IT'S a Tech Podcast

Episode 5: CISO Blue Team

NYS Office of Information Technology Services Season 1 Episode 5


All indicators show that cybercrime is definitely on the rise. People spend more time online than ever before, and new technologies and techniques are creating more possibilities for criminals to target and exploit unsuspecting victims.

On this episode of the IT’S A Tech Podcast, Ben McFarland, NYSOC Shift Lead, and Anthony Mosher, CIRT Incident Response Analyst, share insights about how the Blue Team keeps NYS systems secure, what our guests learned at the recent NYS Cybersecurity Conference, and how you can also be a cybersecurity hero.

Thank you for listening to the IT’S a Tech Podcast. For more information about ITS, visit our website at its.ny.gov. Follow us on X, LinkedIn, Instagram and Facebook.

0:01
 You're listening to the It's a Tech podcast, an engaging conversation about game changing technology solutions being advanced by the state's Office of Information Technology Services.


 0:11
 Learn how we make IT happen for 53 state agencies and 20 million New Yorkers while helping government leaders deliver for New York.


 0:22
 Welcome to the It's a Tech podcast.


 0:25
 Not to be alarmist, but all indicators show that cybercrime is definitely on the rise.


 0:30
 People spend more time online than ever before and new technologies and techniques are creating more possibilities for criminals to target and exploit unsuspecting victims.


 0:40
 Regular listeners of this podcast will know that when we launched our first episode, we were joined by two members of the Chief Information Security Office, or CISO, Red Team for a super engaging discussion about how they get into the mindset of cyber criminals to test systems for vulnerabilities, gaps in our state's digital armor.


 0:59
 Today, we're looking at the reverse side of cybersecurity coin.


 1:03
 Our guests are from the CISO Blue Team who worked tirelessly to build and reinforce digital protections for New York State.


 1:10
 We are excited to be joined today by Ben McFarland and Anthony Mosher from our Cyber Command Center.


 1:16
 Ben is a shift lead at the Latham office of the New York Security Operations Center or NYSOC, and Anthony's an Incident Response analyst on our Cyber Incident Response Team or CIRT.


 1:27
 Gentlemen, thanks for making the time to talk to us today.


 1:30
 Thanks for having us.


 1:31
 It's a pleasure.


 1:31
 Thank you so much.


 1:32
 So for our very first episode, we were joined by two members of the CISO Red team.


 1:37
 The two of you are on opposite sides of the spectrum.


 1:41
 You're responsible for protecting and defending New York State agencies, our systems, our applications, our websites, billions of sensitive records.


 1:49
 So here's my question.


 1:51
 If the Red team acts like villains to test and exploit critical IT systems so we know where the vulnerabilities are, is it safe to say that the blue team is our resident cybersecurity superhero force?


 2:04
 I'd like to think of us more as first responders.


 2:06
 You know, we're performing triage, initial assessment, response, engaging teams like Anthony at CIRT.


 2:14
 You know, I don't know if they're necessarily superheroes.


 2:17
 They definitely don't wear capes, but they are pretty fantastic in my book.


 2:23
 We'll have to get capes into the budget.


 2:25
 So how did each of you get into these roles where you're doing this truly important job for ITS and the state of New York?


 2:31
 Ben, let's start with you.


 2:33
 So I had my start in the US Air Force.


 2:36
 I served at the Air Force Academy as a Lieutenant, where I worked in the Network Security Detachment.


 2:42
 After my term of service, I then entered private industry.


 2:45
 I worked at Solaris and then later Oracle where I was a kernel support engineer.


 2:53
 And for the last three years I've worked as a shift lead at NYSOC or CYCOM as it's transitioned over time where now we manage the analysts and monitor the alerts.


 3:04
 Wonderful, Anthony.


 3:06
 Yeah.


 3:06
 So I started my career at the Drug Enforcement Administration as a forensic analyst, and that was down in the DC area. I'm originally from New York.


 3:17
 So kind of missed home, decided to come back.


 3:19
 Welcome back.


 3:20
 Thank you.


 3:21
 Started my career with the state at the Comptroller's office where I was doing forensics with fraud investigations and acceptable use cases.


 3:33
 It was interesting work, but I knew that I wanted to do incident response.


 3:37
 And yeah, I'm here with CIRT and been happy ever since.


 3:43
 Living the dream.


 3:44
 That's right.


 3:45
 Take us inside the Cyber Command Center.


 3:48
 What do we see?


 3:49
 Do we see big screens alerting systems, horns blaring lava waterfall?


 3:54
 There's no lava waterfall.


 3:55
 But we are very fortunate to have two dedicated spaces.


 3:59
 There's one at 11 Metro Tech, which we're hosted there in partnership with the New York City Cyber Command, NYC3.


