The CyberWire Daily Podcast 2.20.20
Ep 1028 | 2.20.20

UK, US blame Russia for 2019 Georgia hacks. Senator Sanders thinks Russian bots could impersonate supporters. Mr. Assange’s extradition. MGM Resorts breach. Ms Winner wants a pardon.

Transcript

Dave Bittner: [00:00:00] Hi, Jack. 

Jack: [00:00:01]  Hi, Dad. 

Dave Bittner: [00:00:02]  You know, there are lots of people who listen to the CyberWire every day, and they check out our daily news briefing every day. But there's some people who want more. 

Jack: [00:00:11]  They want more? 

Dave Bittner: [00:00:12]  They want more. 

Jack: [00:00:12]  Sounds a little greedy to me. 

Dave Bittner: [00:00:16]  (Laughter) Well, we're happy to provide them with more, but they have to pay for it. 

Jack: [00:00:20]  Well, that makes sense. 

Dave Bittner: [00:00:20]  Yeah. So we're launching something new. It's called CyberWire Pro. 

Jack: [00:00:24]  Oh, I heard about CyberWire Pro. 

Dave Bittner: [00:00:26]  You did? Well, what did you hear? 

Jack: [00:00:27]  Well, you told me about it last night at dinner, Dad. 

Dave Bittner: [00:00:29]  Well, share with our audience what I told you. 

Jack: [00:00:32]  Well, basically, CyberWire Pro is going to be a new service that you can pay for that has newsletters, exclusive webcasts and thousands of expert interviews and a lot more. So you can sign up for CyberWire Pro at thecyberwire.com/pro. 

Dave Bittner: [00:00:51]  Yeah. People should check it out, right? 

Jack: [00:00:53]  They should check it out, yeah. 

Dave Bittner: [00:00:54]  Yeah. Well, thanks for joining us, Jack. 

Jack: [00:00:55]  Of course, of course. 

Dave Bittner: [00:01:00]  British and American authorities blame Russia's GRU for last October's defacement campaign against Georgian websites. Senator Sanders thinks maybe some of his apparent supporters are Russian bots, the ones who are tweeting bad stuff in social media. Julian Assange says he was offered a pardon to say the Russians didn't meddle with the DNC. Stolen data from MGM Resorts turns up in a hacker forum. And NSA leaker Reality Winner would like a pardon. 

Dave Bittner: [00:01:34]  And now a word from our sponsor, ExtraHop - securing modern enterprises with network detection and response. Security teams today want to say yes to cloud adoption just like they want to support enterprises' IoT and edge computing. But the more complex your architecture, the less you can trust your perimeter to keep threats out. When attackers make it into your environment, you need to be the hunter, not the hunted. ExtraHop helps organizations like Home Depot and Credit Suisse detect threats up to 95% faster with the context they need to act immediately. Visit them at RSA for a full product demo of threat detection and response for cloud, multicloud and hybrid enterprises. Or learn more at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:02:29]  Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:03:03]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 20, 2020. 

Dave Bittner: [00:03:03]  The U.K. and the U.S. have formally blamed Russia for a wave of disruptive, politically themed website defacements that hit Georgia in October 2019. British Foreign Secretary Raab called the GRU's campaign reckless and brazen, an unacceptable attack on a sovereign nation. U.S. Secretary of State Pompeo said the attempts gave the lie to Russian claims of being a responsible actor in cyberspace. The British response is harsher. The Americans call for Russia to reform itself and offer Georgia some help securing itself against further attacks. 

Dave Bittner: [00:03:39]  The defacement campaign was interesting in that it was, in effect and probably in conception, a purely disruptive operation. You may recall that some 15,000 websites in Georgia were defaced with a photo of the country's former president, Mikheil Saakashvili, with the text "I'll be back" overlaid on top of the ex-president's smiling, two-thumbs-up picture. 

Dave Bittner: [00:04:03]  Now, the former president was known during his time in office as a strong advocate of pro-Western policies, which, on the face of it, would make him an unlikely figure for GRU boosting. He left Georgia for Ukraine in 2013, saying that he was fleeing trumped-up corruption charges. Defacements are a low-grade form of hacking, and as influence operations go, they're a pretty blunt and not terribly effective instrument. But in this case, they served to exacerbate domestic tensions in Georgia, and that, the U.S. and U.K. suggest, was the point all along. 

