Dave Bittner: Hey, everybody. Dave here with an exciting announcement. We are pretty thrilled to tell you about the launch of our new newsletter. It's called Creating Connections, and it's focused on connecting women in the cybersecurity field all across the globe. The official launch date is August 3, and we will continue publishing monthly on the first Monday of every month. Brought to you by the women in the industry, our very own ladies here at the CyberWire, you are invited to join our league of cyber women and create lasting connections. Learn more and subscribe at thecyberwire.com/ccsubscribe. That's thecyberwire.com/ccsubscribe.
Dave Bittner: Microsoft is in talks to acquire TikTok as the U.S. hints it may be considering action against other Chinese software companies. Three young men have been charged in the Twitter hack. An apparent distributed denial-of-service attack turns out to have been a glitch. We welcome Verizon's Chris Novak to the show. Rick Howard talks incident response. And updates on the Garmin hack suggests shifts in the ransomware threat.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 3, 2020.
Dave Bittner: Microsoft said yesterday that it was in continuing talks to acquire TikTok, the social platform currently owned by Chinese firm ByteDance. The company attributes its decision to talks between its chairman and U.S. President Trump - quote, "following a conversation between Microsoft CEO Satya Nadella and President Donald J. Trump, Microsoft is prepared to continue discussions to explore a purchase of TikTok in the United States," quote. Reuters has reported that ByteDance has agreed to divest its holdings in TikTok to a U.S. owner.
Dave Bittner: The announcement came after the president's statement Friday, reported in The Washington Post, that he intended, on security grounds, to ban TikTok from operating in the U.S. The security issue arises because of the large quantity of personal information the company collects on its users, including their connections with other users.
Dave Bittner: TikTok is unlikely to be the last Chinese software firm to face restrictions on its ability to operate in the U.S. According to the Los Angeles Times, Secretary of State Pompeo has suggested that other firms will soon be receiving similar close scrutiny.
Dave Bittner: U.S. federal prosecutors have charged three youths in connection with the Twitter hack. Graham Ivan Clark, age 17, of Tampa, Fla.; Mason Sheppard, 19, of Bognor Regis, England; and Nima Fazeli, 22, of Orlando, Fla., are the three under indictment. The U.S. attorney for the Northern District of California declined to name Mr. Clark because of his age, but his arrest has been so widely reported by the press in Florida and elsewhere that there seems little point in finessing the identification at this point.
Dave Bittner: The three are alleged to have made contact with one another in the OGUser forum and then to have fraudulently persuaded Twitter employees to yield credentials that enabled them to impersonate high-profile Twitter users in a Bitcoin scam.
Dave Bittner: The specific charges are as follows. The young English gentleman, Mason Sheppard, age 19, who goes by the hacker name Chaewon, is charged with federal counts of conspiracy to commit wire fraud, conspiracy to commit money laundering and the intentional access of a protected computer.
Dave Bittner: Mr. Sheppard's alleged colleague, Nima Fazeli of Orlando, Fla., who goes by the handle Rolex and at the advanced age of 22 is, relatively speaking, the graybeard among the accused, was charged with aiding and abetting the intentional access of a protected computer.
Dave Bittner: The third defendant is the 17-year-old Graham Ivan Clark of Tampa. According to the U.S. attorney for the Northern District of California, quote, "pursuant to the Federal Juvenile Delinquency Act, the Justice Department has referred the individual to the state attorney for the 13th Judicial District in Tampa, Fla." The Tampa Bay Times says that Master Clark's bail was set Saturday at $725,000.
Dave Bittner: Described as the mastermind of the Twitter social engineering and the Bitcoin scam it was allegedly designed to enable, Master Clark faces 30 Florida state counts related to the incident - 17 counts of communications fraud, 11 counts of fraudulent use of personal information and one count each of organized fraud for more than $5,000 and accessing a computer or electronic device without authority. Florida prosecutors intend to charge him as an adult in what they're calling the Bit-con (ph) case.
Dave Bittner: ZDNet has a timeline of the investigation. It appears that the FBI tracked online activity in Discord and OGUsers until they came to points where the three accused used either their real identities or their home IP addresses or both. KrebsOnSecurity describes how the trio attempted some misdirection with chatter, but they'd probably have been better advised to keep a lower profile.
Dave Bittner: The difficulty of attribution is a familiar problem. If you're hit with a cyberattack, it can be, and usually is, hard to tell who the attacker is. The feds moved quickly on the people it thinks responsible for the Twitter hack, but that's the exception, not the norm.
Dave Bittner: But there's a prior problem. Before you attribute an attack to a threat actor, it's good to know that, actually, you've come under attack. That's not always clear. There are problems and outages that can look like an attack but aren't.
Dave Bittner: An example of that occurred over the weekend in Australia, where The Guardian reported that Telstra said its users were hit Sunday with a distributed denial-of-service attack. Service had been disrupted in much of the eastern part of the country. The problems extended to some major cities, Melbourne, Sydney and Brisbane among them.
