The Picasso of Cyberattacks Has Only Just Begun [Part 1], with Travis Howerton - Ep. 122

Travis Howerton of C2 Labs joins the podcast for an insightful discussion on the global threat landscape through the lens of his more than 20 years working on the front lines of national security with organizations such as the National Nuclear Security Administration, Oak Ridge National Laboratory, and Bechtel. In part one of our conversation Travis shares his thoughts on how the SolarWinds hack was the Picasso of modern cyberattacks, the inherent challenges of identifying attacks when you can't trust the tools you're working with, understanding the shared responsibility model in cloud security, protecting data with a 20-30 year outlook, and the nature of cyberlogical attacks where integrity is critical.

Episode Table of Contents

  • [00:39] Introducing Our Guest, Travis Howerton
  • [09:03] Cloud Is a More Secure Option
  • [13:03] The Adversary Is Smart
  • [15:46] Protecting Information in the Government
  • About Our Guest

Introducing Our Guest, Travis Howerton

Rachael: We have an amazing guest today, Travis Howerton who is Co-Founder and CTO of C2 Labs, which delivers continuous compliance solutions for regulated industries. That's a mouthful, but very mission-critical work here.

Rachael: He's had a front-row seat on the front lines of national security and the evolving threat landscape, working with numerous government organizations. And we're going to have an amazing conversation today.

Travis: Thanks for having me. It's a pleasure to be here.

Eric: So Travis, you came from NNSA otherwise known as National Nuclear Security Administration to protect all the nation's nukes, correct?

Travis: Yes, I did, yes. And so we were a semi-autonomous agency within the Department of Energy. And so our goal was the manufacture and production and safety and security of the U.S. nuclear weapons stockpile.

Eric: Rachael, what the heck would that have to do with cyber? But we'll get to that and then also Oak Ridge National Lab, which was involved in the making of the first atomic weapons and energy programs and still is.

Travis: Yes. So the first Graphite Reactor came out of there and they still do all sorts of nuclear research. And so ORNL's become more of an open science lab that does R&D. And then I had a heavy focus in my background on the weapons program side and national security mission. So kind of seeing the full spectrum from a government agency perspective there.

A Good Blend of Private Sector

Eric: And then you also worked at Bechtel prior to founding C2 Labs from a commercial aspect, correct?

Travis: I did. So I led the merger cost-savings transformation sort of group for Bechtel when the government decided to combine Y-12 and Pantex to generate some efficiencies in the nuclear weapons complex. Then I ended up going up to DC and working for Bechtel, where I had a digital transformation role in strategic programs globally for them.

Travis: And so a good blend of private sector at Bechtel and C2, the Lab I would call sort of in between, and then the federal experience where I was Chief Technology Officer of the U.S. nuclear weapons program.

Eric: Awesome. Rachael, nukes and cyber all in the same show. Let's kick it off.

Rachael: Let's do this. Yes.

Eric: Where do you want to start?

Rachael: I think that's a great question. I mean, the evolving threat landscape is one that I'm very fascinated with, and you've been doing this a really long time, Travis. Let's look at something like supply chain, for example, not an easy problem to solve.

A Beautiful Attack

Rachael: We've seen the whole SolarWinds, Solargate. You know, we talked a little bit about that before we got on the podcast today. There's no real answer to how to get ahead of that. I mean, what are your thoughts there?

Travis: I've described the SolarWinds hack to the folks I know as the Picasso of cyber attacks, and it really opened up a new front in the cyberwar. While there have been things that have been done in supply chain security that I can't talk about on this call, I mean, it's been a known issue, but we've never seen it at that scale and level of sophistication before. What made it beautiful, and I think if at some point you can't admire your adversary, they're not a true adversary.

Travis: It was a beautiful attack in the sense that there's really nothing we have in place today that could have realistically stopped it. It's going to get in because it's in software that you know and trust and have used for a long time within your networks. So there's not much you can do to stop the attack.

Travis: What you can do is stop what they can do once they're in. So things like zero trust architectures, micro-segmentation. And then part of what we were discussing in the pre-call is deterrence. To some degree there has to be a conversation around deterrence and what's the red line. And how far do you let an adversary go before you get an in-kind or an escalation in response for the damage that you've caused.

