[01:29] What Actions in Ukraine Impact Other Parts of the World?
Eric: I have a special guest today, Petko Stoyanov, CTO of Forcepoint. Rachael is on a well-deserved vacation. She will not be joining us. Petko, welcome to the podcast. I know you've been on before. I'm really looking forward to speaking with you.
Petko: Thanks for having me. I think last time we talked about cyber resiliency. This week, one thing that's made everyone realize, COVID made us think about resiliency, but now we have to think about it a little bit differently. What actions in Ukraine impact other parts of the world? How does it impact your organization? Just around resiliency, around tactics, how would you be prepared?
There's tons of things we could do, tons of things we should have done before. But I'd love to talk about, do we see anything new? Eric, you've got some interesting perspective on this, you used to be in the military. How do you want to start?
Eric: Well, I was an infantryman. I was the only guy in my unit to know how to work with a laptop. We had one.
Petko: You had laptops back then?
Eric: We had an old 386 that ran WordPerfect, I think 50. It was an SX by the way, but nobody could use it other than me. So in my last year, I became one of the ops personnel of the three of us because I knew how to type.
Petko: I'm interested in this laptop thing. Was that a policy they implemented because you were special or was this just the training thing that they decided to give you special training?
How Things Are Moving in the Ukraine Situation
Eric: No, we got a laptop to do operational work, schedule jumps, schedule missions, deployments, you name it in lieu of typewriters. It is what we had used prior to probably 90, I want to say 94 was the first time my unit got a laptop. Nobody knew how to type and nobody knew computers. I had about a year left on my enlistment and I saw it as a great way to deploy less, get more time for college, and help out.
So I stepped up and said, "I can use that thing," because I had been building computers for a couple of years at that point myself, but just very different times. But I do want to correct you, the last time we spoke, not on the air, was last night. We put a couple of questions together in preparation for today. I would say three of the four questions are outdated as of two hours after we spoke.
Eric: Clearly today, probably 15 hours after we spoke yesterday because things are moving very quickly in the Ukraine situation. So let's talk about that. Number one question we had was what types of cyber warfare tactics could we see Russia deploying? We know that they had already deployed some in prior weeks, prior campaigns going back to 15, 16, 17.
But let's talk about that, recognizing at this point in the day today on the 24th of February, Russia has overrun a good bit of the Ukraine. Cyber is almost an afterthought due to kinetic weapons that they've taken to airfields. We believe from the free press that we see, they have air superiority.
Eric: We have imagery showing that they've knocked out a lot of command and control, physical radar systems, and systems to detect physical traffic. It almost seems like cyber was overrun before it even got started. What types of cyber warfare tactics did we see leading up to the invasion of Ukraine, but also post-invasion?
Petko: We definitely saw lots of activity around denial of service. The Russians are very good at creating noise. Sometimes, when you're being disrupted to just check your bank account and other things, they're also doing other things in the background. What's really interesting is when you start thinking, if you're going to attack a country, you don't just wake up one day and say, "I'm going to put my troops there. I'm going to make this happen." You don't one day say "I'm going to deploy 70% of my fleet, 150,000 troops and just make it happen."
Eric: We saw months of lead up to this.
Petko: It's months, just for the people.
Eric: On the physical side, exactly.
Petko: Now the nonphysical, we didn't see this today or yesterday, what's really happening is they're preparing the battlefield. They started putting things in place. We don't know, it could’ve been back to the previous time we did this in 2015. They could’ve just waited, collected data. When they had to come in, that preparation of the battlefield is understanding your visibility. It’s having the way to control things when you need them to happen. That could have been out of service, that could have been knocking out comms for certain air fields so they can't see what's coming in or communicate the things coming in.
Moving to the Ukraine Border
Petko: Let's not assume that there's anything new here, but rather it's been there for a while.
Eric: I think we would call or cyber network exploitation, getting in and really understanding, getting the hooks into the system so that you know what's happening on those networks. But also as you need to go to more, I'd say advanced or more direct mechanisms, you have capability pre-deployed. It’s akin to moving 70% of your military to the Ukrainian border.
Petko: We always use the word advanced persistent threat. We focus on the word advanced, we forget about the word persistent. And we talked about, "Oh, what are the new tactics?" No, they're just been there for a while. They're persistent.