Dave Bittner: Only it wasn't so. It turned out that while there were outages, there was no attack. Telstra backtracked on its diagnosis soon after it made it. A few hours after warning of the attack, the company announced that it had determined that it was a domain name server issue. The Islander quotes company representatives as saying, "the massive messaging storm that presented as a denial-of-service cyberattack has been investigated by our security teams, and we now believe that it was not malicious, but a domain name server issue. We're really sorry for getting in the way of your weekend plans," end quote. The problems were resolved by 2:30 in the afternoon, local time.
Dave Bittner: BleepingComputer confirmed Saturday that Garmin, indeed, obtained a key for WastedLocker. The outlet says that it knows of no way Garmin could've obtained the key other than by paying the ransom the hacker demanded, the hacker widely believed to be the Russia-based Evil Corp gang. WIRED sees the Garmin attack as a disturbing harbinger of more to come. The gangs appear to be hitting more sophisticated, richer and better-protected targets, and they're asking for an order-of-magnitude more ransom.
Dave Bittner: There are some implications for election security as well. Both the U.S. departments of Justice and Homeland Security have warned of the disruptive effects on election systems that a ransomware attack can have.
Dave Bittner: And joining us once again with a preview of his "CSO Perspectives" podcast is our own Rick Howard, the CyberWire's chief analyst and chief security officer. Rick, welcome back.
Rick Howard: Hey, Dave.
Dave Bittner: So this week, you are covering a topic that I find endlessly fascinating, and I'm not being sarcastic there; I'm being sincere, and that is - yeah, and that is incident response. Take us through how you're coming at this this week.
Rick Howard: Well, here's my big, fat hot take. All right, you ready for this?
Dave Bittner: Yeah.
Rick Howard: Incident response is not rocket science, OK? So...
Dave Bittner: OK.
Rick Howard: Now, if you look at the documents that NIST have put together - they've put a couple of them together. This is the National Institute of Standards and Technology.
Dave Bittner: Right.
Rick Howard: And they say, you know, it's only - you only have to do five things for incident response. You plan, you detect bad guys, you respond to it and then you communicate what you did and then do a post-mortem so you do it better the next time. That sounds pretty simple.
Rick Howard: Right? And - but the complicated part, though, is managing all the pieces within your organization. That's where it starts to get a little tricky, right?
Dave Bittner: Yeah.
Rick Howard: Because it turns out that if there is something material to the business going on, some penetration - all right? - somebody in the organization has to coordinate all these activities across multiple functions of the company because as soon as the technical teams discover that it's real, as opposed to maybe it's real, all right, now we're talking lawyers, we're talking PR people, we're talking finance people. Everybody has a say about how to do this, right? And it turns out that most CSOs, they don't own most of those functions in terms of responsibility, right? In fact, you know - and that's a big deal, all right?
Dave Bittner: Yeah, yeah.
Rick Howard: That's a huge deal. In fact, most cases, they're pretty much low men on the totem pole for these kinds of things. So it is difficult to coordinate that when you're not the one in charge of everything.
Rick Howard: But I was talking to an old friend of mine whose name is Jerry Archer. He is the CSO of Sallie Mae Bank. He's been there for 11 years. And I talked to him or convinced him to sit down at the Hash Table with me to discuss, you know, how he does incident response, and I discovered that his organization is unique and will probably be the envy of every CSO in the business, right? He - because he owns the entire security function inside Sallie Mae, and he built it that way from scratch when he first started. So let me run a clip from him. Here's what he said.
Jerry Archer: The organization that's under me is basically a converged security organization that has both physical and logical security merged into one organization. So we manage everything security-related for the firm.
Jerry Archer: One of the things that's probably most interesting about that model is, as we're going to talk about incident response, because we have a converged security organization, we have a very robust capability that we use a lot of our physical security guys as part and parcel to our incident management scheme. So the converged organization works very well in that incident management or incident response kind of a scenario.
Jerry Archer: We, early on, Rick, created a strategy that we called aggregate, automate and accelerate. And so the theory of the case that we presented to executive management and got by into early on was the idea that we needed to leverage scarce security resources. So a lot of resources associated with security are very scarce, hard to find, hard to keep. And so we said, look; we need to aggregate everything security so we can take advantage of that. So that was the aggregation part. And, again, we got synergies from both sides working together in a holistic manner to create a strong security presence in the firm.
Jerry Archer: And then the next thing that we said to the executives and, frankly, the board of directors was we wanted to automate. So again, we could use the tools that - you know, all the tools that we could find to heavily automate our environment, take advantage of the automation to get rid of routine kinds of work and focus on more relevant things and strategic things versus just doing the arms and legs work every day.
Jerry Archer: And then the idea was accelerate. By doing all those first two things, it gave us the ability to accelerate and keep up with the business as the business changed and new products evolved and so forth. So that was why we - how we sold it to the organization, and I think it's worked very well since then.
