Ex-FBI man spills on why hackers are winning the security game

BSidesSF Comfortable illusions about how security is working are crippling the ability of government and industry to fight the threat, a former member of the FBI’s netsec team has told the BSides San Francisco 2017 security conference.

Society is operating under the illusion that governments and corporations are taking rational choices about computer security, but the fact of the matter is that we’re drowning under a sea of false positive, bad management, and a false belief in the power of technology to save us.

“The government is very reactive,” said Jason Truppi, director of endpoint detection and response at security firm Tanium and a former FBI investigator. “Over time we’ve learned it wasn’t working - just being reactive, not proactive.”

Truppi said we need to puncture the belief that government and industry are working together to solve online threats. In reality, he says, the commercial sector and government are working to very different agendas and the result is a hopeless mishmash of confusing loyalties.

On threat intelligence sharing, for example, the government encourages business to share news of vulnerabilities. But the subsequent investigations can be wide-ranging and lead to business' people being charged for unrelated matters. A result companies are increasingly unwilling to share data if it exposes them to wider risks.

The fact of the matter is that companies don’t get their own infosec problems and don’t care that much. Truppi, who has now moved to the commercial sector, said that companies are still trying to hire good network security people, but bog them down in useless false alerts and management panics.

Threat lag

A single false alert can take up days of time, he warned, but upper management - who don’t understand the issues - can tie up days of team time dealing with an alert that isn’t a serious issue. Stock market fraud is a case in point, he said.

The traditional view is that hackers will try to fake stock trades, but Truppi argued that tactic is old hat. It’s much easier, and more profitable, to use insider trading to extract money than trying to fake stock trades that can be checked before the payout.

All it needs is one unsecured endpoint, he said. After that the keys to the palace are open. Compliance rules don’t help much, since they are dealing with yesterday’s threat.

But IT department's incident response (IR) are getting drowned out with false threat information. The result is incident report fatigue, whereby you get so many false positives that the IR team is overwhelmed, and that means they burn out and move to other roles.

Computer security teams move in groups, he opined, and once you lose a key team member you’ll likely lose the whole team. That means you lose all your intellectual reserves, since infosec people seldom share information outside teams.

The big picture

The biggest illusion in computer security is that firms, and government, know what they are doing, Truppi said.

Five years ago everyone assumed that big finance houses knew what they were doing to lock down bank accounts. Now they are playing catchup.

But at least banks are better than most, Truppi opined. Far too many companies think that if they have a disaster recovery plan in place then they’re sorted. But it doesn’t work that way.

We’re only at the start of the distributed denial of service attack stage, he said. We’re going to see major internet outages thanks to botnets of things taking down sections of the internet. How we deal with that will be a deciding factor.

A Mirai-style botnet is coming that could take down the internet for serious periods of time, he warned. And don't expect those fancy AI systems we keep hearing about to have your back. Truppi said they are mostly bunk. ®