The CyberWire Daily Podcast 5.11.20
Ep 1085 | 5.11.20

Cyberattacks with kinetic consequences. Thunderspy and evil maids. Developing background to the US bulk power security executive order. Conspiracy theories and the culture of social media.


Dave Bittner: [00:00:04] A cyberattack with kinetic effect. Shiny Hunters post more stolen wares online. Thunderspy and evil maids. Some developing background to the U.S. bulk-power state of emergency executive order. Contact tracing apps - reliability, privacy, security, familiarity and rates of adoption all raise questions. The economic consequences of the pandemic emergency. Caleb Barlow provides historical context for incident action plans. Our guest is James Yeager from CrowdStrike with results on their latest Global Threat Report. And the reappearance of the yellow press in social media. 

Dave Bittner: [00:02:17]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 11, 2020. 

Dave Bittner: [00:02:26]  Israeli authorities now see the April incident that affected the country's water system as an Iranian cyberattack, the Washington Post reports, and various unnamed sources in other nations' intelligence services have reached the same conclusion. Axios says that an Israeli cabinet meeting last week took the matter up. A range of defensive and retaliatory operations are under consideration, but these are being balanced against the risk of escalation. An attack on water distribution systems is especially troubling since it aims at producing kinetic disruption of a system that broadly supports ordinary, daily civilian life. 

Dave Bittner: [00:03:05]  The Shiny Hunters gang has continued to post stolen data for sale on the dark web, according to BleepingComputer. The databases so far on offer contain 73.2 million user records stolen from 11 different companies. More are probably on the way. The companies whose data have so far been exposed include Tokopedia, Home Chef, Bhinneka, Minted, StyleShare, GGuMim, Mindful, Star Tribune, ChatBot (ph), The Chronicle of Higher Education and Zoosk. 

Dave Bittner: [00:03:38]  The Eindhoven University of Technology has issued a report on a new vulnerability, Thunderspy. PCs manufactured before 2019 that use the Thunderbolt connection are affected, The Verge reports. Exploitation requires physical access to the device, an effectively executed evil-maid attack. That is, someone with unsupervised access to the device could compromise it rapidly. Remote exploitation is not regarded as a realistic possibility. 

Dave Bittner: [00:04:07]  A US Department of Commerce Section 232 investigation that followed issuance of Executive Order 13920, "Securing the United States Bulk-Power System," suggests that concerns the executive order addressed may amount to more than a priori possibilities. Commerce is considering national security grounds for extending tariffs on steel to cover material used in fabricating transformer cores. Control Global cites sources who say acceptance testing found hardware back doors in, quote, "a very large bulk transmission transformer from China," end quote. Thus, the Department of Commerce will determine whether national security requires tariffs to support a domestic transformer industry. The presence of hardware back doors in imported equipment, if confirmed, would seem to move the executive order away from a play in Sino-American trade competition and clearly into the realm of national security. 

Dave Bittner: [00:05:04]  An essay in Foreign Policy describes how Germany's push to deploy a contact-tracing app has flagged. A symptom-tracking app produced by the Robert Koch Institute achieved gratifyingly high rates of initial voluntary adoption before falling from favor after researchers belonging to the Chaos Computer Club, an association of independent researchers, reported that the app ran large quantities of private data through centralized servers and data repositories. 

Dave Bittner: [00:05:32]  The German-led Pan-European Privacy-Preserving Proximity Tracing Initiative was also initially well received, but it, too, fell out of favor after a mid-April open letter from a group of scientists and researchers made a general criticism of contact-tracing apps and their susceptibility to mission creep against the background of European privacy rules. The current position is to default to decentralized exposure notification systems like those jointly developed by Apple and Google. 

Dave Bittner: [00:06:02]  So there's a dilemma. The original domestic systems touched national sensitivities about surveillance grounded in the experience of both the National Socialist period and the more recent East German communist system of social control by the Stasi, and defaulting to Apple and Google is seen by many as handing tech leadership over to foreign companies. 

Dave Bittner: [00:06:23]  The security research team at CrowdStrike recently released the latest edition of their Global Threat Report. James Yeager is vice president - public sector at CrowdStrike, and he joins us with their findings. 

James Yeager: [00:06:34]  Yeah. So there's a number of significant trends that we can highlight from this past year's report. I think one of the first things to point out is a shifting threat landscape of malware versus malware-free originated attacks. And the trend towards malware-free tactics has accelerated over the past year, with malware-free attacks finally surpassing the volume of malware attacks in an exponential way. So in 2019, 51% of the attacks used a malware-free technique, compared to 40% of the malware-free - of the attacks being malware-free in 2018. So pretty significant rise there. 

