CarahCast: Podcasts on Technology in the Public Sector

Phishing with VMware

Episode Summary

Of all the security threats that face IT, phishing stands out because it is not an attack on the technology – it is “social engineering,” getting incautious users to click seemingly innocuous links or visit seemingly harmless websites and allowing hackers to steal user names, passwords, financial data, or other information they can use. Today, phishing is usually a “gateway crime” – hackers often use it as a way to get the credentials to gain entry into the broader IT system and launch other attacks, such as ransomware.

Episode Transcription

Speaker 1: On behalf of FedInsider and Carahsoft, we would like to welcome you to our mini-series Headlines in Cybersecurity, which aims to translate the year's hot-button cybersecurity news stories into actionable steps state and local governments can take to protect themselves from attacks and recover when disaster strikes. Today's podcast, brought to you by VMware, is focused around blockchain security. Journalist John Breeden will moderate as Gerald Caron III, CIO for the Office of Inspector General for the US Department of Health and Human Services; Valecia Stocchetti, Senior Cybersecurity Engineer at the Center for Internet Security; Michael Watson, CISO for the Commonwealth of Virginia; and Karen Worstell, Senior Cybersecurity Strategist at VMware, discuss why users continue to fall for phishing schemes, how to protect government or employee data to prevent phishing, and strategies to keep users from taking the bait.

John Breeden: And hello, everybody. Thank you for joining us. I'm John Breeden and I will be moderating what I know will be an interesting and lively discussion about phishing. And no, I don't mean the fun kind of fishing that some of us will hopefully be doing this weekend, but instead phishing with a giant P-H, which is the technique where an attacker uses social engineering through email or other communications channels to trick users into performing some action, often with the goal of compromising security. But have no fear, because we have four of the leading experts in this field to break it all down for us. They'll explain how phishing works, as well as some of the good tactics and techniques that government agencies can use to stop it. So let me introduce them and then we can get started. First, I want to extend a warm welcome to Gerald Caron. He is the Chief Information Officer for the Health and Human Services Office of the Inspector General. Gerald, it's an honor to have you with us today to talk about this really important topic.

Gerald Caron III: Great. Thanks for having me. 

John Breeden: And let me also welcome Valecia Stocchetti. She is the Senior Cybersecurity Engineer with the Center for Internet Security Controls. Valecia, it's an honor to have you with us on the show today. 

Valecia Stocchetti: Thanks, John, and hello, everyone. 

John Breeden: And I also want to welcome Mike Watson, the Chief Information Security Officer with the Commonwealth of Virginia. Mike, we really appreciate you taking the time to talk with us today about phishing. 

Mike Watson: Happy to be here and thanks for having me. 

John Breeden: And we are also joined today by Karen Worstell. She is the Senior Cybersecurity Strategist for VMware. We appreciate having such an experienced expert on the show today, Karen, welcome.

Karen Worstell: It's my pleasure. I'm glad to be here. 

John Breeden: So thank you all for being here. I want to dive into this topic of phishing. But you all have such impressive backgrounds and credentials, I thought we should first take a moment to let the audience learn a little bit more about you and to get a better idea of your duties and responsibilities, and also your experience in this area. So Gerald, let me start with you. Thanks again for being here. I know you're a frequent guest on these FedInsider webinars, and we really appreciate having you back. For those who may not know you quite as well as I do, maybe you can tell us a little bit about your role as the Chief Information Officer for the Health and Human Services Office of the Inspector General.

Gerald Caron III: Certainly, yeah, let me put away my tackle box and rod here, since you clarified which phishing this was. I thought I was getting ready for the other one. Yeah, so my name is Gerald Caron. I am the Chief Information Officer and Assistant Inspector General for Information Technology at the Department of Health and Human Services Office of the Inspector General. Been there since May, when I officially became the CIO. I have 20 years of experience before that at the Department of State, where I acquired my Senior Executive Service. I was director for enterprise network management in the Bureau of Information Resource Management there, where I was director and basically, I was the infrastructure person. So I have been in operations pretty much most of my career in IT. But I was very much involved in cybersecurity. And when I was at the Department of State, I was usually the eviction and remediation person for the department if there were any events that occurred. And from there, I came over to HHS OIG and am happy to be here and doing a lot of implementation and security improvements around Zero Trust.

John Breeden: Excellent. Thank you, Joe. Appreciate your background. And Valecia, you are also a returning guest. It's always great when we have an expert of your caliber join us for these technical discussions. So can you introduce yourself to our audience by telling us a little bit about your background and also what you do now as the Senior Cybersecurity Engineer with the Center for Internet Security Controls?

Valecia Stocchetti: Sure. So I've been with the Controls team for a little over a year now. Originally, I started working on our editorial panel on the development of version 8 of the CIS Critical Security Controls. Most recently, I've been working on our Community Defense Model. That's where we take data from sources like the Verizon DBIR and our own MS-ISAC data, we drive it into models like the MITRE ATT&CK framework, and then translate it into action to create and prioritize those controls. And previously, I also worked as the Computer Emergency Response Team Manager for the MS-ISAC serving SLTTs.

