't get MFA right, by the way, and can't configure it right. And don't enforce it and still have problems there. Okay. Much less the fact that even properly implemented, it can be walked around. And so and isn't that going to become more, more difficult and challenging? And so, you know, I when we're talking about an arms race, it seems like the bad guys keep winning. And that goes back to, okay, that goes back to this issue, I think, which is and I don't know exactly what you meant about ‘underbelly.’ I would love to explore that more because I am certain I am going to agree with you.  
 
The, one of the problems I see so much is cyber is an expense. It's an expense and it cost a lot. And CISOs again, generally, this should be our theme song ‘generally speaking’ should be the title of our thing. Generally speaking, CISOs aren't great at saying I need X, Y and Z. I need this amount of dollars. And this is why. It's hard for CISOs I think, again, generally to do that. 
 
On the flip side, it's easy for CFOs to say, ‘ncan't give you that. We've got tons of insurance. So, we're mitigating our damage anyway. We think we're doing pretty good,’ you know, that kind of thing. And this is the this is the sort of disconnect, I think that happens at that level when we're talking about what's really needed to improve and secure a program. Because, Jamil, you'll know, if you put the time, effort, resources and money into it, at a significant enough level, you are going to be at that up level for an attack and an intrusion. 
 
Are you ever going to be 100%? Never. We know, of course, no one would ever say something so crazy. But you know, though, that if you do put that effort there and time and resources, you're bringing down the odds a lot. And I think companies struggle with that. 
 
Vorndran: So, Chris, you're talking about AI there for a minute and Jamil mentioned the voice cloning that Kevin Mandia raised. On our side, we saw an explosion, I think the number of spear phishing attempts we've seen have gone up by over 4,000% in the past year, because when you look at the capability of ChatGPT and these other engines, right, you know, non-Native American speakers, right, can now generate spearfishing through those bottles at a much more precise and efficient level. And so, you know, the old is the new again into in terms of tried-and-true vectors of attack. And the scalability of them is higher. And so it is a, you know, from a business perspective, it's a fascinating ecosystem to understand about how all these things tie together. But it's a brutal ecosystem to try to collectively defend against, and in my world, to disrupt, at scale. 
 
My question, my next question is in more building on the same. We've talked a lot here about organizational culture, and that's something that Jamil and I continue to hear more and more about. And so one of my analogies would be, ‚Äòhey, buying a Lamborghini is fine, but if you don't have a road to drive it on, it's going to be kind of useless, right?’ And, you know, we hear in the industry tools, tools, tools, right? EDR (endpoint detection and response), EDR. But it seems, from what we consistently hear, without the right security culture in place, the value of those other tools is vastly diminished. Just can you talk to us about your experience, about the right culture, what you've seen? 
 
Cwalina: Yeah, totally. And EDR is not a panacea, right? I think that's a great example of companies who rely on EDR, solely, or I shouldn't say solely, but way too heavily. I mean, how many cases we've had in 2024 that have been lit up with ransomware, where EDR and the well-known very good EDR was in place? Lots. So EDR is not a panacea.  
 
That culture thing, what I would say is, you know, I would agree with the other folks you've talked to on that. I mean, I always talk about the problem at sort of a macro and a micro level. And, and the macro level being that governance, that governance issue. And it's almost like you have to have leadership that's found religion and buy off on this, because if your CEO, though, isn't that… like everybody takes command from the CEO and everything funnels down. Right? So if your, it's really basic, but if your CEO says this shall be and this is our focus and this is what we're going to do, then it'll happen in a company. And that's what's needed. So by culture, that's where it has to start… board, CEO, and then funnel it down and make cyber a priority. 
 
One of my theme songs is it's a team sport. It requires a lot of different people with a lot of different areas of expertise. Like folks like us, from the legal side, folks like Jamil, from the technical side, Jamil is a CISO who has both sort of the governance side of things nailed down, the communication things nailed down. But he's also a tech guy. You know, those CISOs are a bit of a unicorn, I think. Yeah. You like that, Jamil? 
 
Farshchi: I just love it, man. You can just keep talking. Yeah. Oh, my ego is... 
 
Cwalina: So. But those CISOs are hard, right? Because some CISOs are on the communicating political sort of side of things but don't have that tech job. But yeah, listen, governance failures, let me just make one comment, Bryan, sorry. Let me give you an example and bring it home a little bit. So what do we mean? Sure. Buy-in, culture, CEO, this is important. This is important. Yeah. Everybody gets that. But what's another thing I'm talking about? I'm really talking about risk management. And how is that dealt with and communicated and who's accepting? And that's one of the biggest problems, I think, for companies because historically, you know, the information security team in a sort of in a pillar, somewhat isolated, maybe IT is over top of it, maybe a CIO, that kind of thing? 
 
But if you've got… so here's, let me give a practical example to bring this example home. If you have a server sitting in some part of the world with an application that's end of life and you're not patching that system because you're worried about the application breaking and you're worried about what that's going to do to the business and the business impact.  
 