Dave Bittner: [00:07:13]  And what does that mean, malware-free? What falls into that category? 

James Yeager: [00:07:17]  Right. So, you know, the TTP is going to be using lateral movement, living-off-the-land techniques, using known systems, applications and processes versus having a payload be predominately delivered by malware only. 

Dave Bittner: [00:07:32]  What are the takeaways from this year's Global Threat Report? What are the things you want people to learn from it? 

James Yeager: [00:07:38]  Yeah, so I do think that, you know, we should take a step back from a security policy development perspective. You know, a lot of security - you've probably heard the term - a lot of security - attention is being shifted towards hygiene, and rightfully so, right? So some basics, like making sure that two-factor authentication should be established as a baseline for all users - you know, today's attackers have proven to be adept at accessing and using valid credentials quickly, leading to deeper compromise. 

James Yeager: [00:08:07]  And then the other thing to do is really try and figure out how you can employ speed - right? - 'cause speed is a highly coveted asset in cyber, and the adversaries have it. They harvest it. They gain it. They leverage it. And it's a major disadvantage for our defenders, right? So we are encouraging our, you know, protectors to find ways that they can be more proactive and hunt to not always be on their heels and playing that game of whack-a-mole. 

James Yeager: [00:08:36]  And one of the concepts that we're urging organizations to pursue and a model that we want them to develop is the 1-10-60 rule. If you're unfamiliar, it's a model that effectively allows cyberdefenders to combat the most sophisticated cyberthreats. And the construct is built this way. So the 1 stands for, you know, one minute to detect intrusions. The 10 stands for 10 minutes or less to investigate and fully understand the full depth and breadth of the threat. And the 60 stands for contain and eliminate the adversary from the environment with confidence. And so it's a high benchmark, right? But in today's day and age, for cyber, we should be ambitious, right? Our standards of excellence and performance for defending our nation's most precious assets should be very high. And so we're asking all of our customers to try and develop their security program around that model. 

Dave Bittner: [00:09:32]  That's James Yeager from CrowdStrike. 

Dave Bittner: [00:09:36]  In the US, state and federal public health agencies have been reluctant to adopt too many technological adjuncts to the traditional contact-tracing practice during epidemics. The states, WIRED reports, have shown divergent willingness to automate contact tracing, with Utah being most interested in doing so but with New York, California and Massachusetts having turned down offers of automated tools. These decisions seem to be based more on varying judgments of effectiveness than on concerns about privacy or security. Manual analog approaches are familiar and proven. Automated contact tracing is not. 

Dave Bittner: [00:10:14]  The British government is considering requiring people to install two contact-tracing apps before they're permitted to cross the border between Northern Ireland and the Republic of Ireland, The Telegraph reports. One app is the one developed by the UK's NHSX app, the other an app under development in the Republic. 

Dave Bittner: [00:10:34]  And finally, for all their efforts at de-platforming conspiracy theorists, the ability of social media accounts to monetize their content by maximizing clicks, views and other engagement has outrun the ability of the social media to moderate content and exclude fringe theories from their services. MIT Technology Review sees conspiracy theories as being especially deeply rooted in YouTube culture, and that culture is, above all, one of speed. One video that pushed an anti-vaccine line was posted on a Tuesday afternoon and was taken down Thursday morning for violating the platform's policy against medical misinformation. But in less than two days, it accumulated more than a million views. So various social media seem to be repeating the successful history of yellow journalism. A 19th century publisher might quickly come to feel at home on YouTube. 

Dave Bittner: [00:13:16]  And joining me once again is Caleb Barlow. He is the CEO at CynergisTek. Caleb, it's always great to have you back. We wanted to talk today about incident action plans. You have some specific things you want to cover there. What do you have to share with us today? 

Caleb Barlow: [00:13:30]  Well, so first of all, Dave, this really serves as an introduction to one of my heroes, who I think most people in the security industry have probably never heard of but probably want to learn a lot about, a guy named Alan Brunacini. So Alan Brunacini was the chief of the Phoenix Fire Department. And he's - if you ever spent any time in fire or EMS, and I actually grew up in that world, this guy is a god. And he is the original father of the Incident Command System. And interestingly enough, I'm guessing - I never met the man, but I'm guessing he probably didn't know a whole lot about cybersecurity. But some of the things he thought about and taught have directly parlayed into a lot of the things we're trying to do in responding to cybersecurity incidents. 