A Great Irony

Travis: So I think this is a really good case of pushing where's the line from a deterrence perspective. But it's also challenging all the assumptions of: I used to be behind my firewall, we make people log in with two-factor, we're good. All that stuff you have in detection and all those things, none of it was going to help you here.

Travis: So only limiting where they can go and what they could do and how they could dial home is really the only hope you had. Because you're not going to stop that getting in. And it's funny, I've been talking to several National Labs and some other customers we have, and the only one I know that had SolarWinds that didn't get popped and isn't going through incident response right now is one that was so far behind on patching that they didn't get the version with the exploit in it.

Travis: So literally not patching is the only thing that helped this customer, which is a great irony when you look at best practices in cyber.

Eric: Yes. I want to be clear, CISA came out a couple of weeks ago now, Rachael, and said about 30% of the attacks they saw were not related to SolarWinds, right? So this was a pretty calculated, extensive, nation-state-level campaign, blamed on APT29 at least right now. It's not just SolarWinds, I agree with you, Travis.

Assume the Breach

Eric: I mean, they're going to get in. You have to, as we've said so many times on the show, assume the breach. It's what happens afterward, and deterrence at the nation-state level is important. Even Microsoft, one of the targets in this attack, isn't really going to be able to impact deterrence at the nation-state level. You can start to say, this is acceptable, this is not, but it's really a problem. And it's what happens once they get in.

Travis: Yes. And if you can't trust your tools and what they're telling you, that's the big problem. So the beauty of the attack is they go to tools that everybody has and trusts. So rather than trying to go after Eric, then trying to go after Rachael, then trying to go after another adversary and sort of selectively targeting them, the beauty of this attack is you can write one, choose many.

Travis: Instead of doing that one, maybe they go for a Microsoft SCCM next time. Or they get into Ansible where people are doing their Linux configurations. They get into something that you trust in the management stack of your network. And then they use it and its credentials to sort of spread violently throughout your network.

Travis: And so when they're in those tools and they're in pre-compiled things, there aren't a whole lot of customers in the world that have the sophistication to find those attacks, much less detect and respond.

Leveraging the Cloud for Exploitation

Travis: And so I think it's opened up just a new war front, and I think deterrence is the biggest weaponry we probably have in our stockpile to be able to fight back against some of these things. Because once they're in tools you trust, they're inside your network.

Eric: Yes, I agree. I was speaking to a customer last week, I think. We were talking about it and I was trying to help them understand. They were asking about the security of the cloud. And I was like, well, this isn't really a cloud security question necessarily. It's that the adversary in this case leveraged on-prem systems to gain trust, to co-opt domain and user credentials, to then connect to Microsoft ADFS, Active Directory Federation Services, as credentialed users.

Eric: It's no different than a small business where the CFO calls up his buddy Brad over at the local bank and says, "I need you to wire a million dollars to X, Y, and Z". And the guy's been dealing with them for 30 years and says, "Hey, no problem. Send me an email, I'll get it right over there". Then the adversary sends the email on behalf of the CFO, who they impersonated the whole time. Money's gone, and same thing with IP in this case. They took local resources, gained trust, and then leveraged the cloud for exploitation and really, from what we're hearing now, exfil of data, espionage.

Cloud Is a More Secure Option

Travis: Yes. And I think there's a false choice in the industry that cloud is less secure. If it was on-prem, we'd be more secure. I think anytime you're trusting anything, you're going to have an issue. Because anything can be compromised with the right amount of time, money, and resources.

Travis: And so for most customers, I've said for years, cloud is a more secure option. And there are a couple of reasons why I consistently say that. One is they started with zero trust and micro-segmentation. Everything's defined in a software layer. So you can really carve things out and limit trust and lock it down if you can get there.

Travis: The hard part about cloud for most customers is they weren't born cloud native like our company was. They've got a ton of technical debt. A bunch of snowflakes in the data center that are really hard to move or do anything with. It's going to explode cost if you just move it as is versus sort of modernizing and refactoring for the cloud.

