Tensions between the US and Iran over tanker attacks, nuclear ambitions, and the downing of a Global Hawk drone seem to be finding expression in cyberspace: Refined Kitten seems to be pawing for some American phish. Facebook tries friction as an alternative to content moderation in damping its abuse in fomenting South Asian violence. Cryptomining campaigns are showing some renewed vigor. And a look at lead generation for Nigerian prince scams. Mike Benjamin from CenturyLink on RDP scanning and the GoldBrute campaign. Guest is Michael Coates, former CISO for Twitter and former head of security for Mozilla, from Altitude Networks on better addressing the needs of CISOs and improving the sales process.
Dave Bittner: [00:00:03] Tensions between the U.S. and Iran over tanker attacks, nuclear ambitions and the downing of a Global Hawk drone seem to be finding expression in cyberspace. Refined Kitten seems to be pawing for some American phish. Facebook tries friction as an alternative to content moderation in damping its abuse in inciting South Asian violence. Cryptomining campaigns are showing some renewed vigor. My guest Michael Coates offers advice on selling to CISOs. And a look at lead generation for Nigerian prince scams.
Dave Bittner: [00:00:41] And now a word from our sponsor, ExtraHop, the enterprise cyberanalytics company delivering security from the inside out. Prevention-based tools leave you blind to any threats inside your network. By adding behavioral-based network traffic analysis to your SOC, you can find and stop attackers before they make their move. ExtraHop illuminates the dark space with complete visibility at enterprise scale, detects threats up to 95% faster with machine learning and guided investigations that help Tier 1 analysts perform like seasoned threat hunters. Visit extrahop.com/cyber to learn why the SANS Institute calls ExtraHop fast and amazingly thorough, a product with which many SOC teams could hit the ground running. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:38] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Friday, June 21, 2019. Tensions between the U.S. and Iran, already high over attacks on tankers in the Arabian Gulf and ongoing disputes over Iran's nuclear ambitions, have risen significantly in the wake of Iran's shootdown of a U.S. Air Force RQ-4A Global Hawk reconnaissance and surveillance drone on Wednesday. The U.S. says the drone was in international airspace over the Strait of Hormuz. Tehran says the RQ-4A was flying over southern Iran. Either might be right in the fog of war, but we're strongly inclined to go with the U.S. Air Force on this one.
Dave Bittner: [00:02:19] The Global Hawk is a big, capable and expensive platform, costing $131.4 million a copy, leaving research and development costs out of the reckoning. It's 47 1/2 feet long, has a wingspan just shy of 131 feet, and it weighs more than eight tons when it's loaded for a mission. It's got a 14,000 mile range, cruises at about 350 miles an hour and has a 60,000-foot service ceiling. It doesn't, of course, have a pilot or crew onboard, so no lives were lost when an Iranian surface-to-air missile, probably a Sayyad SD2C, knocked it down. Still, Tehran says it sent a message, and Washington is unhappy with the shootdown. Those drones aren't cheap, and there are only so many of them to go around. Besides, they're U.S. government property, and so the U.S. government is understandably steamed.
Dave Bittner: [00:03:13] What's this got to do with cybersecurity, you may well ask. Well, it's this. As is so often the case, kinetic action is accompanied by cyber action, especially when there appears to be the danger of escalation. And cyber battlespace preparation appears to be underway. WIRED says that the security firms Dragos and CrowdStrike have reported a surge in phishing emails deployed against a range of American targets. The actor is said to be APT33, also known as Magnallium or Refined Kitten. FireEye, without naming the threat actor, says it's seeing much the same. At least some of the phishing attempts were baited with what appeared to be an announcement of a job opening at the White House's Council of Economic Advisers. The malicious link opened an HTML application, which in turn started a Visual Basic script on the targeted machine that installed the payload, the Powerton remote-access Trojan. All of these, the security firms say, are consistent with how Refined Kitten has done business in the past. It's not known if any of the attempts have been successful, nor is it clear whether their goal is reconnaissance of potential targets or the staging of malware against the possibility of future use.
