Unmasking Cybersecurity with Dr. Zero Trust: A Conversation with Chase Cunningham

Transcript

John Vecchi:

Hello everybody, you’re listening to the IoT Security Podcast live on Phosphorus Radio. I’m John Vecchi.

Brian Contos:

And I’m Brian Contos. We have an amazing guest today, Chase Cunningham, the one and only. Welcome to the show, Chase.

Dr. Chase Cunningham:

Hey, thanks for having me on.

John Vecchi:

Dr. Chase, welcome.

Brian Contos:

Dr. Chase.

Dr. Chase Cunningham:

Yeah, [inaudible 00:00:43].

Brian Contos:

We’ve been trying to get Dr. Chase on the show forever.

John Vecchi:

A long time.

Brian Contos:

Your schedule is quite busy, so we’re glad that you made some time for us today.

Dr. Chase Cunningham:

Yeah, glad to. I try and carve time out, but lately it’s just been go, go, go. It’s feast or famine, right?

Brian Contos:

Right. Exactly.

John Vecchi:

Exactly. Yep.

Brian Contos:

All right, buddy. So for those folks that don’t know, you’re pretty well known guy, but for those that might be new to the industry, maybe you could give everybody a little bit of background about you and how you came up and what it is that you do today.

Dr. Chase Cunningham:

Sure. So I’m a retired Navy chief. I was a Cryptologist in the Navy. Then after I got medically retired, I went and worked for NSA for a while. I did some other work at other three letter agencies. I was lucky enough to get over to Forrester Research. John Kindervag kind of handed me the torch for Zero Trust, created the ZTX framework there and kind of launched that into I guess you’d call it a broader market initiative. And then follow on to that, I was the Chief Strategy Officer at Ericom Software that was recently acquired by Ericsson. And then I’ve just been kind of doing my own thing along the way, trying to stay as engaged in the space and get into every spot in cyber I can. I mean, I think a lot of people aren’t as lucky as I am to find something that they genuinely enjoy and that they think that they’re doing something somewhat valuable. And for me it’s cyber all day every day.

Brian Contos:

Yeah. Well, and you’re a writer as well. Maybe you could talk to the folks about some of your both fiction and non-fiction works.

Dr. Chase Cunningham:

Yeah. Well, my really good friend who’s like my sister from another mister, Heather Dahl and I wrote to a couple comic books on cyber called The Cynja, C-Y-N-J-A. I have a written three fiction books now. One with partnered up with General Greg Touhill, and then I’ve also written, one of my novels is an artificial intelligence novel called gAbrIel, which I’m currently writing a second one because I actually had people tell me they wanted to read more. So I had to start that. I’ve also got a cyber warfare book in the, I didn’t even know we had this, but a Cyber Security Hall of Fame, which is kind of cool.

John Vecchi:

Wow.

Dr. Chase Cunningham:

And now I’m working on another book on leadership with Wiley Publishing. So I like to write, even if people don’t read it. It’s just cathartic and you get to put your thoughts on the page.

John Vecchi:

Wow, I look forward to that. That’s a lot of stuff. And I know you’ve been busy, like you said. People can see you on a lot of places. And you also do quite a bit with another very good friend of the show, Richard Stiennon. So I know you do a lot with Richard and people can see some of those products and podcasts and things. And Richard has books as well, so you two together are quite a force to be reckoned with there.

Dr. Chase Cunningham:

Richard’s awesome. He’s one of those guys I want to be like when I grow up.

John Vecchi:

That’s awesome.

Brian Contos:

So Chase, when we look at the cybersecurity landscape, and I know this is a question you get asked a lot, but I’ve heard you answer in different ways over the years as sort of more facts come to be and technology changes and perspectives. But how do you see the threats, the trends, the cybersecurity business priority kind of today and where they’re going and maybe where they’ve been? How is that all evolving?

