Prepare, Plan and Budget Organizational Security with Nader Zaveri

TL;DR

  • For incident response, always prepare a plan, socialize it within the organization, and run tabletop or fire-drill exercises to test that preparedness.
  • Defend against social engineering and doxing. MFA is a must, and on top of that, prefer one-time-passcode or hardware-key based authentication over plain push approvals to improve security even further.
  • Security is everyone’s responsibility, and accountability is one of the key areas in building a security-centric culture.

Transcript

Host: Hi everyone. Thanks for tuning into another episode of Scale to Zero. I’m Purusottam, Co-founder and CTO of Cloudanix. Scale to Zero is a forum where we invite security experts to learn about their journey, discuss security topics, and get answers to questions that we have received from security professionals. So with that, let’s get started with today’s episode. For today, we have Nader Zaveri. Nader is a Senior Manager in Incident Response and Remediation for Mandiant, which is now part of Google Cloud.

He has over 15 years of experience in IT security, infrastructure, and risk management. He has led both investigation and remediation efforts for clients, and he also provides strategic and tactical recommendations in order to prevent future attacks. Nader, it’s wonderful to have you here today. For our viewers who may not know you, do you want to briefly share your journey?

Nader: Yeah, definitely. First, I’d like to start off by saying thank you for having me on your show. Really excited, and just a little bit about my journey: I started off my career about 15 years ago.

So that was before cybersecurity was really a true kind of thing in the general IT space. So I started as your traditional IT person with help desk and desktop, turning into a system admin. But very quickly I started to always have a security-focused mindset, which then got me into security departments within organizations. For the first seven years I was part of security departments in organizations, and for the last eight years of my career I’ve been in what is considered consulting. Consulting for many different Fortune 500, Fortune 100 clients across the world, consulting from a risk management perspective, as well as now, in the last four and a half years with Mandiant, being part of the incident response team as well as the remediation team during an actual active investigation and breach.

Host: Lovely. It’s a pleasure to have you here. So the way we do the show is we have two parts. One is the security questions and the other one is the rapid fire.

So let’s start with the security questions.

So nowadays we hear a lot about data breaches, ransomware attacks. So most organizations, they do preparation, they do planning, budget, put the infrastructure and processes in place.

But suppose with all of the planning and preparation, there is still a data breach that happens.

How should organizations respond to an event like that?

Nader: No, that’s a great question. And one thing I will say is, because I’m handling multiple new investigations every week, I have a very unique perspective. And a lot of times these are organizations that have spent a lot of money and effort to help secure their environment, but that still doesn’t prevent them from getting breached. And I think what we must do is shift our focus, our thought process, away from if we get breached to when we get breached. Because at some point in time, an organization will get breached. It’s just a matter of how major or minor, how can we limit the impact of the breach.

That is the way we should definitely shift our focus. Because if you are putting all this money into I don’t want to get breached, and then you happen to get breached, it’s a big time demoralizing factor for morale of the entire team and also leadership. So I think it’s really a shift focus on that and really want to focus on how can we limit the impact of the breach?

Host: Okay, that makes a lot of sense. So let’s say you have all the preparation, everything in place, right? You are in a breach. There are many perspectives, many areas, like communication. How do you communicate with the internal team, the external team, after the damage the event has done? How do you repair the damage to your reputation? And how do you rebuild the trust with your end users so that they come back to you and bring their business back to you? Right?

Nader: That’s a great question. Something that we see all the time is that one of the major things is having an Incident Response Plan in place and socialized. That is truly the only way that you can understand what will happen during a breach.

And it’s not always the case, right? And then one thing is testing your incident response plan. So once you have an Incident Response Plan in place and it is socialized, both leadership and technical practitioners have an idea of what needs to take place, who are the people that need to be informed, the escalation strategies. Then you test that. So coming up with tabletop scenarios, both executive and technical, to be able to see: during these situations, are you following your Incident Response Plan? And if you’re not, that’s fine. Now we have to revise what your actual IR plan is.

Because there’s a great saying from Mike Tyson: everyone has a plan until they get punched in the face. And that’s really what a breach is. So the cheapest route to really test your IR plan, and you don’t want to be testing it during an actual live incident, is doing a tabletop exercise where you can try to simulate just from a tabletop. And then once you have a better understanding, you could get into more of a simulated attack with actual technical simulations in place, like purple teaming and things like that.

Host: It makes sense. It’s very much like, from an engineer’s perspective, doing your testing in production versus a pre-prod or a QA environment, right? You do all the preparation in a lower environment and then you sort of move your code to production, doing the load testing and stuff like that.

Nader: Exactly. You never want to change the tire as the car is moving. And one of the things that I forgot to mention is, during those exercises, when you’re having those tabletop scenarios, that is where you’ll be able to bring in legal counsel, internal legal counsel, external legal counsel, your comms team, your social media team. A lot of times, that is the first time all those teams have been together with the Incident Response team. So having that type of scenario where you can bring all the teams together: now, once we are aware of the breach, do we have to report, what type of reporting has to be done? How can we at least be transparent but not divulge all the information? Because a lot of times, once you divulge that you’ve been breached, that just opens the door for other copycat attackers to try to go and knock at your door as well, right?

Host: No, that makes sense. That absolutely makes sense.

So the next question that I have is, what most organizations do, along with the Incident Response plans, is focus on improving their security posture. And one of the ways is to get certifications, like SOC 2 or ISO or HIPAA, all of those.

So what’s your take on what’s the right time to invest in certifications versus overall security posture?
And is certification enough, or is there something beyond certification as well?

Nader: Yeah, definitely. I come from the life of doing a lot of those kinds of risk assessments against standards and frameworks. So I understand the need for it. And the need for it is based off of your regulatory standards, based off of certain contracts: if you want to win, you have to have certain certifications. But the organization itself has to know that that is not enough.

A lot of those are looking at the processes in place, the documentation side, which is very important. But understanding it from the technical aspect, during these threat simulations, during these certain attacks, that is something you always want to verify and validate with, of course, Red team exercises, with Purple teaming. As I mentioned, always trying to test your security team to the limit, especially with new tactics, new ransomware gangs that are coming out. They have different styles of attacks. And just know your threat landscape. Once you know your threat landscape, you will be able to truly understand what type of additional validations need to take place for your organization to feel like we are as secure as we can get.

Host: So one of the things that you highlighted, which is very critical, is the threat landscape, right. Understanding that helps you determine where you stand in your security journey and what the right next step is. There will always be tons of things to improve in security, but what’s the right next thing? Right?

Nader: It will help prioritize, because you can get 200 different findings in an assessment, but your threat landscape should dictate and help prioritize the specific actions you need to take first, and then let the other ones fall in based off of your capabilities and your bandwidth.

Host: Yeah. So one of the things that again you highlighted is prioritization, right, and it always varies organization to organization, and between teams. It’s also different when it comes to that. It’s always about what kind of culture the company has. Right.

So you have worked with many organizations. In your view, is security a bottom-up thing or a top-down thing? If you have any examples you want to share to highlight that, that would be amazing.

Nader: Yeah, no, if you ask me, the real short answer is it’s top down. Security has to be top down. And that’s ten times out of ten. I can tell you anecdotally: as I mentioned, the first seven years of my career I was in a general security analyst, system admin, security architect position. And I would do regular reviews of my environment and then come up with recommendations. Those would always fall on deaf ears. And then, lo and behold, a couple of months later, we would have a high-priced consulting agency come in and provide almost the exact same recommendations that I’d been imploring my organization to implement. And when they mentioned it, the leadership started to take heed, and that becomes kind of disheartening. And I know this happens a lot. But after a while, and it was more towards the end, my own leadership started to see that the recommendations I was providing were very similar to the recommendations they were getting from a lot of those consulting agencies.

They started to take my recommendations with a lot more credence, which helped; now I had a better voice within the organization. So if you’re out there and you’re in the same boat, where you are making recommendations and then a couple of months later you have a report from some third-party organization that’s essentially saying the same things you’ve been bemoaning to your organization about, do not get discouraged. It could very well change, similar to how it changed my life. So that was my first seven years, right? And then, in the last eight years, being in consulting, I was that person I dreaded. I was that third party that would come in, either during a proactive risk assessment or technical validation or technical assessment, or even during an IR. And then I had the ear of the CEO, the Director of Security, the CIO, the board, and when they had the ability to make a decision and open up, sometimes, their checkbooks, or say, okay, now we’re going to put things on the back burner and prioritize the security commitments, that was when that organization made true leaps and bounds.

So it’s definitely top down, because they are the ones who are going to be able to help prioritize major projects and get things off of your plate. Or if you need a third party to come in and pay for that, then they’ll be able to do that.

Host: Yeah. So that makes sense because they are like the sounding boards in the organization, right. It always comes down to the leadership, how they are sort of pushing the team towards the security direction. So, yeah, makes a lot of sense.

I want to talk about data privacy a little bit. So there are many security analysts who claim that human error is the biggest factor in data privacy breaches. And there have been many phishing attacks or social engineering attacks to steal employee data and then, through that, get access to customer data. Like there were significant attacks on Twilio and Cloudflare.

What steps would you recommend organizations take to prepare for such attacks?

Nader: Yeah, definitely. One of the things that we’ve seen a lot, and it’s been hitting a lot of the newswires as well, is what is called MFA fatigue, where a threat actor simply makes multiple MFA requests, multiple logins, to then produce an MFA push notification, if you’re using a smartphone app. And after a while, a lot of people are trusting by nature, right, or a lot of times just to stop the notifications from happening, they will simply click approve, and bam, now the threat actor is in your environment. And this has happened across multiple organizations.

We still face it every week or so. We’ll have an organization get popped via that method. So one of the major recommendations I always make is to move away from that push notification and move totally towards a one-time password. Yes, that is going to be a major hassle for your user base, but the security implications of what’s been happening are major. And what just recently happened is Microsoft and Azure started getting that. Azure started being the brunt of a lot of the attacks, seeing that their Azure MFA was being abused with that massive MFA fatigue.

What they did recently, and it just came out, is number matching. So when you are getting a push notification or MFA request, there is a number on the screen that you must put into your phone, which says, okay, yes, it’s actually a human behind the door, I am actually putting this in. They also have geolocation. So you could see, hey, you have a login coming from some country that you are not in. That will be a major red flag. So that’s a major step that Azure has been taking, and a lot of other third-party MFA providers try to get to that one-time password. It is the biggest way, because there are many ways to do MFA. Now MFA is a big thing, to at least have MFA in place. But even after you have MFA in place, that doesn’t put you in the clear.

Host: Yeah, makes a lot of sense. And I think for the last couple of years many security experts were recommending MFA, and then this MFA fatigue thing has been kicking in. So now folks are looking into hardware keys or FIDO2 YubiKeys, things like that.

Nader: That will be, of course, the best-case scenario. So for example, the Azure number matching that just came out recently with Microsoft: we literally implemented Azure number matching for a client during an actual active incident response, because the threat actor kept getting back in. We got in, the threat actor got in, we kicked them out, and they just got another person’s username and password and came back right in via the push notification. So what we did was implement Azure number matching, and we were able to implement that number matching for over 100,000 users in just a weekend. So these are quick changes, things that can happen fairly quickly, massive. And that was the only way to kick out the attacker, because they had 100,000 users. There are credentials out there for almost everybody on the internet through breaches, right, as we know with all the breach notifications and things like that, on some sort of dark web somewhere. It’s just a matter of them credential stuffing and getting into an environment. So yeah, we were able to implement that. But the best-case scenario would be to use a hardware FIDO2 type of key to implement your best two-factor authentication, for sure.

Host: Right, that makes sense. It’s great that you guys could implement number matching over a weekend, right. Sometimes these implementations take like months if not weeks to improve your security. So yeah, that’s an amazing win.

Nader: So that’s one of the things about being in incident response: there are two major things that happen. One, the checkbook opens up. So now you don’t have to pinch pennies on security things, but also security is now foremost in priority, and now we are willing to have a few disgruntled users if this is truly going to help us. And during an active incident where the specific threat actor came in multiple times and started harassing the user base, it was the only way to truly work. And the quickness of the implementation is just a testament to how Azure has been set up and also to how the organization was able to prioritize it.

Host: Yeah, makes a lot of sense. Makes a lot of sense. I want to dig a little deeper into this topic. Right. So let’s say the organization did all the preparation and all. Now you are in an attack. How should organizations react during and after the attack? I think you touched on how they should react during the attack, but how should they react after the attack is done?

Nader: Yes. Well, actually, let’s take this MFA fatigue scenario and just start pulling the thread a little bit. Let’s say your organization has been popped with MFA fatigue, where through a push notification an admin or another user has been compromised. During the investigative portion, what I like to call step zero, because it’s more of a whack-a-mole, is once you’re able to find out what IP or what country that user has been coming from that is unauthorized, implementing a block policy both at the external firewall and even at the conditional access policy level. I call this whack-a-mole because they could just spin up another IP address and come in, right? Yeah. But then, going back through your incident, you start to find a better date of when that initial unauthorized access occurred and when the MFA enrollment starts to happen.

What you can do is remove all MFA devices enrolled in the past seven days, because that’s exactly what threat actors do. Once they get in one time, they then try to enroll their own device so they don’t have to keep doing the push notification back and forth. So being able to remove all newly registered devices, for whatever time period we have, let’s say seven days in this instance, from the organization. Yes, certain legitimate users will be impacted and they will have to re-enroll. But that will be a good kind of indicator if they have to re-enroll. You can then add another capability which Microsoft just came out with.

If we’re going to use an Azure scenario, MFA enrollment has to be through a certain IP range. So let’s say it has to be from your public VPN or has to be internally at an on-site location. That way you’re not getting random MFA device enrollments from the outside, which is what was happening in a lot of these cases.

Host: I like that approach that Microsoft has taken. Right.

Nader: That location-based or IP-based control, and of course do the number matching as well.

Host: Yeah, the last question that I have is, all of this comes down to the organizational culture, right. Security, the organization and the team, of course, have to work together, and you have a unique perspective, I would think, because you have worked with many organizations and every company has a unique culture. Either they are engineering driven, sales driven, or security driven. So as a security leader,

What methods would you recommend to sort of bring awareness and develop a security centric culture in an organization?

Nader: I think one of the big organizational cultures that has to be implemented is accountability. It sounds very cliché, but security is everyone’s responsibility. All right? But when you’re an engineering-driven or sales-driven organization, a lot of the responsibility lands on the shoulders of the engineering team, the sales team. But as a security-driven organization, or having that culture of security, accountability is very important, because it will just take one user getting a phishing email or approving a false MFA request and the entire organization can be compromised, because it’s just one user. Then comes the escalation of privileges, the lateral movement, and an entire organization could be compromised. So accountability is key. And making sure your workers, your team, are accountable in terms of understanding that their role and responsibility in security is just as strong as the security team’s, because it just takes the weakest link to be able to get into an environment.

Host: Makes a lot of sense. So now, you earlier talked about security being a top-down approach, right? So how do you influence the mindset of your teams in an organization so that they appreciate the investment which is being made in security? And how do you tackle that across cultures as well?

Nader: Yeah, so one of the ways to help influence, depending on the level, if you’re going at the C level or at the practitioner level, is, for myself, coming in from the front lines, giving real-life scenarios, being able to understand the threat landscape, and so understanding the need for certain security measures to be in place. One thing is always regularly communicating with your leadership on what is out there. For example, if you recall back in 2020, when the pandemic first started, one of the major ransomware groups was Maze, right? So Maze ransomware was just getting every organization under the sun. They came out with their site and their doxing site, and they were coming out and really extorting a lot of organizations, encrypting a lot of files and pushing that out. And it was regardless of your industry. They were just indiscriminate. But understanding the landscape.

Now it’s a fully functional organization, almost ransomware as a service, where they have different teams. So the way ransomware works now is they have an initial access team, they have a lateral movement team, they have an encryption team, they have multiple teams who are really good at what they specifically do, and it’s not just, let’s say, one or two people in their mom’s basement anymore. It’s an organization. It’s almost an organization going against another organization, and understanding the gravity of the situation, of what is currently in place, will be able to change a lot of mindsets. It won’t change everybody. Right. A lot of times it takes an organization getting breached to finally realize that they need to focus a little bit more on security and not as much on, let’s say, DevOps or sales or things like that.

Host: Makes a lot of sense. And one thing that you highlighted is communication, right? And you are spot on. That is very important: you have to communicate your security plan, security strategy to the entire team, the entire organization, so that everybody is on board with that. So yeah, that makes perfect sense, and that’s a great way to end the security questions as well.

Host: So let’s move on to the rapid fire section.

Rapid Fire:

Host: So the first question is, if you are a superhero of cybersecurity, which power would you choose to have in you?

Nader: That’s a tough one. If I could have a superpower, it would probably be, let’s say if I get into an IR, the ability to find out and immediately know what the initial access vector is, how that threat actor came in. One, it’ll improve the investigation time a lot, but it would also help with the containment and remediation steps that need to take place. If I had that immediate superpower of knowing exactly how they got in, I think that would be amazing.

Host: That makes a lot of sense. With the number of attacks that we see in our days, that’s very powerful; you’re getting a lot of power, right? Yeah, it definitely makes a lot of sense. What advice would you give to your 25-year-old self starting in security, and why?

Nader: So 25-year-old me, I would definitely tell him to learn about cloud and cloud security. So that’ll be a little less than ten years back, and cloud was still a very negative thing to a lot of IT departments, to a lot of leadership. And getting into cloud early on, and then getting into cloud security specifically at its infancy stages, would then allow me to have better conversations. It would allow me to be more prominent within the cloud security knowledge space.

Host: Makes a lot of sense. So the last question, and we ask this of every guest, is how do you stay up to date? Can you share like three blogs or books or websites where you go to stay up to date on security?

Nader: Yeah, I would say number one is Twitter. So infosec Twitter is the greatest way to get up to date on the latest blogs that are out from major organizations, the latest threats, the latest vulnerabilities. There are multiple lists within Twitter; you can just have an infosec list of like 2,500 infosec specialists across the world. I would say Twitter is probably the best way to stay up to date. Number two, for more detailed step-by-step guides, more detailed conversations: Medium. Medium is a great way. Get a Medium account, make sure whatever specific topics you’re interested in are tagged, and then any time new things are brought up in a Medium article on that topic, you’ll be able to get it right away. And the third would be not really a website but an app. So I use what is called Feedly. Feedly is just a conglomeration of a bunch of RSS feeds, and they have a great cybersecurity section.

It’s an app that’s on iPhone. I don’t know if it’s on Android, but it’s on iPhone. And all you have to do is just start adding the various different RSS feeds, and they have a great cybersecurity section that you can easily start adding right away. And you’ll be able to get the latest blogs, latest news and updates straight from there as well.

Host: Oh, lovely. So we’ll make sure to add all of this information when we publish the video so that our viewers can go to these sources and learn more.

Host: Yeah. Thanks, Nader. Thank you so much. Great to speak and learn from you. For folks who might have more questions or want to connect with you, what’s the best way to reach out to you?

Nader: Yeah, I guess the two best ways: hit me up on Twitter at @NaderZaveri, it’s going to be within the description of this video, as well as LinkedIn. Just type my name, Nader Zaveri, on LinkedIn. I answer pretty much everyone who sends me a message, just about what’s happening and the latest trends, or wanting to have some mentoring or advice.

I’m really open to communicating with anybody and everybody.

Host: Oh, that’s wonderful. Thank you so much for coming to the show and sharing your knowledge with our viewers.

Nader: Thank you so much for having me.

Host: Absolutely. And to our viewers, thanks for watching. Hope you have learned something new.

If you have any questions around security, share those at scaletozero. We’ll get those answered by an expert in the security space. See you in the next episode. Thank you.
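Added example, not part of the interview and not Cloudanix or Mandiant code: a small Python script that turns the MFA-fatigue containment steps Nader walks through (spot the push-bombing pattern, revoke every MFA device enrolled in the days around initial access, and flag enrollments that did not come from the allowed VPN or office ranges) into checks you can run over sign-in telemetry. The event schema, field names, IP ranges and the sample events are all constructed for the example; a real identity provider's log export would need to be mapped onto this shape first.

```python
"""Checks for the MFA-fatigue containment steps described in the interview.

Added example; not Cloudanix or Mandiant code. Event schema and field names
are hypothetical: real IdP logs (Entra ID sign-in logs, Okta System Log, ...)
use their own schemas and would need a mapping step first.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real data. "alice" is push-bombed and
# approves the fifth prompt; a new MFA device is then registered from the
# attacker's IP. "bob" shows a normal login and an older enrolment.
EVENTS = [
    {"ts": "2022-09-12T02:00:05", "user": "alice", "event": "mfa_push_sent", "ip": "198.51.100.7"},
    {"ts": "2022-09-12T02:00:40", "user": "alice", "event": "mfa_push_denied", "ip": "198.51.100.7"},
    {"ts": "2022-09-12T02:01:10", "user": "alice", "event": "mfa_push_sent", "ip": "198.51.100.7"},
    {"ts": "2022-09-12T02:01:55", "user": "alice", "event": "mfa_push_sent", "ip": "198.51.100.7"},
    {"ts": "2022-09-12T02:02:30", "user": "alice", "event": "mfa_push_sent", "ip": "198.51.100.7"},
    {"ts": "2022-09-12T02:03:05", "user": "alice", "event": "mfa_push_sent", "ip": "198.51.100.7"},
    {"ts": "2022-09-12T02:03:20", "user": "alice", "event": "mfa_push_approved", "ip": "198.51.100.7"},
    {"ts": "2022-09-12T02:05:00", "user": "alice", "event": "mfa_device_registered", "ip": "198.51.100.7", "device": "phone-new-01"},
    {"ts": "2022-09-01T11:00:00", "user": "bob", "event": "mfa_device_registered", "ip": "10.20.1.15", "device": "phone-bob"},
    {"ts": "2022-09-12T09:00:00", "user": "bob", "event": "mfa_push_sent", "ip": "10.20.1.15"},
    {"ts": "2022-09-12T09:00:12", "user": "bob", "event": "mfa_push_approved", "ip": "10.20.1.15"},
]


def _sorted_with_dt(events):
    """Return copies of the events, each with a parsed 'dt', in time order."""
    out = []
    for e in events:
        e = dict(e)
        e["dt"] = datetime.fromisoformat(e["ts"])
        out.append(e)
    return sorted(out, key=lambda e: e["dt"])


def detect_mfa_fatigue(events, window_minutes=10, min_prompts=3):
    """Flag an approval preceded by >= min_prompts push prompts within the window.

    A legitimate user normally approves the first prompt, so a burst of prompts
    that ends in an approval is the push-bombing pattern. Returns one alert
    dict per suspicious approval: user, prompt_count, approved_from, at.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)  # user -> timestamps of prompts still inside the window
    alerts = []
    for e in _sorted_with_dt(events):
        user, now = e["user"], e["dt"]
        recent[user] = [t for t in recent[user] if now - t <= window]
        if e["event"] == "mfa_push_sent":
            recent[user].append(now)
        elif e["event"] == "mfa_push_approved":
            if len(recent[user]) >= min_prompts:
                alerts.append({"user": user, "prompt_count": len(recent[user]),
                               "approved_from": e["ip"], "at": e["ts"]})
            recent[user] = []  # an approval closes the burst
    return alerts


def enrollments_to_revoke(events, incident_start, lookback_days=7):
    """List MFA devices registered from (incident_start - lookback_days) onward.

    This is the containment step from the interview: revoke every device
    enrolled around the suspected initial access and let real users re-enrol.
    incident_start is an ISO-8601 string, e.g. "2022-09-12T02:00:00".
    """
    cutoff = datetime.fromisoformat(incident_start) - timedelta(days=lookback_days)
    return [(e["user"], e["device"], e["ts"]) for e in _sorted_with_dt(events)
            if e["event"] == "mfa_device_registered" and e["dt"] >= cutoff]


def enrollments_outside_allowed(events, allowed_cidrs):
    """List device registrations whose source IP is outside the allowed ranges.

    Mirrors the 'enrolment only from VPN/on-site ranges' policy: anything else
    is a candidate for revocation and investigation.
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [(e["user"], e["device"], e["ip"]) for e in _sorted_with_dt(events)
            if e["event"] == "mfa_device_registered"
            and not any(ipaddress.ip_address(e["ip"]) in n for n in nets)]


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(EVENTS):
        print("MFA fatigue:", alert)
    print("Revoke:", enrollments_to_revoke(EVENTS, "2022-09-12T02:00:00"))
    print("Enrolled outside allowed ranges:",
          enrollments_outside_allowed(EVENTS, ["10.20.0.0/16"]))
```

The detection keys on the sequence, not on any single prompt: denied prompts and unanswered prompts both count toward the burst, and only a burst that ends in an approval is raised, which is the case where the attacker actually got in. The two enrollment checks are deliberately separate, since during an incident you typically apply the time-window revocation first (it needs no knowledge of the attacker's IP) and then use the allowed-range check as an ongoing policy once enrollment is restricted to VPN or on-site addresses.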