SANS 2018 Cyber Threat Hunting Survey

See the results of the 2018 Cyber Threat Hunting Survey. Survey results from 600 respondents show that hunting is still new and poorly defined from a process and organizational standpoint. Most organizations are still reacting to alerts and incidents instead of proactively seeking out the threats. Threat hunting itself cannot be fully automated. The act of threat hunting begins where automation ends, although it leverages automation heavily. Find out how organizations are finding success in their threat hunting practice.

The week that was.

Pyongyang is after ATMs.

Cash-strapped North Korea is hacking ATMs (SecurityWeek). For a nation-state this seems low-grade hooliganism, like mob soldier Lefty Ruggiero bashing the tops off parking meters in Donnie Brasco. But there's much more afoot in Pyongyang than petty jackpotting (Fortune).

Controlled unclassified information requirements affect federal contractors.

Cleared Defense Contractors will see DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, compliance requirements appear in DoD contracts. These requirements must be implemented within 30 days of contract award. The Information Security Oversight Office (ISOO) is responsible for one of those requirements, implementing the NIST SP 800-171. Learn more about CUI compliance in this joint webinar presented by ISOO and SecureStrux.

Developing: seeding attacks on the supply chain?

Bloomberg Thursday reported that China had succeeded in compromising US computer hardware supply chains with maliciously crafted chips. The chips, Bloomberg says, were found in motherboards of servers intended to handle, among other things, US Government files and other sensitive material. They are reported to have turned up in equipment made for both Amazon and Apple.

Apple is said to have noticed the issue "around" May 2015, and to have quietly informed the FBI. Bloomberg says Amazon discovered the problem shortly thereafter. Video encoding shop Elemental Technologies, since 2015 an Amazon subsidiary now folded into Amazon Prime Video, engaged Supermicro to assemble its servers. Supermicro used Chinese subcontractors in the process, which is where the compromise is thought to have occurred. Bloomberg says Amazon noticed something fishy—very small chips on the motherboards, not part of the design—during a security review of the equipment.

Their tip to the Government opened an investigation—Bloomberg calls it "top-secret"—that remains open three years later. Among the results Bloomberg reports is a finding that the chip established a persistent backdoor into the system on which it was mounted. If this is what happened, it would be a seeding attack, with malicious hardware placed upstream in the supply chain, whence it would eventually find its way into targeted systems. The other class of hardware attack that's sometimes discussed is an interdiction attack, in which finished devices are altered while they're in transit between manufacturer and end-user.

Some thirty companies in various sectors are thought to have been affected. Supermicro, whose hardware is used in a wide variety of systems, told Bloomberg they know nothing about the alleged incident or any investigation.

Both Apple and Amazon strongly deny the incident ever happened. Amazon said, "It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental." Amazon also said that "at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems." Apple wrote, "On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server" (CNBC). Their denials are sharply worded and unambiguous, and both companies say they've told Bloomberg the story is untrue (CRN).

The Chinese government deflected direct questions about what did or did not find its way into Supermicro hardware, issuing a pious statement about logistics saying in part, "Supply chain safety in cyberspace is an issue of common concern, and China is also a victim" (Bloomberg).

No comment from the FBI or the Office of the Director of National Intelligence, but Bloomberg stands by its story, which it sources to "six current and former senior national security officials."

The UK's National Cyber Security Centre has said it has "no reason to doubt" Amazon's and Apple's denials (CRN). The story is still developing, murkily (TechCrunch). 

Create a culture of cybersecurity awareness with Coachable Moments.

According to The Ponemon Institute, two out of three insider threat incidents are caused by employee or contractor mistakes. The good news is, these mistakes can easily be avoided ... with the right coaching. Just in time for Cybersecurity Awareness Month, the Coachable Moments series from ObserveIT gives cybersecurity teams the tools they need to empower people to understand the policies and best-practices intended to keep them safe. Check out Coachable Moments today to learn more.

Naming, shaming, expelling, and indicting.

