Adopting a Threat-Informed Defense (with Christopher Frenz)

EPISODE 13: THINK BAD, DO GOOD


Jonathan Reiber, Senior Director for Cybersecurity Strategy and Policy, AttackIQ

Guest: Christopher Frenz

In this episode, Christopher and Jonathan discuss the zero trust security model and look at how to achieve an evidence-based security program by adopting a threat-informed defense in the hospital sector. Hospitals and healthcare organizations are under siege in cyberspace following an increase in ransomware attacks and the broader pressures of the coronavirus pandemic. After decades of work in cybersecurity, Christopher understands how continuous testing and the MITRE ATT&CK framework can help organizations get ahead. “A lot of the metrics used today are not fine grained enough,” he says. “Looking at MITRE ATT&CK, the different tactics and techniques that can be used against us provides an effective way to identify what we need to be protecting, and what we need to be detecting. We use this as a basis for testing and evaluating the security that is in place within our organizations.” He takes a scientific approach to security by measuring the efficacy of the controls through real-time testing and uses data to improve his organization’s overall security posture.

Tune in and listen to one of the cybersecurity industry’s leading advocates of a threat-informed defense. For more on this subject, check out Christopher’s recent article in Healthcare IT News.


Transcript

Jonathan Reiber:

Hey, everyone. It’s Jonathan Reiber, your host of the Think Bad, Do Good podcast here at AttackIQ. I’m very pleased to have Christopher Frenz here with us today. Welcome, Christopher.

Christopher Frenz:

Thank you for having me.

Jonathan Reiber:

Great. So, Christopher, you’re the Head of Information Security at Mount Sinai South Nassau. Is that right?

Christopher Frenz:

That’s correct.

Jonathan Reiber:

Well obviously, the hospital sector and the healthcare sector are under siege, through ransomware attacks and the broader pressures of the coronavirus pandemic. We’ve seen a lot of attacks in that sector. So, we’re especially pleased to have you here today. Thank you for taking the time to join us.

Christopher Frenz:

Thank you for having me, and yes, it’s been a challenging year within healthcare, particularly during the pandemic with the spike in ransomware attacks and other attacks.

Jonathan Reiber:

Yep. Well, we want to hear about it. So, tell us about yourself, Christopher. What’s your role at the organization and tell us about your security organization as much as you can?

Christopher Frenz:

Sure. I’m the Information Security Officer for Mount Sinai South Nassau. I’m probably best known within the healthcare community for being the first person to do zero trust within healthcare, and number two for my work in medical device security, including the recently released Cloud Security Alliance medical device incident response playbook, which I helped co-author, which was one of the first types of guidance to incorporate patient safety risks into the security decision process.

Jonathan Reiber:

Good. That sounds important. Tell us about your philosophy on cybersecurity.

Christopher Frenz:

I’m big on testing security. One of the things that we get wrong as an industry over and over again is we consider security too much of an art form, and not as much of a science as it should be taken. We tend to follow too many compliance-driven approaches. While checklists can be useful, a checklist approach to security alone is not really an effective approach.

We’ve seen time and time again that you can easily be compliant with a security standard and still be pretty insecure. It’s one of the things that we need to begin to change and mature as an industry.

I’m constantly looking for ways to make security more measurable. I come from a scientific background. I got involved in healthcare many years ago as a drug designer. I used to develop computer algorithms for drug design. I never really lost that scientific approach to everything I do. I always want to try to measure and try to make quantitatively based decisions for improving how I approach things, including security. A lot of the work I’ve been doing recently has been focused on finding ways to measure the efficacy of the controls that we have in the organization, and using those measurements and metrics we collect around that to find ways of improving security.

Jonathan Reiber:

That’s awesome. That obviously clearly resonates very much with us at AttackIQ, an outcomes-based approach that is data driven. How have you found the MITRE ATT&CK® framework to be helpful in your search for evidence?

Christopher Frenz:

I really like the MITRE ATT&CK® framework. I like the pyramid of pain concept that it is based on. If you look at defenses that are higher up the pyramid of pain, that target the TTPs, they are more effective than targeting things like hashes or IP address blocking, which are easy for attackers to circumvent.

Based on my own quantitative testing, I find that holds true. MITRE ATT&CK® provides a great framework for identifying things the organization should be looking for. If we look at a lot of the traditional ways in which organizations try to measure security, one of the things that was often present was they were not fine-grained enough. Take a traditional KRI or KPI, let’s say mean time to detection. It’s great to have a goal of improving your mean time to detection, but one of the problems a lot of organizations run into is that it is not really a granular enough measurement.

If we look at why organizations fail to detect stuff, it is because they are not detecting the proper TTPs. There is a more fundamental question that needs to be asked. First, do we have the ability to detect all the things we need to detect? Figuring that out first will go a long way towards improving that mean time to detection metric.

