Black Hat, BSides, and Def Con
We're in Las Vegas at Black Hat this week. Here are some of the stories that have caught our eye.
The interpenetration of criminal groups and espionage services.
Sometimes it's a protection racket; at other times it's more like moonlighting. APT41 seems to be moonlighting.
FireEye released a report this morning on APT41, a Chinese group that has been observed running espionage operations as well as financially motivated criminal campaigns. At Black Hat last night, FireEye's John Hultquist, Nalani Fraser, and Barry Vengerik summarized the report and took questions on it. APT41 is known for targeting the video game industry, which the researchers believe reflects a personal interest in gaming turned to financial gain. They said the group's activities shifted significantly in late 2015, moving away from intellectual property theft and toward strategic intelligence gathering across multiple industries, including healthcare, telecoms, high-tech companies, and software supply chains. At the same time, APT41 continues to target the video game industry for what appears to be personal financial gain, although the researchers noted it was strange that the Chinese government would allow the group to use, for personal ends, the same tools it uses in state-sponsored campaigns.
"Broken, as an industry."
At Synopsys' Codenomi-con last night, we heard Chris Roberts, Chief Security Strategist of Attivo Networks, say that "we are arguably broken, as an industry." He pointed out that companies have increased their spending on cybersecurity to billions of dollars, while data breaches continue to rise. There could of course be a causal relationship here: if attacks increase, it's reasonable to expect spending on security to increase with them, and rising breach counts alongside rising budgets would then be no paradox. But Roberts sees this as a sign of misapplied effort, and not as a case of the Butterfield Effect.
He criticized disproportionate spending on conferences and marketing, and an inordinate focus on technologies and buzzwords that don't really help customers. To fix this, Roberts said, cybersecurity companies need to do a much better job of listening to their customers. He also argued for an increased focus on proactive response, rather than simply detecting malicious activity. And the industry, he said, needs to start bringing in fresh blood from other sectors, particularly people who know how to operate safety-critical systems, such as engineers. (As an aside, we note that an umpire at the US Naval War College's recent cyber war game reached a similar conclusion about a role for operating engineers.)
For organizations, Roberts recommended increasing awareness training to at least a monthly frequency, pointing out that attackers adapt their phishbait to match the time of year. Having a plan is essential, even if that plan is as simple as knowing whom to contact when things go wrong. Finally, Roberts argued that you can’t measure security—you can only measure risk. Organizations need to construct their defenses based around this concept, knowing that nothing can be completely secured against every threat.
Roberts concluded by quoting Dr. Martin Luther King Jr.: “We may have all come on different ships, but we're in the same boat now.”
We'll have further observations from Black Hat (and Def Con) throughout the week.