Russia's GRU has been again officially named as a bad actor by five Western countries (Atlantic Council). (The GRU, known under some aspects as "Fancy Bear," is Russia's military intelligence agency, established in Soviet times and continuing to this day, lame attempts to rebrand it as "GU" notwithstanding.) The Netherlands kicked out four GRU personnel after linking them to an attempted cyberattack on the Organisation for the Prohibition of Chemical Weapons (OPCW), the international agency investigating the Novichok attacks in Salisbury, England (Deutsche Welle). Australia and the UK accuse the GRU, in some detail, of cyberattacks against the World Anti-Doping Agency (WADA), the US Democratic Party, and others. Among their formal attributions to the Russian service is the BadRabbit ransomware campaign (SecurityWeek). Canada, which hosts the World Anti-Doping Agency in Montreal, joined in the condemnation, saying officially that it "assessed with high confidence" that the GRU was responsible for hacking WADA (SecurityWeek).

It's worth noting that the attempts on WADA and OPCW appear to have been intended as attacks on data integrity, altering information rather than simply stealing or destroying it, which has been the more common pattern in cyberattacks. It's also worth noting that these are official confirmations of what have for some time been consensus attributions.

And the US Department of Justice Thursday indicted seven GRU officers on charges related to the hacking of WADA and other organizations around the world (SecurityWeek). The indicted officers were all charged with conspiracy to access computers without authorization, wire fraud, and money laundering for buying computer equipment with cryptocurrencies. Five were charged with aggravated identity theft. One was charged with wire fraud specifically for engaging in spearphishing. The Maleficent Seven are Ivan Sergeyevich Yermakov, Aleksei Sergeyevich Morenets, Alexey Valerich Mirin, Artem Andreyevich Malyshev, Dmitriy Sergeyevich Badin, Evgenii Mikhaylovich Serebriakov, and Oleg Mikhaylovich Sotnikov (US Department of Justice).

SecurityWeek has some interesting thoughts on misattribution as revealed in an earlier round of GRU indictments. 

Optimize your security teams with threat intelligence.

At Recorded Future, we believe every security team can benefit from threat intelligence. That's why we've launched our new Threat Intelligence Grader — so you can quickly assess your organization's threat intelligence maturity and get best practices for improving it. Get your Threat Intelligence Score™.

Information operations: conflict, but not military-on-military.

US Vice President Pence accused China of widespread influence operations directed against US midterm elections (Atlantic Council). Chinese authorities angrily denied the claims (Deutsche Welle). Chinese influence operations seem more aimed at shaping policy than at simple disruption (Foreign Policy). In this they resemble traditional propaganda more than they do the social-media-savvy operations of Russia's Internet Research Agency, for example. Some look at social media and seek to adapt lessons from Clausewitz to what they call "LikeWar" (Foreign Affairs). FireEye CEO Kevin Mandia sees cyber conflict evolving into people-to-people contests, a whole-of-nation approach to war in the new domain (Fifth Domain).

2017 cyberattacks proved more numerous, sophisticated, and ruthless than in years past.

WannaCry, NotPetya, ransomware-as-a-service, and fileless attacks abounded. And, that’s not everything. The victims of cybercrime ranged from private businesses to the fundamental practices of democracy. Read The Cylance Threat Report: 2017 Year in Review Report and learn about the threat trends and malware families their customers faced in 2017.

Cryptowars update.

Tech giants have united to advise Australia against adopting laws that industry argues would dangerously weaken encryption. On Wednesday the industry lobbying group Alliance for a Safe and Secure Internet announced that Facebook, Apple, Alphabet (Google's corporate parent), and Amazon would work to convince Parliament to modify the pending bill. As it stands, the legislation under consideration would impose fines of up to $10 million on organizations that failed to comply with court orders to give authorities access to private data. Individuals who failed to comply would face prison (CRN).

Product development or cognitive dissonance?

Jigsaw, the cyber outfit owned by Google's corporate parent Alphabet, has introduced a security app, "Intra," that's designed to enable evasion of censorship in countries that censor (TechCrunch). One wonders whether Intra would circumvent Google's "Dragonfly" censored search engine inside the Great Firewall (Engadget).

Intra or not, US Vice President Pence this week suggested to Google that enabling Chinese censorship wasn't a good idea (Washington Examiner).

Patch news.

Adobe fixed eighty-five issues in Acrobat and Reader (Naked Security). Google addressed six remote code execution vulnerabilities in Android (Threatpost). Microsoft's October patches are due Tuesday, and industry observers are offering some predictions (Help Net Security).