Dave Bittner: [00:04:38]  By ZDNet's count, this is the fifth time the allies have accused the GRU of cyberattacks against foreign states. Their list of the other four is as follows - BlackEnergy, which, in December 2015, shut down a portion of Ukraine's power grid for up to six hours; Industroyer, a second attack on Ukraine's power grid a year after BlackEnergy - also known as CrashOverride, this attack disrupted power distribution in and around Kyiv for about an hour; NotPetya, a June 2017 destructive pseudo-ransomware attack that initially affected Ukrainian targets but which spilled over into many other parts of the world, including Western Europe and North America; and, finally, BadRabbit, a ransomware attack in October 2017, which encrypted hard drives and rendered IT inoperable. The campaign was also concentrated on Ukrainian targets. 

Dave Bittner: [00:05:31]  The public naming and shaming is being read as a warning to Moscow to stay away from attempting to meddle in other countries' elections and, of course, especially in fiddling with the U.S. 2020 elections. It needn't, however, take much fiddling to achieve a disruptive result. The difficulties the Iowa Democratic caucus experienced with Shadow Inc.'s less than fully successful IowaReportApp has already prompted some nonnegligible intraparty suspicion, especially as the ongoing recanvass has shown the already small margin between caucus frontrunner Buttigieg and second-place finisher Sanders having shrunk even more. 

Dave Bittner: [00:06:10]  Last night, at the Democratic debate that preceded this weekend's Nevada caucus, Senator Sanders deplored some of the social media excesses some apparent supporters of him have been seen to commit, but then immediately pointed out that it's quite possible that many of those supporters are just Russian bots. As quoted in The Daily Beast, the senator said, "all of us remember 2016, and what we remember is efforts by Russians and others to interfere in our election and divide us up. I'm not saying that's happening, but it would not shock me," end quote. 

Dave Bittner: [00:06:41]  He wasn't saying that's so, you see, still less that he had any evidence for it. But as a matter of a priori possibility, sure, it's possible the Russian bots are out and about. If your aim is disruption, with bot-hunters like that, who needs the actual bots? At a certain point, suspicion and mistrust will do your work for you. 

Dave Bittner: [00:07:02]  Chances are you've got systems in place to monitor the status and availability of the technical services you use day-to-day to alert you if a server goes down, power goes out or there is a sudden spike in traffic. But how about your people? How do you monitor your teams and co-workers to make sure they're not operating beyond their capacity and burning out? Jamie Tomasello is head of trust and compliance at Cisco Duo Security. She presented at the Virus Bulletin 2019 Conference, and her talk was titled "I'm Not Going To Die During This Conference Call: Reflections On Availability And Burnout." 

Jamie Tomasello: [00:07:39]  I think where a lot of people are focused are around what they have to do as an individual to prevent being burned out. A lot of the advice and presentations you hear say things around their own wellness, things like you should exercise more and make sure you're drinking water, make sure you get enough sleep, drink less caffeine or more caffeine, depending on who you're talking to. And one of the things that I think is being missed is the role of a manager or a leader in preventing and mitigating harm with regards to burnout. 

Dave Bittner: [00:08:16]  Well, let's dig into that. What part do you think the manager plays? 

Jamie Tomasello: [00:08:20]  So I think what's really important to think about when we talk about managers and their role in thinking about individuals from a burnout perspective is that people - we're not perpetual motion machines. I think one of the challenges is that we fail to accept that forcing ourselves and the teams which report to us into work patterns that exhaust our personal energy will not lead to infinite productivity. 

Dave Bittner: [00:08:46]  If I'm a manager, how do I monitor for this? And how do I foster an environment where I feel as though I'm getting the most out of my employees, but at the same time looking out for them for both their personal health but also for the sake of the organization? 

Jamie Tomasello: [00:09:04]  A few things that we can think about when it comes to how to monitor this or how to think about this is thinking about - especially those who are in engineering or operational roles, thinking about, what are the signs and symptoms that a system or a service isn't healthy, optimized or at a sustainable capacity? There's actually a Cyber Operations Stress Survey, one of the techniques that you can use. Josiah Dykstra and Celeste Lyn Paul of the U.S. Department of Defense developed this. And it's a low-cost method to study fatigue, frustration and cognitive workload in tactical cyber operations. And it's easily adaptable to anyone in an operations or security role. 