Dr. Chase Cunningham:

Yeah, it’s interesting you asked that because I’m actually working on a paper, right? I’ve pulled the last five years worth of Verizon DBIRs, which I think those are kind of a biblical reference in cyber. I literally wait every year to read that paper, and then I’m comparing that to where the market has gone with technology and valuations and whatever. And what you see that’s interesting is we’ve continually had the same problems based on the DBIR for the last five years, even though we’ve seen the same growth and investment, actually like an inverse of it over that same time period. And what that means to me is that there’s been a gap until recently where people were trying to just buy technology to solve the problems rather than taking the time to step back and go, “What are the fundamental things that we have to fix to eliminate the threat or reduce the risk? And then let’s get technology to align to that need.”

And that that’s where ZT came along. But we’re still in the early days of ZT being the strategy that’s actually driving that. I think if you do the same analysis by 2030, it’ll be a different inflection point because strategy will finally start to eat technology acquisition.

John Vecchi:

So Chase, that’s an interesting way to look at it. And so can you talk a little bit about how you tie what you just said into what is the prominent threat landscape today that that strategy should really address? I mean, obviously we’re going to talk a little bit about the focus of this show, which is what we call XIoT, the IoT side that includes traditional enterprise IoT, the OT, the industrial control systems, the industrial IoT, the IoMT and all that stuff, right? But in general, can you talk a little bit about how you’re seeing the attacks surface, its changes and how companies should really be thinking about their strategy relative to that?

Dr. Chase Cunningham:

Oh, I mean, the attack surface increases exponentially. Everyone talks about Moore’s law, right? Your 2X basically continues to grow, but it’s really more like dog years. It’s probably six or seven X whenever a new technology or new capability comes in the space, the threats increase at a proportional sort of exponential level. And that as we have more, we’re only generating more problems and more threats. And to your point on OT, IoT XIoT, all those things, we’re basically creating the same problem we had with the internet, but we’re doing it in a much more modular, much more dispersed fashion with all this IoT stuff. And if you’ve never had a wireless smart “smart” device in your house, you’re probably not aware of all the things that those machines do and are capable of. And that just becomes more a problem.

I think the fundamental issue that we deal with really is also that folks are always striving for this concept of perfect defense of no compromise, no breaches, and that’s not going to happen. It just doesn’t exist. The space moves too fast, the bad guys move too fast. Innovation essentially comes at you from the far end of that equation. So that’s why when I do workshops with people, I talk to them about, the first thing is accept compromise. You’re going to have things go wrong, and that’s okay. All the companies that have been breached actually are still around, the majority of them. Statistically speaking, they actually do better post-breach. Stock prices go up and whatever else. So it requires a shift in thinking and it requires something that most people don’t like to do, which is to be really honest about the problem and say, “What are we doing wrong? And then how is what we’re doing wrong empowering the adversary?”

John Vecchi:

Yeah.

Brian Contos:

Yeah. I’m wondering when we start, both you and John mentioned sort a little bit about the XIoT landscape and whether it’s printers or voiceover IP phones or digital door locks, or to your point, Chase, maybe a wireless access point or even these medical devices. There seems to be a tremendous amount of focus on this from nation states and cyber criminals. Why is that do you think? Is it just because of the sheer volume or what do you think is driving that in sort of the attacker space to say, “Hey, let’s put some of our cycles to focus on XIoT now?”

Dr. Chase Cunningham:

So when I was a red teamer, one of my favorite things to do is go after wireless printers because no one ever thinks about what’s in a printer, right? Printers have memory, they cache stuff. And what do you do with a printer? You print out all the stuff that you need for the purposes of intellectual property and whatever else. So if you can get to a wireless printer, you can get all kinds of valid, very good information. Oh, and by the way, they’re usually networked into the whole network, which is kind of like a flat point and you can maneuver and pivot from there. So those devices are, they’re low hanging fruit for adversaries, and they typically have got way more valuable information than people give them credit for.

Everyone still focuses on databases and cloud and those types of whatever, which obviously that’s necessary. But if you’re looking for ingress and you’re looking for egress where they’re going to take stuff from, that’s a great space to start. And the issue that you deal with too with APTs and nation states is they’re under directive from their government to wait. I liken them to crocodiles. They’ll wait for a year to have six seconds of attack because that six seconds of attack is going to feed them for months on end and they’re not just running around going at everything all day because they can. They’re there for the long haul and it’s okay to wait and just stay under the noise floor. And those devices give us really good access and allow you to do that.