Travis: And so it makes it difficult to get there. But once you're in the cloud, you've got more segmentation. You've got more telemetry than you have on your on-prem data center. And then you can take advantage of the hyperscalers, AI, and monitoring. And things you probably couldn't afford for most companies on your own.

A Problem We Need to Understand

Travis: I mean, there are some larger companies and government agencies that probably can do better on their own. But for 95% of the rest of us, you're probably better off in a locked-down cloud that's micro-segmented with a zero trust architecture than anything you could do on-prem yourself.

Eric: Now I will throw out there a few things, Travis. You said one of the agencies you've worked with in the past said they weren't vulnerable because they didn't patch in time. So cloud gets patched pretty quickly, right?

Travis: It does.

Eric: It's fast. It's easy to use. The vendors typically allow most services by default to be available to people, even if you don't understand them or take advantage of them. I almost look at it like in some ways they should make it more like a firewall. Deny everything and open up ports, protocols, capabilities, we'll call it in the non-firewall world for the cloud, as you need them.

Eric: So you know what you're opening up. Because I think the cloud is so easy to work with. I mean, hell, the adversary used it to stage the attacks, to receive the information, to exfil the data. They used it for everything. It was just easy. It's well understood. So that's a problem I think we need to understand. And then I think there's the shared responsibility model. Even though Amazon and Microsoft and the major vendors have been talking about it for years, I don't know that it's fully understood by organizations and their personnel yet.

What Cloud Providers Do

Travis: I would say it definitely isn't. And a good example of that, we'll go back to yours, we should start with everything turned off by default. That's pretty much what cloud providers do. So if you stand up a new VPC in AWS or a resource group in Azure, it's pretty much locked down by default. You have to turn things on. And what happens is you get a lot of people turning things on that they shouldn't turn on.

Eric: They don't understand.

Travis: Right. It's easier to put in an "any" rule or to make everything open inside this area than it is to precisely lock it down. So a lot of what you see in exfils and other things are things like open S3 buckets. It's a great common example. That's on you as a customer. Once you make an S3 bucket public and then you put a lot of sensitive stuff on that, that's not really Amazon's fault.

Travis: And they say that in the Ts & Cs, but it requires a level of sophistication. When your infrastructure people don't know how to code, and things are moving much more into software than they are in the traditional hardware world, you get a little bit lost in translation in skill sets. And so if you have the right skill sets and the right team and the right expertise, I would argue cloud is much more secure. When you try to move into cloud without that, you can open up problems for yourself, but you do the same thing on-prem.

The Adversary Is Smart

Travis: The other thing I would say that's important is I've got a lot more confidence in the Microsofts and AWSs and the Googles of the world to be a harder target to hit than the SolarWinds. And most importantly, they'll respond better.

Travis: So if you're in their cloud and they're hit with something that's in their core infrastructure, they're built on zero trust already. They've got better isolation and they're going to have better recovery than anybody else. Because nobody else is spending at that scale to have that level of expertise. So I think you're still better off for most players to be up in that space with the skill set limitation aside.

Eric: I would agree with you. Understand the tools you're using. Though for years customers talked to me about how the big threat was someone's going to take Microsoft down or Amazon Web Services down. I think the adversary is smart. Why do that? Because, to your point, they're very good at what they do: resiliency, understanding who's attacking them.

Eric: But if you come in through an attack like we saw here where you're using the organization's own trust and systems against them and leveraging the cloud. It's really a brilliant play.

What You Can Find in Private Data Centers

Travis: Yes. And I'll give you a good example and I'm not going to share where this happened. But we were a customer of a cloud provider. We had just signed a contract. We were just starting to explore the usage of the cloud. And we hadn't really turned anything on there, but we connected some things.

Travis: And so for this client, when they started seeing exfil stuff, going through the Microsoft cloud, Microsoft notified us that we'd been breached. And everything we had missed it. All of it missed it. Just by that function of being there they saw something and reported to us. Because we were a paying customer they were watching our stuff.

Travis: It's pretty amazing what they can do at that scale that's very difficult. Folks do worry about it going down. But the reality is, how many people have that many data centers at that scale with that much redundancy built in? I came from a world where you're looking to have a data center that wasn't leaking water. Or had some problem where it'd been underfunded for 30 years. It's only got one HVAC system.

Travis: You know, all of those sorts of things you find commonly in private data centers and other things. You won't find those vulnerabilities and risks in the commercial cloud providers. So I think there are still upsides there. But everything's sort of risk quantification and where you're at now and where you're trying to go.

Protecting Information in the Government

Eric: So let's transition then to protecting data. You spent a lot of time in the government as a practitioner and policy setter. What's unique in protecting information in that space? Obviously, we have classified and unclassified material, but how do you look at that?

Travis: One of the unique challenges in the weapons program was that we have some of the only, and maybe the only, data that doesn't declassify. So nuclear weapons data will never become declassified. Or at least most of it will not. Because we don't want people knowing how to build our nuclear weapons. That's obviously a bad thing for the world for that to happen.

Travis: So you have to worry about problems 20, 30 years from now, not just in the next five to seven, when things would typically declassify for normal types of information. So that was a little different. But I think everybody faces their own data challenges. For a long time it was around espionage. They're just going to get into your network. They're going to exfil and they're going to steal stuff. I mean, that's certainly something we worried about in the Labs.

Travis: We did billions of dollars of R&D on behalf of the government. So either you can spend billions of your own dollars to try to compete, or you can just try to steal our stuff for pennies on the dollar and just take it, right? There are nation-states that exist that do that sort of thing, right?

The More Concerning Thing

Travis: But I would argue you have the same problem in other areas. The Stuxnet attack was really the one where you went from SOP, purely cyberspace, to cyber-physical, where now you can weaponize an attack based off an SOP and purely cyberlogical attack. And where you see that, I think it's a unique problem, is anywhere where integrity is very important.

Travis: That can be the grid. If you can't trust what's coming across the grid, in terms of reading settings, you can basically cause things to explode. The same thing in healthcare. It's not that they necessarily steal your healthcare data. The more concerning thing is if you're a terrorist, what if you got into a database on the backend of the hospital, changed everybody's allergies, changed everybody's blood type? You'd have mass casualty events just by scrambling data.

Travis: And then increasingly, access to data is becoming the new threat, with ransomware and other things locking whole cities out of access to their own data. So it's a multifaceted thing that used to start more on the espionage side. There were kind of rules to that game. You could steal stuff, they steal stuff, we steal stuff, everybody's stealing stuff. But you don't break anything while you're there. Increasingly people are breaking things while they're there. And then the worry is that terrorism breaks into that space and they start weaponizing some of those things. We discussed a little bit the attack in Florida on the water system.

A Low Sophistication Attack

Eric: Near the town of Oldsmar, where, if one guy hadn't luckily seen the change in the data, they would've flooded the water system with a lot more lye than was required.

Rachael: I think he saw the mouse actually moving on his desktop as the person was perpetrating the attack. And he's like, "This doesn't look right".

Travis: Yes. And that's a low sophistication attack where you get in and basically hijack somebody's computer. But your chances of being detected when you're hijacking and moving the mouse are pretty decent.

Travis: But if what they'd done instead was getting into the instrumentation network and changing all the readings so everything looked good even though it wasn't, that's the sort of attack that keeps me up at night. It's the sort of thing that the SolarWinds thing is opening. When you get into the supply chain and you can change readings and you're that deep into it, you can get some pretty sophisticated attacks and damage.

Rachael: And with that, we're going to pause our conversation for this week. We are having such a great time speaking with Travis. We're going to continue the conversation in next week's episode 123, where we continue looking at the global threat landscape and how you move forward with such a complex challenge ahead. Look forward to seeing you then, and until then, have a great week.

About Our Guest

After executive leadership roles in some of the largest public and private sector IT organizations in the United States (to include the National Nuclear Security Administration, Oak Ridge National Laboratory, and Bechtel), Howerton joined C2 Labs in March 2019 to drive product development and corporate strategy. With over 20 years of experience in delivering "no fail" missions, he is a trusted advisor to our largest clients, a thought leader for our product strategy, and focused on delivering sustainable long-term growth for the company.