Dave Bittner: [00:04:26] CrowdStrike's Adam Meyers speculated to WIRED that the choice of phish-bait suggests that the campaign might be principally interested in gathering intelligence about U.S. policy with respect to economic sanctions. But he points out that this is exactly that - speculation. The point of the campaign isn't known. Espionage is possible, but so are reconnaissance and staging. Dragos's Joe Slowik told WIRED that, quote, "you can't turn on a dime and say I need cyber now," end quote. That's what battlespace preparation involves - getting the intelligence, getting the reconnaissance and staging capabilities where you may need them.
Dave Bittner: [00:05:04] Under pressure to do something about abuse of its platform to inspire violence in Sri Lanka and Myanmar, Facebook is trying something other than content moderation - introducing friction. Facebook will limit the number of times users around the region can share a message. For now, the limit is five. The hope is that this will help keep things from going viral that ought not to go viral. It will be interesting to see if it has the desired effect.
Dave Bittner: [00:05:31] Security companies are tracking cryptominers in the wild. ESET and Malwarebytes are tracking similar cross-platform cryptominers, respectively LoudMiner and BirdMiner. They share some infection vectors. Trend Micro also has its eye on a cryptominer. This one is a Satori-like botnet that arrives via the Android Debug Bridge.
Dave Bittner: [00:05:53] And finally, it's long been a truism that criminal markets behave in many ways like legitimate markets and that criminal enterprises ape some of the practices of legitimate businesses. Researchers at security company Agari have been looking at some of the West African cybergangs, the people who gave the world the now-familiar but still sometimes effective Nigerian Prince scam. Agari tells Axios that email scammers run their operations like a business, complete with consultants and lead generation systems. The gangs use regular lead generation services of the kinds that many legitimate businesses employ. As the story in Axios puts it, Agari has seen the criminal groups use several lead generation firms. The lead generation sites offer customizable searches. You want CFOs of companies in a given sector, of a given size and a particular geographical region? You got them. Agari found that the crooks generally signed up for free trials using the Gmail dot trick that lets them create accounts easily. Some of them are even more brazen. The London Blue crew just went ahead and bought a $1,500 annual subscription to a lead generation service last year. Was it worth it? Apparently, at least London Blue seems to have thought so. They downloaded 50,000 leads in six months.
Dave Bittner: [00:07:17] And now a word from our sponsor ObserveIT. According to Cisco, over the course of 1 1/2 months, the typical suspicious insider can download 5,200 documents. Unfortunately, many ad hoc insider threat investigations can drag on for weeks or even months since it's tough to know exactly who did what, when and why. Security analysts have to wade through a sea of event logs, many of which are completely irrelevant, to eventually discover the root cause of an incident. What if we told you that there's a way to investigate insider threat incidents faster? With ObserveIT's dedicated insider-threat management platform, security teams can quickly find out the context into both the user and data activity behind an alert. Detailed user activity timelines and easily searchable metadata help you know the whole story on insider threats. Visit observeit.com/cyberwire to try out ObserveIT's sandbox environment for yourself - no downloads or configuration required. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:08:33] And I'm pleased to be joined once again by Mike Benjamin. He's the senior director of threat research at CenturyLink's Black Lotus Labs. Mike, it's great to have you back. You all have been tracking a large RDP scanning campaign, and it's been getting some attention lately. What do we need to know here?
Mike Benjamin: [00:08:48] RDP, of course, a lot of folks are using to administer remote computers, and often it is using single-factor username and password. And with that sort of infrastructure on the internet, actors want to take advantage of it for a variety of reasons. And periodically, we'll see someone come out on the internet and scan RDP across the internet. They'll look for some pretty simple default usernames and passwords, and they'll move on with their day. They'll grab a handful of hosts, and that's about the extent of what they'll accomplish.
Mike Benjamin: [00:09:19] We are constantly monitoring for, you know, internet-wide anomalies in port utilization. So those things tend to stand out like a sore thumb. When somebody issues such a scan, they also tend to do them from a small subset of hosts. So you'll see a number of other public resources talk about hey, I'm seeing a scan from IP address X, Y and Z. In this particular campaign, what we were seeing was they were dropping a persistence payload on the host and then, in some cases, even using that to scan for more hosts. And so while not a worm in the true nature of the word, they were using that scale to find more hosts.
