Chris Krebs weighs in on zero trust, FBI web shell removal

Regarding the FBI action to silently remove web shells from vulnerable Exchange Servers, former CISA director Chris Krebs said he expects to see the action again if appropriate.

Former CISA director Chris Krebs gave his thoughts on various cybersecurity issues Wednesday during a keynote at Gartner's IT Symposium/Xpo including zero trust and the FBI's decision to remove web shells without victim consent during the earlier days of the Microsoft Exchange Server attacks.

Krebs' keynote, titled "Defend Today, Secure Tomorrow" led Day 3 of the Gartner event. It featured an interview between Gartner vice president and fellow emeritus Neil MacDonald and Krebs, who now leads the cyber consulting firm Krebs Stamos Group with former Facebook chief security officer Alex Stamos.

Krebs was the first director of the Cybersecurity and Infrastructure Security Agency (CISA). He remained in his post from November 2018 until last November, when he was fired by former U.S. President Donald Trump for speaking out against Trump's unfounded claims of voter fraud.

The former CISA director spoke on a matter of issues during the session, primarily involving the government and its role in building a more secure nation. One of the more notable moments came when Krebs was asked about a court-authorized effort announced in April in which the FBI removed hundreds of web shells in Exchange Servers vulnerable to ProxyLogon without the consent of impacted server owners.

Christopher Krebs, former director of the U.S. Cybersecurity and Infrastructure Security AgencyChristopher Krebs

Krebs said the act was part of an operation to seize evidence, and that since it was "wildly successful," he expects the bureau to do it again in the future as appropriate.

"As far as I can tell, and from the number of conversations I've had, it was a wildly successful operation with almost no collateral damage," Krebs said. "I would expect going forward is, if this was the initial test case, I would expect on large-scale activities, like the Exchange attack, the FBI to follow the same playbook. But again, it was very disciplined, they had significant guardrails on the operation. And it was successful with minimal cascading effects."

Krebs also weighed in on zero trust, the security practice and strategy that removes implicit trust and requires strict user authentication methods to implement. President Joe Biden required federal agencies to implement a plan for zero-trust architecture in his major executive order strengthening cyberdefenses that was signed in May.

The former CISA head advocated for the practice and called it "one of your best tools to secure your own environment."

"Zero trust, some might consider it a branding exercise. And certainly I think some products are probably pitching it a little bit more narrow or myopically than it than it deserves," Krebs said. "But I would think about zero trust as exactly what the two words combined tell you. You can't trust the things that are on your network, particularly with this interjection of all the third-party services that we're using. And so, you should go about validating and verifying and each and every transaction."

On ransomware, Krebs said that he stood "staunchly" in the "do not pay" camp, and gave three reasons why: One, the victim is conducting business with a criminal; two, the ransomware decryptors don't always work; three, the victim is investing in a criminal enterprise's ability to cause further damage. He advised businesses with a board to figure out a response plan now, including whether the company will pay, because "when you have that bad day, half the board's probably going to be in Malibu or something like that. You're not going to be able to contact them."

At the end of the presentation, MacDonald asked Krebs for his advice on how CIOs can take advantage of the increased visibility boardrooms have on the importance of cybersecurity.

Though Krebs didn't give direct advice, he made two observations: One, that recent large-scale cyberattacks were "game changers for awareness." And two, that there aren't many meaningful metrics to convey risk to the boardroom.

"The biggest problem or challenge I see right now is that we still don't have good, meaningful metrics for conveying risk to the board. Everybody has struggled with this problem," Krebs said. "Do you do the volleyball charts [or] red, yellow, green? Nobody believes if you give them green, it just frustrates them if you give them red, and if you show them all yellow, what does that even mean? Similarly, percentages. Click-through rates on phishing test. Well, hey, we went from 15% to only 5%, click through, so that's great, yay! Well, who's in the 5%? Oh, it was the CEO. Well, that's bad. So, you know, we have to get better."

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Dig Deeper on Security operations and management