Welcome back everyone to day two of theCUBE's live coverage at mWISE here in Washington, DC. I'm your host, Rebecca Knight, along with my co-host and analyst, Rob Strechay. We are joined by Charles Carmakal. He is the Mandiant Consulting CTO at Google Cloud, and Jeff Lunglhofer, CISO at Coinbase. Thank you so much for coming on theCUBE.

Thanks for having us here.

So earlier today you were on a keynote panel where you talked, you and an executive from Microsoft and also Barracuda Networks, as well as you, Jeff, about incidents that had happened at your companies. You were incredibly vulnerable sharing what went down, how you dealt with it, the lessons you learned and where you're going from here. I want to hear about what happened at Coinbase, but I want to start with you, Charles, about why these conversations are so important right now.

You know, I think so many of us learn about cybersecurity and the things that we should do better based on hearing about security intrusions and vulnerabilities and exploitation that's occurred at other organizations. And so I'm personally incredibly thankful that folks like Jeff and the executive from Barracuda and the executive from Microsoft decided to have the courage to come onto stage and to be open and to transparently and candidly just talk about their security incident and the things that they've learned. And a lot of times people are afraid to do this because there's a stigma against data security events. But we all learn when we openly share learnings from the variety of security attacks that we all deal with on a day-to-day basis.

Yeah, I think what was really interesting and striking to me is it's really the ecosystem that goes along with that and how that brings it all together. But one of the things that was also striking was a lot about, hey, here's how you deal with these things and some of the learnings out of it.
So again, you can't stop being patient zero, but being patient one or two, you can start. One of the things was obviously authentication, which was one of the big things that Jeff, you brought up. Why don't you talk a little bit about what the situation was and why authentication is really, you hammered that home.

Sure, absolutely. So the situation we dealt with at Coinbase was a traditional but sophisticated and advanced social engineering attack. It occurred over the course of about four hours. We had several dozen of our employees who were contacted directly by a threat actor that we lovingly call Scattered Spider, and a few other code names that Mandiant and our other colleagues have come up with. But they began directly calling our employees and sending a series of text messages and phone calls, and they were extremely persuasive. They made very good connection with the staff in an effort to get them to be redirected to some phishing websites. Unfortunately, we did have one employee who did provide his username and password into a phishing website, a fraudulent website. So that was then harvested by the actor in this case. Now the good news is that we use multi-factor authentication for all access into Coinbase. So the actor was not able to use the username and password. So great news there. It was a win for the security team and the whole company. There was no access that was directly gained into our infrastructure.
The not so great news is that using these very persuasive social engineering techniques, they were able to talk the employee into screen sharing, in effect loading up some screen sharing software and sharing their screen, not in an interactive way, but so that the adversary could see what was on that person's screen, and they did upload a file that contained a subset of employee information: names, email addresses, phone numbers, things like that, which of course, from a security perspective, that's now the next wave of attacks that's going to come at our employees. So obviously not a devastating attack in that there was any access gained or any customer funds that were ever in any jeopardy, but certainly something that we were very concerned about from an attack perspective. But to your authentication question, multi-factor authentication is the key to preventing folks from getting that initial foothold, and I really strongly believe that.

So when hearing from the audience about this social engineering, you think like, oh man, what was that employee thinking? You know, that's the thing, and you really hammered home: look, this can happen to any of us, even the most savvy among us.

Yeah, I have a very strong opinion on this. People who say, how could you do something so stupid? How could this happen? This could never happen to me. I'm here to tell you, you're wrong. You are just completely wrong. Those are the people that concern me, because it demonstrates that they don't really have an awareness of how persuasive and how effective these attacks can be. So I want my folks, all of my team members, all of my employees, I want everybody for that matter to acknowledge that yes, this can happen, and it probably will happen at some point in your life or in your company's life, and it's not whether that event occurs, it's how you handle it. It's do you acknowledge that something happened?
Are you willing to come forward and say, hey, I think I might've done something I shouldn't do? That's a really powerful thing, and I will say that the employee who suffered this particular issue was very forthcoming when our security team reached out to him and said, hey, what's going on? We're seeing some things on our network here that we're not comfortable with. Why are you running the screen share software? Oh, you know what? Oh wait, hold on, shut this down. Very responsive, very quick to respond, and the other great news is that the employees who did not fall victim were reporting to the Security Operations Center that hey, we think this is happening. There's a campaign targeting our employees, so we were very on top of the situation because of the behavior of the employees. So yes, it can happen to you, it can happen to anyone.

And Charles, you lead the incident response practice here as well, and you must hear from a number of, besides the people who are on stage with you, and you even mentioned in the panel FireEye and the incident that happened there, what are some of the other learnings that you're hearing that you're bringing back to that practice as well?

Yeah, so I want to start by talking about the types of threats that we're seeing, and there's probably a few different categories of threats that are the most prevalent across our roughly 1,200 intrusions that we're investigating for our clients. Probably the number one threat against organizations today is the threat of multifaceted extortion. Gone are the days where threat actors break into companies to steal credit card data, because it takes a long time to acquire enough credit card data, and it's hard enough to sell it to make millions of dollars. But within a three-day intrusion operation, a threat actor could demand a $5 million extortion payment or a $15 million extortion payment, and about half the organizations that we work with feel compelled to pay.
They're evaluating pros and cons of paying, and a lot of times they just have no better option but to pay. Another threat that we see very commonly across our customer base is the intrusions by nation-state actors that are intruding into organizations usually for economic, political, or military advantage, and we're seeing a resurgence in intrusion activity by certain governments that are more interested in acquiring data today than maybe they had been in the past through cyber means, and we're starting to see a little bit of a shift from the acquisition of information from insiders that we might have seen a few years ago back into the cyber attacks. And there's a few other types of threats that we see, but those are probably the two most prevalent. Now what we typically do is we kind of look at what are the threats, what are the ways in which the adversaries are getting access to environments, escalating privileges, moving around and ultimately accomplishing whatever their mission is, and we see a lot of commonality across that. Now my colleague Jeff mentioned the authentication opportunities that a lot of organizations have right now. A lot of people are still using passwords; they may use either single-factor authentication or maybe multi-factor authentication, and as Jeff and Kevin earlier mentioned, there's a huge issue with SIM swapping today, where somebody's cell phone number can be hijacked and they could get access to the one-time passwords that are sent to mobile devices, and so that's just an example of a takeaway that I hope a number of people have been imparted with as they've attended the mWISE conference this year.

Another takeaway I got from you in particular, Jeff, was this new idea, I'd never heard it before, push fatigue. Can you tell our viewers a little bit about that?

Yeah, so there's various forms of multi-factor authentication, and Charles alluded to what I would consider to be the least effective form, which is SMS text message.
Everybody knows, you go to your bank, you put in your username and password information and they'll send you a text message, you put in that code and you're authenticated. That's great so long as you are actually in control of that mobile phone, or the SIM card associated with that mobile phone, which can be changed. At any carrier, because of the phone number portability acts that were passed, laws that were passed some time ago that allow you to port your number from one carrier to the next, if you have a person who's positioned within another carrier, or an insider, they can literally clone your phone and take that number away from you on a temporary basis. They only need it for a few minutes to get those codes, and then they have access to your accounts. SMS is the weakest form of authentication, and I want to be clear, because I have a lot of colleagues who work in telecommunications, that's not a slam against telcos, Verizon, T-Mobile, all those providers that are out there. They never intended nor designed SMS to be used in this manner. It has been sort of attached onto by industry as a solution for multi-factor because of course the cell phone is almost ubiquitous now, everybody has one, but they never intended it to be what it's become. So unfortunately, that is by far the weakest form of authentication. Going up the chain from there, there's what we call push-based authentication, and that's where you may have an authenticator app on your phone. There's a number of providers that offer this service, and when you try and log in, that authenticator app will pop up a notification and say, hey, do you accept this login? You may have seen it; Google does it, a variety of companies will do it as a service. It'll pop up and you can accept or you can deny that.
The problem with that is that if someone already has your username and your password, aka the employee at Coinbase who gave that information up, or anywhere where that information is exposed, they can just send those push requests constantly to somebody's phone. So it happens pretty frequently, you'll have an engineer who gets 10, 20, 30, 40 of these push requests at two o'clock in the morning. They just want to sleep. The phone keeps waking them up and they're like, this is probably some rogue script or something that's running. You know, I'll just accept. I just want to go back to bed. They just have had it. They click accept and they go back to bed. And now you're compromised, right? So that's push fatigue. People just get sick of it. They just get used to clicking accept and they just do it. The stronger forms of authentication are what I would call a one-time password, an OTP solution. That's like Google Authenticator. I'll give you all a plug. I use that pretty extensively. And that's an app that runs on your phone that has a cryptographic seed that you can share with other companies that will produce a rolling series of one-time passwords. But there's no communication. You just put that in. It's synced between a server and your device. You can authenticate using that. Even stronger still is a physical security token. And that's the thing that I encourage everyone to use. If you have the option of using it, use a physical security token. That could be a YubiKey. It could be, there's a variety of vendors out there that offer these. But that is a physical token that you have to have. USB, NFC, you insert it into your computer. You press the little tongs on it. You authenticate. And presto, you're able to get into your accounts. You can't clone it. You have to physically steal it. You can't, if it's in someone's computer and you compromise it, you have to physically touch it.
So even compromising the machine where someone has a token inserted, you still can't use that authentication device. So it's a very, very strong form of authentication. And I encourage everyone to use it if possible.

Yeah, I think it's a lot easier than it used to be with the old RSA tokens, where you would have the random numbers generating next to you and you'd try to type it in at the same time. I've used very similar hardware when I was with another cloud provider.

Don't think about it. You just touch it. All you have to do is touch it. It's not, no numbers, no codes. Of course they're doing all that in the back end. But you have to physically have the token and you have to touch it. So I have several of those. I keep them in safes. I won't say where. But I can grab them. I can insert them. I can transact. I take them out. And when that's out, my accounts are secure.

I was just going to say it's one of those security conventions that actually make things more secure but even easier, more convenient for folks.

You know, after the FireEye incident a few years ago, we had some pretty strong controls in place. But we decided that we wanted to go to FIDO2 authentication. And we rolled out YubiKeys for everybody that was an employee of the organization. And I was initially a little skeptical myself, because I assumed I would probably lose it or I'd break it. I'd forget to take it when I traveled. But surprisingly, it's been actually quite effective, and it's been so much more convenient for us to authenticate by pushing a little button.

Yeah, I always had two of them. And I had one in two different places, to your point about, hey, you've got to keep them secure, but at the same time.

Have a backup.

Yeah, have a backup, because I would smash one and I'm like, okay, that's bad. I now need to go get my other one so I can actually log in and actually get my email and things of that nature, or log into a sensitive system.
But I think that was also another point that you brought up, was not one person being able to get into systems, and especially with the keys. And I think we were talking to some financials, and financials are becoming more like crypto companies, and crypto companies are becoming financials for all intents and purposes, but especially where it's the keys, the keys are literally the kingdom for Coinbase.

That's right. That's right. And that's a difference, I think, in a crypto ecosystem that a lot of people don't understand. Traditional wallet, we call it a Coinbase wallet, right? It's one of our products that we offer, and you think about that and you think, oh, it's like my wallet. You pull it out, there's your crypto, your money's right in there, it's in your wallet and it's contained. That's actually not what a wallet, a crypto wallet, is. A crypto wallet is a key management solution. Your actual crypto and your actual wallet is on the public blockchain that's out there on the blockchain network, what we call the L1 network, that's running on a series of distributed nodes all over the world. That's where your crypto actually is. That's where your actual wallet is. Your software that you run on your phone or on your computer simply allows you to access the private key, or the secret key, that will allow you to transact on that network to move that crypto around. So you're exactly right. You've got to protect those keys. It's all about protecting the keys. So one of the innovations, I shouldn't say an innovation, it's certainly not Coinbase specific, one of the things that we're leaning into is MPC, multi-party compute, which is where we take the traditional key, Charles has a key, Charles opens a lock, and we're breaking that key up into five bits, six bits, seven bits. And we can give those individual, what we call key shards, to various people.
And we can have a consensus agreement that says, I want to have three of the five, or seven of the 11, or whatever you choose as you're setting up your infrastructure. And you have to have all of those shards all being operated simultaneously in order to transact. A lot of our institutional customers and others really like that, because they can use Coinbase's infrastructure, but they can retain control of enough key shards where we can't transact on those wallets. They can't transact on those wallets. We, working together, can transact on those wallets. So it gives them a great degree of assurance that even if we're completely compromised and our key shards are taken, we still can't transact in the crypto. And the same is true vice versa. They lose control of their key shards, we can't transact without them. So it creates a very trustless environment. And I think that's one of the goals that we have for the crypto ecosystem.

So last question, and this is, you've already shared why it's so important for different companies to get together and talk about best practices, what they've learned and how they're getting better together. What's the flip side if they're not as transparent and as candid?

Yeah, I mean, if they are not transparent and they're not sharing information, then we all have to learn on our own, and it just quadruples or exponentially increases the amount of time that it's going to take us to solve cybersecurity challenges. You know, when people ask, you know, do I compete against Microsoft, or do we compete against other organizations? I say, no, I mean, we are competing against the adversaries. We need to share information to help the community just get better and defend themselves. And so I personally have a great relationship with a variety of organizations who may be competing from a business perspective. We're all on the same team when we're fighting against the adversary.

A great note to end on. Excellent. Thank you, Charles. Thank you so much.

Yes.
I'm Rebecca Knight for Rob Strechay. Thank you so much for joining us on theCUBE's second day of coverage of mWISE. We'll be back tomorrow.
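The "three of the five" key-shard arrangement Lunglhofer describes is a threshold scheme: any three shards together can transact, and a party holding fewer learns nothing about the key. The block below is an added example, written for this page by the editor; it is not code from the interview, from Coinbase, or from Mandiant, and it is not an MPC implementation (threshold MPC signing never reassembles the key on any one machine, whereas this example reconstructs it to make the property visible). It uses Shamir secret sharing over a prime field, which has the same k-of-n threshold property. The modulus, the function names, the injectable `rng` parameter, and the sample secret are all this example's own choices.

```python
import secrets

# Field modulus: the Mersenne prime 2^127 - 1 (a choice made for this demo;
# the secret must be a field element, i.e. smaller than this value).
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate sum(coeffs[i] * x**i) mod PRIME using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, shards, rng=secrets.randbelow):
    """Split `secret` into `shards` points so that any `threshold` of them recover it.

    The secret is the constant term of a random polynomial of degree threshold-1;
    shard i is the point (i, f(i)). `rng` is injectable so tests can be deterministic;
    real use keeps the default secrets.randbelow.
    """
    if not 1 < threshold <= shards:
        raise ValueError("need 1 < threshold <= shards")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element below PRIME")
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shards + 1)]


def recover_secret(shards):
    """Lagrange-interpolate the polynomial through the given shards and return f(0).

    With at least `threshold` distinct shards this is the secret. With fewer, the
    result is just some field element: every candidate secret is equally consistent
    with the shards held, which is why a breach of too few custodians yields nothing.
    """
    xs = [x for x, _ in shards]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shard index")
    total = 0
    for i, (xi, yi) in enumerate(shards):
        num = den = 1
        for j, (xj, _) in enumerate(shards):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse via Fermat's little theorem (valid because PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def demo():
    """3-of-5 split of a constructed sample secret; returns what each party can recover."""
    secret = 0x0123_4567_89AB_CDEF_0123_4567_89AB_CDEF  # constructed demo value, not a real key
    shards = split_secret(secret, threshold=3, shards=5)
    # Any three custodians acting together (here shards 1, 3 and 5) recover the key.
    from_three = recover_secret([shards[0], shards[2], shards[4]])
    # Two shards, say everything taken in a breach of two custodians, interpolate to
    # an unrelated value; the attacker cannot tell it from any other candidate.
    from_two = recover_secret(shards[:2])
    return {"secret": secret, "from_three": from_three, "from_two": from_two}


if __name__ == "__main__":
    result = demo()
    print("three shards recover the key:", result["from_three"] == result["secret"])
    print("two shards recover the key:  ", result["from_two"] == result["secret"])
```

Running the file prints `True` for the three-shard reconstruction and `False` for the two-shard attempt. The design point worth noticing is that the shards are not "parts" of the key in the sense of key bytes: each is a point on a random polynomial, so holding four of five gives no more information than holding none, and the threshold is set entirely by the polynomial's degree at split time.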