Dan Woods, Global Head of Intelligence at F5, spent more than 20 years with local, state, and federal law enforcement and intelligence organizations, including the FBI as a special agent where he investigated cyberterrorism; and the CIA as a technical operations officer where he specialized in cyber operations. We caught up with him to learn about his career to date, his work at F5, and which cybersecurity trends to look out for.
What was it like to work for the FBI?
At the FBI, I investigated all sorts of crimes that had a cyber component. These were not necessarily cybercrimes, but any crime that involved computers or the internet in some way. For example, I worked with the National Center for Missing and Exploited Children (NCMEC) to investigate child pornography; I helped analyze the digital evidence associated with the 2001 anthrax attacks in the U.S. (codenamed Amerithrax); I investigated online fraud cases, which were typically referred by the Internet Crime Complaint Center (IC3); I investigated terrorist indoctrination and fundraising websites; and I investigated the compromise of U.S. government computers. My day-to-day was determined by whatever it took to advance my currently active investigations, or the investigations of another agent I was supporting. Some days, I would be in my workspace the entire time reviewing bank statements, computer logs/images, or telephone records. Or I’d be in the field executing a search warrant or conducting interviews or surveillance; or I’d be in training, attending a conference, or meeting with the prosecutor. The one thing I really enjoyed about being an FBI agent is that each day was different and brought about new challenges.
You were also a Technical Operations Officer at the CIA. What did your work consist of there?
I started in the Office of Technical Service (OTS). This required that I travel all over the world teaching our human intelligence (HUMINT) sources how to use communications systems. I enjoyed this position but it was not strictly cyber, so I looked for other opportunities at CIA.
My next role was my dream job—I was assigned to the Clandestine Information Technology Office (CITO) Computer Network Exploitation and Attack Division (CNEAD) that later became part of the Information Operations Center (IOC), which is part of today’s Directorate of Digital Information (DDI). In this role, I traveled all over the world helping case officers (those who recruited and handled HUMINT sources). This included leveraging HUMINT sources to gain access to computers and other information systems to which they had some level of access. For example, if a case officer (CO) recruited a janitor at the internet service provider of a high-value target, the CO and I would meet with them and ask questions about the environment at the ISP. This might require many meetings over several months, during which we’d provide the janitor with special tools and training for each stage of the operation, ultimately providing the CIA with remote access into the ISP’s systems. The position also allowed me to complete the training required to become a CO. This enabled me to support COs more effectively.
What is the most important lesson you learned while working at those organizations?
Most people are drawn to my experience at the CIA and FBI, and they ask a lot of questions about those organizations. However, the most interesting and life-changing position I ever held was that of a beat cop in the early 90s. I drove a marked patrol car in metropolitan Phoenix, Arizona, and responded to calls related to domestic violence, burglary, forgery, identity theft, shots fired, homicide, gang violence, criminal damage, illegal drugs, missing children or vulnerable adults, stolen vehicles, traffic accidents, and so on. Over the years, this caused me to interview (or interrogate) thousands of people from all walks of life. These interactions taught me compassion, empathy, the value of education, and most importantly, the paramount importance of effective communication.
How has cyberterrorism evolved in recent years? What tools are most used to fight it?
As one would expect, cyber criminals have become more sophisticated over the years, but only to the extent needed to overcome new countermeasures. For example, when organizations started using browser fingerprinting to prevent unauthorized logins, the bad actors developed platforms like the Genesis Marketplace, which not only sells usernames and passwords, but also many of the same attributes from the victim’s machine that are used to generate browser fingerprints. When organizations started to use text message-based 2FA, the attackers started using OTP bots. Attackers don’t evolve until they are forced to evolve. And the tools used to fight against cyberterrorism are the same as for other types of cyber crime. We need to prevent bad actors from gaining unauthorized access to systems regardless of their objective.
Do you think that states and organizations are prepared to fight cyberterrorism, or do they still have a way to go?
States and organizations are not as prepared as they should be. The reasons vary, based on the state and the organization, but some common reasons include: 1) lack of cooperation, or sometimes even an adversarial relationship, between the people who are required, directly or indirectly, to work together to help an organization detect and prevent attacks; 2) mergers, acquisitions, or other events that cause organizations to change or quickly integrate entirely different systems; 3) turnover in personnel that results in the loss of institutional knowledge; 4) malicious insiders; 5) lack of properly trained and adequately funded security teams. Too often, states and organizations try to address all the challenges themselves in-house when the better option is to outsource certain functions to third parties. For example, customer identity and access management, monitoring and management of security devices and systems, collecting and analyzing behavioral biometrics, and identifying and preventing malicious bots. These are all areas that can, and should be, outsourced.
What is the main mistake made in the fight against cyberterrorism?
It again varies based on who is engaged in the fight, but if I had to identify one main mistake, I’d say it’s the lack of cooperation, or sometimes even an adversarial relationship, between the people who are required, directly or indirectly, to work together to help an organization detect and prevent attacks. This could be friction between the security team and the network operations team, lack of alignment between the security team and a business unit, or even a conflict in the objectives between the organization and the state, or states, in which the organization operates. The main mistake is not a technical one; it’s a human one: growing or protecting one fiefdom at the expense of others, hoarding budgets, ineffective communication, outdated policies and procedures, and an overall lack of leadership.
Recently, the European Defense Fund (EDF) freed up 67 million euros to improve its cybersecurity capabilities and to develop tools to combat cyber and information warfare. Is this enough, or is further investment needed?
Not even close to enough. This problem will never be solved, but to approach the solution asymptotically, the price tag would be in the billions. And the human problems I described above would also need to be addressed.
Describe your role as Head of Global Intelligence at F5.
I work with data scientists, engineers, and analysts who examine billions of transactions that flow through F5’s network every day. These transactions are associated with what people from all over the world do online every day. As we analyze the client-side signals associated with these transactions, we find evidence of malicious attacks, the attack infrastructure they use, new attack tools, and new monetization schemes, which we share with our customers through regular threat briefings. We also use these findings as a feedback loop to continually improve the efficacy of F5’s suite of security products.
What do you think the cybersecurity trends will be in the coming years?
Organizations must look forward and plan for the next threat. However, too often organizations spend more time and effort speculating on what might happen next than they do solving the actual problems they face today. For example, credential stuffing still works. This is when a bad actor buys or obtains millions, or even billions, of username/password pairs valid at one or more organizations, and then tries them programmatically against the login application of other organizations. And because of consumers’ habit of reusing usernames and passwords, these attacks end up compromising 0.1% to 3.0% of the attempted accounts. As long as these attacks continue to work, the attackers will not have any incentive to evolve.
Also, as organizations start using 2FA more broadly, attackers will continue to find ways to defeat it, e.g., SS7 compromises, telco insiders, mobile device malware, social engineering, OTP bots, port-outs, and SIM swaps. Going forward, rather than deploying security countermeasures that increase user friction, organizations should instead rely more heavily on client-side signals to help authenticate users. These include behavioral biometrics, as well as signals from the device, user agent, and network. Taken together, these signals can improve security without increasing user friction.
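A small detection example, added here for illustration and not part of the interview or of F5's tooling: it applies the pattern Dan describes (many distinct username/password pairs tried programmatically from one source, with only a small fraction succeeding) to constructed login events, and lists the accounts that need a forced reset. The event fields and the thresholds are assumptions.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed sample data (not real traffic): one stuffing source
    plus a few legitimate users, as (source_ip, username, success)."""
    events = []
    # Attacker at 203.0.113.7 replays 200 leaked username/password pairs;
    # 3 accounts reused their password (1.5%, inside the 0.1%-3.0% quoted).
    for i in range(200):
        events.append(("203.0.113.7", f"user{i:03d}", i in (17, 88, 143)))
    # A real user mistypes once, then succeeds, from her own address.
    events += [("198.51.100.20", "alice", False), ("198.51.100.20", "alice", True)]
    # A small office behind one NAT address: several users, all succeed.
    events += [("192.0.2.50", u, True) for u in ("bob", "carol", "dave", "erin")]
    return events

def stuffing_sources(events, min_users=5, max_success_rate=0.05):
    """Return {source_ip: stats} for sources that look like credential stuffing:
    many distinct usernames from one source with a mostly-failing outcome mix.
    Thresholds are assumptions; tune them against your own baseline."""
    by_ip = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set()})
    for ip, user, ok in events:
        stats = by_ip[ip]
        stats["attempts"] += 1
        stats["successes"] += int(ok)
        stats["users"].add(user)
    flagged = {}
    for ip, stats in by_ip.items():
        rate = stats["successes"] / stats["attempts"]
        if len(stats["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"attempts": stats["attempts"],
                           "distinct_users": len(stats["users"]),
                           "successes": stats["successes"],
                           "success_rate": rate}
    return flagged

def compromised_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged source: these are
    the reused credentials the attacker confirmed, so they need a forced reset."""
    return sorted(user for ip, user, ok in events if ok and ip in flagged)

if __name__ == "__main__":
    evs = build_sample_events()
    hits = stuffing_sources(evs)
    for ip, stats in hits.items():
        print(ip, stats)
    print("force password reset for:", compromised_accounts(evs, hits))
```

The office NAT address is not flagged even though several users share it, because its logins succeed; the distinct-user count alone is not enough, the failure-dominated mix is what separates stuffing from a shared egress.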
Check out more from Dan Woods in his recent blog posts.