Rick Howard: Now, his strategy of aggregating, automating and accelerating was way ahead of its time. You know, and it's so compelling that when he told his board that's what he wanted to do, they gave him permission to do this. So it's really amazing stuff.
Dave Bittner: You know, I have to ask you, Rick, I mean, my perception on incident response is that - I don't know - almost - I guess it's almost funny to say it, but it seems to me like your success in responding to an incident is directly proportional to your amount of preplanning for the incident. Is that accurate to say?
Rick Howard: It absolutely is, and you can look at some of the public incident responses - you know, things we've seen in the news. And we all can sense the companies that are doing it wrong because they appear to be fumbling. Like, this is the first time they've ever considered it, that they might have to explain this to the public.
Rick Howard: And then there's other companies that do it completely right. You know, they're rolling it out, and it's, yeah, that sounds reasonable, and the news kind of goes away. So the reason those companies are good at it is that they've actually practiced, and that's one of the things we talk about in the show - that you need to have very simple exercises where you run your executives through potential scenarios not so they can do it verbatim, but so they're not being exposed to it the first time when the big crisis happens.
Dave Bittner: Yeah. All right, well, it's "CSO Perspectives." It is part of CyberWire Pro. Do check it out. Rick Howard, thanks for joining us.
Rick Howard: Thank you, sir.
Dave Bittner: And I'm pleased to be joined by Chris Novak. He is the director of the Verizon Threat Research Advisory Center. Chris, it is great to have you on board. We're excited to have you join us as a partner here, along with Verizon. Welcome to the CyberWire.
Chris Novak: Thanks. Happy to be here.
Dave Bittner: So before we get going, I just figured we'd use this first opportunity together to get to know you a little bit, let our audience learn a little bit about you. Can you take us through your career journey? How did you get your start, and what led you to where you are today?
Chris Novak: Sure, yeah. So kind of an interesting journey, indeed. Actually started with an electrical engineering background, playing with hardware, circuit design, things like that and started out thereafter moving into industrial control systems and operational technology and then eventually going into the IT and IT security side. And the whole cybersecurity aspect really just fascinated me. And so from there, I kind of went into the journey of helping organizations build security apparatus for their IT infrastructure. And as things went on, organizations started recognizing, hey, something looks funny with my website. Looks like someone might've defaced it. Let's do an investigation. And then that led to the growth of incident response.
Chris Novak: And I'm actually one of the co-founding members of the incident response team here at Verizon and, you know, help organizations all around the world to deal with, you know, incidents of various, you know, shapes and sizes, from financial fraud to theft of intellectual property to, you know, cyber-espionage and terrorism and, really, has kind of just kind of taken off into an interesting journey down the incident response and digital forensics and threat intelligence side of things ever since, and it's just been an exciting journey.
Dave Bittner: Can you give us some insights? What do having the resources of an organization like Verizon behind you - what does that bring to bear in terms of the capabilities that you and your team are able to bring to the table?
Chris Novak: Yeah, it's a really interesting aspect. So actually, before I came to Verizon, I worked at an organization called Cybertrust. Verizon acquired them in 2007. And initially, the reaction a bunch of us had was, we're being acquired by a telephone company. And then we started looking at it, going, whoa, we're being acquired by a telephone company.
Dave Bittner: (Laughter).
Chris Novak: This company has access to all sorts of interesting resources, and one of them being, you know, a giant portion of the internet backbone. Think about that from an incident response standpoint, if you can actually see what's happening on the internet. The way I describe it to people who don't quite get it is, you know, if you've ever seen the movie "The Matrix," that point where you can suddenly start to see how it all fits together. And I tell people when you have access to the internet backbone and you're doing incident response, you can start to see how packets flow in ways to places from places that if you didn't actually have optics into the backbone itself, you'd really be missing a big piece of the picture.
Chris Novak: So that's honestly been a fantastic and an exciting part of kind of the interesting capabilities and resources that we can really bring to bear when we do an incident response or when we're researching something from a threat intelligence perspective.
Dave Bittner: And so what is your day-to-day like these days? What sort of things keep you busy?
Chris Novak: Everything. Ransomware has been a big thing on the rise. I think everyone has seen quite a bit of that. In fact, you know, we produce our annual Data Breach Investigations Report, and we saw so many ransomware cases just in the last year, it actually had almost a skewing effect in the data. We had to actually produce some of the charts that show, this is what it looks like if you include ransomware in the data, and this is what it looks like if you exclude it, depending on, you know, what your threat model looks like.
Chris Novak: But then we also see a fair amount of, you know, everything from your credit card breaches to, you know, your, like you said, intellectual property theft. And then also, you know, as it relates to things like, you know, COVID, there's obviously a lot of new and interesting angles in which we're seeing organizations be targeted from a - you know, purely from a social engineering as well as in a phishing perspective.
Dave Bittner: All right. Well, Chris Novak, welcome to the CyberWire. We're looking forward to continuing discussions with you. Glad to have you on board.
Chris Novak: Thanks.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.