John Breeden: Excellent. Wow, very technical background. Thank you for explaining all that to us. I can't wait to talk to you about phishing today. And joining us from Virginia is another longtime favorite guest here at FedInsider, Mike Watson, the Chief Information Security Officer for the Commonwealth of Virginia. Mike, we are happy that you could join us today to help your state and local government colleagues come to grips with the challenge of phishing. Can you tell us a little bit about your background in technology and some of the things that you do now as the CISO with Virginia?

Mike Watson: Sure thing. And it's, you know, every time I talk about how long I feel like, I don't realize quite how long it's been that I've been in the field. I was working in general technology for, you know, about 25 years total. And then of course, 15 of that has been cybersecurity, and I have been in Virginia since, oh, 2006 or so. So I guess about 15 years at this point. I actually moved to Virginia because they were one of the public sector entities kind of putting a focus on cyber, and it was kind of a great, you know, a new thing at the time. It was one of those things that wasn't quite everywhere yet. Yeah, I was able to kind of grow my cyber chops in Virginia. And just as a general note, we work really closely with our friends at Center for Internet Security MS-ISAC, you know, lots of great stuff that comes out of there. And of course, you know, I've been the CISO at Virginia for about 10 years at this point. You know, I enjoy being here. It's one of those things where every day there's something kind of new, you know, coming out, and we see new creative attacks and lots of new and interesting situations. COVID was, you know, one example of the crazy stuff that kind of comes up, that you've got to, you know, figure out how to deal with and roll with. We do a lot of focus on our risk management and threat management and governance in my group, and trying to figure out, you know, creative ways to stop some of the types of attacks such as phishing that we see every day. So yeah, that's a little bit about what we do.

John Breeden: Thank you, Mike. Really appreciate that. Karen, we are happy to have the Senior Cybersecurity Strategist and Howler for VMware with us today. In addition to that, I know you're also very well known as an industry luminary who speaks at many different events. For our audience who may not be completely familiar with your work, can you tell us a little bit about your background in technology? And I have to ask you about being a Howler, what that is, as well.

Karen Worstell: Sure, I got started quite a while ago. And it really actually started by accident in the 1980s, when my grad school professor, a professor in the computer science department, encrypted our final exam. You know, the only way to pass the exam was if we had written the code-breaking tools that were assigned as homework all throughout the semester. And so I was completely hooked on cybersecurity from that point forward. And I was professionally hired out of grad school into the Boeing company, where I did work for them on their classified projects for cybersecurity, and then went on to develop their first ever computer security policy manual. And I worked on their behalf through research and engineering on the standards, developing in the early days of cybersecurity, I guess we called it information security standards then, through NIST and other organizations. And that eventually led me to a consulting role at Stanford Research Institute in Menlo Park, serving many, many, many large companies and federal agencies along the way, and then I moved from there into operational roles and had the very distinct opportunity and privilege of being a CISO for multiple iconic brands like Microsoft, AT&T Wireless, and Russell Investments. So that's kind of it in a nutshell, and the Howler team is, you know, the team that stands up to represent security strategy externally facing and to help all of our customers in the industry on behalf of VMware.

John Breeden: Excellent. Well, thank you so much. I really appreciate that. And thank you all for explaining your impressive backgrounds. So today, many people in our audience are tuning in from state and local governments, where the threat of phishing is becoming an increasingly large concern. So let's see if we can offer them some good advice and some information about it during today's show. I'd like to begin by level-setting the situation about phishing. And, Gerald, I'd like to start with you on this one. On a previous webinar where you and I were talking, I believe you were the keynote on that webinar, I asked you what you thought some of the greatest cybersecurity threats were to government agencies today. And you immediately, without even a pause, brought up phishing. So can you give an overview of the phishing threat for our audience? And tell us why it makes your top 10 list of the most dangerous threats out there today?

Gerald Caron III: Sure. Yeah, it's definitely a concern. I think I was reading somewhere that as of 2020, I think it was by far the most common attack performed by cyber criminals. The concern is, usually in the environments that we're trying to secure, our humans are usually our most common weakest point of attack. And you know, with phishing, it's kind of a social engineering type of attack, where they try to spoof email, and try to look like a legitimate email, get you to click on the link, sometimes it's embedded in an image of some sort. And by doing so, sometimes you give up control, credentials, or they can start mapping and watching what you click on, or send you to some site and get you to give up some sort of information, because they're trying to get some kind of information or either gain some persistence to get additional information and things like that. And, you know, some of these emails look very legitimate. And it's kind of scary, because, you know, sometimes, you know, it's like, you click on it, and boom, that's the end of it, if you don't have good security controls in place. The concern is usually that our humans are our weakest link. Sometimes, you really have got to educate them on how to recognize and identify and not click on things without thinking first.

John Breeden: Makes a lot of sense. And Valecia, it seems to me, you know, and Gerald kind of touched on this, but it seems like phishing attacks are in some ways more successful these days than they've ever been in the past. I mean, looking at the news, they seem to be at the heart of a lot of different attacks and breaches that you hear about, and who knows how many they are at the heart of that we don't hear about. Why do you think that phishing campaigns are more successful these days than they have been in the past?