Well, who's making that decision? Who's making the decision? We're going to let that system go, and we're not going to patch it because we're worried about it. Well, I've been in front of boards where they will say to me, ‘wait a minute, you're telling me that this server that was sitting there was that was a part of a business that we don't care about and was only X dollars And you're telling me that somebody made a decision somewhere to say that that's going to remain unpatched? And now you're telling me we have an incident that's cost us north of $100 million? Is that what you're telling me?’ And so that sort of, how are risks dealt with, communicated, adjudicated. And who gets to sign off is critical. You cannot have fox guarding the hen house. So how you set up that structure-- I think companies, generally speaking, could do better to evaluate how they're set up there. I hope that makes sense. 
 
Vorndran: Oh, yeah. 

Farshchi: Very much. Yeah, very much so. You and I, Chris, you and I, I know we're both passionate about communication, and you have a ton of experience speaking. I mean, I know you speak to boards all the time when you do your just day to day. What advice would you have for CISOs to be able to up their game and be able to be more effective in the boardroom, which would then lead to a lot of the stuff that you were talking about, which is being able to get the budgets that they need, being able to articulate the risks that the organization is truly facing, and so on and so forth? What would your advice be on that front? 
 
Cwalina: Gosh, that's a great question. And I think, you know, we provide training for our, you know, we provide training, for CISOs and, you know, but generally speaking, that was a little plug there, I guess. But generally speaking, I think, they got to be more willing to be honest, and upfront about stuff. 
 
I'll give one example. You know, if well, I don't want to give brand names, but if I see another, you know, CISO, go to the board and give an external score, from some company that gives external scanning and gives a score and uses that to say that they're good with cyber and compare themselves to industry, and say, well, ‘look at we are... where we are with this external score. Look where we are.’ I mean, that person should be walked out the building, in my view. That is not and they should know that. They should know that that is not indicating risk for our organization. That's not telling us anything.  
 
And so let's start there. Or let's start with, you know, the NIST (National Institute of Standards and Technology) assessments or other assessments that are done in the maturity score rating, which again, I'm not anti-NIST assessments. 
 
In fact, I'm a big proponent and supporter of companies doing those assessments, because I think to me, yeah, you need to have those frameworks. You need to have controls you're measured against. You need to do that. But let's not rely, over rely, on what our score is from one vendor who came in and gave us an assessment of a 3.2 as an average over all of the domains to say that you're good, like, let's not do that and let's not communicate that way. 
 
And so I think let's use those things as what they were supposed to be for and intended for, which is to communicate where you are, but more importantly, where you need to improve. And that's I guess that's my advice, JamilI mean, I'm just tired of seeing there's so much B.S. in this space that makes you makes you crazy and that to me is one of the biggest‚Ķ 
 
There's so much misinformation and people saying, you know, everybody's an expert. It's so… and I think people just need to take a breath and be like, all right, this score that we're showing you, you've asked for it, because sometimes I've talked to CISOs and they’re like, well, our boards ask for it because they were at another board and they saw this score and they were asking us to give it. Okay, give them the score and then tell them how meaningless it is. 
 
Farshchi: Yeah. I, you know, I'm a fan of the, the maturity scores. But here's what I use them for. I always use them right at the beginning when I first start at an organization. But I use it as a mechanism to be able to help visually articulate my strategy based on where our gaps are and say, okay. 
 
And then it also helps you from a temporal standpoint to be able to highlight, okay, these preventative controls typically take longer to implement, more expensive, and they're harder. And so this this we're going to lag a little bit here guys. But you know what? We're going to bolster our detection and response aspects early on because this is easier. It's not intrusive, and we'll get it, We'll get a good lift here. But then later on we're going to be able to bolster these areas. For me, it's a, I use it more as a communication tool and sort of a culture building one as well because if you continue to ratchet up the score, it helps build morale of the team as well. 
 
So I think there's some there's some good uses for it. But unquestionably, if you're going in there and you've convinced the board that this is the end all, be all, and this is the basis for how you're making decisions around risk, then that's a huge fail. 
 
Cwalina: And I think… 
 
Farshchi: The ones that come in and say, hey, ‚ÄòI have an external that..’ I know exactly who you're talking about here… 
 
Cwalina: Yeah. 
 
Farshchi: ‘I have this external scan that's done, and here's my score. I must be fantastic.’ Also, just…well, and you got on me earlier. You said, ‘hey, I’d love to hear more about the dark underbelly of security. What you meant, Jamil.’ You already started to highlight a lot of those things just in that alone. 
 
Cwalina: Yeah. And I think how you articulated how you use scores is spot on. That's…they're meant to be communication vehicles, and they're meant to sort of show what you should be focused on and where you can get that bump. So I we're in agreement there.  
 
Let me give another example where I think this might bring it home is, you know, vulnerability management is an area that everybody struggles with. It's hard. It requires, you know, it's not just a CISO, right? You have a whole team, whole a technology department. That's going to be you're going to be reliant on, you got third parties you're relying on for scanning. It's a big thing and it's a problematic thing. But I don't think again, generally speaking, CISOs are not conveying well enough what their challenges are with vulnerability management. And I think they could do a better job of that, you know? Explaining to a board what authenticated and authenticated scans are and why, you know, if we don't if we don't look at this level, we're only going to see part of the picture.  
 