 4:06
 And then we have a second facility at 31 British American, which we've really moved into this last October.


 4:13
 It's a great space.


 4:14
 We have a lot of new pods, which allows for a lot of great collaboration.


 4:18
 There's plenty of parking.


 4:20
 Very soon, while we do not have a lava waterfall in the budget, we do have a large video wall coming soon for better analyst collaboration.


 4:30
 So it's pretty great, you know. We kind of jokingly call it the zoo.


 4:34
 It's very open where the analysts are sitting there, able to kind of work and talk and engage with one another.


 4:41
 But it is really conducive to providing the best support that they can.


 4:47
 Collaboration. Absolutely.


 4:48
 Team effort.


 4:50
 So, talk to us about some of the more common threats that are out there.


 4:54
 What do state governments like New York usually have to defend their infrastructure against?


 5:00
 Yeah, so state governments like New York, we have such a diverse collection of data due to the people that are the agencies that we're protecting.


 5:09
 So, for example, just taking a look at agencies protected under ITS, we have patient records, financial information, critical infrastructure, and just our users themselves provide a whole lot of value to these attackers, right?


 5:23
 So, you have state-sponsored attackers, you have e-criminals or cybercriminals.


 5:29
 And then we've had cases where people are just hacking the state for fun, changing road signs


 5:36
 just to get a laugh.


 5:39
 So you have a little bit of everybody trying to get a piece of New York and other state governments.


 5:44
 I can tell you that one of the biggest threats that we're seeing every day in our environment includes social engineering tactics, preying on our users, doing normal everyday things.


 5:54
 And these tactics go beyond your typical phishing emails.


 5:59
 So what we're seeing are legitimate websites that our users are visiting.


 6:03
 The attackers are compromising these sites and adding their own malicious code to then trick users into downloading malware.


 6:10
 And some of the social engineering tactics that we're seeing, they are showing up in different forms.


 6:15
 So you have fake CAPTCHAs, which we've seen a lot of lately. Diabolical, hate it.


 6:22
 So that will look like, instead of choosing all the pictures that have a bicycle in it, it'll say press Windows+R, press Ctrl+V and hit Enter.


 6:33
 And so basically what the attacker has done is copied a command into your clipboard once you visited the site and then had you run it yourself.


 6:41
 So now it looks like the command is coming from you, which it is.


 6:46
 And that's what they want.


 6:47
 A few more examples are tech support pop-up scams to try to scare users into calling support.


 6:53
 We get fake browser updates.


 6:55
 It might look something like your browser's out of date.


 6:58
 Please click here to download the update.


 7:00
 But it's actually a malicious script.


 7:03
 And then you also get malicious ads or malvertising as we call it.


 7:08
 And all the above introduce things such as information stealers that can steal your passwords, cookies, other data stored in your web browser. Can search for crypto wallets to try to steal cryptocurrency.


 7:25
 You get your remote access Trojans, which basically allow the attackers to do anything they want on your system.


 7:32
 We've been seeing a lot of remote management and monitoring software, or RR, excuse me, RMMs.


 7:39
 These are legit tools that are used by tech support, but the attacker gets our users to download them.


 7:44
 And it just looks like a normal benign process, but it's giving the attackers access to your computer.


 7:52
 And then there's ransomware, of course.


 7:55
 Oh yeah, that's always on everybody's radar.


 7:57
 Always.


 7:58
 Thankfully, we haven't run into any of that yet.


 8:02
 But we recently had a case where indicators did tie back to a ransomware group.


 8:08
 And you might be wondering, how did they almost get ransomware?


 8:11
 Well, they were basically just searching for a photo company and that happened to be compromised and it was fake CAPTCHA, which led to almost ransomware.


 8:21
 Wow.


 8:22
 So, yeah, those are just some of the threats that we have to deal with on a daily basis.


 8:27
 So glad you both are on our side.


 8:31
 So this may not be a fair question because there's nothing really typical about it.


 8:35
 But tell us what a typical day looks like for each of you.


 8:38
 Ben, you want to start?


 8:39
 Sure.


 8:41
 You know, we may begin the day just kind of checking up on the shift change log from the night before because the river of alerts never stops flowing.


 8:50
 It's a 24/7 shop.


 8:51
 Our analysts are reviewing events all day every day.


 8:55
 But after they've come in, they've taken a look at what's happened in the previous 12 hours.


 9:00
 They'll take a look at phishing alerts, scanning events, malware alerts.


 9:06
 They're basically going through these alerts, triaging them, analyzing them, determining what needs an initial response and what needs to be escalated and what can be dismissed as a benign positive, something that is appropriate for the environment.


 9:21
 But we can't ignore it.


 9:22
 We have to confirm that it's actually something to worry about. Double check.


 9:25
 Yeah, exactly.


