The CyberWire Daily Podcast 2.26.20
Ep 1032 | 2.26.20

Chrome zero-day patched. Ransomware against infrastructure. Notes from RSAC 2020. Julian Assange’s extradition hearing.

Transcript

Dave Bittner: [00:00:05] Google patches a Chrome zero-day. Ransomware attacks against infrastructure. DoppelPaymer prepares to dox its victims. How CISA and NSA cooperate. Dallas County, Iowa, finally drops charges against pen testers. Mr. Assange's evolving defense against extradition to the U.S. Notes on RSAC 2020. And if you were a superhero, which superhero would you be? 

Dave Bittner: [00:00:36]  And now a word from our sponsor ExtraHop, securing modern enterprises with network detection and response. Security teams today want to say yes to cloud adoption, just like they want to support enterprise IoT and edge computing. But the more complex your architecture, the less you can trust your perimeter to keep threats out. When attackers make it into your environment, you need to be the hunter, not the hunted. ExtraHop helps organizations like Home Depot and Credit Suisse detect threats up to 95% faster with the context they need to act immediately. Visit them at RSA for a full product demo of threat detection and response for cloud, multicloud and hybrid enterprises, or learn more at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:01:54]  Coming to you from the 2020 RSA Conference in San Francisco, I'm Dave Bittner with your CyberWire summary for Wednesday, February 26, 2020. 

Dave Bittner: [00:02:05]  Google has patched a Chrome zero-day that's undergoing active exploitation in the wild. Mountain View isn't saying much about how, where or by whom the vulnerability is being exploited. It's CVE-2020-6418. In fact, Google's not really saying anything at all, confining itself to this terse observation: "Google is aware of the reports that an exploit for CVE-2020-6418 exists in the wild." The zero-day is a type confusion issue, one in which an app initiates data execution of a certain type of input but is subsequently fooled into treating the input as a different type. Exploitation could give an attacker the ability to run malicious code within an application. Two other non-zero-days are also fixed in the update. Users are advised by multiple experts to patch. 

Dave Bittner: [00:02:55]  Energywire says the Coast Guard has confirmed that the ransomware attack against a natural gas facility CISA warned of on February 18 was, in fact, the same incident the U.S. Coast Guard reported in a December Maritime Safety Information Bulletin. Dragos offered the same evaluation last week. FireEye notes the ways in which industrial systems have become increasingly attractive targets for ransomware operators. The extortionists are now frying bigger fish than heartland school districts. 

Dave Bittner: [00:03:24]  Concerns about ransomware are high on the list for those charged with defensive infrastructure, as FCW reports CISA Director Krebs observed this week at RSA. As if to give point to those concerns, a small electrical utility in Massachusetts, the Reading Municipal Light Department, has disclosed that it sustained a ransomware attack last Friday. 

Dave Bittner: [00:03:47]  Another big trend in ransomware is stealing files in addition to simply encrypting them. Bleeping Computer notes that the operators of DoppelPaymer ransomware have now adopted the increasingly common tactic of adding doxing to the traditional threat of data loss. DoppelPaymer has established a site where it will post private files stolen from victims who decline to pay the ransom. 

Dave Bittner: [00:04:09]  An RSAC panel hosted by CyberScoop featured the directors of two major U.S. agencies - NSA's Cybersecurity Directorate, led by Anne Neuberger, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Directorate, led by Christopher Krebs. The organizations see their roles and missions as complementary and offering a good scope for collaboration. Work against the Russian influence operations and other information operations that targeted the 2016 elections and that have since continued spurred more effective information sharing. And Microsoft's January patches provided an important opportunity for the two agencies to reach out to the public on an urgent matter of online security. 

Dave Bittner: [00:04:50]  Dallas County, Iowa, has ended its bungling and discreditable treatment of two Coalfire penetration testers, dropping all felony, burglary and criminal trespass charges against them, Infosecurity Magazine reports. 

Dave Bittner: [00:05:05]  In another legal case, the extradition hearing in the matter of Mr. Julian Assange continues at Woolwich Crown Court. Reuters reports that barristers working on behalf of the WikiLeaks proprietor branded U.S. allegations that Mr. Assange helped the then U.S. Army Specialist Bradley Manning hack into classified systems as lies, lies and more lies - a position that the American prosecutors, of course, are unwilling to accept. Mr. Assange's counsel also took on another central U.S. contention that WikiLeaks' publication of material then-Specialist Manning stole put lives at risk. On the contrary, argued lawyer Mark Summers. When Mr. Assange learned that unredacted copies of the material he'd received and prepared to share with various media were about to become public, he tried to warn U.S. authorities, calling the State Department and asking to speak with then-Secretary Hillary Clinton to warn her that lives were on the line and that something needed to be done. She didn't take his call, Mr. Assange's defense team said, and no one got back to him in the promised couple of hours. 