Valecia Stocchetti: So, I think phishing has always played a role on our emotions. But I think given the state of current events in the past year and a half, it suffices to say that people are more stressed, more tired, more vulnerable, and they're just falling prey to phishing and other scams. Unfortunately, I know, just like Gerald says, like, personally, I've had, you know, personal and professional people who have encountered phishing and thought that it was really, truly legitimate, only to find out that it was completely fake. I mean, we're all human, we're not perfect by any means. And attackers are using these current events to refine their own emotional intelligence, in an effort to gain more traction. I was actually reading the news recently, but it happened a while back, about a phishing test that was involving holiday bonuses. I mean, who doesn't love a bonus, and the click-through rate was through the roof. It was, I think, over 500 people clicked on it, which doesn't surprise me, right? Because, again, it plays on your emotions. Thankfully, that was a test for their company. But it just shows, if it's crafted pretty well, that people could fall for it.

John Breeden: Wow, that's a lot to think about. Thank you. So Mike, Virginia is a very large state, and you have a distributed government system for the most part. I'm assuming then that phishing must be a constant threat there. But have you seen an uptick in phishing attacks over the past year compared with maybe the number of attacks happening before that time?

Mike Watson: Yeah, and I think we have just thought from two, we've got 67+ agencies, right, all with different lines of business, everything from, you know, retail, of course, you've got, you know, the well-known things like the DMVs, and the VDOTs, and some of those, but you know, we've got museums and hospitals and all sorts of different industry types that exist out there. Which means, of course, that we see all different types of, you know, attacks, phishing attacks, structured out there. Now, a lot of them are the same kind of stuff you see at home, right? Trying to figure out ways to get a user to click, like Valecia said, that plays on emotions of what's going on. And over the last year, we've seen that uptick associated with people really wanting information and wanting to know what's going on with COVID and wanting to know, you know, how to respond, whether there is something new, news about vaccines. They all play on emotions, and all of these types of attacks play on this need for immediate or current event information. We see it relatively frequently; it could be from a hurricane or an earthquake or a major pandemic or something else, but the folks that are involved with this have a really great knack for understanding what it is that's going to be effective. And I'll echo what Valecia said about the attack that she was mentioning about bonuses. We had run a similar phishing, you know, exercise within the Commonwealth. And it was a year that one of our higher education institutions was in the Final Four. And our best, most successful phishing test ever was for free tickets to that game. You know, our click rate went up through the roof because it was personal and meant something to that party that they were looking at. And, you know, as we see those things that are personal, and like I said, the emergencies tend to be that type of personal, we'll see these types of attacks go up just because they're successful.

John Breeden: Wow, lots to think about. Thank you. And it's good to get a state perspective on things. We'll dive into that in just a little bit as well. Mike, thank you for level-setting the situation. So Karen, what is your take on phishing as part of the threat environment these days? It seems like it's kind of a frustrating threat from a cybersecurity standpoint, because it uses human users to kind of get around whatever defenses you put in place. It kind of reminds me of the old physical-world attack where somebody would pick up a package and pretend to be a delivery guy to get buzzed into a building, type of thing.

Karen Worstell: Yeah, absolutely. And in fact, when we did the Global Incident Response Threat Report, the threat research report this year out of VMware, one of the things that we noted was that the attack level has gone up 300% since last year. And part of the reason for that is that phishing works. I mean, it's been around forever. It's not a real new technology. But what we're seeing is the attack surface has increased dramatically as people have been going home to work. And they're using their phones and their computers to kind of live life online. And so it has opened up so many more channels for us to have these interactions where someone sends us an urgent message that says, Oh, my gosh, your account is about to be shut down, you must respond within the next 15 minutes. And you know, human beings are wired to respond to urgency. That's why phishing is so effective. It really takes advantage of two things, and one of them is our desire to be helpful, and our desire to solve problems that will always be present. And it's always going to be part of our human nature to respond to these. And a question that was raised is, like, what does phishing look like? Phishing looks like every notice that you ever got on your phone or your email, even SMS, that is an alert or a notification, or an email, a simple email. They make them look very legitimate now. So yes, this is really frustrating. But it's going to be with us. And so how we respond to it is going to assume that phishing is going to be successful, and move some of our defenses into the inside of the network where we can mitigate, you know, mitigate those successful phishing attacks.

John Breeden: Yeah, no, absolutely. You bring up some really good points, Karen. I mean, the phishing these days, it's really good. I mean, I get them all the time. And I'm very security aware. And there have been a couple that have almost got me to click on them. You know, you've got to really stop and think about it to stay above it, stay a step ahead of it. So Valecia, you brought up a really good point about the environment for phishing, and about how we're kind of primed to almost be taken advantage of right now, given everything. But I also wanted to ask you about the channels for phishing. Normally, we think of email as the primary phishing gateway, but there are other channels. Or are there other channels that agencies should consider when looking to try and curtail phishing activities?