John Vecchi:

Yeah, I mean, it’s about the persistence, right? I think that’s a great point. I mean, you look at, whether it’s Russia or China, they all have their own type of targeted threats and advanced persistent threats that are targeting these devices as you said, Chase, right? And you look at something like even the OTICS side, the programmable logic controllers or all of these things that are controlling kind of industrial, manufacturing, critical infrastructure, and they’re targeting them, right? And it sounds like as you were saying, they can compromise them.

I mean, one of the things we talk about on this show a lot, Brian and I talk about it in our sleep, is most of the credentials on these devices are default. You can look them up on Google. So I mean, if it’s pretty easy, right, you don’t need to be some sophisticated hacker necessarily to compromise that device. I can just go and look at the credentials and chances are that’s what it is. But if I can compromise that device, I can just… I mean, no one’s looking at these things right there. And I can just sit there, right? I could have persistence. And maybe from there, pivot as you said, right? Is that kind of how you see some of these threats targeting those types of smart devices?

Dr. Chase Cunningham:

Yeah. And I always think Shodan.io is a great way to gauge the sort of presence of the space. I look at Shodan every morning. I wake up and jump in and go look and poke around and see what’s there. And I see ICS, I see dams, I see wind turbines, I see water control systems. And it’s one of those things where the segmentation of those types of assets and networks is usually not very good because they are, we need uptime. We need them not to ever go down because it’s a system that provides critical services. However, that’s also a dual-edged sword, right? If that is always up and no one takes the time to segment it because it could cause problems, you’re only opening it up for someone to go from one system into another end. The back end of those things are connected to other networks somewhere.

Brian Contos:

Yeah. Let’s kind of double click on medical devices because this is an area that seems to be popping up a lot in the media lately. And if we think about something like healthcare providers, healthcare payers, healthcare sciences, I think sciences and payers, they generally have relatively large security teams. But if you go into a hospital, clinic, lab, they generally don’t have large security teams. Generally, they’re on par with maybe retail, so they don’t have a big team. They have a combination of cutting edge, new technology, old systems, systems that are black box that they’re not allowed to update because it breaks the vendor warranty and all sorts of issues. And on top of that, these are very critical systems that do life-saving things, and they house sensitive information, people’s sensitive medical data, and we know they’ve been hit by ransomware.

It seems like a perfect storm to me, unfortunately, that these healthcare providers are becoming, if they haven’t already become the new ground zero. But how do you see this evolving? Do you see it getting any better with healthcare providers or do you think with the addition of all these medical IoT devices, it’s just going to compound an already kind of stretched security risk mitigation team and they’re just not going to be able to deal with this?

Dr. Chase Cunningham:

Yeah, I think it just continues to grow the threat vectors in the spaces. And just to give you some gravitas on it, I was doing a workshop with a hospital on ZT, and it was a physician-owned hospital. So the president of the hospital was a doctor, like a guy that did cardio surgery or cardiothoracic. And at the end of our workshop, he said flat out, he’s like, “Our job is not cyber. Our job is saving lives.” Like understandable. However, my question to him was, “Can you save lives if I shut off every wirelessly or web-enabled device in this hospital?” And he’s like, “No.” “Then your job needs to also include cyber.” You know what I mean? So that’s a thing that we have to get across to them.

But the issue that we really are running into is like you’re talking about Brian, how fast are they adding devices? What are those devices able to do? Why are they always default and able to talk to the dang internet, which is just not a good idea? And then how can they keep a running asset inventory up and imply controls to it and not make people miserable? It shouldn’t be that difficult. I can’t tell you the number of hospitals that I’ve done stuff for where I look and I see X-ray and MRI machines that talk to like FanDuel. And it’s like, “Let’s shut that off.” I mean, come on.

Brian Contos:

Yep.

John Vecchi:

Yeah, I mean, as an example, Chase, we recently… Phosphorus, we recently did a discovery in a very, very large healthcare organization. And we actually have, and I understand in often cases, people don’t want to kind of try to discover these devices in an active way. We can actually do that safely, but we found upwards of 90% of life critical devices, including infusion pumps and things like that had default credentials, right? So it’s just this, again, as you said, low hanging fruit, right? It’s a problem.

