Article

The best cyber-defense? An analyst who understands offense

Lurene Grenier knows how to build a cyberweapon. Good thing she’s on Cisco’s side.

As one of the world’s largest security vendors, Cisco relentlessly defends the world’s networks.   

But to thwart attacks, you need to understand of the weapons, strategies, and mindset of the attackers. 

That’s where Lurene Grenier comes in. With an extensive background in penetration testing and offensive cyber research, she knows exactly how to build a cyberweapon — and how attackers will use them.  

In a wide-ranging interview, Grenier, who works for Cisco’s Talos Intelligence Group, explained how the best cyber-defense starts with a good understanding of the offense.

 

Thank you, Lurene! You’ve actually built cyberweapons. How does that deep understanding apply to a company like Cisco, which is all about cyber-defense?   

Well, let’s imagine that you are defending a castle and you build moats and ramparts with arrow slits. But your enemy suddenly rolls in with helicopters. Those arrows are not going to be helpful. Your intelligence about the attacker’s weapons is very important to how you defend yourself. 

How do you understand what the attacker might bring to the table next time?  

The attacker brings to the table exactly what needs to be brought to the table. You’re not going to see the attacker’s entire hand until you force it. They are only going to play the card they have to play; they are not going pull out the expensive cards unless they have to. 

So, if you set up walls, the attacker brings higher ladders. If the walls get high enough, they bring a helicopter. You define, as the defender, what the attacker is going to do and bring. If a network is weakly defended, attackers don’t care how much noise they make. And they will bring low-level attacks. If your network is well defended and they need to be quiet or stealthy, then they’ll bring high-level attacks. If you are an attacker, your question is what's the highest wall I can get over? 

So, the attackers need their own reconnaissance, to find out what defenses are in place?  

Your developers are developing your weapons. But to inform those developers, there are a lot of techniques required, like persistence mechanisms, moving through a network, collecting data in a network.

There is a big difference between the resources of an individual or ransomware gang and a nation-state actor. But overall, is the cost of an attack getting lower?  

For an individual or ransomware gang, it’s extremely low. Essentially a lot of the tools they’re using are off the shelf, not their own custom software. So, their initial vector is generally going to be some sort of phish. They’re going to look for weak links in the human aspect. They’re not going to be bringing big Zero Day exploits to the table.   

And then moving up a bit, you’ll probably see persistence mechanisms that are still relatively cheap, off-the-shelf things; maybe they’ve run them past a bunch of endpoints that they purchase themselves and found that they could bypass two or three of those. And so that's good enough.   

And what about with a nation state?  

A nation state is looking to attack a higher-level target. So, we’re talking Zero Days and true remote, where I could take control of your iPhone, things like that. You’re looking at $2.5 million to enable me to get all your data without tricking you or interacting with you in any way.   

That’s still pretty cheap, given a nation-state budget.   

If you want to compare that to a cruise missile, it’s no contest. And one of those remotes can potentially turn off the electricity just as effectively as the missile.   

But there are other factors and costs. It’s hard to train and pay a very sophisticated force. So, there is speculation that Russia turns a blind eye to a lot of their ransomware actors. And then, if something should come up, like a land war, they can then turn to all these people they’re allowing to work in the black market and say, “hey, we’re letting you work, but right now you have to turn over all of the networks to us.”  

But if they can’t get into the power plant, they will turn to their A team. A lot of that A team is employed in espionage though, not necessarily as attackers. The primary cyber investment for a nation state is espionage.   

How prepared are most organizations for a cyberattack? 

Right now, many companies are coasting along in an extremely vulnerable state. It’s because of the state of security and operating systems these days, and how the quarterly business cycle does not incentivize people to go back and fix their technical debt. Instead, they’re incentivized to add, add, add to their software without actually fixing the underlying vulnerabilities. 

How is Cisco helping? 

Cisco has an end-to-end solution, all the way through the chain. We put it all together into a system that can look across products, across your network, to make sweeping statements about what’s going on. If you have a patchwork of different products none of them can interact properly together, so you don’t get a full view. You get a bunch of individual views, not a holistic view. The fact that we have all these options in one system is a big advantage. 

So, a lot comes down to observability, across distributed endpoints and networks? 

Yes, you can get a full picture from our product suite and that is very important to tracking attackers through a network. 

What is a typical day at Cisco like for you?  

Often, I’m meeting with product teams to explore gaps that could potentially make attackers invisible to us in certain circumstances. And we discuss what sort of changes we need to make to our products to constantly watch and stay ahead of the attackers as they become more sophisticated or their techniques change.  

What’s the biggest contribution you’ve made towards Cisco’s capabilities?  

It’s the understanding of the offensive mentality that I’m bringing to the defensive team. So, if we need to decide where Secure Endpoints is going to evolve next, in terms of what sort of visibility it needs into the operating system, that’s on me. And at Talos, we have this complex set of telemetry coming in from a wide variety of main security products. I put those together to make meaningful statements for the customer about what’s going on.  

And you’ll keep anticipating the attackers’ next move?  

It’s not that I’m trying to guess what they’re going to do. It’s more that I built all the kinds of things they’re going to use, so I know how they work. If someone puts up a higher wall, I’ll figure out how to breech it, and then I will know exactly how the bad actors will try reach it in the future. 

###

Related content: