Responsible Exploit Disclosure: A New Perspective with MacKenzie Brown from Blackpoint Cyber


Responsible exploit disclosure is crucial for safeguarding organizations from potential threats. In a podcast episode, MacKenzie Brown, the Vice President of Security at Blackpoint Cyber, emphasized the importance of controlled research practices and responsible disclosure of exploits. She highlighted the negative impact of rapid exploit disclosure, stating that it can do more harm than good. 

Brown pointed out that the cybersecurity landscape is inundated with marketing, tooling, and technology, which can be overwhelming and not necessarily useful. With an increase in cyber attacks each year, organizations face significant challenges in defending against threats. She mentioned that the industry struggles to find good talent, and many businesses face financial losses due to cybersecurity incidents. 

The episode discussed the need for a coordinated approach to exploit disclosure, where researchers work closely with vendors to address vulnerabilities. Brown emphasized the importance of giving vendors time to create patches, communicate with customers, and ensure proper implementation of security measures. She advocated for a shift towards a more ethical and regulated approach to exploit disclosure, where vendors are held accountable for addressing security issues promptly.

Supported by: https://movebot.io/

All our Sponsors: https://businessof.tech/sponsors/


Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

[00:00:01] Hello, Insight. I look for stories with my interviews. I look for somebody who's got an interesting opinion.

[00:00:07] Mackenzie Brown of Blackpoint Cyber came and said she thinks there need to be some changes in the way we do exploits,

[00:00:15] in the way they're revealed to the public. I had to know a little bit more because she thinks we're moving too fast.

[00:00:22] So we dive into it on this bonus episode of the Business of Tech.

[00:00:27] Data migrations are complex and irritating, creating days of frustration from setup to cutover.

[00:00:33] Movebot was built from the ground up to fix that.

[00:00:37] Movebot is the simplest and fastest data moving tool there is.

[00:00:41] Fully hosted with no infrastructure, no virtual machines, none of that.

[00:00:45] Sign up, connect, scan, and you'll be moving data in minutes.

[00:00:49] Techs of all levels can now move terabytes per day with Movebot.

[00:00:54] The magic lies in how Movebot simplifies and autoscales your migration with modern cloud technology,

[00:01:00] handling proprietary doc types, file name sanitization, permissions, and cutover,

[00:01:05] with detailed reporting and alerting at every step.

[00:01:09] Start moving data like a pro at movebot.io.

[00:01:15] Mackenzie, thanks for joining me today.

[00:01:17] Thanks for having me. I'm super excited to be here.

[00:01:21] I'm excited too because one of the things I love doing on the show is when somebody comes out with an opinion

[00:01:25] that is counter to the prevailing knowledge, I always want to know more to get a sense of it.

[00:01:32] And you've kind of declared that you think rapid exploit disclosure is more harmful than beneficial.

[00:01:41] And you want to make some changes. Walk me through your reasoning

[00:01:45] on what you're looking for in the change in exploit disclosure.

[00:01:49] Yeah. All right. Well, I will play devil's advocate a little bit

[00:01:53] because let me just caveat and preface this by saying specifically what I'm doing

[00:01:59] as far as within the team of the Adversary Pursuit Group, we do threat intelligence

[00:02:05] and threat research in the intent to enable our security operations or threat operations center.

[00:02:11] So we're there to make it easier to provide additional analysis and context to what we're seeing.

[00:02:18] So that our threat analysts can hunt and remediate as fast as possible.

[00:02:23] So I will be, you know, let me just caveat this devil's advocate threat researchers

[00:02:30] and security research plays an imperative role in information security.

[00:02:35] That being said, we have a lot of issues in cybersecurity, as everyone knows.

[00:02:39] And I was kind of mentioning this the other day, but I just got back from RSA

[00:02:43] and this is where marketing money goes to get set on fire.

[00:02:46] It's super interesting. But we have an inundation of marketing and tooling

[00:02:50] and technology specific to security that is overwhelming and quite frankly,

[00:02:55] not necessarily useful. We have an increase year to year of attacks.

[00:03:00] So that's not going anywhere. Cyber attacks. And if you don't have, you know,

[00:03:04] mess up money essentially, whether it's through cyber insurance or an incident response team,

[00:03:09] many people struggle and many people go out of business because of cybersecurity threats.

[00:03:14] And then we struggle finding good talent. So all of these, like we're obviously in a world of InfoSec.

[00:03:19] I'm sure Dave, you and I could probably talk over a beer for hours about what's broken

[00:03:24] and how it's not aligning with IT as a whole. But threat intelligence and threat research

[00:03:30] or rather information sharing of threat research is valuable

[00:03:37] and sometimes not even achievable. Like real threat intelligence is not achievable

[00:03:42] gaining to what we are being sold in the market. So the whole concept around know thy enemy,

[00:03:50] if I'm going to slap you in the face with a phone book, but it's like the art of war quotes over

[00:03:54] and over of knowing thy enemy. This is where researchers play an imperative role.

[00:03:58] But we have kind of disrupted away the way the InfoSec culture has been where

[00:04:04] if we are performing exploit development, proof of concepts and basically the race to get those POCs out

[00:04:12] before other security companies just for pure marketing, we're actually doing more harm than good.

[00:04:20] And coming from the incident response world, this is where we saw this a lot.

[00:04:24] You know, just to put in perspective, we have 23,000 vulnerabilities that were released in 2023

[00:04:29] and that's a lot. Now, albeit a lot of those didn't come with exploits,

[00:04:33] they're not going to be as critical or severe, but a lot of them come with exploit development,

[00:04:37] which is basically the how do we utilize this vulnerability to do in what manner

[00:04:44] to perform malicious actions or to be successful as a bad guy in my attack path?

[00:04:50] But we also have the other side of the house where we're performing this research,

[00:04:56] which is imperative. It needs to be done. We need to understand how these threats work.

[00:05:00] We need to understand how to mitigate and remediate against them.

[00:05:03] But we're releasing that information before a vendor even has time to whether create a patch,

[00:05:09] communicate the patch, test it, ensure that people are actually implementing it correctly

[00:05:14] or creating processes in a workflow that is coordinated.

[00:05:18] And this coordinated disclosure is something that we don't perform.

[00:05:24] Google has a coordinated disclosure policy out there.

[00:05:28] Many other companies are starting to implement it.

[00:05:30] And this is more around the bug bounty stuff as well as like, hey, I'm going to alert a vendor

[00:05:35] that they have a vulnerability, but I'm not going to release it on YouTube or GitHub

[00:05:41] of how that could be exploited. And so we have this proverbial race going on

[00:05:47] both for clout, but also we're not actually increasing the proactive manner

[00:05:54] of when information sharing becomes useful.

[00:05:58] So without a doubt, threat actors are following these elite researchers that are very important to us.

[00:06:04] That makes their job a lot easier if you're basically handing them the instruction manual.

[00:06:10] We are often against organizations who are subjected to these threats,

[00:06:15] who can't even implement MFA. They're not doing the bare minimum, right?

[00:06:18] They're not doing best practices of patching and having a program.

[00:06:22] And what we've discussed before being that secure design aspect, the basics.

[00:06:27] We're struggling with the basics in InfoSec.

[00:06:30] So we're almost racing to the shiny object, making the attacker's job a lot easier

[00:06:35] if we're doing the work for them. And we're not giving the vendors time to basically

[00:06:40] in a coordinated manner, collaborate and work together so that we can improve the problem

[00:06:46] or not improve the problem, but create the solution and, you know,

[00:06:51] improve everyone's defense capability against these threats.

[00:06:56] So let's acknowledge exactly what you said.

[00:07:00] Like, look, people need to be working on the basics.

[00:07:02] And if you haven't done the basics, then this conversation is a 400-level college course

[00:07:07] that you have to go back and take the 100 level.

[00:07:10] But let's assume for somebody who is doing that, who's then looking at the security landscape

[00:07:15] and say, okay, I'm trying to understand the motivations around it.

[00:07:19] And again, I'm kind of a layperson looking in when I think about the security space.

[00:07:24] It's my understanding that there's a lot of different security researchers out there.

[00:07:28] There are some very white hat ones. There are some very black hat ones.

[00:07:32] But then there's a whole bunch in the middle, right?

[00:07:34] There's a whole bunch of people that are just doing this kind of stuff.

[00:07:37] And these exploits, they have monetary value.

[00:07:40] I don't want to be dismissive of the fact that like they have monetary value.

[00:07:43] So somebody who's looking and saying, like, hey, I found something.

[00:07:48] If clout has value, right, like clout does have value in terms of like career advancement

[00:07:55] or being able to project it.

[00:07:57] So I'm looking at the endpoints and saying, like, what are the ways that you really think

[00:08:02] these researchers should be able to take their discovery?

[00:08:06] Like is the best version a bug bounty engagement with the vendor where it's collaborative?

[00:08:12] What about the vendors that don't do that?

[00:08:13] Give me a little bit of sense of like how it should be and what the ideal would be

[00:08:17] and then like kind of the broken bits behind it.

[00:08:20] Yeah, right.

[00:08:21] In an ideal world, and we talked about this a little bit with secure design.

[00:08:25] In an ideal world, vendors are held accountable.

[00:08:28] They take the SDLC process very high, you know, and they ensure that they are continuously

[00:08:33] stress testing and providing that quality assurance that as a consumer, the things that

[00:08:38] we're investing in is not going to be subject to being broken on a regular basis.

[00:08:44] And I do think that there's a natural like evolution in technology where certain technologies

[00:08:49] become legacy and they become redundant or not useful.

[00:08:53] And then that technical debt over time actually imposes more risk because we're not patching

[00:08:58] them and no one really utilizes them.

[00:09:00] And so it's just a bunch of parts sitting around.

[00:09:03] But I and I'll continue to say that researchers play this imperative role.

[00:09:10] They have we need these exploits.

[00:09:12] We need to understand we wouldn't be where we're at in information security if we didn't

[00:09:15] have people who are willing to tinker and break apart the things that we rely on from

[00:09:20] an infrastructure perspective and from an identity and access perspective or authorization

[00:09:26] and authentication side.

[00:09:27] We need to constantly break those things apart.

[00:09:30] And then we also have to find processes where we can tell the vendor, hey, we're notifying

[00:09:36] you.

[00:09:37] You have an expectation to your client base or to your consumers to fix this problem.

[00:09:44] But this the biggest issue in an ideal world is it's not regulated.

[00:09:48] We don't live.

[00:09:49] This isn't a regulated process.

[00:09:51] There's no framework to work off of necessarily.

[00:09:54] And then we're just doing it an equity process based on large company to large company.

[00:09:59] Right.

[00:10:00] We're talking about the Googles, the Microsofts, the Ciscos of the world.

[00:10:04] Right.

[00:10:05] The really large companies that we're not going to stop dating.

[00:10:10] Right.

[00:10:11] We're not going to stop building a relationship with them no matter how hard we try.

[00:10:13] But so we have to follow suit of those organizations do have these equities process.

[00:10:19] So all vendors should start adopting that.

[00:10:22] But.

[00:10:23] You we kind of spoke about this a little bit on the great work that CISA is doing.

[00:10:27] Right.

[00:10:28] They're really starting to put basic knowledge transfer out there.

[00:10:31] They're saying this is how we do things.

[00:10:33] This is how this works.

[00:10:35] This is how we implement these components of security programs that need to be in place.

[00:10:40] And the next step to that is basically an advancement in policies and regulation to say, what does this equity process look like?

[00:10:48] How can we hold the vendors accountable?

[00:10:50] Because I know for MSPs, right, we don't really have a choice.

[00:10:53] We're sitting there trying to work with vendors to decide who we want to go into business with and how we make those choices.

[00:11:00] But it's also up to the vendors to say, no, without a doubt, we also work together in this coordinated manner and have.

[00:11:08] With, for a lack of a better word, a moral compass to know that it's important to us not just for loss of business, but because we are providing infrastructure that now we live, whether we like it or not, in an information security world where security is going to be the first thing that is on the top of mind of every business owner's

[00:11:26] Basically, agenda, whether they like it or not.

[00:11:30] So I do think that we have to start having some of this discussion now, because if we don't find a way to either bring it up, we're not going to find a way to regulate it or to push it.

[00:11:43] Or we're not going to find a way to actually study the data and see how effective this is.