But let’s step back for a second and just what I’d love to hear, but you’ve worked so much, obviously on the Zero Trust side that’s kind of dear to your heart. You really took that to a whole new level from John Kindervag from the Forrester side. You continue to do that today, but when you think in terms of these devices in general as part of the attack surface, and you think having a conversation about Zero Trust, having a conversation about, as you said, you need to include them, you need to think about the cyber aspect of these devices. They’re smart, they speak TCPIP, right? But you can’t put CrowdStrike Tanium on them. You can’t do the things you can do to most endpoints, but yet they’re kind of endpoints. They’re part of it, right?

I mean, how do you begin to have that conversation, or how do you see that evolving given that it’s such a big piece of the attack surface, but it’s completely overlooked and sometimes it’s not even considered in the category of traditional land points or anything like that? Is that how you see it or how would you address that?

Dr. Chase Cunningham:

Yeah, I think that the concept that needs to be applied there is one that’s been in military doctrine for a long time. We call it contested space. And essentially what you mean by that is you’re never going to own it. You’re never going to have complete defensibility of that particular asset. However, what you do try and do is make sure that you understand what’s going on, you understand the operational condition of that asset, and then you make sure that you have a way to at least isolate it. It’s not, “Can I remediate it?” Like you’re saying, I can’t put CrowdStrike on it or whatever else or et cetera. But at the very least, I know what’s going on. I know where it is, I know what it touches and talks to, and if something strange or anomalous occurs, I’m able to apply some sort of control.

Right, if you can do that, you’re mitigating a lot of the problems that you’re going to have. And I think that like you were talking about earlier, one thing that people always look for in the space is what’s the 100% solution? There’s not one, but your goal is to make it where it is not worth the adversary’s time to stay on that resource and try and use it. And if you’re making it harder for them, they’ll find another target. If my hospital is 85% secure and the one down the street’s 60, where do they go?

Brian Contos:

Yeah. Well, you mentioned a little bit about visibility and attack surface management that I’d like to explore some. Well, when I think of attack surface management, it’s my laptops, my servers, my databases. You mentioned that. It might be my cloud and SaaS applications, it could be users, it could be software applications. All these things are relatively traditional within some type of attack surface management solution. But the XIoT stuff, everything from the layer two switches and load balancers to the wireless access points, and the, like you said, the wireless printers and industrial robots, they make up a pretty large portion of the actual devices in most organizations. Do you think that companies get that they might not have visibility even across their traditional attack surface management solutions, users, identity and devices, let alone XIoT? If they do get it, are they starting to integrate these solutions with CMDBs and SIM solutions and source solutions?

Have they matured that point, or are they still just trying to figure out, “What do I even have?” And are they vulnerable and are their credentials bad? Or I guess, are we at phase one or are we at phase four when it comes to managing and understanding these devices?

Dr. Chase Cunningham:

I think the majority of organizations I run into are probably at phase 0.5.

Brian Contos:

Yeah.

Dr. Chase Cunningham:

Where they’re just really understanding that there is a problem there and they have to figure out a way to deal with it. It’s pretty rare that you find one that has a really good inventory of what’s going on. And then also on top of that, you run into organizations where they don’t even have the policies on network things where people can’t install stuff on their own, just kind of willy-nilly. I did a red team workshop thing with a Hollywood movie studio, and they provided us an asset inventory on day one. When we started looking around, they were off by about 50%.

Brian Contos:

Oh, wow.

Dr. Chase Cunningham:

Because people would bring stuff in from home, pop into the network and then do whatever they wanted.

John Vecchi:

Yep. Yeah, wow. And to that end, Chase, can you, and do you advise and do they understand, can you apply Zero Trust principles to these devices? Should we, and how, if so? It sounds like we should, but how do you? I mean, it’s tough enough, right? Zero Trust is this big, huge thing and now it’s… But is that something that you see evolving is Zero Trust principles on these type of XIoT devices?

Dr. Chase Cunningham:

Yeah, I mean, the good thing about ZT is it’s just a strategy and people understand that there’s a way to manipulate a strategy for your particular purposes and needs. So can you apply Zero Trust strategically to IoT XIoT, MIoT, whatever? Sure. The main thing that you’re probably applying there is the concept. John calls it the Kipling questions, right? Who, what, where, when, why? Those things. If you can know that and apply a control, you’re applying ZT at some shape, form, or fashion.

