The CyberWire Daily Podcast 9.3.20
Ep 1166 | 9.3.20

Cyberattacks in Norway under investigation. Developments in the criminal marketplace. Scammers do TikTok. Disrupting school, from Florida to Northumberland.

Transcript

Dave Bittner: Updates on cyberattacks against Norway's Parliament and the Hedmark region; a popular TikTok page is infested with scammers. Magecart's Inter scanner gains criminal market share; Thomas Etheridge from CrowdStrike on the many potential benefits of outsourced threat hunting. Our guest is Lauren Bean Buitta from Girl Security on closing the gender gap in national security. And are you heading back to school in Miami? Not so fast, kids.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 3, 2020. 

Dave Bittner: The cyberattack Norway's Parliament sustained last week has been followed by a second series of attacks directed against public employees in the Hedmark region. The attacks on the Parliament involved unauthorized access to email accounts of members and employees, according to The New York Times. The campaign was well-distributed across party lines, with members of Labour, the Conservatives and the Center Party affected. Norway's PST police intelligence agency is investigating. So far, the origin and motive of the attacks on parliamentary email are unknown, but a hostile intelligence operation hasn't been ruled out. The Hedmark attacks, on the other hand, are being attributed to foreign swindlers, News in English reports.

Dave Bittner: While scrutiny of TikTok has concentrated on the platform's potential national security threat, Tenable finds that TikTok's loose moderation practices may have made it an actual haven for criminal activity. Tenable researchers say that TikTok's popular For You page is infested with fake mobile applications, diet pills, drop-shipped goods, fake gift cards and other scams. 

Dave Bittner: Researchers at RiskIQ say they found Magecart's Inter Skimmer active in more than 1,500 sites. The Inter Skimmer kit is now a popular criminal-to-criminal product. 

Dave Bittner: The Miami-Dade School District attempted to open online learning Monday, but with decidedly mixed results, WPLG reports. The district seems to have faced a cascading series of problems - some glitches, some attacks - and has responded with a mix of remediation and delegation of improvisation to individual teachers. Miami-Dade County Public Schools Superintendent Alberto Carvalho said the problems Monday arose from what he called the catastrophic failure of a Cisco software connectivity switch, which required an upgrade. They worked with Cisco overnight and had the switch issue resolved Tuesday. When school opened Tuesday, however, students and parents were effectively blocked from accessing distance learning resources by a distributed denial-of-service incident, which Superintendent Carvalho characterized as an attack. The district has been working with its internet service provider, Comcast, to resolve the attack. The district has been paraphrased in local media as saying that its cyber wall held, which is probably true enough but also beside the point, since a DDoS attack is generally used to keep people out and not, unless it's being used as a misdirection, to break into an enterprise. The Miami-Dade School Police are investigating and doing so in conjunction with both the FBI and the Secret Service. 

Dave Bittner: Miami-Dade had contracted with the company K12 for its distance learning services, and the board is now looking into the $15.3 million contract and asking what would seem to be obvious questions like, who actually signed that contract? The Miami Herald says it was a no-bid contract and that the superintendent's signature isn't on the actual contract itself, so who actually bought the services? And, of course, people are upset about the services' lack of resilience. The district will be busy looking into these matters for some time to come. These observations are not intended to pile onto Miami-Dade, which is surely having more than its fair share of trouble this week, but rather to take note of how difficult it is to improvise a comprehensive system of delivering kindergarten through high school education when you're under pressure of time and working under inevitably unfamiliar circumstances. 

Dave Bittner: Improvisation is going on, however, and much of it seems to be the work of individual teachers who've set up Zoom and other remote collaboration tools for their students. And yesterday, the district delegated authority to improvise. Teachers in grades six through 12 will now have the ability to create their own classroom by way of Microsoft Teams. This is surely to be applauded, but it's also surely destined to come up short for a lot of kids and not only for those who are reluctant to be in school in the first place. If there's a general lesson to be learned here, it's the importance of testing and exercising contingency plans. Again, this isn't to pile on to Miami-Dade, but risk managers might take note.

Dave Bittner: The challenges of distance learning aren't confined to primary and secondary education, nor are they confined to North America. In the U.K., Northumbria University has shuttered its Newcastle upon Tyne campus because of a major cyberattack it sustained. Computer Weekly reports that the university said that an unspecified cyber incident had caused significant operational disruption. More than that Computer Weekly couldn't say. They tried calling the university, but the phones were all down. Infosecurity magazine said this morning that, while the university hasn't said what hit it, the incident looks like ransomware to them and to others. The story is still developing. 

Dave Bittner: And to return to Miami-Dade, Superintendent Carvalho has said, earlier this week, that the cyberattack his schools sustained appeared to come from both foreign and domestic sources. That's to be expected in a DDoS attack. The bots, after all, really don't pay too much attention to their nationality or home-of-record. But a root cause may be very close to home. This morning WPLG reports police arrested a 16-year-old high school junior who admitted to setting up the DDoS attack that took the district offline. WPLG gives the kid's name. We won't because as bad as the behavior is, he's only 16. And they say he has no prior criminal record. The student at South Miami Senior High School - go Cobras, by the way - confessed to orchestrating eight distributed denial-of-service cyberattacks designed to overwhelm district networks, including web-based systems needed for My School Online. He's been charged with computer use in an attempt to defraud - that's a felony - and with misdemeanor interference with an educational institution. The district thinks there might be other people involved, and it wants any other perpetrators to know that they're going to be tracked down and apprehended and that this time, it won't be detention. 

Dave Bittner: Girl Security is a nonprofit organization whose mission is to close the gender gap in national security through learning, training and mentoring support for girls. Lauren Bean Buitta is founder and CEO of Girl Security, which she founded in 2016. 

Lauren Bean Buitta: We have three kind of pieces to our model. We call it our SEA model, which is securing with information, empowering with training and advancing with mentoring. All of our content is developed by women national security practitioners. So we develop learning modules on the different national security topics like national security decision-making, national security ethics and then topical themes like cybersecurity, terrorism, immigration. And we typically deliver those in the classroom with teachers and schools across the U.S. 

Lauren Bean Buitta: And then for those girls and young women who are interested in careers, we onboard them into our mentor network. And so they commit to six months of really wonderful and supportive mentoring with women mentors who represent many diverse pathways in national security. And then they kind of continue through their career, so we pair them with a woman one step ahead of them in their career. So as they move through - if they move through college, if not career, they're connected with women who are one step ahead of them who can kind of set the roadway for them so they know what to expect and how to position themselves better. 

Dave Bittner: Well, and you've been at this for a few years now. How do you measure the success along the way? Have you had enough - a long enough view of that pipeline to see how it's working out? 

Lauren Bean Buitta: I think we have. I mean, I always kind of joke it's like asparagus - takes seven years to grow. And it's also a really bad funding pitch because, you know, we're working on the long-term, right? But this is similar to STEM. So we, you know, measure retention - or measure success by retention of partners, whether it's schools or girl youth organizations, and then the retention of those relationships year over year. We have 100% retention. We measure it kind of by geographic metrics, right? So we're working with girls in communities across 20 states. So there is this kind of vast interest generally in national security and what's happening in the news - and then, of course, following those mentees who are now in college, some of whom have started careers as they move through those pathways to, of course, measure points of attrition or other types of impediments that they confront as women in still a male - a very male-dominated field. 

Dave Bittner: You know, I would imagine a number of our listeners would be interested in your organization from a couple different directions. I mean, we've got young women who are coming up, who are students. Certainly, we have professionals who have daughters who are interested in it as well but also a lot of folks who have experience in national security. In terms of outreach for those folks, what's the best way for them to get in touch? 

Lauren Bean Buitta: The best way is our website, which is girlsecurity.org. There, girls and young women can register to be mentees. Practitioners can register to mentor. We'll also have more public events. Of course, in the pandemic, everything's virtual. So we'll have more events that are available to others outside of our kind of traditional network. All of that's on our website as well. 

Dave Bittner: That's Lauren Bean Buitta from Girl Security. You can find out more about them at girlsecurity.org. 