[00:11:47] I talked about the twenty-three thousand vulnerabilities.

[00:11:50] A lot of the ones that get hit from an investigative standpoint, when you're looking at doing an incident response, a lot of the vulnerabilities that are exploited for initial access or persistence, they could be two years old or three years old.

[00:12:04] So it's past the conversation of we need to teach people how to build a patch program.

[00:12:09] Realistically, if we can't get them to enable MFA, if we can't get them to segment their network in an appropriate manner or do data classification, I mean, why are you expecting them to be able to patch, especially at the strenuous rate that we need to be patching?

[00:12:22] So we have to find ways, especially in InfoSec, to work together in a coordinated manner that has ethics behind it and where we're starting to actually have these real conversations and make regulated change, but in a way that is useful.

[00:12:38] And regulations don't come easily and they're certainly not very comfortable.

[00:12:44] But I do think that if we start talking about it now, we can hold other vendors accountable that aren't doing this, that aren't disclosing it.

[00:12:51] And then we can also break the culture where the vendor is the bad guy as well.

[00:12:56] Right. We don't want that. We want a culture where vendors do disclose, where they do create communications, where they create remediation plans and then where they share with other InfoSec based companies that perform the research.

[00:13:08] We're supposed to be defending and working together. And this problem, I think culturally is something that has really pulled us apart.

[00:13:17] And so clout chase is one thing. But when we market intelligence and we advertise certain things, we're just doing an IOC dump.

[00:13:26] And now we're going back to the other issues in cybersecurity.

[00:13:29] How do you expect this smaller medium business to call up their MSP and say, hey, I just heard about this. What are you doing about it?

[00:13:37] They're also dealing with hundreds of customers that are emailing them about the same issue.

[00:13:42] And so I feel like it causes more harm than good, not just because the threat actors are actually monitoring those researchers, not just because we're doing post exploitation research, which is also can be damaging.

[00:13:55] But it's because we're not accompanying that with remediation best practices.

[00:14:00] We're not helping MSPs. We're not doing it in a way that is this is how you're going to solve this problem.

[00:14:06] Because let's face it, even I've seen this time and time again, like the Exchange Zero vulnerabilities.

[00:14:12] We saw them getting exploited two years later. It's not unknown.

[00:14:16] Vulnerabilities they got released that may seem minor but provide remote code execution or access just because you were able to scan or discover devices connected to the Internet and then exploit those easily

[00:14:29] and then hope that their identity and access privileged identity programs in place.

[00:14:33] I mean, we're really not going to win this fight. Unfortunately, we're going to be in constant defense mode.

[00:14:41] Well, it's interesting. So I want to ask you your perspective on kind of the dichotomy and the disconnect between end customers.

[00:14:48] You said something that I'm not sure I agree with because you said small business owners, a top of mind is cybersecurity.

[00:14:55] I would actually say for most business owners that I talk to, top of mind is growing my business and making payroll.

[00:15:02] Like that actually that security is probably not even third on the list.

[00:15:08] It might be lucky to be fifth on the list, that it actually is probably 10th or 20th on the list of what the typical small business operator in a generic sense.

[00:15:20] And that could mean your retail facility, a doctor, a lawyer, like literally like they're thinking about their day-to-day operations, driving the business and cybersecurity is not top of mind.

[00:15:32] Now, they will then when you talk to them about their needs, they will include that and they will talk of, hey, yes, I need to make sure that I'm compliant.

[00:15:40] I need to make sure I'm obeying the law. I've got, you know, particularly because you have data privacy stuff.

[00:15:44] Like I actually think data privacy probably bubbles up before cybersecurity in their needs because there's actual laws there.

[00:15:52] Give me your take as somebody, you've spent a ton of time thinking about threat hackers, thinking about this space.

[00:15:58] Tell me what you think that the industry needs to do to reckon with that.

[00:16:04] Cybersecurity people tend to think they're most important.

[00:16:07] And when I go out into the talk to owners, they aren't like, talk to me about how you bring those two groups together.

[00:16:14] Right. Okay.

[00:16:15] So, well, first and foremost, I do agree.

[00:16:18] I feel like cyber people do go out there and we wear our top hat in a gentleman way.