Eric: But we really haven't seen anything new, have we?
Petko: We've probably got deeper hooks when you think of BlackEnergy and some of the things we saw back in 2015 when they took out the power grid. That was unique because it’s the first time that we saw a cyber impact on the physical world. Now they've developed deeper hooks in some of their technology, making them smaller, but not new. The tactics are similar, misinformation and denial of service. But they have better visibility in some ways because they've been there persistently.
They've planned for it. It's one of the reasons I think as organizations, as agencies, we've got to be better prepared. We've got to make sure that we've patched, we've mitigated, we've practiced our incident response. We have identified where our supply chain challenges are from software, from contractors, from people.
[07:38] The Source Code May Become Russian
Petko: One organization I'm talking to right now, they have teams of developers in some of these countries. How does that impact their software development environment? Think about it that way.
Eric: In some cases, the source code, which people had access to, may become Russian at this point.
Petko: Yes. We don't know. What do you do with the people? Do you get them out safely or do you give them options? All of this goes back to that cyber resilience as an organization, that cyber risk that we probably need to do. It's definitely constantly changing. Like you mentioned earlier, what we found out just in the last hour or two is probably going to be different by the time tomorrow even, or tonight.
Eric: Or tonight, even. What we did see though was a lead up to this in prior years. But even as recently as a week ago, we did see Ukrainian websites come offline which we've seen before. We've seen data wiping, malware being deployed. We saw that heavily yesterday, Wednesday. The day before the physical, the kinetic action, we saw a significant uptick in wiping technology. That's essentially ransomware without the ransom.
Petko: Fair, but honestly, let's think about it. If I've attacked the system or if I'm robbing something, what am I going to do before I leave the building? I don't want you to know how I got in. I'm just going to blow it up and wipe the data so you can't see any evidence of how I got in. Because I might have been there for months or even years just waiting.
Eric: But we're taking that next step, which is to prevent something from happening. What we saw here on the kinetic side of the activity, we saw air activity. The Russians, it appears, have gained air superiority at this point. We saw early warning and detection systems and radar systems. There's imagery published in Ukraine from the Ukraine where systems are just destroyed. They're burned out, they've been shelled or they've been bombed. We've seen a lot of anti-radar missiles and things like that. They did the same thing on the cyber side.
Petko: Yes. Just to make sure it's not one-sided here, we did give Ukraine some javelins. They're knocking out some Russian tanks. We're seeing a little bit of both sides. But they've definitely moved very fast. That speed on the physical, I think, was aided by the cyber visibility they had before that. So there was definitely some coordination.
What's really interesting to me is when you start thinking about what's going to happen next after this. You're going to see these similar tactics probably get reused by the cyber crime world. There's a lot of collaboration on the cyber side, and this is part of the techniques they do. What they do is not unique, but the way they do it, the stealthiness of it, the persistence of it is special. Whilst the crime groups want to come in, get out quickly, but you're going to see them replicate the tools. You're going to see them replicate the tactics.
Petko: It's going to get harder to say, "Wait, was that the Russians? Or is that someone pretending to be the Russians? Wait, that's coming from Italy? Is that the Italians or is that the Russians or is somehow maybe they're using it as a proxy?" We don't know.
There's going to be a lot of reuse here and one of the interesting statistics I read. I think it was about like a year ago when they estimated that cyber crime. For the definition of cyber crime, let's throw in the word cyber war there, it is going to be a $10.5 trillion business in terms of loss by 2025. We're talking about three years.
Eric: Brilliant also.
Petko: Yes. When I heard that number, I was like, "There's no way. We were a third of that last year before COVID and everything else." I was like, "There's no way it's 10 trillion." Well, honestly, that never just became real with this invasion.
Eric: I think you're right. The other question I was going to ask you is, how might acts of cyber war by Russia coincide with military action? I think we know at this point, we've seen a lot of these things. The piece that's interesting to me that I'd love to talk to you more about, are components like disinformation, misinformation. Almost, they weren't even needed, they were just overrun by the speed of what happened here. It wasn't necessary.
Russia was pretty transparent. In fact, as of this morning, I was watching a CNN report from the Russian side of the border as the Russian military entered the Ukraine. So there really wasn't a need for disinformation.
