What are the four types of threat detection in industrial security?
There is a considerable amount of market confusion around the types of threat detection, how they are derived, and the uses for each. Sergio Caltagirone and Robert M. Lee of Dragos, Inc., will address those challenges and offer sample use-cases focused on industrial control system (ICS) and industrial internet of things (IIoT) environments, so you can learn more about identifying the best threat detection method for your ICS organization. Register for the webinar.
The Week that Was.
December 1, 2018.
By The CyberWire Staff
Ad fraud botnet sinkholed; botmasters indicted.
A US Federal indictment unsealed Tuesday in Brooklyn charges eight men with several counts related to the ad-fraud scheme 3ve (Infosecurity Magazine). Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko face counts of wire fraud, computer intrusion, aggravated identity theft, and money laundering. Messrs. Ovsyannikov, Zhukov, and Timchenko are in custody and awaiting extradition to the US. The other five remain at large. According to the FBI, the enforcement operation involved many international partners (Threatpost).
3ve had both a data-center and a botnet-based criminal operation. The FBI acknowledged several companies' and organizations' help in taking down the botnet: White Ops, Google, Proofpoint, Fox IT, Microsoft, ESET, Trend Micro, Symantec, CenturyLink, F-Secure, Malwarebytes, MediaMath, the National Cyber-Forensics and Training Alliance, and the Shadowserver Foundation.
How to Budget for Insider Threat Management, Proactively
According to a Ponemon Institute study, 34% of cybersecurity professionals said a lack of budget was a major barrier to effective insider threat management. So, how do you ask for the budget you need to proactively detect and stop insider threats? The latest guide from ObserveIT gives you the in-depth information you need to ask for a dedicated insider threat line item in your cybersecurity budget. Download The Guide to Budgeting for Insider Threat Management today.
A US Federal grand jury has indicted two Iranian nationals on charges related to distribution of SamSam ransomware (Dark Reading). The most well-known and consequential SamSam infestation was the one that took so much of the city of Atlanta offline (Atlanta Journal Constitution), and at considerable cost (WIRED), but other high-profile cases were also named in the indictment, including the extortion attempt at MedStar in Baltimore (Maryland Daily Record). The US Treasury Department has added sanctions on the accused extortionists, particularly interesting because of the novel way the sanctions address the use of cryptocurrencies (Wall Street Journal).
2017 cyberattacks proved more numerous, sophisticated, and ruthless than in years past.
WannaCry, NotPetya, ransomware-as-a-service, and fileless attacks abounded. And, that’s not everything. The victims of cybercrime ranged from private businesses to the fundamental practices of democracy. Read The Cylance Threat Report: 2017 Year in Review Report and learn about the threat trends and malware families their customers faced in 2017.
Power grid reconnaissance.
FireEye warned this week that Russian threat actors are conducting opportunistic reconnaissance of the North American power grid. FireEye calls the threat group “TEMP.Isotope.” It’s also known as Dragonfly 2.0 or Energetic Bear. TEMP.Isotope seems interested, for now, in collection and not disruption, and it operates largely through phishing and waterhole attacks. Some of that collection is thought to be designed with a view to improving Russian power distribution, but it’s difficult to read much of the rest as anything other than battlespace preparation. Reconnaissance itself takes a toll in terms of what FireEye calls “degradation,” in the counterintelligence sense of the word. Reconnaissance consumes security resources, wearies security teams, and forces certain defensive responses. And, of course, it can lay the groundwork for some future disruptive attack (WIRED).
Get your copy of the definitive guide to threat intelligence.
We brought together a team of experts and wrote the definitive guide to everything you need to know about threat intelligence. Whether you work in vulnerability management, incident response, or another part of cybersecurity, our book has something for you. Get your free copy of “The Threat Intelligence Handbook” now.
"Snakemackerel" (a.k.a. APT28 or Fancy Bear, that is, Russia's GRU) is pursuing a campaign largely focused on collection against the UK. The phishbait it's using is chatter about the state of Brexit (Accenture).
Ground Truth or Consequences: the challenges and opportunities of regulation in cyberspace.
CyberWire-X is a new series of multi-part specials we’ve launched to share deeper discussions of important, complex security topics affecting individuals and organizations every day, and all over the world. Our first episode takes a closer look at cyber security regulation in the US. We hear from our Sponsor Gemalto as well.
Cobalt Dickens goes back to college.
Iranian threat group Cobalt Dickens is actively prospecting targets in universities. Secureworks’ Counter Threat Unit says they’re after credentials, and that they’re using familiar social engineering tactics. The targeted universities are found in at least ten countries.
EternalSilence shows, again, the need to patch ShadowBrokers' leaked exploits.
Security researchers at Akamai report that a UPnProxy vulnerability enabling exploitation of the Universal Plug and Play protocol is now being used to hit unpatched devices behind router firewalls. Attacks use EternalBlue and EternalRed, which the ShadowBrokers released (and said were NSA exploits) against targeted computers. Akamai calls the campaign “EternalSilence.” As Akamai points out, “this was bound to happen eventually.” More than 45,000 routers are believed to be compromised so far. It’s worth noting that the vulnerabilities these exploits use have been patched for some time, but there’s clearly no shortage of unpatched systems out there (ZDNet).
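The defender's check this item implies is an audit of the router's own UPnP port-mapping table. The following is an added example, not Akamai's tooling or the article's code: it parses constructed GetGenericPortMappingEntry responses (the WANIPConnection SOAP shape an IGD router returns) and flags entries whose "internal" client lies outside the RFC 1918 LAN ranges (the router relaying for an outside host, the original UPnProxy abuse), entries forwarding SMB ports 139/445 (the exposure EternalBlue/EternalRed need), and entries carrying the rule description Akamai reported on injected mappings.

```python
"""Audit UPnP IGD port mappings for UPnProxy / EternalSilence-style injected rules.
Added example (not Akamai's or the article's code); the SOAP responses are constructed."""
import ipaddress
import xml.etree.ElementTree as ET

SMB_PORTS = {139, 445}                           # what EternalBlue/EternalRed need exposed
INJECTED_RULE_NAMES = {"galleta silenciosa"}    # rule name Akamai reported on injected entries
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SOAP = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">{}'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

def soap_entry(ext, proto, client, internal, desc):
    """Build a constructed GetGenericPortMappingEntry response body."""
    return SOAP.format(
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>")

# Constructed mapping table: one legitimate entry, two injected ones.
SAMPLE_RESPONSES = [
    soap_entry(51413, "TCP", "192.168.1.20", 51413, "torrent client"),
    soap_entry(47330, "TCP", "192.168.1.35", 445, "galleta silenciosa"),
    soap_entry(8080, "TCP", "203.0.113.7", 8080, "proxy"),  # "internal" host is outside the LAN
]

def parse_mapping(xml_text):
    """Extract the New* fields from one SOAP response, ignoring XML namespaces."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return {"external_port": int(fields["ExternalPort"]),
            "protocol": fields["Protocol"].upper(),
            "internal_port": int(fields["InternalPort"]),
            "internal_client": fields["InternalClient"],
            "description": fields["PortMappingDescription"]}

def audit_mapping(m):
    """Return the reasons a mapping looks injected (empty list if it looks clean)."""
    reasons = []
    ip = ipaddress.ip_address(m["internal_client"])
    if not any(ip in net for net in LAN_RANGES):
        reasons.append("internal client is outside the LAN: router is relaying for an outside host")
    if m["protocol"] == "TCP" and m["internal_port"] in SMB_PORTS:
        reasons.append(f"exposes SMB port {m['internal_port']} on {m['internal_client']}")
    if m["description"].lower() in INJECTED_RULE_NAMES:
        reasons.append("rule name matches the description seen on injected entries")
    return reasons

def audit_all(responses):
    """Map external port -> reasons for every mapping that raises at least one flag."""
    flagged = {m["external_port"]: audit_mapping(m) for m in map(parse_mapping, responses)}
    return {port: reasons for port, reasons in flagged.items() if reasons}
```

Against a real device the responses would come from walking NewPortMappingIndex until the router returns an error; the heuristics stay the same, and a clean table that still shows up as exposed from outside points at the router itself rather than at its mapping list.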
Marriott's Starwood reservation system breached.
Hotel-chain Marriott disclosed Friday that data belonging to about 500 million guests over the last four years has been illicitly accessed. Attackers have been in the company’s Starwood guest reservation database since 2014 (Wall Street Journal). The brands affected included more than just “Marriott:” W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels were all hit (SecurityWeek). Most of the affected guests, around 375 million of them, lost data that included contact information (name, address, phone number, email address), passport number, Starwood Preferred Guest account information, date of birth, and gender. An undisclosed number of guests also lost paycard information (ZDNet).
Crime and punishment.
According to Motherboard, the FBI has begun using fake websites (in at least one case a bogus FedEx website) and "booby-trapped" Word documents against a wider variety of crimes. Hitherto such tactics had been largely confined to investigation of child pornography and bomb threats.
New York will extradite Nicholas Truglia to face twenty-one California felony charges involving his alleged extraction of Bitcoin in sim-swapping scams. Mr. Truglia's preferred targets are said to have been Silicon Valley executives. He'll surrender to the Santa Clara District Attorney this month (Naked Security). (Santa Clara is in Silicon Valley.)
Ukrainian police collared an unnamed man in Lviv on charges related to his distribution of the DarkComet remote access Trojan. DarkComet has had some high profile illegal clients, including the Syrian regime (Infosecurity Magazine).
Police in India have raided sixteen tech support scam boiler rooms. The scammers' victims were for the most part in Canada and the US (Dark Reading).
Police in Hessen have been searching the Frankfurt offices of Deutsche Bank's board in search of money-laundering evidence connected with the Panama Papers leak (Reuters).
A US Federal Court has ruled that, for now at least, the Department of Justice need not reveal a sealed indictment against Wikileaks founder Julian Assange, even though a bungled cut-and-paste job in an unrelated set of documents Justice released appeared to contain some notes about just such an indictment (Washington Post).
A French civil servant, Benoît Quennedey, has been arrested on suspicion of treason and "supplying information to a foreign power," in this case North Korea. M. Quennedey "holds a senior position in the French Senate's department of architecture, heritage and gardens." He's also the president of the French-Korean Friendship Association, which promotes better relations with Pyongyang (BBC).
The US Department of Justice has now charged Autonomy founder Mike Lynch with fraud in connection with the 2011 sale of his company to HP for $11 billion (TechCrunch).
Ten hoods in Ohio have been sentenced to varying prison terms on Federal charges of installing paycard skimmers on gas pumps (HackRead).
Courts and torts.
Google is facing complaints that it failed to comply with EU strictures against alleged anti-competitive practices in Google Shopping (Computing).
Russian authorities have filed a civil suit against Google, alleging that the company has failed to comply with Russian laws controlling search results and content distribution (Reuters). Read this as noncompliance with censorship policies.
Baden-Württemberg's Data Protection Authority has issued Germany's first fine under GDPR. Social chat platform Knuddels.de, described as "flirty," sustained a data breach that exposed roughly 808 thousand email addresses and more than 1.8 million usernames and passwords. Knuddels was fined €20 thousand (BleepingComputer).
Ireland's Data Protection Authority has been taking a close look at LinkedIn's targeted advertising, especially its use of data to suggest connections to users. The suggested connections in many cases were non-users of LinkedIn. The concerns appear to be on their way to a relatively amicable resolution, with LinkedIn taking pains to establish that it's been acting in good faith and is willing to abandon practices that might run afoul of GDPR. No fines have been levied (TechCrunch).
The US is filing suit against companies in Singapore, Hong Kong and China, alleging that they helped North Korea launder some $30 million (Wall Street Journal).
Policies, procurements, and agency equities.
Stung by the outing of GRU officers involved in the Salisbury nerve agent attack, Russia is tightening control over personal information. A draft law before the Duma would criminalize the unauthorized creation and publication of databases drawn from official sources. Another regulation would increase penalties imposed on firms that fail to observe requirements to delete certain search results, share encryption keys with security services, or store all data maintained about Russian citizens on servers located in Russia (Reuters).
US Federal agencies will soon be scored and ranked on their cyber hygiene by the Department of Homeland Security (Nextgov).
US Cyber Command intends to award a sole-source contract to Enlighten IT under which the consultancy would manage its Big Data Platform program, but on Monday issued a notice to industry asking if a full competition might be warranted (Nextgov).
Lengthy acquisition lead times have long troubled the US Defense acquisition system: it takes, studies suggest, seven years' gestation for an idea to be realized in a contract (and longer for it to reach the field), but tech products have just a three-year lifecycle (Fifth Domain). The challenge is even more acute in the cybersecurity sector, where students of the problem see the acquisition system as effectively a vicious circle that will reinforce technological inferiority (Cyber Defense Review). Faster procurement vehicles (like Other Transaction Authorities) may not survive Government Accountability Office scrutiny in forms that will ameliorate the problem.
Fortunes of commerce.
New Zealand has joined general Five Eyes skepticism about Huawei. The government turned down, on grounds of national security, a plan by Spark New Zealand to use Huawei equipment in its forthcoming 5G network (BBC). Papua New Guinea, over strong advice to the contrary from Australia and the US, did decide to let Huawei play a prominent role in an undersea telecoms cable serving the nation (Wall Street Journal), so Huawei's got that going for them. On the other hand there may be signs of internal displeasure: in an honor roll published to recognize forty years of a more open economy, the Chinese Communist Party pointedly omitted the name of Huawei's founder (TechCrunch).
ZTE, contracted by Venezuela's government to enhance identity management and security controls in that rapidly failing state, is under fresh US scrutiny for the apparent violation of sanctions in effect against the Caracas regime (TheHill).
Google's plans for Project Dragonfly, a censorship-optimized search engine designed for the Chinese market, continue to rile employees who see the initiative as the opposite of not being evil (Guardian). Planning is reported to have been closely held, with Mountain View's privacy and security teams excluded from the process, which took pains to avoid creating written, let alone internally available, records of how Dragonfly might be realized (Intercept).
Geographical note to consumers of journalism: Silicon Valley is a relatively small area just south of San Francisco. The State of California as a whole is not "Silicon Valley." For example, Orange County, California, home to a number of tech and security companies, is about 375 miles from Silicon Valley. It's not quite "Hollywood" or "the Inland Empire" either, but those two would be closer, just a couple of coastal ranges away. Putting Southern California in "Silicon Valley" is a little like describing Glasgow as being "somewhere in the Midlands." Maybe this is geography of the spirit, but even so telling someone in Orange County that they're in Silicon Valley is a little like wearing cowboy boots in New York or Lederhosen in Berlin. It can be done, but actually doing so would seem really out-of-place.
So having thus cleared our metonymic palate, we note the emergence of Anduril in Orange County. The start-up has hired the former director of the Senate Armed Services Committee staff, Christian Brose, as its strategy lead. The company offers battlefield situational awareness products that fuse surveillance, mesh networking, and artificial intelligence with virtual or augmented reality (Defense News). Elendil's broken sword Narsil was renamed Andúril (Quenya for "Flame of the West") after its reforging in Rivendell. As you might infer from this, Anduril's CEO and COO are alumni of that other Tolkien-themed company, Palantir, which is in fact headquartered in Palo Alto, and Palo Alto unlike Orange is smack in the middle of Silicon Valley.
Facebook had a rough week, with allegations it sought to smear George Soros (New York Times) and unfriendly inquisition in London over its data handling and competitive practices (Guardian). Westminster did some strong-armed collection of emails (Ars Technica).
Part of the difficulty in filling open cybersecurity jobs may lie in a tendency to look for the wrong credentials. A too-narrow focus on computer science degrees may lead companies to overlook talent that could do the work they need done (Computing). Some such talent may need to be formed and developed internally (Computing).
From an industry perspective, is it wise to hire reformed black hats? The obvious answer is, "it depends on the individual" (Computing).
One group about whom industry has few doubts is military veterans entering the civilian workforce: Facebook and Synack are working to attract more veterans to the sector (Dark Reading).
Whatever problems industry has finding talent, it's generally able to out-compete government agencies on pay and benefits (Daily Signal).
Mergers and acquisitions.
After strong interest prompted by the announcement that it would acquire Cylance, BlackBerry shares have experienced a bit of a sell-off (Seeking Alpha). Any acquisition with a $1.4 billion price tag is as likely to arouse investor jitters as speculative excitement; the market's jury will be out on this move for some time.
Investments and exits.
Venafi has received $100 million in an investment round led by TCV, with participation by existing investors QuestMark Partners and NextEquity Partners. Venafi intends to allocate $12.5 million of the funds to its Machine Identity Protection Development Fund. Third-party developers will be able to receive support from that fund (CRN).
Michigan-based Censys, provider of Internet security data, has raised a $2.6M seed round led by GV and Greylock. Censys intends to use the money in part for key engineering and product development hires (Odessa American).
Companies handling personally identifiable information have, generally speaking, regarded the EU's GDPR with trepidation. But GDPR may be working to consolidate the strong position market leaders Google and Facebook hold: there are indications that the privacy regulation may be inhibiting the formation of start-ups that might challenge Big Tech with disruption (POLITICO). That said, there are some search start-ups that do see an opportunity for disruption by featuring privacy (AP).
Today's issue includes events affecting Australia, Bulgaria, Canada, China, Estonia, European Union, Germany, India, Iran, Israel, Democratic People's Republic of Korea, Malaysia, New Zealand, Papua New Guinea, Russia, Singapore, Syria, United Kingdom, United States.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.