[00:16:22] But the way that I always approach that is I actually think that my father's an infrastructure director.

[00:16:31] He's also been a CISO. And I've been around networking for a really long time.

[00:16:35] My brother is a network engineer.

[00:16:37] They're not thinking about that when they're working on a server rack, right?

[00:16:41] They're not thinking about even data classification and how it relates or if this is a critical asset.

[00:16:47] I mean, they know.

[00:16:48] I also think that there's this distinguished side of cybersecurity where we make it seem like the person doing I.T.

[00:16:57] also isn't doing security, whether they know they're doing it or not, or they're not knowledgeable in the fundamentals of cybersecurity.

[00:17:05] And I think the same thing goes for small medium business.

[00:17:08] Right. Of course, a business owner is going to make sure they're not committing crimes and they're able to make money.

[00:17:15] That's like the goal.

[00:17:16] But I would argue that I think that they just simply don't know how to define cybersecurity.

[00:17:23] They know that they need the technology, whether it's an app or Active Directory or Microsoft licensing.

[00:17:31] They know they need to work with an MSP to do business.

[00:17:35] Point blank.

[00:17:36] But they don't realize that all of those conversations they're having, same with from an I.T. perspective, we don't realize our security conversations.

[00:17:46] Being able to give access to a corporate resource that is probably under some data privacy requirements, likely whether it's PCI or PII.

[00:17:55] Right. We're having the conversation of who gets access to that.

[00:17:58] And that's a cybersecurity conversation as well.

[00:18:00] And so I think that the problem is, is it's top of mind whether they know it.

[00:18:06] And that might be an easy way to debate it with you.

[00:18:09] But it's top of mind whether they know it because we haven't defined the language in which information security directly overlaps with I.T. and technology.

[00:18:17] And everyone knows we need that to run a business, unless you're like a goat farmer.

[00:18:22] But like, it depends. You still need to file your taxes.

[00:18:25] So you still need to connect to the Internet.

[00:18:27] I don't know. But I do think that there is it's just more of a culture issue.

[00:18:32] It's a knowledge base issue.

[00:18:34] And so if you think about it, like if you're asking an optometrist office or a new small business owner what they think about cyber or what how do they define cybersecurity?

[00:18:45] They're going to say, oh, they're going to relate to something that's in the headlines or in media.

[00:18:49] Or, oh, it's when threat actors come and ransomware you or take your data.

[00:18:53] And so it's very limited.

[00:18:56] And also, I think that's a problem in InfoSec is we're not educating in a way that is universally translated so everyone understands it.

[00:19:05] We're and we're also not communicating in a way to understand that I.T. and cyber, they are the same, in my opinion.

[00:19:13] We need to do this when we design, when we implement, when we protect, when we grant access to things, when we redesign or incorporate new technologies.

[00:19:25] Security is always a part of that conversation, especially now.

[00:19:29] So why aren't we starting to blend it so we understand when we're talking about security, whether we're intending to or not?

[00:19:37] Well, I think you're right.

[00:19:38] I think we could talk about this for hours.

[00:19:40] But that last point is actually where I'm going to leave us, because those that will be most successful are the ones that are going to blend exactly as you just described.

[00:19:47] Mackenzie Brown is the vice president of security at Blackpoint Cyber, where she leads initiatives to enhance cybersecurity strategies.

[00:19:53] She's got a very strong stance on responsible exploit disclosure, and she advocates for controlled research practices to safeguard organizations from potential threats.

[00:20:02] Mackenzie, thanks for joining me today.

[00:20:04] Thanks so much for having me, Dave.

[00:20:08] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech.

[00:20:15] If you like the content, please make sure to hit that like button and follow or subscribe.

[00:20:20] It's free and easy and the best way to support the show and help us grow.

[00:20:26] You can also check out our Patreon where you can join the Business of Tech community at patreon.com slash MSP radio or buy our Why Do We Care merch at businessof.tech.

[00:20:38] Finally, if you're interested in advertising on the show, visit mspradio.com slash engage.

[00:20:45] Once again, thanks for listening to me.

[00:20:48] I will talk to you again on our next episode of the Business of Tech.

[00:20:55] Brought to you by the MSP Radio Network.