Mike Benjamin: [00:09:56] And we saw a lot of folks reporting on the fact that there were 1.5 million open RDP hosts on the internet. And that sounds like a horribly scary number - right? - anything that can talk to 1.5 million hosts. However, the actual infection pool that we were able to see, where they successfully brute-forced and then we saw command and control callback, was more in the tens of thousands - still not a small number in regards to success but nowhere near that 1.5 million number.
Dave Bittner: [00:10:25] Now, this is the campaign that folks are referring to as GoldBrute?
Mike Benjamin: [00:10:28] Absolutely. The command and control has been publicly listed and - as well as the port number for the callback. So, of course, folks can review their logs to look to see if they were one of those infected.
Dave Bittner: [00:10:39] So what are the ways to - for folks to prevent this?
Mike Benjamin: [00:10:42] First and foremost, don't turn on RDP on the internet. VNC, even SSH - try to restrict it to the places where you actually need to be accessing it from. That's a pretty basic security control that most folks can use. And in this case, they were using dictionary attacks. So basic password hygiene could also prevent such an attack.
Dave Bittner: [00:11:02] So what are the take-homes here? What did we learn from this one?
Mike Benjamin: [00:11:05] Well, anytime an actor decides that they want to automate the scale of what they're doing, it gets us all in a bit of an uproar. But in most cases, we'll find that what they're attacking really isn't that complex. A number of years ago, we saw embedded IoT devices attacked with some extremely simple usernames and passwords. That then evolved to a whole plethora of exploits that we see embedded into those things. But I'll tell you, about 99% of the time, they're known exploits with existing patches and known dictionary method attacks. So the good news is we can manage these things. And as we see them as an internet community, as a security community, we should make sure that we're openly sharing what's going on and making sure that we're patching those, you know, simple-to-do tasks.
Dave Bittner: [00:11:52] You know, never underestimate how many folks out there are just trying to be opportunists.
Mike Benjamin: [00:11:57] Absolutely. And in many of these cases, we're seeing the sophistication that occurs afterwards not be particularly high with some of these really loud actors. But keep in mind that those vulnerable hosts, those default credentials, sit out there for more sophisticated actors to use as well - so the things that we need to be concerned about, even if the very loud ones aren't actually causing much impact at the end of the day.
Dave Bittner: [00:12:21] All right. Well, Mike Benjamin, thanks for joining us.
Dave Bittner: [00:12:28] And now a word from our sponsor ExtraHop, the enterprise cyberanalytics company delivering security from the inside out. Prevention-based tools leave you blind to any threats inside your network. By adding behavioral-based network traffic analysis to your SOC, you can find and stop attackers before they make their move. ExtraHop illuminates the dark space with complete visibility at enterprise scale, detects threats up to 95% faster with machine learning and guided investigations that help Tier 1 analysts perform like seasoned threat hunters. Visit extrahop.com/cyber to learn why the SANS Institute calls ExtraHop fast and amazingly thorough, a product with which many SOC teams could hit the ground running. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:13:27] My guest today is Michael Coates. He's CEO and co-founder at Altitude Networks, and he's also former CISO at Twitter and former head of security at Mozilla. Our conversation focuses on how he, as someone with purchasing authority, prefers to have products pitched by cybersecurity vendors.
Michael Coates: [00:13:47] I had some pretty exciting years leading security programs. I was head of security at Mozilla for many years. I was also the CISO at Twitter for a number of years, and what I noticed was that there was clearly a lot of activity in the vendor space for security solutions, which is great. We need innovation. But the way in which they reached out to potential buyers, like myself as a CISO, left me certainly wanting more.
Michael Coates: [00:14:18] I would receive, largely, a ton of unsolicited inbound emails with really peculiar message formats. I applaud the efforts to try and catch our eye, but they end up having, you know, an unintended consequence - emails like, do you care about security? Or, did you know you're vulnerable to this? Let's talk more. All things that - I get it. They're trying to be catchy and clever, but it's actually kind of off-putting.
Dave Bittner: [00:14:50] Yeah.