Dave Bittner: [00:06:08]  Keith Mularski held leadership positions with the cybersecurity team in the Pittsburgh office of the FBI. And under his team's watch, several high-profile criminals and organizations were brought to justice. These days, Keith Mularski is with the team at EY. He stopped by our booth at RSA to share his insights. 

Keith Mularski: [00:06:27]  I had spent 20 years at the FBI. And, you know, at that time, you're eligible to retire. It's just a great opportunity to kind of still continue fighting the fight, but just from the other side. Ernst & Young gave me just a great opportunity to come and be a leader in their cyber practice and continue doing threat intelligence and incident response and being able to help clients just from the other side. So it's been a great transition. 

Dave Bittner: [00:06:51]  What sort of insights have you gained from being on the other side? Has it given you a fresh perspective from what you had before? 

Keith Mularski: [00:06:58]  I think one of the things was the state of cybersecurity is a lot worse than I thought. You know, being on this side, I thought it was a little bit better. The other thing is just it's all about defense, you know, whereas when I was in the FBI, you know, it was - you're doing offensive, defensive and investigations. So it is a little bit of a different beast, but fun nonetheless. 

Dave Bittner: [00:07:22]  So in terms of the things you have your eye on these days, particularly when it comes to ransomware, what are you and your colleagues at Ernst & Young focused on? 

Keith Mularski: [00:07:30]  So when I look at ransomware, I really look at that as probably the biggest cybercriminal threat affecting companies today. You know, in the past, you know, you had different banking Trojans, and they were doing account takeovers. Over the last five, six years, the banks have gotten really good at stopping big wire transfers going out. So these organized crime groups - it's not profitable to do those big wire transfers because they're just not as successful. But they're leveraging that access that they had now to do what we're calling enterprise hunting ransomware, or big game hunting ransomware. 

Dave Bittner: [00:08:09]  I'm curious, too. I mean, from your point of view, I know the line from the FBI forever has been, don't pay the ransom. 

Keith Mularski: [00:08:17]  Right. 

Dave Bittner: [00:08:17]  Now that you're on the other side, has your - do you still believe that's the way to go? 

Keith Mularski: [00:08:22]  Well, yeah. I mean, I believe that you shouldn't pay the ransom because that's just giving money to a criminal organization. 

Dave Bittner: [00:08:28]  Right. 

Keith Mularski: [00:08:29]  And I believe that if you have really good cyber hygiene and security practices put in place that you could prevent the majority of these attacks. And so you shouldn't even be in a position to have to pay these ransoms. So, you know, what you really want to kind of do with these groups is kind of put together a playbook because they all do follow a pattern. And once you know their playbook, you can build defenses around that. 

Dave Bittner: [00:08:53]  Yeah. Everybody has a limited budget, right? And they have to allocate the various things that - you know, dial in the percentages to various things. What's your tips for folks who have ransomware front of mind? How should they be approaching that from a practical point of view? 

Keith Mularski: [00:09:09]  Well, I think you have to use intelligence to really drive your business practice. You really need to understand where your crown jewels are. You need to be able to know where your risks are and make a business decision based on a risk, you know? Can you be a hundred percent secure? Absolutely not. But you need to manage, you know, your risk to a level where you're comfortable that, hey, my spend is at this right level to lower my risk to this level, and that's acceptable, you know, for that. And that's what you have to do. And the only way to do that is really to have good intelligence on where your crown jewels are and, also, you know, the techniques and tactics used by the threat actors out there. 

Dave Bittner: [00:09:49]  Well, what are you tracking in terms of evolution in these ransomware groups, how they're coming at people? What are the trends there? 

Keith Mularski: [00:09:56]  Yeah. So one of the biggest trends that we're seeing lately is because, you know, people are - don't want to pay the ransom, you know, or they're restoring from backups. You know, what we're seeing then is now a couple of the groups - I just saw DoppelPaymer. Maze is another group right now where - since they're in your network for 30 to 45 days, they're stealing documents. And now they're saying, if you don't pay the ransom, now we're going to post your confidential documents. So we're seeing a trend for them to try to really make sure that they get that money, you know, from you. 

Dave Bittner: [00:10:28]  Turn up the heat. 

Keith Mularski: [00:10:29]  Turn up the heat a little bit. 

Dave Bittner: [00:10:32]  Yeah (laughter). 

Dave Bittner: [00:10:32]  That's Keith Mularski from EY. 