Dave Bittner: [00:09:48]  Do you have any insights on how companies successfully manage that transition from what I'm imagining is that startup culture where everyone is putting in a lot of hours and working hard and just doing whatever needs to be done to get the company going, but then there comes a point - there's a process of putting things in place to achieve sustainability? Do companies have to be deliberate in that process? 

Jamie Tomasello: [00:10:19]  Yes. I think you have to be deliberate. You have to be inclusive. You have to be intersectional. You have to be able to look at - in order to scale your organization to take it from a startup into a growth stage company and then ultimately pass that point, you cannot just look at the sustainability or the growth of the product. It also has - you have to look at staff and the needs and the resourcing of the team. I think it's critical that - human condition, ultimately, the people who serve your organization are part of that growth plan and part of that trajectory and making sure you're keeping that resource and keeping that space for them to grow as the rest of the organization grows. 

Dave Bittner: [00:11:05]  That's Jamie Tomasello from Cisco Duo Security. 

Dave Bittner: [00:11:09]  Julian Assange's attorneys, at his extradition hearings, have claimed that former U.S. Congressman Dana Rohrabacher offered him a pardon on behalf of President Trump if Mr. Assange would say that the Russians had nothing to do with leaking the Democratic documents WikiLeaks published during the 2016 election season. WikiLeaks has long suggested that the Russians had nothing to do with the leaks, so it's difficult to see why such an inducement might have been offered. 

Dave Bittner: [00:11:36]  In any case, Mr. Rohrabacher and the White House have both denied making any such offer. Mr. Rohrabacher said in a statement that he met with Mr. Assange in 2017, and upon his return, told then-Trump-adviser General Kelly that the WikiLeaks proprietor might provide information about the DNC leaks in exchange for a pardon, but that no one in the administration took the idea up. The White House says they knew nothing about any such offer. 

Dave Bittner: [00:12:02]  Mr. Assange is currently fighting extradition from the U.K. to the U.S., where he faces a number of federal charges. His attorneys would like the British court to release him so he can seek asylum in France. 

Dave Bittner: [00:12:15]  MGM Resorts sustained a data breach last summer that affected almost 10,600,000 guests. This week, much of the personal information lost was posted to a hacker forum. ZDNet and Under the Breach confirmed that the data were indeed from the MGM Resorts incident. MGM Resorts says it notified affected guests last year. The data posted this week included names, home addresses, phone numbers, emails and dates of birth. MGM Resorts says no pay card information was compromised. 

Dave Bittner: [00:12:47]  And finally, Reality Winner, the former airman and former NSA contractor who's currently serving five years in prison for leaking a classified NSA report to the media - specifically to The Intercept - is asking President Trump for either a commutation of her sentence or a pardon. She's hopeful because at the time of her sentencing, the president called her offense small potatoes, specifically smaller than what former Secretary of State Clinton did in setting up her homebrewed server while she was in office. The documents Ms. Winner leaked, Fifth Domain reminds us, had to do with Russian attempts to penetrate a provider of voting software and to compromise the accounts of election officials. 

Dave Bittner: [00:13:33]  And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless strong security with LastPass. Each entry point in your organization can compromise your business's security. LastPass Identity can minimize risk and give your IT team a breakthrough integrated single sign-on password management and multi-factor authentication. LastPass Identity enables you to manage and control user access for all access points in your organization. Add an additional layer of security to every single login through multi-factor authentication. Securely authenticate into your work using biometrics like fingerprint or face. Deliver a passwordless login experience for employees while securing every password in use through Enterprise password management. And gain an integrated view across all access and authentication tasks to know which employees are accessing what, when and where. To learn more, go to lastpass.com/enterprise. That's lastpass.com/enterprise. And we thank LastPass for sponsoring our show. 

Dave Bittner: [00:14:59]  And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, it is always great to have you back. I think a lot of folks out there have concerns with all of the things we're hearing in the news about tensions between the U.S. and Iran, the possibility for Iran reaching out via cyberattack, stirring things up that way. What are some of the things that companies should be focused on? What are some of the actual actionable things that they can do to make sure that they're prepared should something happen? 