A lot of the metrics we use today are not fine-grained enough. Looking at MITRE ATT&CK® and the different tactics and techniques that can be used against us provides us an effective way to identify what we need to be protecting and what we need to be detecting, and to use that as a basis for testing and evaluating the security that is in place within our organizations.

Jonathan Reiber:

How has it changed your approach to management for your organization?

Christopher Frenz:

We have become really big on not just assuming controls work. One of the things anybody who has spent a long time in the industry has come to realize is that you cannot just check a box and assume you are safe. For example, a compliance framework might have a requirement to deploy a firewall. It is one thing to deploy a firewall and check the box, but having that firewall there does not mean you are secure. It does not say whether you have proper egress filtering policies in place, whether DNS is locked down properly, or whether all the various other features and controls that should be built into that firewall are there.

A lot of the breach and attack simulation and other tools are great at helping to identify not just that you have checked the box, but that all the configurations and setups within the device are done properly to protect your organization.

Jonathan Reiber:

Yes, that is awesome. You know, one of the analogies I like to use is: imagine if you built the best Navy in the world, which the United States has, we’ve got the best Navy in the world, but then you left it in port for a year. Would you expect to be able to go toe to toe with the People’s Liberation Navy? I do not think you would, because they would not have exercised. But that is not what the military does. The military is training constantly, and we expect our military to do that.

The interesting thing about cyberspace is it has given nation states, nation state actors, criminal groups, anyone all over the world, the ability to target a civilian organization or a large commercial or civilian organization, not to mention critical infrastructure or military organizations. There is a bit of a cultural delta that is changing, largely thanks to the advocacy of folks like you, who believe in a threat-informed defense to say, we need to prepare for what we know, we need to prepare for what the adversary is going to do against us.

I wonder if you could talk a little bit more about some of the practical changes you have made as a manager of your cybersecurity organization and your security team to wrap around the philosophy of a threat-informed defense, and if you could talk a little bit about what that means from a zero trust standpoint, that would be great too.

Christopher Frenz:

Sure. The best way to answer that question is how I got involved in zero trust originally. Back in 2015, at the hospital I worked at at the time, we became concerned that the writing was on the wall for the hospital to eventually suffer from a mass malware attack. It had not happened yet at the time. It was not until 2017 that the first ransomware attack at the hospital occurred. But back in 2015, we became really concerned with the possibility. One of the things we decided to do was simulate a ransomware attack at the hospital. And what we did is we took the EICAR test string, which, for anybody unfamiliar with it, is a harmless string of characters that years and years ago the antivirus makers all got together and agreed to treat as a virus. It provides a safe but effective way to test antivirus and other security configurations.

What we did is we wrote a pro script that took that test string and attempted to copy it from one PC to all of the other PCs in the organization to attempt to, quote unquote, infect the PCs and, you know, trigger the antivirus alarms. We kind of wanted to mimic malware spreading through the organization. And we learned a lot from doing that exercise. For example, we learned some really simple stuff, like that the VDI desktop configuration and the physical desktop configuration were done by two different engineers, and some of the settings in the VDI desktops made them more resistant to the attack than some of the physical desktops. We were able to, you know, move some of those changes over and take advantage of that. But one of the controls that really stood out at the time was network segmentation. Now, as a hospital, we had a segmented network, but it was segmented by department.

To go back to the compliance point, we checked the box. We exceeded what most hospitals had at the time, because most hospitals did not have a segmented network at all. Even with that control in place, one of the things we learned from doing the simulation was that the control was not meeting the required efficacy to protect the organization. Because as a hospital, if we were to lose our entire emergency department or radiology department, because we were segmenting by department, it was still going to be disastrous for operations. So, simulating the attack really showed that the control we had was not fine-grained enough to meet our needs, and that got us going down the path to zero trust. And that was my entry both into, I guess, breach and attack simulation and threat-informed defense, as well as zero trust.

Jonathan Reiber:

That’s so cool. You’re really at the cutting edge of, I mean, theoretically, I remember in 2010, when I first started working in cyber, I was like, we need to prepare for certain kinds of malware proliferation entering the wild, right? Like that was the thing, but you, in 2015, you were like, that scenario you envisioned is a doomsday scenario for a hospital. How did you find it within your team as you were doing this exercise? Can you talk a little bit about some of the resistance you encountered and how you overcame it?

Christopher Frenz:

Sure. I did not get much resistance from leadership. That was one of the interesting things we did when we ran the simulation: it was only me, the CIO and the CEO who knew the simulation was going on. So, it was a real test for the security and IT teams as well. That also identified some other areas I guess we could have improved upon. Because I was happy to see that the team was able to track down the machine that was infecting all the other machines, the one running the script, and pull it from the network. There were things that could have been done to improve the response time. So even on the people side, we were able to make a lot of improvements to the incident response process and how we train staff, and we used it as an opportunity to test and evaluate that as well.