Dave Bittner: And I'm pleased to be joined once again by Thomas Etheridge. He is the senior vice president of services at CrowdStrike. Thomas, it's always great to have you back. I wanted to touch today on threat hunting and your take on how teams can make the most of threat hunting. You've got a few tips you want to share. 

Thomas Etheridge: Certainly. So CrowdStrike's a huge proponent of engaging in proactive threat hunting across client environments. Endpoint detection technologies are advancing to the point where we're able to see and prevent a lot of known and in some cases unknown but suspect threat actor activity. But doing active threat hunting is something we strongly recommend and encourage most organizations to invest in. And if you can't afford it internally, then there are certainly outsourcing options that are available, some of them exceptional in terms of providing really rich threat hunting capability that integrates threat intelligence and large datasets to make sure that you're getting that rich visibility across your environment and can take advantage of the speed of alerting to try to stem the tide of threat actor activity. 

Dave Bittner: So for an organization who's not yet doing threat hunting, how do you make that - how do you make the case for the value proposition there? How do you convince them that this is money well spent? 

Thomas Etheridge: Our philosophy on threat hunting is that it's critical to ensuring that you have a comprehensive approach to securing your environment. We always talk about threat detection and endpoint security as being a team activity. It's not just about a technology solution. It requires people and processes, as well. Threat hunting is very - you know, considered proactive targeting - targeted searches across your environment to make sure you understand the difference between what is normal and what should be expected in your environment and things that are not normal or unsuspected in your environment. 

Thomas Etheridge: One of the advantages of threat hunting is that if you're doing it properly and at scale, the ability to actually catch an attack scenario early in the stages of the attack goes up significantly. And CrowdStrike always talks about the speed at which we're able to detect and respond and remediate events - the 1-10-60 rule. Threat hunting provides that early-stage detection, in many cases, at the early stages of an attack so that organizations can better and more efficiently respond to threats before they become a big problem. 

Thomas Etheridge: A good example of the benefit is what our OverWatch team has done. In the first half of last year, we were doing about four advanced ransomware campaigns per month. That's what we were seeing in our threat hunting platform. So far this year, we're looking at a little more than double that - so about nine per month. So the increase in that type of activity - the objective of threat hunting will be to identify that activity before ransomware gets deployed. And if you can do that, the likelihood of mitigating the impact to your organization goes up substantially.

Dave Bittner: When an organization is looking to get started at this and they're shopping around with other companies who can provide threat hunting, what are some of the things they should be looking for? What are the things they should be asking in order to make sure that it's a good match? 

Thomas Etheridge: What we talk to clients about, Dave, is kind of, what's the overall methodology for threat hunting? Our methodology - we define it as SEARCH - sensing, enablement, analyzing, reconstructing, communication and then honing. Searching and sensing really is about, what's the dataset that you're looking at for your threat hunt? CrowdStrike threat hunting looks at over 3 trillion events a week. We're looking at millions and millions of endpoints, and we're categorizing activity across a hundred different event types. So having a broad sense of data that you're looking at is really critical. 

Thomas Etheridge: Enabling and kind of enriching that content through additional intel is also critical. So understanding and providing context as to what you're looking at through integrated intelligence and looking at data in context, I think, is really important. In terms of analyzing that, threats happen every day, 24/7, 365. Your threat hunting team, if it's not in-house and can't be operating around the clock 365, 24-by-7, you should look at outsource providers that can provide that threat hunting capability. 

Thomas Etheridge: In terms of being able to provide very prescriptive advice, that's also critical. So taking an alert and being able to provide actionable data as part of that so that the response team can quickly respond is very, very essential. And then lastly, being able to communicate that event to those folks that can respond and then take the lessons learned and embed that back into the overall threat hunting process - so at CrowdStrike, we are doing about 650 unique learning opportunities every single week from threats that we're seeing in our threat hunting activity. And it drives about 30% new threat hunting techniques that we deploy every single year. 

Dave Bittner: All right. Well, Thomas Etheridge, thanks for joining us. 

Thomas Etheridge: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed. It tastes great, and it's less filling. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. I'll be off tomorrow, and Elliott Peltzman will be filling in behind the mic. I'll see you all back here next Tuesday.