Kevin Mandia’s 10 Boldest Remarks On Thwarting Cyberthreats

Mandiant CEO Kevin Mandia discusses why implants are fair game for cyberespionage, why criminals have more access to zero-day attacks, and why he expects fewer ransomware attacks five years from now.


Light At The End Of The Tunnel

The frequency of ransomware attacks will be lower a half-decade from now as victim nations limit the ability of hackers to get paid via cryptocurrency and successfully apply pressure on Russia to stop harboring cybercriminals, according to Kevin Mandia, Mandiant’s CEO and board director.

Zero-days are increasingly in the hands of cybercriminals rather than just nations as hackers invest part of their proceeds from ever-growing ransom payments into coming up with new and more sophisticated attacks, Mandia said during an interview with CRN as well as a keynote address to the more than 4,000 in-person and virtual attendees of the Mandiant Cyber Defense Summit 2021 in Washington, D.C.

As large enterprises get better at quickly detecting zero-day attacks, Mandia said, adversaries are turning to implanting malicious code in the software those enterprises obtain from third-party suppliers as an alternate point of entry into the business. From why implants are fair game for cyberespionage to why enterprises must scrutinize the risk profile of their suppliers, here’s what Mandia had to say about the threat landscape.


10. Everyone Will Eventually Get Hit If There Are No Repercussions

If there’s no risk or consequences for the folks doing it, your day will come where you’re sitting in that chair. It happened to FireEye at the end of 2020 when we were in fact victims of an intrusion. And then you look at the ransomware increases; we’re getting to a moment that has urgency to it.

I think General Nakasone said it very well in his testimony in May [before the House Armed Services Committee about building cyber capabilities at the Department of Defense]. He said, ‘Cybersecurity is national security.’ I think he’s got that right, and all of us have a role in defending a nation.

How do we all align to the urgency of the moment? How do we take technology process, diplomacy, private sector and public sector and create a coordinated response to start showing real deterrents, real risks and repercussions, so that our daily lives as practitioners aren’t just playing goalie?

So I feel the urgency of the moment; I’m actually excited about it. And for those of you who have heard the security calling, you can feel it as well, and we can collectively change the game.

9. There’s Finally A Coordinated National Response To Breaches

For the first time in my 28 years, we’re going to see more of a coordinated national response to security breaches. And that is important because that will impose risks and repercussions to the criminal actors in a big way. And on the cyberespionage side, they probably have far greater visibility into what’s going on when.

And now we take a huge leap of logic right now to tell you what happens after a coordinated national response. It is the coordinated global response. That warped your minds, but I’ll tell you why it matters. The internet connected all of us. We all have to defend it. It’s that simple. And we have to get international relationships and make that happen.

You will see a national response to breaches and incidents because we’re solid in 2020 and 2021. And you’re going to hear from the people over the next few days who are going to make sure we have a coordinated national response, and we’ll work on a coordinated global response. I thank all of you for hearing the security call, and for recognizing that defending cybersecurity is defending a nation.

8. Companies Must Scrutinize The Risk Profile Of Their Suppliers

We’re a supplier. We have to answer those questions. And it’s gotten harder … we have staff that only answer questions when we get them. Prior to COVID, people started showing up and saying, ‘OK, we’re going to walk the halls. We want to meet your people. We want to check things.’ And that was the financial services; we had a couple of banks that literally showed up.

I don’t think we’re there yet for a lot of folks. The questions that the suppliers are going to get are, ‘Are you thinking about security? What are you doing about it?’ It’ll start the same way it started for us, where you may have to answer three pages of questions, then it goes to five pages, then it goes to nine pages, then you can’t answer one of the questions and you have to research it.

And then people start showing up. That’s the progression, and we got to the showing up and auditing us probably three or four years ago. If a company wants to secure its supply chain, and their risk profile is of that height, I think it’s worth it, because then they know their suppliers. A lot of folks don’t even know their suppliers.

We did the drill at FireEye a long time ago; we tried to figure out who our suppliers were. We just had to go into the financial office and say, ‘Hey, who are we paying?’ just to figure that out. In fact, most companies never meet their suppliers face to face. You buy from them. You use their stuff. And it’s important to meet your most important providers face to face. Understand their risk profile.