Michael Coates: [00:14:50] Yeah. The thing that hit me initially was the massive amount of cold-call email that I would get, and that really just didn't work well, as I know we'll dive into here.
Dave Bittner: [00:15:01] Well, so let's come at it from the other direction. The folks that were successful, who got your ear - what techniques did they use?
Michael Coates: [00:15:08] As a result of the large amount of movement - there's obviously tons of investments in security right now, tons of innovation, lots of new companies. Because of the fact that there's so much noise, many buyers, like myself, would actually rotate hard the other way. Instead, we would rely very heavily on referrals from, you know, our personal networks. And I realize that that is something that would happen in any space. You always want to, you know, think about a referral. But in security in particular, these CISOs form together in these, you know, CISO networks. And we have one in the Bay Area, and I know other industries and other locations have them, too. And in some regards, they're a bit of a support network because let's face it. The security role is hard. It's hard at every level.
Dave Bittner: [00:15:57] Sure (laughter).
Michael Coates: [00:15:59] But we would definitely use that referral. Like, hey, have you guys heard of this? Or, I'm looking for a solution in this space - and see who would pipe in. And that is great. It's really good to have a referral. But at the same time, that could leave us a little bit blinded to really great new innovation that we should be thinking about.
Dave Bittner: [00:16:16] Do you think there's a risk, then, of becoming insular?
Michael Coates: [00:16:20] I think we're in a challenging spot because we definitely need to branch out and look at new ideas, look at new solutions. And yes, if we're not careful, we could be a little bit insular right now in terms of the solutions and products we use. But I think the trick we need to do is actually shift the way we look at selling security software, security solutions, and also the method we have for discovery because we've kind of taken two extremes here.
Michael Coates: [00:16:50] We're talking about - on one hand, you have cold inbound versus referral. Like, what's that middle ground? Like, where can we have a trusted review of options out there? And in some regard, trusted advocates kind of fill that void. Like, if you have a VC relationship, someone that you trust, they're kind of a vetting mechanism. Like, hey, these solutions look pretty interesting. And sure, they're in their portfolio, but they've done some vetting to get them there. So that's kind of nice. That works really well, of course, in Silicon Valley - but not scalable to the rest of the country or world.
Michael Coates: [00:17:22] And so can we have some sort of Consumer Reports-style trusted review or display of vendor information? The thing that's important about that, and where I really key in is, as a security buyer, you want the security information. You want the technical chops of what you're looking at. You really don't want to see a marketing slick sheet that says, machine learning, internet of things. How do you measure success? Which are false positives? How do you look at those types of things that actually matter to us?
Michael Coates: [00:17:53] So I think we can find that middle ground if the security vendors realize, hey, stop trying to push buzzwords. Stop, you know, with the cold calls. How do you show your product and what it actually does, hopefully in a neutral space, if we can create such a beast? And if not, how do we lead in more of a demo-first-style sales approach? Like, let your product speak for itself. Let me come to your website and, like, actually see how it works. And for some reason, I think we're really far away from that reality right now.
Dave Bittner: [00:18:24] Why do you suppose that is? There's no doubt that there is a lot of noise out there. I mean, you walk around on any of the trade show floors, and it's hard to focus on any one thing. Everybody's fighting for your attention. So I guess on the one hand, I have a certain amount of sympathy for the folks out there who are trying to sell in that environment.
Michael Coates: [00:18:43] And I have to eat my own words here because I'm now on the other side of the fence.
Dave Bittner: [00:18:47] Yeah, yeah.
Michael Coates: [00:18:49] I think, one, we have a macro challenge in security, which is there's far too much headline-chasing, you know, Hollywood-style products that are solving things that don't matter. And because there's so much investment money out there right now, the bar to get funded, the bar to start a new idea is lower, perhaps, than it should be. And as a result, you see just crazy, off-the-wall ideas that may catch fire because of their buzzwordiness (ph). It may get a set of buyers that aren't as technically adept that, you know, need it. Like, what is your solution right now to quantum encryption? And things like that - like, well, it's a cool buzzword, but is it really the most important thing to solve in your program?
