
The CyberWire Daily Podcast

In today's podcast, we hear that Trend Micro has clarified what was up with allegations it was deploying spyware with its tools—no spyware, but they've changed their products to remove the appearance of impropriety. RiskIQ fingers the Magecart gang as the hoods behind the British Airways data breach. Exploit broker Zerodium discloses a no-longer-profitable Tor Browser vulnerability. Google will challenge the EU's right-to-be-forgotten in court this week. An extradition in the JPMorgan hack. Justin Harvey from Accenture with tips on building an effective incident response plan. Guest is Colin McKinty from BAE Systems, discussing the launch of The Intelligence Network, a collaborative task force developed in partnership with Vodafone and Surrey University, to engage, unite and activate the global security community in the fight against cybercrime.

Transcript

Dave Bittner: [00:00:03] Trend Micro clarifies what was up with the allegations it was deploying spyware with its tools; RiskIQ fingers the Magecart gang as the hoods behind the British Airways data breach; exploit broker Zerodium discloses a no-longer-profitable Tor Browser vulnerability; Google will challenge the EU's "right to be forgotten" in court this week; and an extradition in the JPMorgan hack.

Dave Bittner: [00:00:35] Time to take a moment to tell you about our sponsor ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest research paper entitled "Building a Threat Intelligence Platform." ThreatConnect surveyed more than 350 cybersecurity decision-makers nationwide. Research findings include best practices and the impact on businesses of threat intelligence programs and how organizations that have fully mature programs have prevented phishing attacks, ransomware attacks and business email compromise. To check out the research paper, visit threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:01:56] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 11, 2018.

Dave Bittner: [00:02:09] Trend Micro has responded to accusations that surfaced over the weekend and resulted in the ejection of some of its security apps from the Apple Store. They don't, the company says, report anything to Chinese servers. Charges that they've been taking user data and exfiltrating them to an unidentified server in China are, quote, "absolutely false," end quote. What did happen, the company says, is that its products - Dr. Cleaner, Dr. Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery and Duplicate Finder - all collected and uploaded what Trend Micro calls, quote, "a small snapshot of the browser history on a one-time basis covering the 24 hours prior to installation," end quote. Thus, the data collection on user systems they did perform was a one-time thing designed to enhance the product's performance and not an ongoing scraping of information.

Dave Bittner: [00:03:05] Furthermore, this collection was fully disclosed in the end-user license agreement, and they point out where - although, in fairness to users, EULAs are notoriously difficult to navigate. Nonetheless, the company says it understands the objection and regrets the incident. Trend Micro reports that it's now discontinued that particular feature in its apps. They've also permanently deleted all the legacy logs. As they put it on their corporate blog, quote, "we apologize to our community for a concern they might have felt and can reassure all that their data is safe and at no point was compromised," end quote.

Dave Bittner: [00:03:43] A number of observers were struck by apparent similarities between the British Airways breach and the earlier incident at Ticketmaster. This morning, RiskIQ offered an explanation for the similarity. The company says that the two hacks were conducted by the same criminal group, Magecart. The company has been tracking Magecart since 2015. Researchers also say the gang remains active on an unusually large scale, conducting digital skimming attacks against a range of enterprises. They scan for websites that don't secure payment card data entry forms and then take whatever's available. This time, their attack seems to have been more tailored than usual. Magecart compromised JavaScript on the airline's site. Many of the gang's earlier operations had concentrated on attacking third-party providers of payment services. That was, for example, the case in the Ticketmaster breach.

Dave Bittner: [00:04:36] But in this instance, Magecart appears, says RiskIQ, to have gone after British Airways more directly. British Airways hasn't commented on the attribution. They say that they notified all affected customers within a day or so of discovering the breach and that they're now working closely with law enforcement as the authorities investigate the incident.

Dave Bittner: [00:04:58] BAE Systems recently launched a collaborative task force they're calling The Intelligence Network with the aim to unite and activate the global security community in the fight against cybercrime. Colin McKinty is VP of cybersecurity strategy at BAE Systems.

Colin McKinty: [00:05:15] We launched it back in July with Vodafone and another organization called CyLon. And what we produced was a manifesto, explaining how we can see a path towards a safer digital world. We got a bunch of industry experts together. And through a lot of conversations and collaboration, we focused down on kind of three broad themes. The first one was around the economic incentives and buying power of the larger corporations, how this has driven fragmentation and complexity in the cybersecurity marketplace and the technical landscape that we're trying to buy security tools from.

Colin McKinty: [00:05:52] And what, often, this means is that small and medium businesses really don't get the right level of support. And we're also struggling with integration and implementation. Kind of the second theme is around the fact that societies, large enterprises and governments are going to continue to be disrupted by this new or growing digital business world that we're in. There's also a really fast pace of development and economic growth going on at the moment, which just basically means it's really hard to keep up.