When Ukraine Was Part of Russia
Eric: There wasn't a need to take Ukrainian systems offline. I'm sure they did, and I'm sure it helped, but to the extent you would think because of this sheer speed of the attack. It reminds me of the German Blitzkrieg that kicked off World War II.
Petko: Not to get into that, but I also think about the Cold War and when Ukraine at one point was part of Russia. In 1991, they separated, but ultimately Russia felt like, "Hey, you're part of us." So in some ways, Russians are viewing Ukraine as their own and they're liberating them. So I think it's a really interesting context around World War II and some of the Cold War. In a lot of ways, the Cold War never ended. It ended for the US, but it didn't end for the Russians or they just persisted in waiting and just took it to a deeper level.
Eric: Yes. I'm with you and now they have these tools. So what did we see? We've seen a decent amount of wiper software is being reported in the news, additional capability. Certainly the distributed denial of service attacks were reported pretty well so we believe that to be the case. We're still getting some data out of Ukraine, primarily Facebook, Twitter, and the internet does appear to be up.
Petko: Let's make this a little more global. For those of us who are not in Ukraine, does this matter to us? What should we be worried about? I would imagine a lot of viewers will say, "Oh, that's just Ukraine. I'm over here so I'm not going to worry about it. They're not going to attack me."
[14:17] Ukraine and Russia on Google Trends
Petko: But again, the cyber side, the things they saw there are going to get reused. You're probably going to see campaigns in other parts of the world that are replicating that type of news because we're now on. I just did a Google Trends look on this. If you go to Google Trends and just look up Russia and Ukraine, it's through the roof in terms of trending topics.
Eric: It's the query, Russia, Ukraine.
Petko: Russia, Ukraine trends.google.com. It went from barely being a search on January 15th to now like being one of the top interests. Imagine how an adversary or cyber crime group would reuse some of this news inside from a business email compromise. Or something else where organizations just have to be more resilient, more ready for potential misinformation coming in. That will try to either capture remote access systems, capture cloud systems, or just test some of their incident response capabilities.
CISA has published some great reports. I encourage the audience to make sure they read some of these CISA.gov that are around what foreign activities are happening. What should I be prioritizing? For years, most organizations are like, "Where do I start?" Well, they've got a great list here of the common vulnerabilities you've got, to make sure you patch.
Here's the order you want to do them. It's a very simple order, with COVID and everything else. The first thing they tell you is start with remote access, make sure you've validated. You know where it is, you've patched it, you know who's got access. Do they have the right access? Make sure that remote access solution is patched because that's one of the areas that they're targeting now.
Eric: Remote access meaning we can access corporate resources remotely from somewhere other than the corporate infrastructure inside your house or inside your business.
Petko: Absolutely. So I'm at home. I might VPN in, or I might log into some web-based environment that's using some application on top of it to virtualize my desktop. All of those need to be fully patched. The user accounts you have, just double check them because they might not be the users you think you have, if you know what I mean.
Then the second thing is just go through all your applications that are exposed to the internet, all the ones you do have. Start asking questions, do they need to talk to the internet? Does that database that's sitting behind a web app really have to go directly to the internet?
CISA recommends making sure you turn off unneeded applications from the internet, harden it, double check it. Start remote access, then go through the firewall, check your apps.
Third is to check your cloud. They literally have multiple steps on how to harden your cloud environment. One thing the Russians are definitely doing is attacking EMO solutions like 365 and others where critical data is. They’re hoping that people make a mistake. They've done it a couple of times through email accounts they've created through remote access, they got then created in the cloud.
We live in a hybrid cloud world where not everything's in the cloud, but there are things on prem and there, they're dependent. There's a dependency there. Ultimately, once you've done all that, you've checked your remote access, you've checked your apps, you checked your cloud, just be resilient. Practice and test your incident response and backups.
We’ve Seen COVID Hit Us
Petko: Just make sure you honestly have enough people because we've seen COVID hit us. It most probably held off testing some of these things and it might require more people than we realize. Those are the three, four things. If you read two or three pages of theirs, those are the top four items that I would say so we can definitely do today.