Valecia Stocchetti: Yeah, so I think Karen definitely had a few. I mean, certainly phishing via email is an easier way to obtain their credentials and access, you know, an organization's systems and appear to be authorized. But it doesn't always have to come in the form of email, though. Sometimes, like Karen said, it can come through a phone call, or an SMS message, or the attacker, once they're on the phone, will try to get the user to give up their credentials verbally, or they could have some kind of remote desktop software, where they can then, you know, install the software and track all their movements. And speaking of social media, I think it's important, and good cybersecurity practice, to be careful what you share, because sometimes oversharing that information can make you more susceptible to an attack, especially when posts and information are made public rather than private. But I mean, anywhere that an attacker can try, they will try. And in general, they'll use the easiest mechanism, which happens to be phishing most of the time, to get access to their credentials. The other thing, too, to keep in mind is that, you know, when phishing is successful, other defenses are important to have in place, which I'm sure we'll talk about in a little bit, to make sure that, you know, you're cutting down the success of having an actual full-blown attack.

John Breeden: Yeah, absolutely. And thanks for bringing up some of these other channels. I had actually not considered actually getting a voice call from somebody; that has thankfully never happened to me yet. But that's an interesting one to consider. You've got to look at the really old-school attacks, I guess, as well. So Gerald, many of the phishing attacks these days that we see are blanket or shotgun attacks, aimed at lots of people, and just hoping that someone will follow their link. But others, and Valecia kind of mentioned this a little bit, involve highly targeted efforts where the attackers try and get a lot of information about their targets prior to an attack. Do you think, given that, that government agencies should worry about the kinds of things that their employees are posting on social media? Or maybe what public information is made available that these phishers can kind of mine for intelligence for their attacks?

Gerald Caron III: Oh, absolutely. Yes, I was thinking about that, you know, as some of the other answers were coming in. It's like, one of the things that makes the phishing attacks such a, you know, a widely used thing now, especially to be more targeted, is because we have more information out there about ourselves, you know, a new generation posting things on Instagram, TikTok, Twitter; nobody uses MySpace anymore. But things like that. And, you know, there's a whole wealth of information to learn about somebody if they're very active on social media. You know, and you start learning, like, all right, what is it that they like? What are their likes? What are their thoughts? And some of the things I find on Facebook, you know, sometimes people are very transparent and personal with what they post and, you know, you can target those heartstrings like we've been talking about, and things like that. So yeah, it is very important to understand. And also, you know, there are, of course, you know, US government rules about what we are allowed to post or not. You know, most agencies, I think, do have some kind of guidelines on what is good to post, what is not good to post, what is official business, what is not official business, things like that. So, if you don't have such guidelines, I would suggest agencies do such, because, yeah, it can be pretty damaging. If you're too transparent with some things, you're just giving them some ammunition to have an easier target, and focus in on something that somebody can easily fall for. Like I said, we can't be over everybody's shoulder. You know, we'll try to, you know, we have mail filters and firewalls and things like that that are trying to filter some of these bad things out. But you know, you can't filter everything out. And we can't be over everybody's shoulder to check every email. So definitely, I would suggest if you don't have policies for your agency now, you may want to write some that articulate what is official business, and what you can post on social media.

John Breeden: Absolutely. Thank you so much. So Karen, when you look at these phishing threats, is the point of the attack almost always something beyond the initial intrusion? I mean, is phishing really dangerous on its own? Or is it only dangerous because of whatever payload or campaign is coming up right behind it?

Karen Worstell: I would say the number one reason for phishing is to gain information or access. And typically, what they're looking for is the credentials that will enable them to get a toehold into a network. And one of the things that we know for certain from watching these and measuring these kinds of attacks through the internet, through the Carbon Black Cloud, is that we can see it takes between 24 and maybe 72 hours on the outside, from the time a phishing attack is successful until an attack has been launched, like ransomware, within an environment. So there's a very limited amount of time once a phishing attack, that may take a person on a set of connections, to build credibility and build their confidence so that they actually get to a final, we call it a watering hole website, where it's been rigged and the malicious code is built into the website that tricks the user into providing their credentials or some kind of a login. And once the attacker has gained that, that's immediately turned into an attack on the infrastructure using those credentials. So yes, it's absolutely just the entry point. It's just one technique that is unfortunately very successful for harvesting either data or credentials necessary to break into your network.

John Breeden: Excellent. Well, thank you, Karen. Appreciate that point of view. So, Mike, on a previous webinar, we had a guest from Virginia, and they were talking about the rise of ransomware in your state, and especially attacks aimed at local governments and even public institutions like hospitals and schools. Do you think that the rise in phishing is related to that as well? Do most ransomware criminals also partake in phishing?