Colin McKinty: [00:06:19] And the final theme is around the increased software intensity of the world. And the growing use of AI raises real concerns around the risk to cybersecurity and what these trends mean. And so these three key themes led us to develop this manifesto and ultimately produce three pillars for how we think we can develop, over the next seven years, a framework to combat this threat.

Dave Bittner: [00:06:41] All right. Well, let's continue then. Describe to us - what are the pillars?

Colin McKinty: [00:06:45] So there's three pillars. The first one is collaboration. And the key mindset change that we're looking for here is about building a new culture through radical trust. You know, we really need to move from each organization only defending themselves to where organizations are working together to defend everyone and really do need to collaborate. Now, in this context, you know, we can't defend the herd by seeking just to outrun it and be an individual. We have goals for this. So in 2025, what we want to see is a society where we can respond as one to these threats, really act as a collective.

Colin McKinty: [00:07:19] The second pillar is simplicity. So again, here we're looking for a mindset change where we don't blame the people. We actually change the game. This change is around, you know, making sure the security is focused on making it easier rather than punishing honest mistakes.

Colin McKinty: [00:07:35] The third pillar, then, is certainty. So what we have here is we're looking for a mindset change here where we're turning kind of the volatility of cybersecurity into just business as usual. What we see is, you know, kind of cybersecurity's kind of quite exciting. It's adrenaline-fueled where heroes fly in, you know, at the most important time with great technology to kind of try and save the day and sort out the issues.

Colin McKinty: [00:07:59] And what we need to do is actually focus less on kind of those heroes and technologies; increasingly more on a reliable world of competence and procedure, just basically where it becomes this standard, everyday process. And by driving this kind of maturity, this transparency, we believe we can position ourselves to be ready for the future of cybersecurity.

Dave Bittner: [00:08:19] Well, I mean - certainly, I would say, admirable - and perhaps lofty - goals. So what's the plan from here? How do you turn these ideas into reality?

Colin McKinty: [00:08:30] So it's been real exciting since we launched this in July. We've actually had over 700 people and organizations sign up to join the network, over 200 of those being in the U.S. And so what we've started is a collaboration between those organizations.

Dave Bittner: [00:08:46] So if folks want to get involved, what's the best way for them to get in touch?

Colin McKinty: [00:08:50] Well, there's a range of information out there. Go to the BAE Systems website. There's information about The Intelligence Network there. You can click on sign in and join the network. And then all we ask you to do is come and bring your thoughts, bring your problems, openly share and collaborate and help us work out how we prepare for the future.

Dave Bittner: [00:09:08] That's Colin McKinty from BAE Systems.

Dave Bittner: [00:09:13] The exploit brokers at Zerodium have dumped some of their wares on Twitter. In this case, it's a zero-day vulnerability in the Tor Browser. Their business is, for the most part, selling exploits to government organizations. Zerodium says it's disclosed the exploit publicly because the bug has, quote, "reached its end-of-life and it's not affecting Tor Browser version 8," end quote. If you're a Tor Browser user and you haven't yet updated to version 8, you might want to do so soon. Version 8 was released last week. Users of earlier versions can expect the usual rounds of attempts on their systems.

Dave Bittner: [00:09:52] An important case goes before the European Court of Justice this week. Google will be challenging aspects of the EU's "right to be forgotten." In this case, Google seems to be on the side of the free speech angels. Many observers see broad application of the right to be forgotten as the entering wedge of more intrusive censorship.

Dave Bittner: [00:10:13] Authorities in the country of Georgia have extradited a Russian national to the U.S., where he'll face charges related to the 2014 hack of financial services companies. It's generally known as the JPMorgan hack, but there were a number of other victims as well, including E-Trade Financial Corporation, Scottrade and Dow Jones. Andrei Tyurin could receive up to 30 years if he's convicted on charges of computer hacking, wire fraud and conspiracy. Mr. Tyurin and his alleged co-conspirators are thought to have made hundreds of millions in stock manipulation, internet gambling, credit card fraud and cryptocurrency money laundering. There's much speculation about what he knows concerning connections between the Russian government and the Russian underworld. Today is, of course, the 17th anniversary of the 9/11 attacks. Spare a thought for the victims and their bereaved survivors and for all who've suffered since in the war on terror.

Dave Bittner: [00:11:18] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. And we thank VMware for sponsoring our show.

Dave Bittner: [00:12:18] And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, welcome back. Obviously, your area of expertise - one of many - is incident response. So we thought we'd touch today on the best ways to go about developing and testing an effective incident response program. What's your advice?