Eric: I think the other thing to think about is you're not just looking for activity coming from dot RU domain or IP addresses. As you and I have spoken about in the past, these attacks, whether it's intelligence-gathering or it's an actual attack at some point will likely be launched from servers within the country that the resource is in or what would be perceived as a friendly country.
Petko: No doubt about it. I would just use another cloud vendor. You wouldn't even realize it. I'll use a cloud vendor region in your environment that you have access to today. You don't even realize that it's happening.
Eric: Right. Just makes it easy. So let's get personal for a second. I don't know if everybody knows, but you're originally from Bulgaria.
Petko: Yes, many, many decades ago.
Eric: Couple hundred miles southwest of the Ukraine. What do you think about that? I don't know if you have family and friends there, but what would you tell them? They're near the border. Are they next or are they not? What do they do from a personal perspective and from a cybersecurity perspective? Do they need to worry? What are your thoughts?
When There’s Noise, There’s Opportunity
Petko: They're definitely close. I think anyone in Europe, I would go back to the cyber crime conversation I had earlier. You're going to see some of these tactics, some of these being reused, because when there's noise, when there's chaos, there's opportunity for them. I had a recent friend of mine I talked to this morning. This is a friend of mine who's very tech savvy who lives in the US. He loves tech, and anytime I text some stuff, he's obsessed with technology.
I texted him something this morning and he's like, "I don't have time. My home country's getting bombed." That's the only thing on his mind. He's been here decades, but to them, that is very personal. In a lot of ways, any country that is close to Ukraine is going to say, "What's next?" We've already seen them previously go attack Belarus, they've got posts there. When you start looking at the map, you've got Belarus on top. You've got Ukraine, then you've got Moldova and Romania.
Eric: Poland, Bulgaria.
Petko: You start wondering, how far are they going to go? Is this the start of something? I don't know where it's going to end, but we know where it started, it started here in Ukraine.
Eric: When I think like your journey, your family's journey too that ended up originally or eventually in the United States, borders are not like they used to be. I think the cyber security activity we are seeing will impact Europe. Absolutely. But it will also impact the United States being the Western world, plus Japan and a couple of other nations.
[20:36] Attacks on Critical Infrastructure
Eric: As we look to sanction the Russian government, I think a likely recourse could be attacks on critical infrastructure in the rest of the world.
Petko: I think they'll definitely do that, but they'll attack ones that don't impact their revenue stream. You have to remember what Russia is known for.
Eric: Oil and gas.
Petko: They're not going to want to impact anything that's impacting their gas lines and other things, at least because it impacts their revenue.
Eric: I did read a report that gas was flowing this morning. I think it was a CNBC report. Gas was flowing through the Ukraine pipelines into Western Europe, at the highest rate of anytime recently, today.
Eric: Yes. You don't want to, but also I don't think Russia wants to kill that source of income. So you're a global company now. We know that cyber has no boundaries. How do you take defensive action against potential Russian cyber activity? You could be a US, a UK, a French, a German, whatever company that is doing your business as you normally would and you find yourself a target now. How do you take defensive action? What should you do or what should you expect from a Russian cyber activity outside of the Ukrainian area of responsibility maybe is the way to put it.
Petko: I'd go back to what CISA recommended. They literally just released, I think this week, around foreign activity by Russians. One of them was literally the remote access. But I think as a global company, we have remote workers, we have remote sites. I think of it as when we had COVID, we had a lot of great things happen out of COVID.
Petko: We started deploying technology at a speed we've never seen before. But at the same time, we deploy at a speed we've never seen before. We are not sure if we're complete with all the projects, all those deployments.
Eric: I would say we deployed accessibility, not necessarily secured that accessibility. A lot of VPNs extend the corporate boundary beyond the corporate firewall, if you will, into the home. But we're not necessarily inspecting that traffic any better than we were.
Petko: We probably lost some visibility because of that quick extension there in terms of what's happening. I think CISOs would go back to that list and say, where are my users and what are they doing? Where are my devices and what are they doing? If we can't answer those questions, we can almost assume that at some point there's something else there. As a global organization, I think at Forcepoint we're in, I forgot how many countries, but we're global, we've got folks all over Europe.
Eric: Hundred and whatever, we're all over. We have Russian employees. So yes, I'm with you.