By the way, these are just the assets that we know about. We have a problem with assets we don't know about and like explaining that stuff instead of just showing green on a screen. 
Green for we're doing great. That's where I think CISOs, back to your question about what I think CISOs should be doing, they should be really, really pulling that threat and stop being so worried about presenting such a great picture of progress. I get that CISOs need to do that, that’s their job. They need to show that they're doing… and the team morale, by the way, not unimportant. You've got a team that you're in charge of. That's the hardest job in show biz. I mean, you've got folks, you know, your front lines of folks that are on that's in that SOC (security operations center) and your Threat Intel people and all that stuff. I mean, that is hard, grueling, 24/7 work with folks that aren't getting paid a fortune. And they are the frontline. So that morale is important, too. I just think that, CISOs being more up front, about where they are is the best place to start. 
 
Vorndran: So I'm going to jump in here and bring this to a close, because we're out of time. Chris, some of your statements there at the end are fascinating to me. Spot on, by the way. And I wish we had more time, to be honest with you. One of the things you ended there with, which is: here's the assets we know about, here's the assets we don't know about, right? What is our technical debt within the assets we know about? What is, you know, the variability in the technical debt on the things we don't know about? It doesn't even bring into the conversation software bill of materials and perhaps persistent vulnerabilities, the complexity of patching, right? I mean, I go back to Log for Jay, right? And I do believe that the majority of America sees these vulnerabilities as the equivalent of putting a band aid on, and we're good to go. But when you look at the operational disruptions to, essentially, effectively remediate, and patch. Righ? I mean, there's huge impacts to downtime. And I feel like we could have a whole another 40 minutes on that, but we don't have that time. 
 
So, Chris, I just want to really thank you for your time and your insight. It's just obvious to me and to our audience how deep you are in your understanding and just want to say thank you for allowing us to get ahead of the threat with you and, wish you good luck in the future. 
 
Cwalina: Yeah, thanks very much. And I'm always happy to come back. Feel free to… 
 
Farshchi: Chris, before we go, I just want to reiterate three quotes that I literally wrote down from you. Just from this discussion that I think are really important. ‘Hubris is part of our problem.’ ‘We all have a false sense of readiness.’ ‘And BCDRs always fail.’ 
 
Cwalina: Great. 
 
Farshchi: Three quotes from Chris. But I think– 
 
Cwalina: Well, at least I didn't curse. 
 
Farshchi: They are spot on. So hey, I really, really appreciate your honesty and candor. And enlightenment, throughout this discussion. Huge thanks, Chris. Thank you. 
 
Cwalina: Thanks, guys. All right. Bye bye. 
 
Vorndran: Well, Jamil, the more and more we go through these types of interviews, in these conversations with people like Chris, the more I realize that perhaps the biggest beneficiary of this endeavor that we've taken on is me. Just learned so much from Chris. What a great communicator. What a person with great perspective. You know, I'll let you talk through some of the key takeaways, but to me, one of the key takeaways continues to be how important it is for people in the technology stack of an organization to be able to communicate in a way that people understand. 
 
And we heard this from Kevin Mandia as well. You know, these questions about how do we know we're good at cybersecurity, how good are we? And asking the right questions are just so important. So what are your thoughts? 
 
Farshchi: First, I love Chris. I mean, the guy is just a consummate pro, and he knows. his space backwards and forwards. And I love how transparent he is. I just love people like that who are willing to say it how it is, I mean, and to that end. Let me just list off some of the a couple a few of the quotes that he laid out on us. 
 
Number one, hubris is part of our problem. I couldn't agree with him more. I mean, it's spot on. We oftentimes feel and espoused that we are far better than we than we actually are. Number two, we all have a false sense of readiness. I mean, this speaks to the point you were just making there. But the fact that Chris calls it out directly and he sees it day in and day out, like that's his role coming in there and feeling like looking at the stuff and going, man, you were not ready for this event. And then finally, BCDR: business continuity disaster recovery plans, always fail. I don't know. 
 
We talked a little bit about the, you know, the dark underbelly of security and some of this kind of stuff, but the net of what he's saying there is completely true. You know, it's one thing to go through and do a plan and exercise on the on paper, it's another thing entirely to go through and actually test your systems. You know, shift over traffic to be able to test that if it actually works. And the sad, scary reality is that many organizations do not go to that length. And so when the bad thing does happen, they're often caught very, very flat footed as a result. 
 
Vorndran: So what you're saying on that last one is paper practice versus real practice. Right? Paper practice is going to fail you. The real practice will help you. 
 
Farshchi: It’s true. And look, one of the key things I think that I've learned throughout my career is that you play how you practice. And so if you, if you practice in a, in a very poor way, ineffective way, then you can expect that's exactly what's going to happen when you actually get on the field against the competition. 
 
Vorndran: Yep. Well, listen, everybody, thanks again for joining us on “Ahead of the Threat.” We hope you've enjoyed your time with us. We know we certainly have. And we'll look forward to seeing you next time. 

Video Download

Video Source