Dave Bittner: [00:10:35]  To return to RSAC 2020, what's our sense of the conference this year? We will say that the event is well-attended despite the last-minute high-profile cancellations announced last week. It is perhaps a bit more subdued than we've seen in previous years. Some of the sense of reserve is no doubt due to concerns about COVID-19, the coronavirus strain that prompted those eleventh-hour withdrawals. Hand sanitizer stations are much in evidence, and people seem less apt to shake hands. More generally and with respect to the business of cybersecurity, we're getting a vibe that people see small businesses, the mom and pops, as underserved by the sector. 

Dave Bittner: [00:11:15]  Finally, inspired by Cisco's launch of its SecureX platform at RSAC and especially by the news that SecureX's internal name had been Thanos, MarketWatch wonders what superheroes exemplify the spirit of various cybersecurity companies. Technically, Thanos is a supervillain, but we'll leave that aside. They confined themselves to the Marvel Universe, so DC superheroes need not apply. Iron Man was the superhero most companies chose as their muse and role model, followed by captains America and Marvel, with Sue Storm, Vision, Shuri, Dr. Strange and Ant-Man - the Hank Pym version, thank you very much - also crossing the finish line. To our industry's shame, not a one of them chose Dr. Charles Xavier, the Silver Surfer - an obvious choice, one would think, for any browser security vendor - or the Ancient One - sad. MarketWatch had some suggestions for the various companies they talked to. And their suggestions struck us as better than the company's preferred superheroes - again, sad. For our part, we call J. Jonah Jameson. He's what you call high energy. 

Dave Bittner: [00:12:30]  And now a word from our sponsor LookingGlass Cyber. Organizations have been playing a dangerous game of cyber Jenga, stacking disparate security tools, point solutions and boxes one on top of the other, hoping to improve their security posture. This convoluted and overloaded security stack can't hold up in today's microsegmented, borderless and distributed networks. As the enterprise network grows, organizations need a flexible protection around their unique network ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale their protection to fit their needs with one integrated software solution requiring no specialty hardware. Meet the Aeonik Security Fabric. Learn more at lookingglasscyber.com. That's lookingglasscyber.com. And we thank LookingGlass Cyber for sponsoring our show. 

Dave Bittner: [00:13:45]  And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, great to have you join us here at RSA 2020. 

Justin Harvey: [00:13:54]  It is great to be here. 

Dave Bittner: [00:13:56]  (Laughter). 

Justin Harvey: [00:13:56]  Hopefully, we're coronavirus free. 

Dave Bittner: [00:13:58]  I know. I know. Everybody's fist-bumping and rubbing elbows... 

Justin Harvey: [00:14:01]  (Laughter) Yes. 

Dave Bittner: [00:14:01]  ...Instead of shaking hands. 

Justin Harvey: [00:14:02]  Exactly. 

Dave Bittner: [00:14:02]  There's lots of hand sanitizer being distributed just about everywhere. You've had a little bit of time to walk around and take in some of the sights to see. What's your sense so far on this year's RSA Conference? 

Justin Harvey: [00:14:15]  Well, my sense so far is it is - there are so many vendors out there. 

Dave Bittner: [00:14:20]  Yeah. 

Justin Harvey: [00:14:21]  You have Moscone North, which is several football field-size... 

Dave Bittner: [00:14:25]  (Laughter). 

Justin Harvey: [00:14:26]  ...Full of vendors. Then you've got the tunnel between the two. It has a lot of startups, smaller booths. 

Dave Bittner: [00:14:31]  Right. 

Justin Harvey: [00:14:32]  And then you have Moscone South, which is, again, the same footprint as Moscone North - several football fields of vendors. 

Dave Bittner: [00:14:39]  Right. 

Justin Harvey: [00:14:39]  And we're seeing a few common themes. The first theme is that it seems that there is a lot of technical solutions looking for business problems. 

Dave Bittner: [00:14:48]  Oh. 

Justin Harvey: [00:14:49]  So there are so many vendors out there - and I often wonder if I was a CISO or part of the C-suite of a, heck, even a small-, medium-sized business, let alone a G2000 company - it is absolutely overwhelming, all of the blitz of vendors. There are intelligence vendors. Everything is intelligence-led or intelligence-embedded. 

Dave Bittner: [00:15:12]  Right. 

Justin Harvey: [00:15:12]  There are platform plays. And everyone says they have a platform. Even if you have a little point solution, it's better to... 

Dave Bittner: [00:15:19]  Right. 

Justin Harvey: [00:15:19]  ...Call it a platform... 

Dave Bittner: [00:15:20]  Right. That's like... 

Justin Harvey: [00:15:20]  ...Than a point solution. 

Dave Bittner: [00:15:21]  ...Years ago, it was not just a product; it's a solution. 

Justin Harvey: [00:15:23]  Exactly. 

Dave Bittner: [00:15:24]  Now it's a platform, right? 

[00:15:26]  (Laughter). 