Now, the other thing that I think people should do if they really want to have effective strategy in place, and it’s something I always advise in my first shout out of the bow, is you need to run a real red team op because if your goal is to defend yourself from compromise, you should have someone try and compromise you, and that will help you be better prepared. You never want to be the black belt that’s never left the dojo, if that makes any sense.

Brian Contos:

Yeah. No, that’s interesting. So let’s explore that a little bit because you’ve done a lot of offensive work over the years for a lot of different organizations and agencies and whatnot. Do you have any interesting stories from the trenches, you personally, or things you’ve heard as it relates to these types of actions?

Dr. Chase Cunningham:

One of the best ones was we did a thing with an organization that moved oil and gas, and basically they said that they had a pretty good lineup on inventory and whatever else. And at the end of, I think it was first week or something, we found that they had had a web-enabled valve system that had been talking to the internet for, I think it was like five years.

Brian Contos:

Oh, wow.

Dr. Chase Cunningham:

With admin, admin as the password or username and password, and it connected on the back side of that valve manifold to something like a quarter million miles of piping.

John Vecchi:

Yeah.

Dr. Chase Cunningham:

And it was probably something we should fix.

Brian Contos:

Yeah.

John Vecchi:

Wow. Yeah. Holy smokes.

Brian Contos:

That’s one of those organizations where, “How many devices do you think you have?” “I don’t know, 50,000?” It turns out, “Oh, it’s like 250,000.”

Dr. Chase Cunningham:

Yeah.

Brian Contos:

And they haven’t been patched in a couple decades, so there you go too, right on top of that.

Dr. Chase Cunningham:

Right. And I mean, it was like they said, “Oh, well, we’ll… it’s something we know about.” I was like, “Well, then we should fix it.” But then the question for them was like we talked about earlier, if we knock it over for some reason, do we lose service to our customers? And that’s a non-starter.

Brian Contos:

Of course. Yeah.

John Vecchi:

Yeah. Yeah.

Brian Contos:

Availability always trumps confidentiality and integrity when it comes to those high value assets. Any kind of asset that controls physics, right? Pressure, flow, temperature.

Dr. Chase Cunningham:

Pressure, water, flow, healthcare. I mean, even in your own home, turn the air conditioner off for a hot day in the afternoon and watch what happens.

John Vecchi:

Yeah.

Dr. Chase Cunningham:

No one wants to live that way.

John Vecchi:

Right, right. And Chase, I only began, and you mentioned it in your intro, right, you come from the defense and intelligence side. You spent a lot of time there, so can’t help but just try to ask this question around the idea of, obviously as I talked about, you’ve got nation states, predominantly the Russia, China focusing on these types of devices. There’s many threats, right? I mean, we could rattle them off, right? Quiet exit, front on. You’ve got now the crystal 2v, the pipe dreams, which is like, I call it a Swiss army knife for attacking kind of OTICS kind of stuff. And then of course, China now, given the volt typhoon and all the things happening there, did you ever feel when you were there, it’s just not a level playing field? I mean, they don’t really operate with too many rules, right? They just cross boundaries and go at it, and they’re in it for the long game or the short game or whatever it might be.

Did you ever have that feeling, or do you think that’s changing? How do you think the intelligence and government is looking at these kinds of attacks on these kinds of devices today, given that many of them are controlling critical infrastructure, right, as you said? Pipelines, gas, electricity, power grid, railways, right?

Dr. Chase Cunningham:

I mean, well, if you look at Ukraine, Estonia was a good example too, but you see what happened there. So cyber warfare, cyber ops is the bridge between espionage and kinetic warfare. And when Russia was getting ready to invade Ukraine, the first thing that happened was they started messing with dams and power systems and whatever else, and it was pretty overt. So it’s one of those things where when you start seeing systems being targeted and affected and attacked, like actually attacked, that’s when there’s probably kinetic action to follow, which that means basically conflict, which nobody wants.