Crime and punishment.

Vincent Ramos, former CEO of Phantom Secure, copped a guilty plea to racketeering in a US Federal Court this week. Mr. Ramos admitted that his company facilitated drug distribution by providing criminals hardened BlackBerry devices "designed to thwart law enforcement" (Ars Technica). Phantom Secure is not to be confused with Phantom, the subsidiary of Splunk.

A former junior Democratic Congressional staffer was arrested by Capitol Police for doxing Republican Senators and threatening potential witnesses. The police say they caught Jackson Cosko sneaking into the office of Senator Maggie Hassan (Democrat of New Hampshire) late Tuesday night to log onto an aide's computer. Mr. Cosko says he didn't do it (Washington Post).

Courts and torts.

Ireland's Data Protection Commissioner, the one-stop-shop EU regulator responsible for overseeing Facebook's GDPR compliance, Wednesday confirmed that it was investigating the company's recent breach (Reuters). Fines could reach €1.4 billion. The company is likely to face legal action in the UK as well (Telegraph).

The UK's Financial Conduct Authority has fined Tesco Bank £16.4 million for succumbing to what regulators call a "largely avoidable" cyberattack (New Statesman).

Finjan continues to aggressively enforce its intellectual property claims. It's filed a lawsuit against Rapid7, alleging violation of seven Finjan patents (Reuters).

Policies, procurements, and agency equities.

The US Senate unanimously passed the Cybersecurity and Infrastructure Security Agency Act of 2017, which cleared the House (also unanimously) late last year. The bill redesignates the Department of Homeland Security’s National Protection and Programs Directorate as the Cybersecurity and Infrastructure Security Agency, making it the lead civilian agency for cybersecurity and critical infrastructure protection (Fifth Domain).

Fortunes of commerce.

Facebook continues to suffer from a convergence of breaches, scandals, and perceived missteps (SecurityWeek). The data abuse scandals associated with Cambridge Analytica continue to raise hackles. So does Facebook's use of the phone numbers people submitted so they could enable multifactor authentication—setting up two-factor authentication, many object, doesn't count as an invitation to use one of the factors to target advertising more sharply (Naked Security). And, of course, the data breach hasn't been good news at all. Still, while observers lament the degree to which users are the product and not the priority, there's widespread recognition that a system as complex as Facebook's presents a vast and shifting attack surface that may be beyond anyone's ability to manage. An article in TechCrunch makes this case, and with it a case for learned helplessness. It might be said that with IT, the problem isn't that you become too big to fail, but rather that you become too big to do anything but fail, at least when it comes to security.

Some of the post-Facebook-breach advice on offer gets mixed reviews (CNET).

The US Federal Trade Commission closed an antitrust investigation of Google without taking action, but the Justice Department may be considering its own anti-trust inquiry. Justice told Congress this week that the Android OS might be the focus of any probe (New York Post).

Lenovo and ZTE aren't mentioned in connection with the supply chain compromise Bloomberg reported, but speculators see trouble in the tea leaves, and punished both companies' share prices Friday in anticipation of a general backlash against Chinese IT hardware makers (Reuters).

Labor markets.

How important is formal education to the practice of cybersecurity? Consensus seems to be that it is, but the reasons for this are unclear (Security Boulevard).

Mergers and acquisitions.

Two companies from Northern Virginia, Reston-based risk quantification shop Evolver Inc. and Lorton-based electronic security solutions company eVigilant Security, have merged to form Converged Security Solutions (CSS). The combined company will offer both cyber and physical security services and solutions, with a workforce of about two hundred and some $50 million in revenue (Washington Business Journal).

Exostar has acquired secure access management shop Pirean with a view toward increasing its share of the pharmaceutical sector's cybersecurity market. Pirean is seen as offering smoother, quicker, more secure access to clinical apps and data (Outsourcing Pharma).

In a cloud security play, Palo Alto Networks is acquiring RedLock for $173 million (TechCrunch).

Cloudera and HortonWorks, big data competitors, have announced their merger, valued at $5.2 billion (CRN).

Investments and exits.