 9:25
 And so that's what our day kind of is, day in, day out.


 9:29
 Fortunately, it doesn't get boring because we have a lot of different use cases to look at, a lot of different ways that folks out there can do bad things.


 9:37
 So there's a lot of different kinds of analysis puzzles that the analysts are allowed to take apart and figure out what's going on.


 9:44
 Amazing. Anthony?


 9:46
 Yeah.


 9:47
 So a typical day for me might include checking my e-mail first thing, make sure there aren't any escalations from SOC, and then looking through any alerts that came in overnight because, you know, the attackers don't stop at 5:00 like we do, right?


 10:03
 Unfortunately. Yeah.


 10:05
 So I'll do that.


 10:06
 And then I have my morning meeting with the team where we discuss things that we've seen, any alerts that look interesting, any information that we want to share with each other, like knowledge sharing.


 10:17
 And then basically always keeping one eye open on the mailbox for any alerts that come in for anything interesting.


 10:25
 And so actions might include remoting into the user's computer, getting browser history to see what they were doing around the time of the activity.


 10:36
 If there is malware involved, we'll normally take a copy of that from their computer and then we'll run it or detonate it as we like to call it, in our secure lab environment just to kind of see what it does.


 10:50
 And then from there, we just, we're just collecting indicators.


 10:55
 So, IP addresses, domain names, file hashes, anything that we can share with SOC to then share with our partners and add domains to our block list, things like that, just to keep the rest of us secure and prevent it from happening again.


 11:11
 Basically. Information sharing, absolutely crucial, absolutely crucial.


 11:16
 So, tell us about the Joint Security Operation Center, the JSOC, and how that has changed the way New York State approaches cybersecurity.


 11:26
 Sure.


 11:28
 Really the JSOC is now sort of a paradigm.


 11:30
 Really we're the New York State Security Operation Center and JSOC was an initial paradigm, but it's more become a core of our operating thought process.


 11:41
 What we do every day is that that program has really seen an expanded scope in what CYCOM and now NYSOC does to help keep New York State safe, right?


 11:56
 It's improved our maturity.


 11:58
 It's modernized our tool set.


 12:01
 It's really allowed us to help keep the world's 10th largest economy safer.


 12:05
 And I say safer because in the world of cybercrime, of script kiddies, nation-state actors, there's really no safe.


 12:12
 There's just safer, right?


 12:14
 Absolutely.


 12:17
 So obviously it's on everyone's mind.


 12:20
 We always are talking about it in the news.


 12:23
 How is AI changing the cybersecurity landscape?


 12:27
 Yeah, so AI is changing the landscape for everybody, everybody involved really.


 12:33
 So starting with attackers.


 12:34
 Attackers utilize AI to help write new malicious programs quickly, even with zero coding abilities, which is really scary.


 12:43
 And they can also write better phishing emails now.


 12:46
 So before, a huge indicator of a phishing e-mail was poor grammar and spelling, but now you have AI that can write really, really good emails that are harder to detect.


 13:00
 Another thing that attackers are using are deepfakes.


 13:03
 So these are fake video and audio created by AI to alter someone's appearance and make them appear as someone else.


 13:10
 So there was a recent case a few months ago where a finance worker paid out $25 million to fraudsters after they had a video call with who they thought was the CFO and other members of staff, but it turns out they were all fake.


 13:23
 Terrifying.


 13:25
 Yeah.


 13:27
 And on the other hand, AI helps defenders by detecting threats and malware in real time because AI can analyze tons and tons of data that humans really just can't do, at least not as well as AI, and can analyze that data to proactively detect anomalies and mitigate threats before they can even happen.


 13:48
 So another way that defenders can use AI is to enhance and speed up our analysis of things such as obfuscated scripts.


 13:57
 So an obfuscated script might look like a lot of gibberish.


 14:01
 There's some garbage code, complex math equations that humans just really can't compute.


 14:08
 Yeah, parse or compute ourselves.


 14:10
 So, we have to use AI, or AI can be used to make it easier for us.


 14:17
 Code in general: if you're code illiterate like me, you could say, explain to me what this code does, and it'll tell you.


 14:25
 And another thing that you could do is feed it some event logs to analyze and search for any anomalous behavior.


 14:32
 And it might, you might find something that you didn't or just give you a good starting place.


 14:38
 We'll say that. A powerful tool for both sides.


 14:41
 Yeah.


 14:41
 Of the struggle.


 14:42
 Absolutely.


 14:43
 So, we've made extraordinary progress enhancing cybersecurity across the state under the leadership of Governor Hochul and New York State CIO Dru Rai.


 14:52
 Is there any recent achievement you'd like to highlight for our listeners?


 14:56
 Where do you think we've made the most impact in the last year?