Mike Watson: Yeah, I think Karen did a really great job of kind of explaining it, that initial entry point on the ransomware side, or on the EFA. Ransomware is coming a lot of times from phishing, because, you know, if we've learned anything from what we've seen related to, you know, phishing activity over time, it's that it's been in place for many, many years, like over, you know, 10, 15 years. And they continue to use it because it works. And what's happening is, they're also starting to chain those techniques of using entry-gathering techniques like phishing with other attack payloads that work, like ransomware, right. They know that it's effective, because you put the organization in a position where they can't respond or can't function without taking some action to repay or engage the attackers. So I mean, they're just using these two things together. And unfortunately, they're seeing some really great success. And of course, like anything else, right, if they're making money out of it, and they're finding that it's successful, they ramp up that production. In this case, that means, you know, many more phishing types of emails. It isn't the only way in, but it is, like Karen mentioned, a very successful way in, and I expect that we'll continue to see it. I also know that the techniques and the methods for implementing phishing have been refined to the point where there are lots of different tools out there for folks to be able to operationalize and repeat, where basically you don't have to know a lot about technology in order for it to function. You know, you're able to provide them what you want to use as the campaign, and they even have suggested templates for things like credit cards, or shipping, or whatever else. And remember, criminals are lazy, right? So they like to use a lot of the same types of, you know, phishing attacks over and over again; in general, they're successful. And those are available for them to just, you know, procure off the internet, just like any other service.

John Breeden: Great. Well, thank you, Mike. Appreciate that. And I appreciate all of you kind of level-setting the situation for us. So now that we've talked about the threat and what it is, let's get into a little bit about how to deal with it. So let's start with the technical aspects of the defenses, and then we can get into the more human-centered techniques. So Mike, continuing my discussion with you from the previous question, do you think that state and local governments should look at phishing defenses as a two-step or two-pronged process? Do they need to look at both preventing and minimizing phishing attacks the same way they do any other type of threat, but then also consider a resilience strategy if that phishing gets through, especially since they're so successful these days?

Mike Watson: Yeah. And that's exactly right. We've got to look at this from a perspective of, it's not if but when, right. We are human, we are going to make mistakes. Some user at some point in their career is going to click on something that they weren't supposed to, or submit something they're supposed to, or not recognize that the person calling them is somebody that's impersonating somebody else. Some of the best ones I've seen look like they're coming from, you know, people that they know, right. We see a lot of, I'll say, equivalent phishing types of things where people are impersonating others on Facebook or TikTok, or other things, right, where you've got your aunt. I've got an aunt who's consistently getting her Facebook account hacked, and sending out new friend requests. So every other week, it's a, I've been hacked again, please don't respond. It's those types of things that, you know, you're going to see consistently and see over and over again. So you've got to structure your security program in that fashion. You've got to prepare for the fact that your users are going to make mistakes, or they're going to end up allowing that compromise, that initial entry point and compromise, to happen, and then structure your defenses where, when it does happen, you're able to both detect and prevent, you know, additional spread within the environment. Within our information security program, we call it lateral movement. We want to make sure that we identify any lateral movement that would indicate that an attacker was spreading from the system that's been compromised by the user, because they clicked on the link or responded to the question or provided account information, to any other system within the environment. So by structuring it in that fashion, you're preparing, and like you say, you're establishing resiliency, to prepare for the types of scenarios where your controls don't work, your user control doesn't work, and your user just plain makes a mistake.

John Breeden: It'll happen. Thank you, Mike. Appreciate that. So Karen, have you been asked to help any of your customers combat phishing in their environments? And in your history, what kinds of things have you seen deployed to try and block the phishers or blunt their effectiveness that's actually been very successful?

Karen Worstell: Sure. Well, I could tell you that, but then I'd have to shoot you, you know, just kidding. The situation is that when you have a successful breach and someone has come into the network, then you need a way to be able to identify an identity as it traverses the network, as it moves laterally in the network, that lateral movement. It may be something like, one time we had a breach many years ago, and it was actually a technical writer who was using the credentials, we thought it was. No, it was an attacker who was using the credentials of a technical writer. But when we saw that they moved into the UNIX environment and were doing an su to root, we realized that that was not a typical behavior for that technical writer, that we had an intrusion on our hands, right. That's an example. And so being able to track these identities across the network as they move laterally is essential to being able to identify an attack in progress before the payload is deployed. And we have been very successful in actually stopping ransomware attacks before the payload is released in some of our customers' environments. So I'm pretty excited and know that this is actually possible to do. Here's the deal: we have to assume that we're breached today. That's the whole idea behind Zero Trust, right? The critical element that everyone needs to figure out how to implement is a mechanism that gives them vision throughout the environment, and that includes workloads, applications and network. And then be able to minimize the dwell time, identify an anomaly and minimize, stop it in progress. And if it's an attack under something like the MITRE ATT&CK framework, then identify it, stop it, and then go, you know, figure out how they got in and do the post-mortem later. That's critical right now. Everyone needs to be focused on how to do their own threat hunting, and to minimize the dwell time of intruders once they're in the network and to track them. Excellent.

John Breeden: Very well said. Thank you, Karen, appreciate your thoughts on that. So I want to move into the event side of the equation, some of our speakers are already kind of doing that, because it's so important on the response side of the equation. So Valecia, what kinds of defenses should be in place to help an agency maintain operations and resiliency, should a phishing attack land?