Justin Harvey: [00:15:26]  Exactly. And I - you know, there's all of the normal cast of characters that you would expect - all of the big vendors out there, like the FireEyes, the Ciscos, the Gigamons, the Palo Altos. They're all out there. 

Dave Bittner: [00:15:38]  Yeah. 

Justin Harvey: [00:15:39]  And then you've got your medium and smaller players out there. There's an equal mix of cloud and threat detection, endpoint, network. But we're also seeing a resurgence of identity and access management solutions and privileged access monitoring, so I think that's really picking up, and less and less on the GRC side and less on regulation. 

Dave Bittner: [00:16:05]  What do you think is driving those trends? 

Justin Harvey: [00:16:07]  Well, I think just like we put out in our Cost of Cybercrime report a few weeks ago, the number of incidents and number of breaches are going up, and the average cost of breaches are also going up. We've been tracking it with the Ponemon Institute for the last five years, and it has gone up 72% in the average cost of a breach. And just in this last year alone, it's gone up 13.7%. So there are more breaches happening, clearly. 

Dave Bittner: [00:16:38]  Right. 

Justin Harvey: [00:16:38]  And they are costing a lot more. So we're seeing a lot more vendors out there. But I do believe this is probably - I think we're nearing the end of the line here. 

Dave Bittner: [00:16:49]  (Laughter). 

Justin Harvey: [00:16:49]  I think the bubble is about to burst (laughter) on these companies. 

Dave Bittner: [00:16:53]  Just earlier this week, I was talking to someone who is a VC funder. And she was saying that there's so many of these companies where it seems as though they don't have so much a product as they have a feature... 

Justin Harvey: [00:17:08]  Right. 

Dave Bittner: [00:17:08]  ...You know, something that would be nice to add to the things that we already have, but it probably can't stand on its own. I wonder how much is this a result of there's so much money in the sector right now that maybe it's not hard to get someone to put a little, you know, juice behind you when you're getting started up - enough to come here and show your wares at RSA. 

Justin Harvey: [00:17:30]  Yeah. I think that there are a lot of point solutions and add-ons out there. But I think the market for those types of organizations with their products is maybe dwindling because if you put yourself in the mind or in the shoes of a CISO, he or she grapples every day with a very large technology stack. It's really hard to continue to add little point solutions on. And every time you buy a piece of software, there is the time invested in procurement and doing the contracts. Then you've got to install and configure it. Then you've got to maintain it and monitor it. So it becomes quite difficult to keep up with all of them. 

Dave Bittner: [00:18:08]  What's your strategy for a show like this in terms of takeaways, of getting out there? You know, what are the things that you want to learn from a big show like this? 

Justin Harvey: [00:18:17]  Well, I'm out here primarily to talk to you, Dave. 

[00:18:20]  (Laughter). 

Dave Bittner: [00:18:22]  Oh, brother. 

Justin Harvey: [00:18:24]  A little pandering there. 

Dave Bittner: [00:18:25]  Yes (laughter). 

Justin Harvey: [00:18:26]  So I'm out here to talk about our services and what we're seeing in the market. 

Dave Bittner: [00:18:30]  Sure. 

Justin Harvey: [00:18:30]  I'm also here to talk to our biggest clients and customers. 

Dave Bittner: [00:18:33]  Absolutely. 

Justin Harvey: [00:18:33]  And I think the tertiary goal is to really walk the floor and look for those nuggets, those diamonds in the rough, because I know I'm not going to find the diamonds in the rough in the big halls, really. 

Dave Bittner: [00:18:45]  Yeah. 

Justin Harvey: [00:18:45]  It's going through investment alley, the startup alley with all these little vendors. And you'll find one or two of these that perhaps make good acquisition targets or good partners or allies in the fight. And being able to find these innovative solutions is really core to our business. 

Dave Bittner: [00:19:06]  All right. Well, as always, Justin Harvey, thanks for taking the time out of a busy show to come visit us. 

Justin Harvey: [00:19:11]  Thank you. 

Dave Bittner: [00:19:17]  And that's the CyberWire. For links to all of today's stories, check out our daily news briefing at thecyberwire.com. And don't forget you can get the daily news briefing as an Alexa flash briefing, too. 

Dave Bittner: [00:19:27]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. Funding for this CyberWire podcast is made possible by RSA Conference, where the world talks security. Through global events and year-round content, RSAC connects you to cybersecurity leaders and cutting-edge ideas for a safer, more secure future. Learn more at rsaconference.com. 

Dave Bittner: [00:19:58]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rick Howard, Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. A quick thanks to everyone who stopped by to visit us here at the RSA Conference. We will be here through the week, and it's really great to meet you all. Come on by. Grab some stickers. Say hello. Thanks for listening. We will see you all back here tomorrow.