Tanium, now a unicorn more than six times over, has raised an additional $200 million, bringing its valuation to $6.5 billion. The funding round was led by Wellington Management, with participation by Baillie Gifford & Company and Adage Capital Management LP. This $200 million comes less than five months after Tanium raised $175 million (TechCrunch). The company is also believed to be delaying its IPO: it doesn't really need the money (Financial Times).

Kumo Capital Partners, a pooled investment fund led by Virgil Security's Dmitry Dain, has filed a ceiling of $150 million with the Securities and Exchange Commission in its Form D (Washington Business Journal).

Iron Bow announced an equity partnership with H.I.G. Capital (Odessa American).

San Francisco-based Gremlin, which offers "failure-as-a-service" (application-level fault injection for testing enterprise resiliency), has raised $18 million in a Series B round led by Redpoint Ventures (Help Net Security).

Hysolate announced on Wednesday that it had closed an $18 million Series B round led by Bessemer Venture Partners and Innovation Endeavors, with participation by NGP Capital. Based in Tel Aviv and New York, Hysolate intends to use the funding to support increased market penetration by its Hysolate Platform, a software-defined endpoint protection solution (Hysolate).

CloudKnox is out of stealth, with its cloud security platform and $10.75 million in funding from ClearSky Security, Dell Technologies Capital, and Foundation Capital (BusinessWire).

Perch Security has announced a $9 million Series A round led by ConnectWise with participation by existing investor Fishtech Group. Perch, whose offerings combine self-service threat intelligence tools with a managed security operations center, will use the funding to expand software development, marketing and customer success (PRNewswire).

Randori has emerged from stealth, with a $9.75 million investment led by Accomplice, with participation from .406 Ventures and Legion Capital. Boston-based Randori offers what it calls "the first nation-state calibre attack platform," that is, a stress test that emulates the threat from a high-end state actor. Their offering would supplant traditional penetration testing (BusinessWire).

Hmatix has raised $500 thousand in seed capital. The California-based company, founded last year, offers an "autonomous, hardware-based, endpoint cybersecurity solution for industrial IoT." Hmatix has a particular interest in the medical IoT (Help Net Security).

And security innovation.

Sir Tim Berners-Lee (who has as much claim as anyone else to having “invented” the Internet) has started a company, Inrupt, designed to foster adoption of Solid, a decentralized mode of organizing the World Wide Web (Computing). It's seen as an attempt, in effect, to restart the Internet in the light of what's been learned about security, privacy, and concentration of control (Quartz).

The US Department of Energy announced $28 million in funding for research, development and deployment of tools to build resilience in the US energy infrastructure (Department of Energy).

New York is making a push to become a cybersecurity hub. NYC Cyber has introduced five new startup programs (TechCrunch).

Commonwealth Cyber, Virginia's economic development initiative, is ready to enter its next phase (Virginia Tech News).

Maryland's DreamPort has some early winners in its rapid prototyping competition. Northrop Grumman's Xetron team took away the prize in Defense (Northrop Grumman). We hear from people at DreamPort that Draper Labs won the Offense competition, and CrowdStrike received an honorable mention on the basis of their overall performance. 

It's National Cybersecurity Awareness Month in the US. Also, US Fiscal Year 2019 has begun.

The FBI would like to remind everyone, during this Cybersecurity Awareness Month, that all have a part to play (Federal Bureau of Investigation). And to all our Fed friends, a happy fiscal new year. May you get those EW and cybersecurity tools you're wishing for (Fifth Domain). (As for you, GRU, may Ded Moroz and Snegurochka leave you coal. Not quite the season yet, of course, but it's the thought that counts.)


This CyberWire look back at the Week that Was discusses events affecting Australia, Canada, China, New Zealand, Russia, United Kingdom, United States.

On the Podcast

Research Saturday is up. In this week's edition we learn about criminal cryptojacking. Researchers at Palo Alto Networks' Unit 42 have been tracking the rise of cryptocurrency mining operations run by criminal groups around the world. Ryan Olson, vice president of threat intelligence at Palo Alto Networks joins us to share what they've learned.

THE CYBERWIRE
Compiled and published by the CyberWire editorial staff. Views and assertions in source articles are those of the authors, not CyberWire, Inc.