7. Hackers Will Increasingly Hit Small Suppliers Of Large Enterprises

If you are a large defense industrial base or large system integrator, you have a security staff, and you have folks on it who are very experienced and who, over time, will diagnose that they have a problem. You hit some of the smaller providers down here, and they may not have the infrastructure to detect or respond to anything. If you hack some of the supply chain, they won’t have that infrastructure.

If a supplier is compromised, you may never figure out where the real intrusion came from. You never get to systemic cause and that’s why regional providers of IT support and security over time will be targeted more frequently because you just build your way up. If you want to hack the 1A enterprise, just start here and work your way up. And it will be effective.

FireEye may have shortened the SolarWinds attack by several years by detecting it when we did. But imagine you’re hitting somebody that doesn’t have those resources. How long would that zero-day remain undiscovered? A very long time, if not forever, until it’s used somewhere else, or somebody finds it over time but it’s wholly independent from its use years earlier.

If you’re on offense, understand your target’s supply chain. Pop it at the bottom and work your way up. That’s probably the best way to stay under the radar and have more odds of success. Start at the bottom of the pole and work your way up. I think it’s real hard to go straight at a major defense contractor. They’re going to have a whole bunch of safeguards in place.

6. Hackers Turning To Implants As Zero-Days Get Detected Quicker

When you look at zero-days against 1A enterprises that have security resources, they may detect the zero-day. They don’t stop it, but they detect it pretty quick. What I can tell you with implants is that’s the end-around. So it was something that we hadn’t seen people except nations focus on, but then we see things like the Codecov breach that happened.

If I were out there, I’d recognize we’re a startup nation, quite frankly, and you have all these companies building software, and they’re trying to get it out the door fast to market, first to market, and they’re not going to have huge security teams.

We’re all getting better at security, we really are. That means [hackers are] not getting in the old way, so they are starting to implement newer ways. I think that tools and tactics will incorporate implants. It’s already started. It’ll get broader adoption because it’s easier to hack that small startup, and maybe get an implant there than it is to hack the companies they serve.

And the reason it hasn’t happened sooner is there’s just a ton of attacks that worked in the first place. And we’ve always seen it in the defense industrial base. If you talk to them, they always say, ‘We have a supply chain. It’s a lot easier to hack our suppliers than us,’ and they’re basically right. If your suppliers for software have an implant, you may be in harm’s way.

5. Implants Are Fair Game For Cyberespionage

First and foremost, my conclusion was these [implants] are fair game for espionage. I don’t think you can come up with rules for cyberespionage that are collectively agreed to. And the reason why they should do espionage is because there’s asymmetry somewhere. If we win on land, we win in the air, we win at sea, then what about cyber? Do we win there?

And other nations may be copying us and recognize, ‘That’s the domain we’re going to create the best talent in so that we can have supremacy in cyber.’ So bottom line, implants are fair game, and you’re going to see them again because they’re fair game for cyberespionage.

What we’re observing with ransomware attacks is that somebody breaks in, somebody buys the access, and then [there’s] the third person who writes the ransomware that people are using. So we’re up against a group that knows how to break in, sell the access, do the extortion, and bring the pain. They know the Western bloggers, they know the reporters, they know how to find sensitive data.

They drive you to pay, or they drive you to pain. And then we have the ransomware actors that have literally crafted ransomware that’s so articulate in its capability that you can say, ‘You know what, I want the key that decrypts everything that you’ve encrypted on my network. Can I decrypt this file? Yes, that’s $5,000. Here’s a key for it.’ They can decrypt by file, by system, by campaign.

4. Criminal Groups Can Now Access Zero-Days, Not Just Nations

There’s a whole market for zero-days, and the amount of profit you can make by breaking in right now is so high. It used to be zero-days belonged to nations, they developed them, or they bought them, and they used them. Now we’re seeing far more criminal activity using zero-day attacks because of how lucrative ransomware can be.

Earlier in my career, it always felt with zero-days that there has to be a nation behind it. It was very, very few exceptions, and I usually remember them. And now, it’s still more government. It’s not like the criminal element has passed it by, but it’s shockingly high that we’re seeing zero-days deployed, and it’s obviously to make money. And it’s a different zero-day.