Petko: We've definitely got a global workforce and we've centralized. As an organization that does software development, one thing I would say is you have to make sure you centralize your code development from a storage standpoint. If you do have folks in Europe and other places, they shouldn't be downloading intellectual property. They shouldn't be downloading it to the laptops like source code.
Eric: You should be able to turn access off.
Petko: Turn off access, but what you do want is to give them access to the repositories so they can come into a secure environment that's centrally located. They can do the work when they need to, and they can check out but leave the code there. Leave the testing there so it's not residing in them because of what we've seen again with COVID.
The new normal we're used to is data's gone from your offices that used to be safe and sound because the laptop, it was still on a laptop. Now, it's gone everywhere. It's not just on the laptop at home, but it's also in other cloud services that IT might not be aware of.
Because the employee was looking to be productive and just said, "Hey, I'm just going to deploy this because it makes my job easier."
Developers are really well known for that, and they're not trying to circumvent things, they just want to be productive. But I think as a CISO, you start asking a question, what are my critical assets? If the critical assets are source code as a software development, if the critical assets are corporate data, start asking a question, where is it? Is any of it in personal laptops or in areas that could be directly affected? How would they be affected by cyber attackers, regardless of where they are, because there's no bounds anymore? I'm going to say a country at this point.
Eric: Right, there are no borders. So CISA put out a notification to the critical industry about a week ago. I think it's certainly in the month of February here to talk about escalating risk and attacks.
What Are You Doing Differently?
Eric: If you are in a critical infrastructure sector organization, let's say a power plant, a water treatment facility, a bank, it really doesn't matter. You're the CISO, Petko, what are you doing differently? How are you thinking differently if you are today than you were a week ago?
Petko: I think we would all be at this point operating in an elevated state. We're assuming things are going to happen.
Eric: What does that mean? How do we think differently? We're in an elevated state, obviously there's some risk in the world that wasn't here a day or two ago.
Petko: CISA puts it really well. On their website, they call it shields up. In a way, it's kind of the model that you've got to start looking at. Before we might have said, "Hey, employees, come here." Now it's like, shields up, make sure you check everything. Apply more zero trust. Make sure you understand your essential services, where they are, and how they impact in terms of critical infrastructure.
How do they impact your employees, your public safety, your commitments to your partners? I can't help but think of SolarWinds for some reason. The reason for that is, in a SolarWinds example, they affected the supply chain, how the software was actually compiled and delivered. I would not be surprised if we see that taken further in the next year.
We see more things getting hidden deeper in source code because the development environments are not centralized. We're not controlling the ins and outs of that development environment. We are not hardening or putting shields up on our email systems and our users to make sure they're protected.
[27:23] Security by Design
Eric: As Sudhakar, the CEO of SolarWinds said, it was on the podcast back in December of 21 I believe. It was an excellent show. If you haven't listened to it, go back and listen. It’s security by design, building it up front, knowing and understanding the risks.
Petko: I think a lot of us have said we've practiced it for years. We've argued that we do security design, we're patching, we're securing, we're checking our codes. But, very few of us had it in a centralized manner. We always have it distributed. We're focused on the code, not to make sure what goes in is trusted, but we never said what comes out is trusted. Now, it's definitely a changing world. I think organizations need to start looking at it from the standpoint of, it's not if, but when. Definitely, the when is coming closer it feels like.
Eric: Do you think this will change things? Do you think people will recognize that the vulnerabilities are greater than they thought, and that it's time to do something?
Petko: I want to say they will, but I think the biggest challenge is, it's gotten to the point where there's so much noise, so much of this go fix this, go fix that. How do you start? What do you prioritize? That's one of the reasons I recommended going back to what CISA's list was.
We'll definitely provide references about those four little high-level things like checking your VPN, your remote access, checking applications, checking your cloud, and just double checking your backups. That's a short list you can start with. But if someone says, "Go patch everything," where do I start? That's too broad.
We Have This Conflict Going on Between Ukraine and Russia
Eric: Right, you'll never get it done.
Petko: Go fix my cloud. Be more specific.
Eric: Is there anything a CISO or a CIO can share as she's looking at the business with the employees? I'm not talking about training necessarily, but we have this conflict going on, I want you to be extra diligent. You should be on heightened alert right now. If you see something, say something. Would you go that far or do you think it's probably just wasted breath?