Jonathan Reiber:

That’s a great point. One of our colleagues, Louis Honour, has talked a lot about the human performance factors in cybersecurity operations. He is really a great strategist on this front. He is over at Bupa. In this narrative, the example he gives is like, you could train an individual, if you are running a breach and attack simulation platform against your program. You may find that there is a degraded security control. The question then becomes, why is it degraded? And you investigate, you dig in a little bit further, and you find, lo and behold, the person that was supposed to clear on an MSSP contract has left their job, and that is okay, they left their job. The question then becomes why?

Theoretically, he is like, only by investigating would you find that they are potentially (this is a theoretical example, based on the former interviews that he did) folks in the security organization who were not getting paid enough. He could then call the Head of Human Resources and say you need to elevate the salary. That is an interesting reveal from a human performance side for your organization about how testing elevates certain kinds of business value.

I wonder if you have any similar stories, in your mind, from your experience as a threat-informed defender that come to mind. It could either be that or could be about technical innovations or negotiations with contracts that the data has allowed you to leverage.

Christopher Frenz:

Sure. More on the technical side than on the HR side. But testing reveals all kinds of stuff that you would not expect. For example, I’m a big proponent of bringing testing on board from the product evaluation standpoint. For example, if you are evaluating a new antivirus solution, or whatever security control it happens to be, run some of these tests on it to see what products work, see what products do not work, see how they perform under a real scenario. You’ll often reveal a lot about the products that you’ll not get from the vendor pitches. It makes it nice to compare products as well. That is another angle to take: involving simulations in some of the evaluations we do before we purchase a product.

Jonathan Reiber:

Yeah. That makes great sense. At AttackIQ, we have recently, in response to Vladimir Putin’s war in Ukraine, built adversary emulations in scenarios and assessments to test your security program against Russia-based threat behaviors from MITRE ATT&CK® and more broadly. And you, I know, have been using some of those. Can you talk a little bit about the benefits you have seen, if any?

Christopher Frenz:

Yes. We did run through a number of the AttackIQ scenarios dealing with the war between Russia and Ukraine. They were really interesting because they clearly showed us what controls worked and what controls did not work. But one of the things that we gained out of it is we figured out some ways that we could improve our security further. We have done a lot of compensating controls around our EDR (Endpoint Detection & Response) and other stuff. For example, one of the controls that we have identified through constant AttackIQ simulations, not just related to the Russia one but in general, is that one of the EDR products that we use, for example, was having a hard time consistently picking up PowerShell 2 downgrade attacks. One of the security improvements we made is we disabled PowerShell 2 support on all our endpoints to eliminate that as a threat vector.

That’s an example of some of the work the testing revealed. More recently we’re adding detections for things like PowerShell scripts or Python scripts downloading executables from the internet. One of the things that we noticed is that it’s consistent across a lot of malware and threat actor playbooks that they will often have their initial infection of a machine seek to download further payloads. We’re setting up detections and preventions around that behavior to further improve our security. Those are all ideas that came about through a lot of the testing that we were doing with the platform.

Jonathan Reiber:

That’s wonderful to hear. Can you talk a little bit about why you think it’s important, or what it means, in terms of a quantitative approach to measuring your security control performance?

Christopher Frenz:

It’s really time for security to become less of an art and more of a science. We’ve seen the benefits of measuring security. Take, for example, the well-known example of the common NIST (National Institute of Standards and Technology) password policy. For years, NIST was recommending constantly changing your password to improve security.

When somebody sat down and measured it, the current thinking changed: you are much better off having your users have a long passphrase that gets changed a lot less frequently. Because it turned out that constant password changing makes people pick pretty poor passwords. Something that was designed to make security better actually made security worse. That’s far from an isolated incident. The more we begin as professionals to measure security, the more we are going to find that some advice that might have been a common way to do things is not necessarily as productive as you may think it is.

Other examples I’ve seen: take the example of a hypothetical public-facing server. Let’s say that server is a potential compromise target because of a zero day exploit or other stuff. If you actually measure security around it, though, you discover that the zero day is not as big a problem as the fact that the rules for what that public-facing server can communicate with internally are not locked down enough. There’s always the potential for another zero day. Yes, you should patch and close that zero day, but it may not be the big problem. The bigger problem may be, as I said, unrestricted communication with other stuff internally, or some other issue that is also there, and the more you attack and try to exploit stuff like that, the more you identify those issues and are able to better lock them down.

Jonathan Reiber:

That’s awesome. What advice would you give to an organization that’s thinking about whether to adopt breach and attack simulation, or just getting started with a breach and attack simulation platform? What advice would you give to folks trying to maximize a threat-informed defense as you have?