Valecia Stocchetti: Yeah, so I think it's important to look at the cause versus treating the symptoms. So often, you know, people are so focused on treating the smaller things, so they're not looking at the bigger picture of why it's happening. So for example, if you get successfully phished, but you have no multifactor authentication, no backups, no logs to provide evidence to determine the root cause, or even symptoms for that matter. Those things need to be fixed to prevent a future attack from happening again. And most importantly, if you are successfully phished, or you're not even sure if you are phished, but you can't determine that, make sure that you're changing your password immediately after. It's better to be safe than sorry, because in the end, it's only hurting one person or multiple people or the company in and of itself. And then repeat attacks are common, right? So especially among organizations where there's a lot more to lose, and depending, like if you're a government organization, you may have a lot more to lose, especially, you know, we're dealing with the facts, yes, and critical infrastructure, also, depending on the magnitude of the attack. So if it's one user that was compromised, their password is compromised, versus multiple users, if it was a lot of successes versus all failures. Having an incident response plan, regardless of what's happening, is important. So the failure to plan ahead of time I've seen can result in a greater risk of disrupting operations for longer periods of time, can cause more chaos. And it just, you know, it never leads to a good road when we're not prepared.

John Breeden: Excellent. Well, thank you. And that gave us a lot to think about, really appreciate that. So, Gerald, what kinds of things have you found to be the most effective in helping to maintain resiliency? Should a phishing attack get through your initial defenses? Does it come down to something like having Zero Trust or good identity management to prevent attacks with stolen credentials from actually being able to do damage?

Gerald Caron III: Yes, being a co-chair for a couple of working groups with the federal government on Zero Trust, I'm a big advocate of Zero Trust, been doing it for years. I like to say that I was doing Zero Trust before everybody else became cool. Identity's a big part of Zero Trust. So I roll it into that, right. That's one of the main pillars of Zero Trust, but it's not all about identity. When we talk about a ransomware attack, when we talk about what is it that these people are trying to get, even with a ransomware attack, it's data, right, information, there's some kind of information, even if it's a ransomware attack, yeah, the, you know, monetary value kind of thing, because they're holding, but you know, if they're holding my bologna sandwich, you know, hostage, you know, with a ransomware attack, I'll make another bologna sandwich. But if they hold my crown jewels, I got a problem. You know, that's important information to me. And that's the kind that gets out in public, that's going to be very embarrassing to the federal government kind of thing. You don't know how to protect your data? What does normal look like? You want to know what normal looks like. So you need to be able to baseline, know where your data is. Is it categorized properly? Where's it flowing? And then all right, what are the different ways that you're allowed to use it? What applications, mobile applications? You know, what kind of applications? How can I harden those applications? They sit on some kind of device. Is it a managed device, is it an unmanaged device, what can I do around those kinds of things? And then yes, identity, we want to get the right information to the right people at the right time. So definitely, you know, that's, you know, Zero Trust in a nutshell, moving back from data all the way back to the user. I'm a big advocate for that. 
But still, we have to educate, educate, educate. It's great to educate the users what to look for, you know, internal phishing exercises are very important. We have a little icon, hey, if you think this is a phishing email, click here. So you can report it, and we can take a look at it. So there's a number of things, you know, there are email scanners, things like that. By going to the cloud, we've empowered users a lot, right? Now they can share without having to go to the system administrator, a bunch of files, they share their mailboxes, all kinds of things. Educate them on what they're doing, because sometimes some of them struggle, and they don't know, yeah, I'm sharing with that person. But I really shared it with a whole group of people all of a sudden, kind of thing. So it's very important. And as we move to the cloud, if you're like, you know, your email's moving to the cloud of some sort, know how to monitor it, you're still responsible. It may be FedRAMP'd by the vendor, of some form. And you know, they're responsible for security, but you're still responsible for your data. Know how to monitor that cloud, know how to do your conditional access policies, it's very important. Because at the end of the day, you're responsible for the data. And you got to know how to monitor in those types of environments. So those are just a few things that I would say.

John Breeden: Thank you for sharing that. So we talked about the technical side of things, I definitely think we need to talk about the human side, because it involves humans more than other attacks for the most part. So Gerald, I've heard a lot of different things on the subject of user training, some people think it's a waste of time. Other people say it's the one thing that you can do to stop phishing. So in your experience with phishing attacks, is user training something that works and can be successful in reducing the threat?

Gerald Caron III: Yeah, yes, I think so. I know, you know, doing phishing exercises, when they first started, you know, you would see how many successful ones, you know, how many people clicked on it, when you did it. And you know, you keep track of those numbers. And the general trend I've seen is those numbers go down as people start learning, you know, what to look out for, because of what happens: they click in, hey, you've got caught by a phishing attack. And here's why. Here's the things you should have looked out for, you know, it's readily available information. So it kind of gets them thinking for the next time around. And of course, we do annual system, you know, security training as well to learn. But yeah, I do see the trend going down, where you see less now. It concerns me, you know, you still see people falling for it. But, you know, you do see it trending down. Because to me, again, as I said, I think early near the beginning, users are usually our weakest security point of contention. And the more we educate them, the better, because some of those users, they have access to some pretty important things. And if they get compromised in some form or fashion, you know, it becomes about what did they have access to? And is there exfil? Or you know, is it, you know, ransomware taking it over in some kind of fashion. So yeah, education and educating your humans is very important to me. 