Justin Harvey: [00:15:34]  Well, from a security operations perspective, there is a set of processes and procedures that should be well matured and acted upon. Now, first is operating at a heightened sense of alert by scrutinizing events and infrastructure, including administrative actions, looking for the three mainstays in monitoring today. 

Justin Harvey: [00:15:57]  No. 1 is the known bad. An attack will most likely not originate from an Iranian IP address. It might not even be a foreign IP, but at least still beefing up your known bads, I think, will help a little bit in that respect. When I say known bads, I mean IPs and domains and indicators of compromise that the Iranians have allegedly used in the past. Having those loaded into your monitoring infrastructure won't hurt. But, Dave, I'll tell you, I'm a little bit skeptical if the Iranians are going to use the same approach or tactics, techniques and procedures they've used before. But it still helps to have the known bad there. 

Justin Harvey: [00:16:40]  The second one is anomalous behavior - hosts acting in a strange way but not necessarily malicious. It could be odd administrative activity. It could be some weird registry settings that were changed. Essentially, anomalous means looking for the weird. 

Justin Harvey: [00:16:55]  And the third one would be looking for the suspicious, particularly around users and/or administrators. So one of the areas that I think needs a lot of work in our industry is scrutinizing privileged access actions. So, for instance, if you're - if you work at all with Linux, you know it's generally not a good thing to log in as root, particularly via SSH. You want to log in as yourself. And then you want to use a command like sudo to become root or the system administrator. 

Justin Harvey: [00:17:28]  So suspicious could be if you see the system administrator who is not on the console of the box, perhaps SSH-ing in from a remote site or even someone SSH-ing in as a user and then becoming root from a weird location, that could also be suspicious. Secondly, ensuring that the SOC is properly prepared to escalate potential findings to leadership in the event of an attack, and that means establishing a strong communication path. Whether you're an analyst in the Security Operations Center, the director of the SOC or the CISO, you should have a clear means to communicate that suspicious or anomalous behavior up the chain of command. And that chain of command should be ready for this. 

Justin Harvey: [00:18:10]  So if you're an executive, a CISO, a CSO, make sure that you collaborate with the C-suite and the board and let them know all of the plans that you're taking, and that if something were to happen, these are the steps they're going to take. 

Justin Harvey: [00:18:24]  Next is validating that the enterprise's high-value assets are known, labeled and catalogued by the SOC for heightened monitoring. We all know you can't secure that which you do not know exists. So if your business is all about credit cards and credit card data, well, you darned well should know all the databases that your credit cards are in, and also, who's accessing that data. 

Dave Bittner: [00:18:52]  You know, it's interesting to me. I have to wonder, when you talk about potential events like this, is it right to think that an organization who has taken all of the proper steps ahead of time, who is running and using best practices, that overall, it would pretty much be business as usual for them? They already have these things in place. 

Justin Harvey: [00:19:11]  Very good question. The answer is you're absolutely right. If you're doing it right from the start, if you know your high-value assets, if you have great threat intelligence, if you have a resilient enterprise, then this should just merely be a blip on the radar. Yes, you should read the bulletins. Yes, you should double check with the board and the C-suite. 

Justin Harvey: [00:19:33]  And everyone should have a clear understanding of what possible attacks could occur. There's probably not very much technically or procedurally that you would need to do to shore yourself up. So our large clients that I speak with, our financial services clients in particular, they're all prepared. There's nothing really different that they're doing from a technology or process standpoint. They're just bubbling this up and making sure everyone's on the same page. 

Dave Bittner: [00:20:02]  All right, interesting stuff. Justin Harvey, thanks for joining us. 

Justin Harvey: [00:20:05]  Thank you. 

Dave Bittner: [00:20:11]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And don't forget you can get the daily briefing as an Alexa flash briefing, too. 

Dave Bittner: [00:20:21]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIt, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:20:32]  Funding for this CyberWire podcast is made possible by RSA Conference, where the world talks security. Through global events and year-round content, RSAC connects you to cybersecurity leaders and cutting-edge ideas for a safer, more secure future. Learn more at rsaconference.com. 

Dave Bittner: [00:20:51]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: [00:21:00]  Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.