Time to Tell

>>ANNOUNCER: Please welcome
Senior Vice President and Chief Technology Officer,
McAfee, Steve Grobman.

>>STEVE GROBMAN: I’m
excited to be here. As CTO of McAfee, I’m the geek
that gets to write code on a plane and give it to
my team when I land. They love that. But I’m also one of you. After twenty years on the front
lines fighting cyber threats, I now have McAfee’s CISO and
CIO teams reporting to me. So, like you, I worry about
defending my organization every hour of every day. I’m also a recent Texan. In 2017, along with my wife and
two dogs, I moved to the Lone Star State. What I didn’t realize at the
time is that Texas in general, and DFW Airport specifically,
is known as ground zero for infectious disease
in the United States. DFW is the crossroads of 65
million passengers from every corner of the planet. But we don’t have to look to
Dallas for the largest threat to global health because there’s
one threat that reliably kills hundreds of
thousands every year. The flu. Last year alone, 45 million
cases of flu led to 60,000 deaths. Why? Isn’t the answer simple? It’s called the flu shot. Of course, we know if the answer
were so simple, we’d simply inoculate everyone with the
flu shot and call it a day. But like cybersecurity, our
defense against influenza is an imprecise science. There are many factors. The effectiveness of the
vaccine, the transmissibility of the strain, its lethality. Factors vary year by year with
very different outcomes as you see in the five years
that we simulated here. Last month, the NIH announced
that this year’s outbreak is on track to be the
worst in a decade. Now, we decided to use the flu
as a metaphor for cybersecurity back in December, clearly not
knowing that the Coronavirus would impact friends and
colleagues around the world. The point being that infectious
disease requires a spectrum of actions from sophisticated
technology to fundamental, simple, basic principles
like, as you just heard, washing hands. Consider the challenges of
some of the most fundamental principles in our world. Are we being aggressive enough
in the way that we share threat intelligence? No. We must move beyond the hash and
move to higher fidelity threat sharing paradigms. Are we patching fast enough
to resolve fundamental implementation flaws in all of
the components that we count on? No. We’ve been dealing with patch
Tuesday for seventeen years and patching for much longer. We recognize the criticality of
patching, but the data suggests we’re collectively not moving
fast enough to patch known vulnerabilities,
including those that can have significant impacts. Take BlueKeep, a 9.8
out of 10 CVSS score. It was announced last June. This is a vulnerability that
takes advantage of flaws in Remote Desktop Protocol that can
allow an attacker to have remote code execution. Today, eight months later, we’ve
addressed only 60% of internet facing systems. Take another example. EternalBlue. The underlying vulnerability
that WannaCry used to spread around the globe to impact
nearly a quarter of a million machines in 150 countries went
from an epidemic to a pandemic in one day. Almost three years later,
McAfee’s threat sensor array detects exploitation of
EternalBlue as its top network exploit, making EternalBlue
truly eternal because significant populations of
machines are still not patched. And this January 14th, once
again we’re racing to patch. It seems like every Christmas
or New Year’s our industry gets some sort of special present,
whether it’s Spectre/Meltdown or Grizzly Steppe or this
year’s literal Curveball. What makes
Curveball so dangerous? It destroys trust in the
building blocks that we rely on for everything that we do. Abusing Curveball, an adversary
can sign files and make them appear as part of
the operating system, or impersonate a secure website. What does it take
to abuse Curveball? Download and run
ten lines of code. That’s right, just ten lines. Which is why just days after the
vulnerability was made public, multiple proof of concepts
were readily available, many incredibly simple to use. And social media enhances rapid
collaboration of these POCs and makes it such that once they
become viable, the recipe is spread around the
world in seconds. This lowering of the barrier to
exploitation exacerbates our challenge, even
for complex attacks. In 2017, the SHAttered
team created the first SHA1 collision. It took 6,610 years
of processor time. Today, their collision can be
used to create two documents with the same SHA1 hash not in
6,000 years but in less than 60 seconds. It took us less than a minute
using a public script from the internet to take these two
documents and collide them, so they have the same SHA1 hash
which, as you can see, documents from both RSA 2020
and 2019 would be shown as being identical. Now of course, if you want to
create your own SHA1 collision, that will cost you about $50,000
of Cloud compute resource. That’s a bit expensive for a
keynote demonstration, even here at RSA. But it’s a true bargain
if you are a nation state. So, if we can’t trust our
digital signatures or trust that hashes are unique, how
do we protect trust? How do we mitigate risk when we
know critical vulnerabilities will continue to be found
at an accelerated rate? With every patch, we expose
our organizations to risk. Patching means change and change
can be destabilizing, which means that we have
incentives to defer and delay. We want to know how a patch is
going to affect our environment because we know that
making changes can have adverse effects. Things can break. Performance can degrade. Your business can suffer. Yet the risk of not patching,
especially as the attacks become more sophisticated, is
unacceptable, especially as the attack surface grows. So, to patch now or patch later. We’ve answered this question. McAfee, like each of you, is
moving to the Cloud, a paradigm where we now delegate the
onerous task of software updates and patches. But lifting and shifting
outdated architectures does little to solve the problem. The value of Cloud only
kicks in when we move to a Cloud native architecture. Cloud native solutions use
foundational building blocks that snap together to build
sophisticated capabilities. But with Cloud comes new
threats, Cloud native threats. Some of these are related
to configuration errors. Configuring the Cloud is
difficult because Cloud requires inherently more sophisticated
policies which add complexity and are subject to error. This is made worse in that
often, things default to being accessible from the internet, a public network. So, it’s easier to make errors
and when you make those errors, they’re exposed to the world. And new paradigms have nuance
that if not comprehended can expose your organization
to catastrophic outcomes. For example, all of the major
public Cloud providers have capabilities to manage
credentials for cloud native applications. Used correctly, these
capabilities allow you to not pass credentials in the
clear or store them in source code repositories. One of these is called
Instance Metadata, but if not comprehended can
set an organization up for complete compromise. Let’s look at a
typical scenario. With Cloud’s low barrier to
entry, a team of epidemiologists set up a public dashboard to
show information on their progress in analyzing the genome
of a critical virus, say, Covid-19 as shown here. The challenge they have is many
of the resources the dashboard requires are not accessible to
the internet, only their virtual private Cloud. The solution is simple. They can use a reverse proxy
which acts as a middleman to pull the data that’s
not directly exposed. So, a fast online search shows
they can do this with a few lines of code. Their basic solution is elegant
and functions perfectly, but it set up their organization
for a massive breach. Why? What they didn’t realize,
they’re epidemiologists, not RSA attendees, for goodness’ sake, is
that their reverse proxy will access both intended
and unintended data. One of the pieces of unintended
data that they didn’t even know exists is Instance Metadata
which is a cloud native feature exposed to the compute instance
to provide data about the instance, including sensitive
information such as credentials which the reverse proxy can
also access and return to the attacker. With the credentials, the
attacker may well have access to highly sensitive
Cloud resources. Let’s walk through this from
the attacker’s perspective and look at exactly what it would
look like to execute this type of attack. Okay, so here we are on
the attacker’s machine. The first thing that we’re going
to do is validate that we don’t have access to
anything by default. Next, when we looked at the
epidemiologist’s dashboard, we noticed that they referenced
the reverse proxy. So, here we’re going to
simply confirm connectivity. Now let’s see if the reverse
proxy can access the special URL where Instance
Metadata is stored. Specifically, we look to see if
access privileges were granted. And we see that they were. It looks like this instance
has full S3 access. So, this is promising. Let’s go ahead and see if we can
actually pull those credentials. We can. We have the credentials. This is the Holy Grail that
the attacker is looking for. At this point, all we have to do
is set our attacker machine to use the credentials. We can do this by setting the
Access Key ID, secret key, and session token
environment variables. Once we have those, we can go
ahead and see what information we have access to. For example, can
we see any buckets? In this case, it looks like
there’s this Santa genome top secret thing. I don’t really know what that
is, but let’s go ahead and exfiltrate it with
a simple S3 sync. We have now stolen the
top-secret data with that simple of an attack. This insidious attack is
just one of forty-three Cloud-specific techniques
on MITRE’s ATT&CK matrix. Now, insidious threats aside,
Cloud brings us access to new technologies that
organizations would otherwise not have access to. One exciting technology holding
great promise and that will fit well into the Cloud model
is quantum as a service. But for our industry, as with
Cloud, we know that quantum is a double-edged sword. Quantum computing will allow
us to achieve breakthroughs in biology, chemistry, physics,
and, of course, cybersecurity. On the other hand, I’m realistic
enough to know that nation states will use quantum to break
our public key crypto systems. Now, I know what many of you are
thinking; quantum is not coming any time soon. But we can’t think of quantum in
terms of eventually or tomorrow, because quantum is
a real risk today. You must assume that adversaries
are already accessing your most sensitive data. It’s encrypted but they
still find it valuable. They’re not worried about
decrypting it today. They’re counting on quantum
to do that in the future. Over 70% of all network traffic
is encrypted, much over an untrusted network. We call it the internet. Our most critical data
lives in the Cloud. Cyber criminals and nation
states can siphon off that data today and unlock it tomorrow
when quantum cryptanalysis becomes practical. So, let’s ask: Does it matter
if your data can be unlocked in five, ten, fifteen
years from now? Consider this. Even in 2020, documents in the
national archives related to the Kennedy assassination nearly
sixty years ago still retain redactions for current
national security concerns. Now, think about the
data in your environment. Two things matter. Number one, of course the
sensitivity of the data; how important it is. But also understanding how
long it must be protected. We plotted a handful of examples
on a chart to make the case. We place social security
numbers more to the left. Clearly, we never want to lose a
social security number, but we must be realistic that 60% to
80% are already compromised. At the same time, they act as an
identifier across a lifetime so we placed them
higher on the chart. Contrast this with prerelease
earnings for a public company. Given their importance before
they’re released, we plot them far to the right. But given the brief time between
quarter-end close and public release, we plot
them near the bottom. Finally, think about
national secrets. Many will be at the top right. A short story about an
ultra-secret project makes the case. When the British cracked
Germany’s enigma code in 1941, it provided critical information
to allied land, air and sea forces that ultimately
shortened and won the war. Yet the sensitivity of that
project was so great that even people working on it
weren’t necessarily aware of the objective. And even after victory,
we kept this story secret for three decades. The core of our future, a post
quantum ecosystem, requires critical work from NIST. We need quantum resistant
algorithms as soon as possible. NIST is already doing amazing
work but we must help them move faster. They require more funding. The quantum research
budget is $30 million. That’s 0.0006% of the federal
budget to solve a problem that’s a threat to national security. And this is not an easy problem. Selecting the right algorithm
is a critical decision. Of the initial sixty-nine
replacement algorithms that were proposed, twelve were broken
or attacked in three weeks. And after three years, we’ve
still only narrowed the field to twenty-six. What about the rest
of us in this room? We can move our network traffic
to TLS 1.3 right now, and while that won’t prevent the traffic
from being decrypted by quantum at some point, it does make it
significantly more difficult for an attacker to execute at scale. Let’s all commit to build
post quantum action plans that measure time and impact
sensitivity so that we’re ready to migrate the systems at the
top right of our charts as the post quantum
ecosystem is ratified. Finally, together,
government and industry have much to do in partnership. Let’s pledge to start the
technical work beyond just the mathematical algorithms, to
inventory, understand and retool all of the systems
that are based on quantum vulnerable attacks. Whether it’s driving changes
through IETF to support a post quantum TLS or testing new
ecosystems for quantum secure code signing capabilities,
we must begin today. I’m confident we
can do these things. With quantum, the
potential is limitless. Immunologists one day will
discover the Rosetta Stone for a universal vaccine, putting the
flu and countless other diseases out of commission. But progress isn’t
waiting for quantum. Our current Cloud computing
architectures allow scientists to tackle the problems of today
to fight disease, to explore the universe, to power
human progress. Let’s not hinder our future by
remaining blind to the threats that target these platforms. Are we up for the challenge? We can’t wait for time to tell. Thank you. (Applause)
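The reverse-proxy-to-Instance-Metadata attack that the keynote walks through, shown as an added example that is not part of the transcript and is not McAfee's code: the "few lines of code" proxy that fetches whatever URL it is handed, beside a hardened proxy that only forwards to an allowlist of VPC hosts and refuses anything that resolves to the metadata or link-local address. Every hostname, the allowlist, the fake DNS table and the fake metadata responses (role name, credential blob) are constructed so the script runs offline; the attacker's two requests mirror the ones on stage.

```python
"""Reverse proxy that leaks cloud instance metadata (the pattern the keynote
walks through) next to a hardened proxy that refuses such targets.
Added example: not code from the keynote or from McAfee. Every hostname,
the allowlist, the fake DNS table and the fake responses are constructed."""
import ipaddress
from urllib.parse import urlparse

# Hosts inside the VPC that the dashboard legitimately needs (assumption).
ALLOWED_HOSTS = {"genome-api.internal", "results-db.internal"}

# Addresses where the AWS metadata service (IMDS) listens, IPv4 and IPv6.
METADATA_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}

# Constructed stand-in for DNS inside the VPC: name -> IP.
FAKE_DNS = {
    "genome-api.internal": "10.0.1.20",
    "results-db.internal": "10.0.2.30",
}

# Constructed stand-in for the network the proxy can reach. The metadata
# endpoint answers the way the attacker on stage expects: first the role
# name, then temporary credentials for that role (all values are fake).
IMDS_CREDS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
FAKE_NETWORK = {
    "http://genome-api.internal/progress": '{"contigs_assembled": 42}',
    IMDS_CREDS_URL: "dashboard-role",
    IMDS_CREDS_URL + "dashboard-role": (
        '{"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "constructed", '
        '"Token": "constructed"}'
    ),
}


def fake_fetch(url):
    """Stand-in for an HTTP GET; raises like a real client would on no route."""
    if url not in FAKE_NETWORK:
        raise ConnectionError(f"no route to {url}")
    return FAKE_NETWORK[url]


def proxy_unsafe(url, fetch=fake_fetch):
    """The 'few lines of code' proxy: fetch whatever URL the client asked for.
    Hand it the metadata URL and it returns the instance's credentials."""
    return fetch(url)


def is_metadata_or_local(ip_str):
    """True for the metadata service, link-local, loopback or unspecified
    addresses. RFC 1918 space is deliberately allowed: VPC resources live there."""
    ip = ipaddress.ip_address(ip_str)
    return (ip in METADATA_ADDRESSES or ip.is_link_local
            or ip.is_loopback or ip.is_unspecified)


def validate_target(url, resolve=FAKE_DNS.get):
    """Return (True, resolved_ip) if the proxy may fetch url, else (False, reason).
    Two independent layers: a hostname allowlist, then a check on the address
    the name actually resolves to, so a poisoned or rebinding DNS answer for an
    allowed name still cannot point the proxy at the metadata service."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if host is None:
        return False, "no host in URL"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    ip = resolve(host)
    if ip is None:
        return False, f"host {host!r} does not resolve"
    if is_metadata_or_local(ip):
        return False, f"host {host!r} resolves to forbidden address {ip}"
    return True, ip


def proxy_safe(url, fetch=fake_fetch, resolve=FAKE_DNS.get):
    """Hardened proxy: only allowlisted hosts, never the metadata address."""
    ok, detail = validate_target(url, resolve)
    if not ok:
        raise PermissionError(f"refused {url}: {detail}")
    return fetch(url)


def attacker_chain(proxy):
    """The two requests the keynote's attacker makes through the proxy: list
    the role, then pull its credentials. Returns the credential blob, or None
    when the proxy refuses."""
    try:
        role = proxy(IMDS_CREDS_URL)
        return proxy(IMDS_CREDS_URL + role)
    except PermissionError:
        return None


if __name__ == "__main__":
    print("unsafe proxy leaks:", attacker_chain(proxy_unsafe))
    print("safe proxy leaks:  ", attacker_chain(proxy_safe))
    print("safe proxy still serves the dashboard:",
          proxy_safe("http://genome-api.internal/progress"))
```

The allowlist is the control that matters; the resolved-address check is defense in depth for the day an allowed name is hijacked. Two platform-side controls complement it: on AWS, requiring IMDSv2 means credentials are only served to requests that carry a session token first obtained with a PUT to /latest/api/token (with a hop-limit header), which a GET-forwarding proxy cannot mint; and the instance role in the keynote had full S3 access, so scoping it to the buckets the dashboard actually reads would have bounded the blast radius even after the credentials leaked.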