John Breeden: Excellent. So Mike, in Virginia, I believe you and I were talking about this a little bit before the show, you actually have a method in place for your users. If they suddenly say they respond quickly to a phishing attack, and then they realize, oh, my gosh, I just fell for a phishing attack, you've actually put a method in place to help them deal with that.

Mike Watson: Yeah, we have several different ways that we kind of approach this problem. I mean, obviously, you know, we've got some great tools and such in place to be able to help with them to report. Anytime they report, you know, a phishing attack, it ends up going to our incident response team, who then goes through and starts purging and identifying anybody else that may have received the information and then go back and pull that out from anybody that hasn't clicked yet on the link. In addition to that, we do a lot for training to encourage, like Joe was saying, you know, to encourage folks to be able to identify what those different phishing emails and such are going to look like. And we've started putting together, and we did this last year, and put together kind of a framework for what types of training and the topics that are necessary, you know, for any organization to make sure they work into their actual end user awareness training. Then once those are done, and once the agencies have implemented each one of those and have the training plan together and execute those, we then start on our own, you know, campaign to continually phish and make sure that their users are actually seeing some real live instances of what the types of phishing are that we're seeing at the time throughout the environment. We'll leverage the same types of things that each, you know, user is reporting, so that, you know, we see how effective those are going to be without any user actually ever receiving them from the malicious party, of course, right, they'll receive similar emails from us. But we do have a lot of different, you know, approaches in there to both monitor and make sure that we're seeing, you know, what the users are doing with their clicks. And I know that, you know, there's a lot of different approaches to dealing with that. 
And we are, as Gerald mentioned, seeing better and better success with filtering out some of the more common ones, right, a lot of people don't fall for the user account ones as much anymore. But at the same time, I just, you know, started getting, it was interesting, I started getting some reports just this week from some legitimate accounts that are coming through, right. So accounts that are expiring, they send some email saying, hey, your account's about to expire, because you haven't used it in two years. And it turns out, it was a legitimate actual request. Users don't know necessarily how to identify between them. But it is better we get people trained to report and check versus click and think about it later, as in, oh, maybe I shouldn't have done that.

John Breeden: Excellent. Well, thank you, Mike. So Valecia, sticking to the prevention side of the equation for now, what are some technologies or tactics that you've seen be successful when employed to reduce the impact of phishing against agencies?

Valecia Stocchetti: Yeah, so I mean, like Mike said, training is, obviously, number one. I think that is a really important area to focus on. And I really want to emphasize that it's engaging training or engaged training, because so many times, you know, we take a course or watch a video or whatever the training is, and if it's not engaging, then that employee might not be getting as much from it as they can. And so, you know, if a person is falling prey to these tests, like these phishing tests that you're putting out, then it's a good opportunity to teach them the type of threats that can be real and what to look out for next time. It doesn't necessarily mean that they're a bad employee, or, you know, necessarily. I've seen phishing exercises, like where you pick out red flags in a phishing email. So I think anything you can do to raise that emotional intelligence or awareness of a person in just one area, it's just a greater chance that they have of avoiding falling victim to a real attack. And you know, it's important to invest in technology as much as you're gonna invest in people. Both are equally important.

John Breeden: Excellent, no, it's good to have that balance. I appreciate your thoughts on that. So Karen, what has been your experience with the user training programs? Can they be effective, and what aspects of them kind of make them more accurate or helpful?

Karen Worstell: I have some very interesting experience I'd love to share with you. When I was at Stanford Research Institute, we had a policy within the organization that we could never deceive a client, a customer, which meant that we couldn't do testing using things like phishing emails or social engineering in any way that misrepresented ground truth. So we had to come up with ways that would engage people and get them watching and looking for things without ever tricking them. And one of the things that worked incredibly well, we actually did it at another company, was when we sent out a notice to the entire company that said, in the next 48 hours, we're going to be sending out a message that looks like this. We want to know if you see it. And that message went out to all of the UNIX system administrators and a number of other different kinds of groups. And the amount of employee engagement we got by enrolling them in looking for what we were wanting them to see was enormous, and it had a long lasting effect. It had a halo effect because people were looking at it saying, hey, I'm part of the security program. I can actually make this work. It became almost like we had deputized the entire organization, as opposed to sending something out that might deceive them. And I realize lots of programs use that technique now. But that was just not available to us. And we had a social anthropologist on staff who devised a number of other tools that we could use with our customer base, so that they never had to get something from us that they couldn't assume was the truth. So I think that's another way of looking at things.

John Breeden: Yeah, definitely. That's a great story, there's more than one way to get at the problem. That's, that's amazing. Thank you for sharing that. So Karen, we covered a lot of ground today from prevention to resilience, and even user training. But it's a big topic and a critical problem for our state and local audience who are really trying to combat this threat. What are the key takeaways that you want to make sure they come away with from the webinar today?

