Lightning Round with Mike Sikorski:
What is the state of cybersecurity today?
Michael Sikorski, one of the cybersecurity industry’s technical leaders, is the founder and leader of the FireEye Mandiant FLARE team, one of the world’s top reverse engineering and threat analysis operations. Working with Mandiant Incident Response, his team helped uncover the SolarWinds supply chain backdoor malware. Sikorski recently joined Trinity Cyber’s Advisory Board. “I’m really excited to be part of a company that is directly disrupting and messing with the bad guy—live on the wire,” he said at the time. “This is a dream come true as someone who has been cleaning up after intruders and reverse engineering their malware for 14 years.”
Here, Sikorski answers a few quick questions on the state of our industry today.
Former Companies: FireEye Mandiant FLARE Team and Mandiant Advantage Labs
Cybersecurity Claim to Fame: His perennial book Practical Malware Analysis was inducted into the Cybersecurity Canon Hall of Fame in 2019.
Q: Tell us about your time at FireEye.
Sikorski: When I joined FireEye through its acquisition of Mandiant, I had the chance to take all the best reverse engineers from both companies and create a super-mega team called FLARE, where we did reverse engineering, vulnerability analysis, and research and development. Altogether, I’ve been supporting the front lines of incident response and R&D for 14 years between Mandiant and FireEye. And through that time, my team has grown little by little through mergers and acquisitions. We ended up building educational courses on malware analysis and then products to be able to automate malware and threat analysis. We most recently became the innovation center for the Mandiant Advantage platform.
Q: What gets you excited about your job these days?
Sikorski: Outside of the people and raw expertise we have access to, I would say it is our data. And the reason the data we have is special is that we are doing about 400 incident responses a year worldwide. To put that in perspective: If there’s a big hack in Bangladesh, we probably go do the investigation. Any corporation or vendor gets hacked in the United States, we’re likely to be the ones behind the investigation. We’re the first ones to see what those attackers are doing. We know what an attacker is doing right this second, and at a very deep level. I lived through and supported some of the largest and most notable intrusions in history. I’m excited that through my role in Mandiant Advantage Labs we get this frontline data and can quickly put the knowledge we gain internally into the hands of customers.
Q: Based on that experience, who would you say is at risk for being attacked?
Sikorski: Everyone gets breached—period. That has been Mandiant’s motto from the early days. Recently, FireEye disclosed that we were hacked. It wasn’t easy to stomach at first, but due to our expertise, experience, and perseverance, we were able to sort out what happened and discovered the now infamous SolarWinds supply chain backdoor. We ended up uncovering one of the biggest incidents in recent history because they used it against us, something I’m proud to have been a part of solving and sharing with the world.
Q: During an attack, what can Trinity Cyber’s technology offer that others can’t?
Sikorski: Trinity Cyber’s technology takes bad things and makes them benign before they impact your network without tipping off the bad guy. Trinity Cyber makes malicious attachments clean and tricks vulnerability scanners into thinking you’re patched when you’re not.
One of the exciting things from an incident response perspective is Trinity Cyber’s ability to buy you time to figure out what’s really going on. When doing incident response, you shouldn’t go into the situation and say, “Oh, that’s a hacked system. Take it offline and reimage it.” That’s a horrible way to do an incident response. What you should do is take your time, figure out everything that’s going on, and then remove the attacker holistically from the environment. Because if you just play whack-a-mole, trying to fix the situation system by system, the attacker is going to pivot, they’re going to change their tactics and tools, and they’re never going to leave the environment. Trinity Cyber’s technology is a game changer. Trinity Cyber could be messing with the attacker without them realizing that they’re being messed with while you’re doing your investigation. Then you figure out what’s really going on and boom, you get them out of the environment.
Q: Why wasn’t this technology offered before?
Sikorski: People thought about it for sure, but no one really thought that it could be implemented at a speed that would be able to keep up with current rates of network traffic while being a real man in the middle. And nobody actually tried to build it with the knowledge of malware and the knowledge of the threats to be able to actually pull it off. Steve [Ryan] comes in and has the vision and the experience to know that he could pull it off. He is so driven to stop the bad guy, just like FireEye’s CEO Kevin Mandia. They are very similar in that intense goal to get attackers. That, I think, is super cool and motivates me to be a part of their mission. It’s why I believe there’s a sense of shared purpose in the cybersecurity industry today.