We'll be observing the Christmas and New Year holiday season next week, and so the CyberWire will take a break from publication. The Daily News Briefing won't publish next week, but we'll be back to our normal schedule on January 2nd. See you in 2020, and all our best wishes to you for Christmas, Chanukah, and New Year's Day. And, as always, thanks for reading.
Everyone says that we need to build security in, but when it comes to app development, security seems always to be at war with speed. Besides, app developers are always more concerned with function. You want them to care about functionality, so help them with security. It’s critical, and Code Dx can help you help them. Code Dx automates the tough parts of AppSec so your developers can use their mad skilz where they really pay off. Help them help you.
The Guardian reports that Pegasus spyware, the intercept tool produced and sold by NSO Group, has been found on the phones of several senior officials in Pakistan’s defense and intelligence services. The infestation apparently took advantage of the same weaknesses in WhatsApp that enabled Pegasus to be installed on devices belonging to journalists and activists in India. The Indian cases appear to have been, potentially, instances of domestic surveillance, and their discovery prompted a public scandal and parliamentary inquiries in India. The Pakistani case seems, the Guardian says, to represent “state-on-state” espionage.
Deep Instinct's dissection of Legion Loader displays an impressive mix of bad things. ZDNet calls Legion Loader a "grab bag," including as it does "information-stealing trojans, a remote backdoor, a cryptojacker and a cryptocurrency stealer."
Britain's Financial Conduct Authority is investigating a possible case of eavesdropping on Bank of England press conferences. High-speed traders are thought to have gained unauthorized access to the press conferences slightly before they were made public, which would have given them material information a few seconds early. As Law360 points out, a few seconds can be a considerable advantage in trading.
The city of Frankfurt, a German and European financial hub, shut down its municipal networks after they were infected with Emotet, ZDNet reports. The city is in the process of recovery.
Bogus greetings purporting to be from climate activist Greta Thunberg, Proofpoint warns, are serving Emotet. ZDNet reports that Taylor Swift images deliver cryptojackers. PCMag says phony Rise of Skywalker files are carrying malware.
Today's issue includes events affecting China, Denmark, France, India, Italy, Pakistan, Russia, Switzerland, and the United States.
Bring your own context.
The "1-10-60 rule," what's up with that?
"This 1-10-60 rule really is defined, as we see it, as the ability to detect in a minute, investigate in 10 minutes or less and be able to remediate the attack in less than an hour. And why is this important? This is important because another metric that we measure, breakout time, is the amount of time it takes an attacker from their initial entry point into a customer's network or environment until the time that they're able to move to a target or move laterally in a customer's environment. And what we see in the metrics that we track is that well-funded, advanced nation-state and e-crime threat actors typically move quickly. On average, it's about an hour and 58 minutes, which is a really tight window for organizations to be able to detect, triage and remediate that issue from becoming a bigger issue. And that's the importance of 1-10-60. We've reported in our global threat report last year some of the metrics around advanced nation-state adversaries, like Russian nation-state actors, or Bears as we refer to them, that can move in some cases in less than 20 minutes - 18 minutes and 49 seconds to be factual. Nation-states that we call Chollimas, they're the next fastest threat actor group that we're tracking. Their movements typically, from breakout time, are around two hours, 20 minutes and 13 seconds. So the ability to be able to detect, triage and understand what's going on with a threat that's in your environment and to be able to remediate it before the threat actor has the opportunity to move to parts of the environment, hide or deploy additional tools that provide access or exfiltration capabilities is really important for customers to understand and try to strive to meet that metric."
—Thomas Etheridge, VP of services at CrowdStrike, on the CyberWire Daily Podcast, 12.18.19.
We're just spitballing here, but to safe-side it, divide by two.
We brought together a team of experts and wrote the definitive guide to everything you need to know about threat intelligence. Whether you work in vulnerability management, incident response, or another part of cybersecurity, our book has something for you. Get your free copy of “The Threat Intelligence Handbook” now.
And our regular Daily Podcast, as well as our weekly Caveat and Hacking Humans podcasts, will take a holiday break next week, returning as usual on January 2nd. Feel free to catch up on back episodes, or, for something new, give a listen to the special editions we'll be posting next week.