Karen Worstell: I think state and local organizations have a very unique situation because they have to be so public facing. And you're going to have a number of opportunities for these kinds of threat vectors to come into the environment. My suggestion is to pay very close attention to the, you know, do user training, but also pay very close attention to backend defense, and to have in place the best kind of threat intelligence and threat monitoring that you can have in order to evaluate what is the traffic that's getting through. And is any of that likely to deploy a payload in the near term? I think that's your next line of defense, besides having the normal cyber hardening, you know, hygiene and vigilance.

John Breeden: No, that makes a lot of sense. Thank you, Karen. Really appreciate that. And Mike, from everything that you've told us, Virginia seems to have a pretty good handle on the phishing threat. For state and local governments that might want to improve their own defenses and maybe follow in your footsteps a little bit, do you have any advice or things that they can do or plan for to help them mitigate the threat of phishing in their own environments?

Mike Watson: I think we've done a really good job, all the presenters today have kind of covered some of the key components that need to be implemented. So I think this whole webinar did a great job of, you know, pulling up the major points. Like Karen said, you know, threat intelligence is a big deal in state and local, you've got a lot of folks that are willing to help out in a lot of different ways. You have your partners, you know, that you work with every day, plus, you've got some of the information sharing organizations like MS-ISAC, through the Center for Internet Security. You know, make sure you're leveraging those people to get whatever type of intelligence and information you can find out about what's going on in the threat landscape at any given point in time. It's important to understand that you don't necessarily need to know, you know, what the content is for something that's happening, but you do at least need to be able to say, hey, look, all of a sudden, my peers in my different organizations are seeing, you know, an uptick in a particular activity or particular types of events. So, you know, leveraging those connections, leveraging the people around you. I keep close contact with a lot of my peers in the other states, making sure, you know, when one of us is seeing something, we're all, you know, trying to let each other know that we're seeing what's going on. You know, the other part is plan for failure, right, plan for something that is not going to work, because, you know, nobody wants to be caught off guard. And as long as you're prepared, even when something bad happens, you're able to respond with some meaningful method.

John Breeden: Excellent. Thank you so much, Mike, appreciate you being with us here today. So Valecia, as you pointed out, the advantage is really with the phishers right now, in that all of us humans are kind of ground down by world events and the pandemic and all the stress that we're under. So are there any steps that agencies can take right now to kind of get started with a better phishing defense? Are there any first steps that, if they haven't done much, is there anything they can do to kind of get an immediate advantage and to start to get ahead of this problem?

Valecia Stocchetti: Yeah, I mean, to echo what Mike said, I couldn't agree more to join the MS-ISAC. They have some great intel that can be shared with SLTTs on, you know, threats that are applicable to their sector and to, you know, common phishing scams that are going on. So it's immediate, and it's timely, which is really helpful. And then also things like MS-ISAC, you know, has the MDBR, which is the malicious domain blocking and reporting. Or if you're not an SLTT, you could do something like Quad9 to help mitigate those malicious domains that might be contributing to phishing attacks, any kind of DNS filtering service. And then, you know, there are things like the malicious code analysis platform of the MS-ISAC where you can submit emails to have them analyzed automatically to see, are they coming up on a list where the domain is actually, you know, hitting a red light, so to speak. So there's a lot of things that you could do that are free, quick, easy wins. And then, you know, long term, I would say the CIS Critical Security Controls, or, you know, if you're trying to benchmark or harden your systems, the CIS Benchmarks are a great place to start. But there's just a lot of resources there for both technical and training mitigations.

John Breeden: Excellent. Well, thank you. We appreciate you being with us here today. I think you brought a really unique perspective to the event. And we're glad you were here. So Gerald, it looks like you get the last word today, I saved the last word for you, because I know how much you hate phishing. So what words of wisdom can you offer our audience to help them get better prepared to face this terrible and increasingly pervasive threat?

Gerald Caron III: Oh, so I get to hold everybody on a Friday afternoon for as long as they want.

John Breeden: For the next minute and a half anyway.

Gerald Caron III: Oh, I'll hurry then. No, thanks for having me today. A lot of great points. You know, it's hard to go last because everybody takes all the good points away from me already. But you know, I echo everybody, what they've said. Definitely, phishing is something that keeps me up at night. But education, I can't stress education, can't stress getting a good understanding of, I recommend, you know, people start looking into, if they're not already, Zero Trust architecture, and note I said architecture, it's not a one thing solution that you get off the shelf. Because if you do true digital trust, it really takes care of a lot of the things, not just phishing, but a lot of the things that we've referenced today. But really get a good understanding and education of your users, understand how to manage the cloud. If you're going to the cloud, I find that there's things that people don't understand of really what they're monitoring and what they're managing. Just because it's FedRAMP doesn't mean that you don't have a big responsibility in doing that, you know, outside of what everybody else said. That's all I can add at this point. And I really appreciate being here.

John Breeden: Excellent. Well, we're glad you're here. I wanted to thank Valecia, Mike, Karen, and Gerald, all of you for being with us here today. All of your insights made this an amazingly productive session focused on a critical and complicated topic.

Speaker 1: Thanks for listening. If you'd like more information on how Carahsoft or VMware can assist your state or local government agency, please visit www.carahsoft.com or email us at VMware@carahsoft.com. Thanks again for listening and have a great day.