 15:01
 So to kind of put it in perspective for our listeners, I'd like to highlight from the report that our subscriber base includes the five big cities, 55 counties and 43 additional cities, towns or villages.


 15:14
 And with that comes 160,000 endpoints and about 140,000 users for us to secure and defend.


 15:21
 Incredible.


 15:22
 Yeah, incredible.


 15:23
 It's not a small feat.


 15:24
 No, not at all.


 15:25
 I also think it's important to note that, as Anthony mentioned there, as we bring that down to the county and municipal partners, we're really broadening our visibility across the state, getting a much larger picture into activity, and that's helping bring that level of cybersecurity down to the local level and, you know, communities that would not otherwise have those resources available.


 15:46
 Right, absolutely.


 15:48
 So, we are fresh off the 27th Annual New York State Cybersecurity Conference, which was held on June 3rd and 4th in Albany and had more than 1,000 people in attendance.


 15:59
 Tell us why this conference, which was hosted by ITS, the Albany School of Business and the New York State Forum, is so important.


 16:08
 Are there any takeaways for our listeners that you picked up that can help them be cyber superheroes, too?


 16:14
 Sure.


 16:15
 This was a fantastic opportunity to see some of the research being performed, like dark web scrapers or AI guardrail testing, as well as some product innovations, wider industry trends.


 16:28
 And you know, it's also really just a good old fashioned opportunity to sit down with some of your peers from across the state and maybe trade war stories. Idea sharing.


 16:37
 Absolutely.


 16:38
 That personal touch is always important, and that helps build a lot of cohesion with the team.


 16:44
 Absolutely.


 16:46
 Yeah.


 16:46
 I'd say my biggest takeaway from some of the talks that I had seen at the conference was that business is really booming for cybercriminals.


 16:53
 You know, it's, I think the number is like somewhere around 10 1/2 trillion dollars now.


 16:59
 Amazing.


 17:01
 Yeah.


 17:01
 So the money's good and there's new groups continuing to emerge and tactics are always evolving.


 17:08
 So they're quickly learning how our organizations work and they take advantage of that.


 17:13
 So like one of the examples from one of the talks was that help desk workers have a time to resolve for their tickets.


 17:23
 So what attackers have done is they figure that out and they're dragging out the conversation, with the end goal of trying to get those workers to maybe cut corners or do something that they wouldn't normally do, hoping for them to make that error so they can, you know, get their entry point.


 17:40
 Because that's what attackers are actually really trying to get, right, is an entry point into an organization.


 17:45
 And the easiest entry point is through us, right? Right, people.


 17:49
 Yeah.


 17:51
 So I'd say if listeners can take anything away from kind of what we've said or I've said on this podcast today, I'd like it to be this: stay vigilant, be skeptical and slow down.


 18:03
 So, you know, take your time before clicking that link.


 18:06
 Is the domain name that's taking you to strange or unexpected?


 18:09
 Is that email from your coworker or supervisor out of the ordinary?


 18:13
 Be on the alert for any scams via email or text messages.


 18:17
 In some cases, lots and lots of text messages hoping that you'll finally give in.


 18:23
 Limit personal email and web browsing to your personal devices.


 18:27
 I can't hit on this enough.


 18:29
 I think a lot of our alerts would,


 18:32
 we would drastically cut down on alerts.


 18:34
 I'll just say that, if people stayed off personal e-mail and personal web browsing. And then stick to downloading and using authorized software; there is a list available.


 18:48
 Or just try to avoid the sketchy stuff.


 18:52
 And lastly, if you receive something suspicious or accidentally download something, and you question its legitimacy, you can always reach out for support, whether that's your supervisor or CYCOM.


 19:03
 Absolutely, think before you click.


 19:04
 Yep.


 19:06
 So before you both go, I have one final question that I ask all our guests.


 19:11
 What are you most looking forward to this year?


 19:13
 And it does not have to be related to your job.


 19:16
 You know, for me, this is my daughter's senior varsity swim season and she's been at this for about 10 years, so it's going to be great to see her get a shot at Ithaca and the 500 free there.


 19:27
 Congratulations and good luck to her.


 19:29
 Thanks.


 19:30
 And for me, I just feel like I have a lot left to learn and do, so I'm excited for another year of experiences and professional and personal growth.


 19:42
 I love that.


 19:43
 Fantastic.


 19:44
 Well, Ben, Anthony, thank you for joining us and shining a light on the important work you're doing and for helping keep New Yorkers safe.


 19:52
 It's been a pleasure.


 19:52
 Thank you so much.


 19:53
 Yeah.


 19:53
 Thank you for the opportunity.


 19:55
 Thank you for listening to It's a Tech Podcast.


 19:57
 For more information about ITS, visit our website at its.ny.gov.