Dave Bittner: [00:14:24]  Well, fill us in on some of the details here. 

Caleb Barlow: [00:14:27]  OK. So he founded this concept called the Incident Command System, and we're not going to go into a lot of detail on that in today's podcast. Maybe we'll pick up that at another day. I want to talk specifically about one of his things called an incident action plan. But before we do that, we've got to at least give you a little bit of a broad brush of why the Incident Command System is so unique and why it really matters with cybersecurity. 

Caleb Barlow: [00:14:54]  So the Incident Command System is all about putting together an organized system of roles, responsibilities and operating procedures used to manage an emergency incident. And it's tactical by definition. In other words, it's an org structure when you're in a crisis. And Alan Brunacini came up with this idea when he was dealing with these large wildfires that were spreading across Arizona and California and he needed to coordinate a response between lots of different cities, towns and across two states. And who's in charge? Who's going to make decisions? And how are you going to process through it? 

Caleb Barlow: [00:15:36]  Now, why this is so important in today's world is think about what we're all dealing with as we deal with coronavirus - right? - where, hey, we may need to respond to a cybersecurity incident. Who's going to be in charge? Who's available? Everybody's at home. Who's not sick and can help? And how does that command and control roll from one person to the next? So that's what Alan Brunacini pioneered, and these concepts of the Incident Command System are used everywhere. They're used in governments. They're used in the military. And it's all about how you get organized in a crisis. 

Dave Bittner: [00:16:11]  So what are some of the specific lessons that resonate with you? 

Caleb Barlow: [00:16:15]  Well, one of the things he came up with is this concept called an incident action plan. And remember - and anytime you're responding to a crisis, it's just really about management by objectives. He came up with this concept called an incident action plan or an IAP. And what it does is it lays out a series of events and phases that a response needs to go through. 

Caleb Barlow: [00:16:42]  So if I think about how would I write an incident action plan for cybersecurity, as an example, well, think about our response to, you know, kind of your typical malware infestation. You need to prepare for that ahead of time. You need to identify that, you know, you've got a problem, that you're infected, you know, your SOC needs to fire on this. You need to contain it. You need to eradicate it. And then you need to recover and ultimately go through your lessons learned. Laying out, for example, those six steps would be a very good example of an incident action plan. And what you're going to do in that incident action plan is you're going to talk about the tactics. You're going to commit the resources. And you're going to get everybody rallied around executing on it. 

Dave Bittner: [00:17:28]  So what do some of the elements of an incident action plan look like? 

Caleb Barlow: [00:17:32]  Well, so there are four principal elements of an incident action plan. What do we want to do? Who's responsible for doing it? How do we communicate with each other? And what is the procedure if someone is no longer available to execute the plan? You know, in the case of a wildfire, that would be what happens if somebody gets injured? In the case of a cybersecurity incident in today's world, that might be what happens if someone comes down with coronavirus? We still need to execute the plan. And these plans, Dave, they're typically short. They fit on one page. But the brilliancy of it is, remember; you're working across departments, across agencies, across companies to get this IAP executed. 

Dave Bittner: [00:18:16]  You know, one of the things that strikes me about the incident that we're in right now with coronavirus is that I think it has a lot of people taking a closer look at the depth of their bench because I think a lot of organizations had sort of planned around what happens if one person gets sick, what happens if a couple people are unavailable. And this is a situation where it could become more serious than that. 

Caleb Barlow: [00:18:41]  It absolutely could. And I can tell you the biggest failure most people have in responding to a large-scale cybersecurity incident is they're looking to their org structure to make decisions. You know, the CEO is not the right person to decide when and how you need to eradicate malware on your environment and probably also not even the right person to decide whether you're going to pay a ransom. You really need those things thought out, ideally ahead of time. But then you want to bring expertise to the table. So one of the things, again, that Alan Brunacini pioneered is it doesn't matter what your title is. The person in charge is the person that's most trained in the type of response that you need, regardless of who they work for or where they work. And that command and control can pass from one person to the next person to the next as more seasoned and skilled people respond to the incident. 

Dave Bittner: [00:19:37]  All right. Well, some good lessons there. Caleb Barlow, thanks for joining us. 

Dave Bittner: [00:19:47]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:20:07]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a ProofPoint company and the leading insider threat management platform. Learn more at 

Dave Bittner: [00:20:19]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.