But where we’re at on the intelligence side, without getting into any classified stuff, is really that our folks have done a hell of a job of doing something that they call kind of hunt forward, which means that they’ve got the capabilities and the legal authorities to push when they see something coming across the wire. Now, do we get engaged in things internationally that could be considered actions by our government? I’m not going to say, but everybody’s heard of what happened in the [inaudible 00:25:27]. So our folks are doing the best that they possibly can. They have the title, authorities and the capabilities to do what needs to be done. But you’re right, we do play by a set of rules that adversaries do not play by, which does put us at a disadvantage in some arenas under some circumstances.

John Vecchi:

Yeah.

Brian Contos:

And Chase, as we wrap up here, we’ve got these cyber criminals that have figured out how to monetize attacks, and they’ve been doing it for a while. We’ve got nation states that are becoming more aggressive, they’re investing more time and effort and resources into non-kinetic warfare cyber activities than they have in the past. And on the other side of this, we’ve got organizations that still have limited resources. They’re still stretched too thin. They’re talking about ZT strategy, they’re talking about attack surface management, they’re talking about XIoT, they’ve got all these things. What should the average organization do, whether it’s the CISO or the security operator to maybe not even get ahead of this stuff, but just kind of contain it and try to be a little bit more strategic than just fighting fires every day? What’s some kind of good rules of thumb that they can follow to stay ahead of these things and kind of manage all these new concepts and all these threats?

Dr. Chase Cunningham:

I mean, I think the majority of organizations would be wise to consider partnering with an MSSP, somebody that can take a lot of that load off of them, because security is not something where you can dip your toe into it and think you’re actually making much of a difference. And if you don’t have the resources, the human capital and the experience to do the work, don’t. Partner with somebody and have them do that. I tell people all the time, “I run my own business, I don’t know how to do taxes. I partner with someone that does taxes, and I use software to make it where I don’t screw that up and go get put in an orange jumpsuit.” So you can approach it that way. And then the other side of it is to make sure that whoever you’re partnering with understands what your actual concerns are and the things that you’re willing and not willing to risk, because everything is not always fixable. You will have contested space. You will have to make some compromises and you should focus on where the vectors are most likely to be successful for the adversary.

John Vecchi:

And as you said, Chase, right, I’ll also include your point that it doesn’t have to be perfect. It’s not that you’re going to… You’re never going to stop these things a hundred percent, but do what you just said. Even you’re not going to get it perfect, but do something. Is that the message?

Dr. Chase Cunningham:

Yeah. I mean, there’s a lot of value in deterrence, and I don’t think people give that enough credit. And I can tell you from being on pause, if you’re doing work and you start getting into a spot where it’s like, “I can’t get past this,” you go looking for other avenues and that’s what you want. You want them to be like, “Look, I’m stuck. I’ll go find something else.”

John Vecchi:

Yep.

Dr. Chase Cunningham:

And it might suck for your neighbor down the road, but it ain’t me.

Brian Contos:

Yeah. Run faster than the other guy when the bear’s chasing you.

Dr. Chase Cunningham:

I mean, if there’s a zombie hoard and you trip on your tennis shoe, sucks for you pal.

John Vecchi:

Yep.

Brian Contos:

And Dr. Chase, if somebody wants to check out some of your books, where’s the best place to go?

Dr. Chase Cunningham:

Yeah, so go on Amazon and look up my name, Chase Cunningham, and you’ll see a bunch of books in there. You can also find stuff on my DrZeroTrust podcast site. Everything’s linked up there as well.

Brian Contos:

Awesome.

John Vecchi:

Wow. Amazing. Dr. Chase, we could talk to you for another podcast and probably a lot more, but it was really fantastic to finally get you on the podcast and thanks so much for joining us today. Appreciate that.

Dr. Chase Cunningham:

Yeah, thanks for having me. It’s great talking to y’all.

John Vecchi:

And remember everybody, the IoT Security Podcast is brought to you by Phosphorus, the leading provider of proactive full scope security for the extended Internet of Things. Thanks again to our special guest, Dr. Chase Cunningham, and until we meet again, I’m John Vecchi.

Brian Contos:

And I’m Brian Contos.

John Vecchi:

And we’ll see you next time on Phosphorus Radio.