Justin Harvey: [00:13:05] Well, my advice is let's step back and look at this from a high-level perspective. And really, the words that I think about are cyber-resiliency. How does an enterprise become resilient to cyberattacks? I think that really comes down to being able to, one, prepare for; two, detect; three, respond and recover to advanced cyberattacks. And that first step, preparing for, I think is one of the most important, particularly around the areas of incident response. So if you're going to respond and recover and restore your business operations, which is what our clients want to do time and time again - for all the incidents that we work, the first question out of their mouth is, how do we restore our operational services? - or how do we recover?

Justin Harvey: [00:13:37] And really, that begins with preparation. It begins with an incident response plan that takes into consideration not only, when something goes wrong - how are you going to do the forensics; how are you going to restore the systems and your backups? - but it also includes things like a communications plan. How are you going to effectively communicate to the C-suite and to the board and let them know what's going on?

Justin Harvey: [00:14:03] It includes things like operating with legal, ensuring that you have both general counsel and an outside third-party counsel ready to go, spun up; all the contracts are done because in an incident or breach, it is best practice to go with an outside third party. In case there is litigation later on, you don't want all of your decisions and all of your data and all of your emails to be subpoenaed. So you want to keep an outside third-party counsel on hot standby.

Justin Harvey: [00:14:38] And then finally, you also want to have your PR team and marketing team ready to go because if there is an operational impact - if there is a material breach or you've lost some PHI or PII or customer data - you want to have your PR team ready to go and talk to the press about what happened with the facts. They are armed with the contingency plan in case something was lost. How do you ensure that there is a concerted process and a concerted methodology to explain to the market, to explain to your customers in a very public way that you're going to resolve that?

Justin Harvey: [00:15:19] And what we're also seeing is a trend not only to respond to a breach or an incident on a technical level but also address it from a crisis management perspective. So let's take a destructive attack. Last year about the same time, Dave, you and I were talking about NotPetya. We were talking about WannaCry. We were talking about these destructive attacks. And when there's a destructive attack, you may not be able to access the same systems, applications and data that you were operating off of yesterday. So if you need to contact legal to get that contract done with an incident response company, how do you even know how to contact them? In a destructive attack, if you lose your Active Directory or your Outlook, there's no more global address list.

Dave Bittner: [00:16:03] Right.

Justin Harvey: [00:16:04] Perhaps there's no more Cisco Voice over IP anymore because your Voice over IP systems have gone down. So you need to have an out-of-band communications system put in place which includes phone, instant messaging, screen sharing, email. And a lot of our customers are pivoting to have that hot standby system.

Justin Harvey: [00:16:26] And even - if you can believe this, it even will include things like having an air-conditioned room for your war room or catering. In some of the more remote environments that we've actually done incident response, particularly in the Middle East, everything shuts down at 6 or 7 p.m. And it can get quite hot in those buildings with no access to food or water for 12 hours as we are working through the incident in a war room.

Dave Bittner: [00:16:52] Now, what about, you know, this notion - the sports analogy is you practice like you play. I'm thinking of, you know, companies actually taking the time, the investment of time, to really seriously rehearse these things.

Justin Harvey: [00:17:05] You're exactly right. The traditional way of testing your incident response plan is to do a tabletop. And a tabletop is merely a paperwork exercise where everyone gets in the same room. Some of us use cards or some of us give sheets of paper to say, OK. There's been an incident. What do you do next? And we watch them role-play, in essence, the steps that they are going to take. But what we have found with my larger clients is that is not enough. They can still drill and drill and drill. And when the actual event occurs, there's still a lot of scrambling around. And there's still a lot of nervousness and trepidation, and things aren't being done effectively.

Justin Harvey: [00:17:46] So what we've done is we've actually introduced what we call a coached incident simulation, which is a hybrid between a red team operation and a blue team operation. So really, that's called a purple team. And what that means is we all get in a room, and we start our simulation. But instead of saying to the incident response team and role-playing with them, giving them a card, we actually give them the full laptop. And that laptop actually has a threat on it. And we actually observe and coach based upon the reaction, the reaction time and the steps that the technical team follows in order to actually work that incident.

Justin Harvey: [00:18:27] So doing - pressure testing your incident response plan and actually using real-world circumstances and technology, things like cyber-ranges, is really the next level up that more and more companies are adopting.

Dave Bittner: [00:18:43] Justin Harvey, thanks for joining us.

Justin Harvey: [00:18:46] Thank you.

Dave Bittner: [00:18:49] And that's the CyberWire.

Dave Bittner: [00:18:51] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:19:09] And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:19:17] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.

Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