Christopher Frenz:

I’d say start small. There are some things that are easier than others. For example, testing things like egress filtering policies, things like that. They’re relatively easy to go about and test; there are lots of different scenarios, lots of different TTPs. Start with some of the smaller ones, get comfortable at doing the types of simulations, but once you develop some comfort level, then it’s time to look at some of the MITRE ATT&CK® maps for the threat actors that are likely to target your vertical.

For example, in healthcare, ransomware is a big one. It makes the most sense to focus on the threat actors you’re most likely to see. Once you’re comfortable with doing breach and attack simulations, I’d spend the bulk of the time focusing on the attack scenarios that are most relevant to your vertical.

Jonathan Reiber:

Are there organizations that you recommend folks partner with to understand that? Or let’s say you don’t have a big security team and limited resources. Maybe you’re going to go back in time to the beginning of your career at this point. What advice would you offer to smaller organizations like that?

Christopher Frenz:

You could reach out to other organizations to partner with. I’m also a big proponent of some of the breach and attack simulation platforms, because while partnering with somebody for a pen test is nice, pen tests tend to be one-off, point-in-time type things, where it might be a year before you get results again. The nice thing about incorporating a breach and attack simulation platform is you can continually do these tests. The tests don’t have to be a one-off. You can keep verifying security, you can check new scenarios as they come out. You can do that on a more continual basis. If you are a big organization, it’s great to also supplement that with some of your own internal red team capabilities. But for smaller organizations, a breach and attack simulation platform can go a long way towards helping them meet those goals without needing to have a red team explicitly.

Jonathan Reiber:

That’s super helpful. You’re such an advocate for the approach because you have maximized it. I appreciate that very much. I’m wondering more from, like, the initial threat planning standpoint, right? Let’s say you’re not a hospital, right? You’re in a different sector and trying to identify which of the threats you should focus on the most. MITRE ATT&CK® and the enterprise matrix give some indication of that, right? That’s one way for you to get started. You can go into ATT&CK, and you can use it. If you are using a breach and attack simulation platform, you can be strategic about the assessments you might use.

But I’m thinking, are you a part of the H-ISAC, those kinds of organizations that can help folks gain and improve their threat perspective? There’s a little bit of threat planning in being threat-informed, or you have to sort of be thinking about threats on your own. I’m wondering if you have any comment on that issue.

Christopher Frenz:

Sure. It does pay to be a part of the H-ISAC and other things to get knowledge of threats. It also pays to look at a lot of the breaches a lot of organizations face. For example, in healthcare, as I said, ransomware is a very big threat vector. If you look at a lot of the hospitals that suffered ransomware attacks, one of the things that has really hit them is a lack of network segmentation.

One of the things I’d be a very big proponent of, going back to that 2015 simulation I did, is looking at how effective your network segmentation actually is. Until you sit down and measure that, just as we did in 2015: we had a network that was segmented, segmented better than most hospitals at the time. When we tested that, we found out it wasn’t granular enough, and for healthcare in particular, that’s one of the big ones. I’d start with that because that’s the commonality in a lot of the ransomware attacks that health organizations see.

Jonathan Reiber:

That’s wonderful. The phrase that I wrote in an article in Lawfare with a guy named Matt Glen, who at that point was SVP for Product at Illumio, which is an old employer of mine. So, he and I are friends. But this argument was, we called for validated zero trust. You know, zero trust, but validate, right? To build off Reagan’s aphorism to Gorbachev in the first part of the Cold War. Zero trust, but validate. We wrote a guide. We are probably going to rebrand it as zero trust and MITRE ATT&CK: The CISO’s Guide to Zero Trust and MITRE ATT&CK. But you and I are on the same page. It’s great to have you. Are there any further thoughts before we let you go back to fighting bad guys in cyberspace?

Christopher Frenz:

I would say, to reiterate, never assume that your security is going to work. Always take the time to test and validate.

Jonathan Reiber:

Yeah. I mean, the triumvirate that I have been repeating heavily is: assume breach and plan for known threats; invest in best-in-class defense capabilities, including people, processes, and technologies; and then exercise to validate your performance. That’s the rule of three. If you have four, you forget the fourth one every time. That’s why I stick to three. Does that land with you? Do you like that triumvirate?

Christopher Frenz:

I do. Yes. Very much.

Jonathan Reiber:

Great! Well, it’s a pleasure having you on. For listeners of the podcast, they may not know, my mom was born in Queens, so I have a special residence for New Yorkers, and I have been really looking forward to having you on. You don’t disappoint, sir. You are leading the way philosophically and operationally, and I wish you well in all that you’re doing to defend your hospital. They’re lucky to have you.

Christopher Frenz:

Thank you.