Petko: I would expect us to have more business email compromise. Someone pretending to be the CEO or an email that says, "Hey, I text you, respond back to this." You'll think it's your CIO or your CEO and it might be someone else. I think it might start with something like that. Just double check identity at this point. Double check who you think you're talking to is the right person, either via email, via text, or the supplier you're dealing with. Give them a call sometimes and just make sure that's really what they want.
I think at this point, you gave the example in the beginning of the show about your 386 and your SX. How before everything was on a typewriter, we've added cyber so much where we trust it to the point where we forget about integrity of the actual code. What if someone changes something? Ransomware, it was all about impacting availability and making it difficult to access the data. But I worry most about what if someone changed the data in the middle of it, would we know?
Eric: Tweak, almost like we saw with the Iranian centrifuges. Just a slight change, not a wiper where we're destroying something, not ransomware where we're saying we're holding you hostage. Not exploitation act or exploitation activity where we're in the networks, but really looking at just a slight tweak to throw something off and change it.
Petko: Spin it a little faster, or spin it a little slower. When you're looking at it, you might not notice that extra account in your email. In your global address list, you might not notice that extra account, active directory service account that's accessing applications. But I think now we need to start checking those and asking the question. Let's revisit all our users who have left. Organizations definitely need to be looking at their offboarding policies. There's definitely a lot of accounts that get stale and just left there for various reasons. How many of them really turned off all accesses?
Eric: Very few. We saw the Russian military and government blow through the need for cyber to a great extent. We've seen an increased use of wipers, disinformation really wasn't in play here. I believe as this campaign, this effort continues, wherever it should end up, we will probably see enhanced cyber activity on the backside. We’ll probably see enhanced disinformation on the backside of the kinetic, the physical piece.
I suspect we'll have a puppet government in the Ukraine shortly, probably before this airs if you ask me. But I think we'll see more cyber on the backside. I say that disinformation, misinformation, and the like, plus potentially critical infrastructure attacks where I personally expected it upfront. Agree, disagree, what are your thoughts?
Misinformation, Disinformation, Malinformation
Petko: I think it was already there, first of all, in the beginning, we just never realized it. The Russians definitely have a history of misinformation, disinformation, and malinformation.
Eric: It almost wasn't even needed. It wasn't used.
Petko: But in order for them to stay in Russia, in order to put that government in as you put it, they're going to need the support. They're going to need the misinformation they're going to start producing.
Eric: Just like we're seeing on Russian state-led news, we'll see more. But prior to this, and I've written about this publicly, we expected more cyber. I certainly expected more cyber activity in leading up to any kinetic attacks.
Petko: I think what you mean is more detectable cyber activity that's new right before an attack.
Eric: Longer duration of prepping the battlefield. Misinformation, malinformation, disinformation, things to really change public perception and raise questions about what's really happening, we really haven't seen that. The Russians just blew through. I think we're going to see more on the back end now.
Petko: Yes, absolutely. I would agree with that. We're going to see much more misinformation and more media control at this point. The Russians will focus on the message. For them, it's all about saving face if anything that happens. So they want to be able to control that.
Bolster Your Defenses
Eric: Well, we're going to stop the show there. I really appreciate your time. I'd love to follow up with you in the coming days here as this situation evolves. It's rapidly evolving. I really appreciate your time, Petko.
To all of our listeners, hopefully this special episode is helpful to you. Take what Petko said, what CISA says to heart. Bolster your defenses. Be more aware, more cognizant of what's going on on your networks, on your systems with your data.
More coming from us as these days evolve here. To our subscribers, thank you for listening. Please hit the subscribe button. If you have any comments or questions, get them over to us, ideas for this show. Petko, thank you so much for your time. I hope you have a good day.
About Our Guest
Petko Stoyanov serves as Forcepoint's Chief Technology Officer for Global Governments. He focuses on strategy, technology, and go-to-market for enterprise-focused solutions across the government verticals in Australia, Canada, New Zealand, United Kingdom, and the United States. Petko is an experienced cyber security leader who specializes in establishing information security programs and driving security maturity in technology through experience specialized in aerospace, technology, and cloud. He has prior experience as an Information Security Manager and Security Architect leading and designing secure tamper-resistant security systems and advanced multi-level security systems.