There was a criminal group that hit a file transfer company and Kaseya; that was a zero-day. However you look at their VSA servers, that was a zero-day that I don’t think you find very easily, and the criminal element got to that. They’re making so much money, and in an effort to continue to make that much money, they’re buying zero-days.

3. Minimize Impact Of Zero-Days By Detecting What Happens Next

How do you say it’s reasonable for Kaseya to stop a zero-day? Folks that build complex software recognize the complications of securing complex software. We all can get better. Look at SonicWall; it is a security company. We found two or three zero-days in that this year. Pulse Secure is a VPN company; it’s all about security and privacy, and they had zero-days.

These aren’t companies that are negligent. These are companies trying to build secure software. Microsoft, same thing. These are not companies that are like, ‘Shipped it, might be a zero-day in there.’ They are running ways to test for that kind of stuff. It’s just the interdependencies between libraries, between code, [and] between updates is a very complex equation.

The zero-day is the first inning of a breach. What happens next doesn’t really change. Get on the endpoint and detect what they do when they hit command-level access, that doesn’t change. You go for lateral movement, so detect all the means for lateral movement. You’re going to get a hall pass for missing zero-days, because you will miss them. But that’s OK.

Because if you detect the very next thing they do, it should not be an incident of consequence. What can we stop and detect in the rest of the chain, including right up to stealing data? If there’s only one way to get data off your network and the attacker doesn’t figure that out, what did you lose? Nothing. That’s why you have to start doing more of a comprehensive security program.

2. Pressure On Russia To Stop Harboring Cybercriminals Will Rise

There are nations that are acting as safe harbors, and what are we going to do about it? You don’t have to do just cyberdefense to influence behaviors. You can look at trade embargoes, look at other levers of diplomacy that you can apply. That’s why you’re getting 30 nations together so that all 30 can band together and maybe change the economics through diplomacy.

I think a consortium of nations that decide it’s no longer time to tolerate the excuses of the actions of the nations harboring the ransomware actors can economically bring pain and/or economically bring the carrot. It’s their choice. If there’s one nation behind a lot of this, you have some arbitrage you can do, and I think that’ll do it.

Tech’s going to get better. People are getting better at it. We may make it harder to get the ransom payments so you can’t monetize it. We’ll never get the perfect, but when nations hold other nations accountable, it’s better. Some of these guys actually getting arrested would be a fascinating thing in the host country that used to be a safe harbor.

I don’t think it’s off the table for them [Russia] to someday say, ‘Yeah, let’s help quash some of this.’ Nobody really likes it; it’s just they don’t allow it to happen in their own country. There’s probably a way to have dialogue and have puts and takes to get people to cooperate on criminal acts that really are unsupportable. There’s nobody that thinks, ‘Hey, that’s fair game.’

1. There Will Be Fewer Ransomware Attacks In Five Years

I think there’s going to be less [ransomware in five years]. I do believe with technology getting better, you’re going to stop ransomware better. Identifying when ransomware is being used to do money laundering or fraud, I don’t think that’s very hard to do. The hardest part of that is diplomacy and law, not technical. I think the exchanges in the United States largely follow AML [anti-money laundering] rules.

If you get other countries to abide by them or try to enforce them, you’re making it easier to find the exchanges that are being used for extortion. The things that we’re doing are not making ransomware easier. It’s making it harder. And over time, it’s going to be hard enough that a lot of people can’t do it effectively. Or it’s just really hard and maybe there’s another way to make money that’s easier.

Instead of companies dealing with ransomware in isolation, you are seeing what I refer to today as a little bit of a coordinated national response, and we’re going to get better at it. I think the ways and means by which things happened [payment and encryption key recovery] haven’t necessarily been shared or are not known, but I’m sure they impacted the tradecraft of the ransomware actors.

If there’s a nation harboring a ton of ransomware actors, if they can make all that money some other way, does the ransomware go away? Maybe. Maybe there’s a way to offer a carrot. Maybe there’s trade-offs that you can do to eliminate the problem or lessen it. I don’t think you’ll ever eliminate crime. But fast forward five years, we’re going to be responding to less ransomware.