Published in Authority Magazine

Dave Piscitello of Interisle Consulting Group: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

An Interview With Tyler Gallagher

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Dave Piscitello.

David Piscitello has been involved in Internet technology and security for over 40 years. Until July 2018, Mr. Piscitello was Vice President for Security and ICT Coordination at ICANN, where he participated in global collaborative efforts by security, operations, and law enforcement communities to mitigate Domain Name System (DNS) abuse. He also coordinated ICANN’s security capacity-building programs and was an invited participant in the Organisation for Economic Co-operation and Development (OECD) Security Expert Group. Dave is a member of the Geneva Centre for Security Policy expert community. He serves on the Boards of Directors at the Anti-Phishing Working Group (APWG) and Consumers Against Unsolicited Commercial Email (CAUCE). He is the 2019 recipient of M3AAWG’s Mary Litynski Award, which recognizes the lifetime achievements of individuals who have significantly contributed to making the Internet safer.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in a 1950–1960s middle-class suburb in northern New Jersey. I was an only child but was raised alongside many cousins from my extended family — both Italian. I led what I thought was a typical 1950s childhood. We spent waking hours outdoors, unsupervised, left to make our games and rules, and we sorted out differences by scuffling, outwitting slower thinkers, or outrunning the bigger kids. My teachers either characterized me as an underachiever or a promising student, but basically, I did well when a shiny object caught my attention. I played several instruments, wrestled in high school, and played jazz sax at weddings and parties with a 5-piece band on weekends. I studied mathematics and philosophy at Villanova University. I was also a cheerleader and bartender.

I took a programming job with Burroughs Corporation after graduation, but only to pay for my master’s degree in philosophy. I supported assemblers on a microprocessor, pivoted to data communications, and in 1980 turned to internetworking, which was a fledgling industry, but a VERY shiny object. At this point, I put becoming a professor of philosophy in my rear window. I went to work at Bellcore on broadband tech in the late 1980s and was one of the first teleworkers on the US East Coast. I had a DEC MicroVAX in my basement and a UUCP connection to my office. Working out how to allow services through our corporate firewall was the shiny object that led me to the field of Internet security.

I left Bellcore to try my hand at consulting and different shiny objects caught my attention. I was interested in experimenting with emerging tech. I had colleagues at dot com startups who generously shipped me routers, switches, firewalls, or VPN appliances; my partner, Lisa Phifer, and I soon had a 24-port patch panel full of gear — but no broadband. We solved this by partnering with a local ISP, collocated equipment for more testing, and we fed our families by testing products. The lab gradually evolved from routers and switches to a firewall, IDS, and VPN appliances. Our lab introduced us to the problems enterprise admins faced, and finding solutions made work feel like play.

I was invited by Dr. Stephen Crocker to work as a security fellow at ICANN in 2005 and found shiny objects: domain names and cybercrime. I had opportunities while at ICANN to work alongside cybercrime first responders and international law enforcement agents on global botnet takedowns and created a DNS training program for law enforcement that ICANN generously supported. Our team provided on-site training throughout Europe, Latin and North America, Africa, and the Asia-Pacific regions.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

My career in cybersecurity was evolutionary, but one event, in particular, instigated my pursuit of cybercrime. I heard Rod Rasmussen speak at an Anti-Phishing Working Group workshop on phishing and thought, “committing fraud can’t be this cheap and easy.” I spoke with Rod and others after his talk and decided at that moment to investigate and report the ways that cybercriminals exploited domain names and hosting services.

Can you share the most interesting story that happened to you since you began this fascinating career?

I was having dinner at a vodka bar in LA during an ICANN meeting with three colleagues: John Crain, Jeff Bedser, and Greg Aaron. We were frustrated that there was so little interest or even willingness to talk about mitigating cybercrime. We had explained how phishers and spammers were purposely registering domain names in volume for attacks. Attendees objected to our conclusions and insisted that they had no responsibility for mitigating abuse and claimed, “These are content issues. We are not the Internet police.” After several hours, we concluded that we needed measurements to show this community just how bad the abuse is, but what should we measure? We debated for a while and finally agreed to “measure it all!” We began building a domain name abuse activity reporting (DAAR) system at ICANN. The DAAR system wasn’t maturing as quickly as I’d hoped, so I retired from ICANN and began building a more ambitious reporting system with my colleagues at Interisle Consulting Group. We now operate the Cybercrime Information Center (https://cybercrimeinfocenter.org), where we collect data and report phishing and malware activity among Top-Level Domains, domain registrars, and hosting services.

None of us is able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

I’ve had many, but the two who stand out are Dr. Vinton Cerf and Dr. Stephen Crocker. I met both while working on Internet standards in the mid-1980s. In 1989, Vint hired me to consult for MCI and tasked me to work with Dr. David Clark from MIT on secure remote access opportunities for MCI’s Internet service. I’d have worked with David and Vint for free, and the experiences during that time benefitted me in many ways. In 2005, Dr. Stephen Crocker invited me to work with him on the ICANN Security and Stability Advisory Committee. Steve and I researched and wrote security advisories and white papers focusing on domain name issues, and we increasingly shifted the focus from DNS infrastructure and services to misuse and criminal use of the domain name system. Vint and Steve remain my friends, colleagues, and mentors and I’m forever grateful for the opportunities to have worked for and alongside them.

Are you working on any exciting new projects now? How do you think that will help people?

Our Cybercrime Information Center occupies nearly all my time at work. We’ve built a repository for longitudinal studies of global security threats that exploit domain names and Internet addresses. We report where phishers or malware attackers are obtaining the resources that they use to perpetrate fraud, steal sensitive data, or extort individuals or organizations for ransom. We’ve created nearly 10 million records for phishing and malware, and are now processing spam, which will double our repository by 2023.

We’re raising awareness of the enormity and complexity of the cybercrime landscape. We aren’t trying to name-and-shame; instead, we provide measurements and analyses to help policymakers or legislators make informed decisions as they develop policies, recommended practices, and regulations. Our reporting and studies have been cited by the European Union’s High-Level Internet Governance (HLIG) expert group discussing domain name abuse (https://op.europa.eu/en/publication-detail/-/publication/7d16c267-7f1f-11ec-8c40-01aa75ed71a1), which makes recommendations for knowledge building and mitigation collaboration at EU level.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Burnout comes in several forms. If you’re losing motivation because your work isn’t rewarding or challenging, and you aren’t ready to pivot to something different, look for that new shiny object that will motivate you to broaden your skill or knowledge set. For me, hands-on experience was as infectious as gaming, so I configured a firewall, sniffed LAN traffic, and ran an IDS over my home network as a diversion from my day job. When I heard about a novel security system or software, I found a spare laptop or added a VM, and tried it out.

If you’re in a high-stress position, make time to do something entirely non-technical. I found cooking to be rejuvenating. I set tech aside, use my hands, get creative, and enjoy what I’ve prepared. Cathartic! Pets work as well. We have two golden retrievers. They drag me away from my keyboard for walks and play.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

  1. Career diversity. There are a thousand ways to be involved in cybersecurity. Cyber defense, cybercrime prevention, offensive cyber, threat mitigation, forensics, security awareness, counter-terrorism, malware analysis, and so many more opportunities are within reach if you are motivated and willing to get your hands dirty.
  2. Cybersecurity is interdisciplinary by nature. The notion that a background in STEM is necessary for a career in cybersecurity is ill-conceived. There are roles for nearly every background. Political science, psychology, and law are as valuable to mitigating cybercrime as engineering and mathematics. My son, an English major, works as a cyber analyst.
  3. The community. In my experience, cybersecurity practitioners, especially those who pursue cybercrime careers, are trustworthy, passionate, and collaborate readily with others who share these attributes and want to share success. There’s nothing as rewarding as playing a part in dismantling a botnet, exposing a rogue operator, or contributing to the apprehension of cybercriminal conspirators.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

The biggest threat in the cybercrime realm is the trivial cost of entry to perpetrate a crime. You can get a domain name for free, download a phishing kit or malware from a file repository or social media page for free, and sign up for a free web hosting site. You don’t need hacking skills, and with minimum effort to hide your tracks, your risk of being apprehended is very small. Organizations and individual users must invest more talent and money than attackers. So long as the playing field is tilted in this manner, everyone is at a disadvantage.

Malware is the most worrisome cybercrime threat. We see malware of all kinds, particularly those that target Internet of Things (IoT) devices, as the predominant threat. Russia’s incursion into Ukraine has raised anxiety over the use of malware as a weapon in cyberwarfare, but I agree with those who argue that cyberwarfare is integral to waging war in the modern era and belligerents must utilize it to be effective. I think we should be more concerned with how political influence and disinformation threaten democracies worldwide.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Not a breach per se, but I played a role while at ICANN in what was one of the first successful dismantlings of a global botnet, Conficker. This action required cooperation from ICANN, Top-level Domain operators, private sector investigators, national law enforcement agencies, and justice departments across the world. As a post-mortem, I wrote an after-action report on Conficker (https://www.icann.org/en/system/files/files/conficker-summary-review-07may10-en.pdf).

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

We work with cybersecurity tools that provide us with threat intelligence data and assist us with threat analyses. We use domain blocklists from Spamhaus and SURBL, URLBLs from the Anti-Phishing Working Group, PhishTank, OpenPhish, Malware Patrol, MalwareURL, InvaluementURI, and URLhaus. These report phishing, malware, spam, and botnet activity. Many organizations use one or more of these in their perimeter defense security systems.

We also use the DomainTools IRIS and Seclytics Threat Intelligence platforms. These provide us with historical threat data that complements what we collect. We use malware analysis services from Hybrid Analysis and ANY.RUN to further understand the nature and behavior of reported malware, and I recommend the community versions to those who want to learn about malware.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

It’s becoming harder for organizations of every size to contend with cyberthreats. Mitigating the factors that create a greenfield for cyber-attacks is generally too costly and complicated for organizations to bear, and defensive security becomes the best effort for a predetermined cost.

Organizations that run off-the-shelf security solutions and don’t invest in security expertise sit behind modern-day Maginot lines that can’t withstand concerted attacks. We’re still nowhere close to install-and-forget defense. Contracting with a third party for cybersecurity can be cost-effective, but I’d urge organizations to also dedicate staff to meticulously oversee the services those agencies provide.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

One of the best indicators of what’s going on in your network is DNS traffic. Your users and devices resolve thousands of domain names to Internet addresses hourly or daily. Infected devices do this as well. Monitor your network and traffic (which includes, but is not limited to, DNS) so you know what is normal and what is not. When you find something that is not, investigate. That will either yield information about a breach or hack or better inform your understanding of what is normal.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Every company should know exactly what to do when they are attacked. If you don’t have an incident response plan, or don’t test, review, and revise it regularly, it will cost you dearly. There are quality resources for incident response planning, so my answer would be, “formulate a plan, follow the plan, trust the process”.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR, and other related laws affected your business? How do you think they might affect business in general?

Privacy measures are well intended, and I believe welcomed by cybersecurity practitioners. But GDPR and other regulations didn’t and still don’t understand the critical role that private sector actors play in mitigating cyberthreats and failed to consider them carefully when they attempted to define the legal basis for private data processing. This omission has created serious impediments to threat resolution, the ability to identify perpetrators, or digital rights protections. Cybercriminals are profiting longer from attacks, and the harms and losses have increased. The data we publish at the Cybercrime Information Center corroborates these claims.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Many organizations don’t effectively assess and manage risk. We see ample evidence that organizations don’t recognize registered domain names and IP address allocations as corporate assets, and they fail to inventory or protect them.

Our studies reveal that device configuration and management, especially IoT devices (think surveillance cameras), is lax or absent.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

I don’t think that we have sufficient historical data to determine how much influence the pandemic played in the increase in cyber-attacks or data breaches. I’ve been studying cyber-attacks for nearly two decades, and I could just as readily assert that complacency, neglectful policy regimes, and poor security management are equally to blame. Pointing at Covid is convenient but I suspect that the vulnerabilities exploited during the pandemic were present before Covid, and I suspect that they’ll remain so if the pandemic ever ends.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

  1. Know your assets: many soft assets like domain names and IP address allocations are overlooked in inventories.
  2. Know your risk: a proper risk assessment and management will help you make the most of your security budget and resources.
  3. Know your network: measure, monitor, and log continuously so you can distinguish normal events from anomalous or suspicious activity.
  4. Know your enemy: stay on top of the evolving threat landscape.
  5. Know your friends: an integral part of incident response is knowing who to call to help you mitigate threats. Your contacts: vendors; third-party providers; law enforcement; local CERTs or CIRCs; partners; and customers may be able to lend aid or share intelligence when you’re under attack.
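
As an added example (not from the interview, and not Interisle’s tooling), here is one way to act on the “know your network” point above and on the DNS-traffic indicator Dave describes earlier: build a per-client baseline from DNS query logs, then flag a later window whose volume, never-seen domains, or hostname fan-out under one domain departs from it. The log format, thresholds, client addresses and names are all constructed for this example, and the last-two-labels domain guess stands in for a public-suffix list.

```python
from collections import Counter, defaultdict

# Constructed "<epoch> <client-ip> <queried-name>" lines, invented for this example.
BASELINE_LOG = """
1700000000 10.0.0.5 www.example.com
1700000010 10.0.0.5 mail.example.com
1700000020 10.0.0.7 www.example.com
1700000030 10.0.0.7 mail.example.com
"""
CURRENT_LOG = """
1700003600 10.0.0.5 www.example.com
1700003610 10.0.0.7 www.example.com
1700003611 10.0.0.7 3fa9c1.beacon.test
1700003612 10.0.0.7 b7e02d.beacon.test
1700003613 10.0.0.7 91ac4e.beacon.test
1700003614 10.0.0.7 d04f77.beacon.test
1700003615 10.0.0.7 5c2e18.beacon.test
1700003620 10.0.0.9 www.example.com
"""

def parse(log):
    """Yield (client, qname) pairs; names normalised to lower case, no trailing dot."""
    for line in log.strip().splitlines():
        _ts, client, qname = line.split()
        yield client, qname.lower().rstrip(".")

def registrable(qname):
    """Crude registrable-domain guess (last two labels); a real deployment uses a public-suffix list."""
    return ".".join(qname.split(".")[-2:])

def profile(records):
    """Per client: query count, registrable domains seen, and the largest number of
    distinct hostnames resolved under a single registrable domain (fan-out)."""
    hosts = defaultdict(lambda: defaultdict(set))
    queries = Counter()
    for client, qname in records:
        queries[client] += 1
        hosts[client][registrable(qname)].add(qname)
    return {c: {"queries": queries[c], "domains": set(hosts[c]),
                "fanout": max(len(h) for h in hosts[c].values())} for c in queries}

def find_anomalies(baseline, current, volume_factor=2.0, new_domains=2, fanout=4):
    """Compare a current window with the baseline; return (client, reason) pairs to investigate."""
    findings = []
    for client, cur in current.items():
        base = baseline.get(client)
        if base is None:  # a device with no history is itself worth an inventory check
            findings.append((client, "no baseline profile for this client"))
            continue
        if cur["queries"] > volume_factor * base["queries"]:
            findings.append((client, f"query volume {cur['queries']} vs baseline {base['queries']}"))
        unseen = cur["domains"] - base["domains"]
        if len(unseen) > new_domains:
            findings.append((client, f"{len(unseen)} domains not in baseline: {sorted(unseen)}"))
        if cur["fanout"] > fanout:  # many unique labels under one zone: classic beaconing/tunnelling shape
            findings.append((client, f"{cur['fanout']} distinct hosts under one domain"))
    return findings

def run_check():
    return find_anomalies(profile(parse(BASELINE_LOG)), profile(parse(CURRENT_LOG)))
```

Each finding is a lead to investigate, not a verdict; as the interview says, some will turn out to be a breach and others will simply refine your picture of what normal looks like.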

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

The Internet is by nature a socialist experiment. Everyone can connect and share, but everyone must also contribute to infusing trust and respecting privacy to make it work as we would like. Do your part. Protect your network and assets, but also think about protecting everyone else from miscreants or criminals who could harm others from your network as well.

How can our readers further follow your work online?

You can find me at http://securityskeptic.com, or @securityskeptic on Twitter. Follow our Cybercrime Information Center project at https://cybercrimeinfocenter.org or @cybercrimestats on Twitter.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