Michael Coates: [00:19:36] So we have that big mismatch between flashy, headline-grabbing things, people trying to solve APT. Really, they don't even have good inventory management. Or how do you even think about automation and real-time alerting? You look up something like the Target breach. And so I think that's one problem. There's just so much stuff out there. And then the second part really is we don't have a channel that can give people that neutral way of learning about companies, so it really is the biggest shouting match. How can I shout more over email? How can I shout with catchy phrases at an expo floor? And that's an unfortunate reality of where we are right now. I think as we mature, as buyers become more sophisticated, more aware of what they need to focus on, it will get better.
Michael Coates: [00:20:19] And yeah, going back to that point, again, like, I would really love for that neutral evaluation - like, give me the - maybe not a hard copy - but that magazine of - what are the different security products and different spaces, and how do we have a neutral body to give us some information about them?
Dave Bittner: [00:20:36] Now, if someone's reaching out to you - you get that email in your inbox - what would the ideal approach be? How could someone get your attention and get you to spend a little more time with their product?
Michael Coates: [00:20:47] Yeah, I think that actually is a really good question because sure, I'm harping on email as really hard, and it is because there's so many inbounds. But there's a lot we can do in the messaging itself because there is some amount of hit rate. There's some opportunities where people do sit down and say, all right. Let me see what's going on, what kind of inbounds I have.
Michael Coates: [00:21:06] The thing that can help a lot for a vendor selling to a CISO is to basically do the three-second test. Let's assume you're going to get three seconds as they scroll through - if they open it, so make your subject line helpful. But if they scroll through that email, you're going to get three seconds. Don't have a long narrative. Don't have tons of words. Do not ask me things that make me kind of recoil in a bit of frustration. Like, yes, I do care about security.
Dave Bittner: [00:21:33] Right, yeah. I love cute puppies (laughter).
Michael Coates: [00:21:34] Yes, yes. I know you don't have a silver bullet and all of these things. Like, let's just cut through all that. Just tell me, one, what do you do? Like, we solve this problem. Don't tell me about flashy features because we don't need to sell on features. We need to sell on what problem gets solved. If you tell me, number one, what problem you solve, I will then self-select and say, I have that problem or I don't. And either answer is good for you because we don't need to talk if I don't have that problem. But if I do, I'll read the next line. Like, tell me how you solve that problem. Do it - maybe this is my Twitter days coming back. Do it in, like, one sentence or two, because...
Dave Bittner: [00:22:07] That's right.
Michael Coates: [00:22:07] ...You should be able to. It should be compelling in two sentences. And three, tell me how you integrate because that's actually really important for a security person to wrap their head around. Like, am I looking at a network device? Am I looking at an agent on my workstations? Help me wrap my head around it real quick.
Michael Coates: [00:22:21] And then after those three things, what I would ideally like as a buyer - let me go view your product without talking to sales. I know it's horrible. I know you want me to talk to sales, but let me just see it because if I can do those things, there's a better chance I will learn about your product. And when it's - the time is right, I will engage. But if you don't do those things because you really want me to engage with sales first, you really want me to read this long narrative, what will happen is I will do none of those, and you will have no reaction from me. And I think that's a worse outcome because when you look at security and, you know, why particular things happen - like, if you think about phishing attacks, we're always like, how does anyone fall for those? And most - almost no one does, but if 0.1% do, you just send more emails.
Dave Bittner: [00:23:07] Right.
Michael Coates: [00:23:08] So maybe we're at a spot where the smarter companies are figuring it out and they're being more successful, or maybe we're all incredibly biased and we're in this small segment of the market. But I don't think that's the case because as much as we say there's, you know, more technical or less technical CISOs, or the West Coast, the East Coast - how they're different from each other or even the Middle America, I think, really, people want that core info. I don't think there's anybody out there saying, yeah, I really want to read through this long narrative to decide if I care about security. Thank you for asking. So I don't know. I don't know what we're missing. I think we have a fair point, as the buyers, to say, please just give it to me this way. That's what I want.
Dave Bittner: [00:23:50] That's Michael Coates from Altitude Networks.
Dave Bittner: [00:23:58] And that's the CyberWire. Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyberanalytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:24:25] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Nick Veliki, Bennett Moe, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.