Dave Bittner: Kittens and pandas and bears, oh my. Ransomware gets its skates on, but it still has loose idiomatic control. CISA has some advice on email. While at home in pandemic lockdown, a lot of people - not you - are spending too much time on unedifying sites. Momentum Cyber looks at the state of the cybersecurity sector in 2020. The SINET 16 have been announced. Chris Novak from Verizon on understanding the complexities of PFI breach investigations. Our guest is Steve Vintz from Tenable on why CFOs should lean into cybersecurity issues. And finally, take a moment today to remember 9/11.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Friday September 11, 2020.
Dave Bittner: Well, everybody, the bears are back, and so are the pandas and the kittens. Microsoft yesterday described evidence it's developed that indicate extensive Russian, Chinese and Iranian efforts to penetrate or impede U.S. political campaigns. The target selection is about what one might expect, given the three governments' general policy objectives. Tehran really doesn't like President Trump at all. The Iranian group Phosphorus - Microsoft uses elemental names - for threat actors - others call this one APT35 or Charming Kitten - is hitting personal accounts of people associated with President Trump's campaign. Beijing, on the other hand, seems interested in former Vice President Biden's campaign for the presidency. It also wants to keep a close eye on the U.S. foreign policy, establishment probably because of the extent to which American sanctions against and woofing in the direction of Chinese companies have become a thorn in the panda's paws. The Chinese group Zirconium, APT31 or Hurricane Panda is most interested in high-profile individuals associated with the election, including some having to do with the Biden campaign, as well as prominent leaders in the international affairs community. Moscow is looking for opportunistic trouble. Russia's Strontium, APT28, the GRU's very own Fancy Bear, has bipartisan interests and has gone after more than 200 targets. Their list runs to campaigns, consultants, political parties and advocacy groups.
Dave Bittner: Most of the attacks the groups mounted, Microsoft says, were unsuccessful. But as Han Solo would say, don't get cocky, kid. The activities Microsoft describes seem to involve intelligence collection and battlespace preparation for influence operations. There are, however, more direct threats to voting. Since elections depend upon the high availability of voting systems and databases, the publication Governing sees the tendency toward widespread criminal use of ransomware as a problem for election officials. Whether the threat is ransomware or the campaigns Microsoft described in its own warning, much of that threat is email-borne.
Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency yesterday offered advice to all election-related entities on steps they might take to counter email-based attacks. CISA says, quote, "Email systems are the preferred vector for initiating malicious cyber operations. Recent reporting shows 32% of breaches involving phishing attacks and 78% of cyber-espionage incidents are enabled by phishing," end quote. For present purposes, CISA divides email attacks into two general categories - phishing and credential stuffing. Their general advice is directed at election officials and the IT people who support them. But it's generally applicable to any organization that uses email. They include if you're using cloud email, use the protections your cloud provider offers, secure the user accounts on high-value services, use email authentication and other best practices. And if you're running your own email gateway, secure it.
Dave Bittner: Speaking of ransomware, as we heard yesterday, data center provider Equinix was hit with NetWalker over the Labor Day weekend. BleepingComputer reports that the attackers demanded some $4.5 million in ransom in exchange for a decryptor and a promise not to release stolen information. Payment, of course, is demanded in bitcoin. The hoods want Equinix to understand what they've taken and so took what BleepingComputer describes as the unusual step of sending a screenshot of stolen data to their victim. Their ransom note stylistically represents a sample of low-grade Shadow Broker ease. Quote, "Look at this screenshot. If you not contact us, we will publish your data to public access. You can take a look at our blog. You have three days to contact us, or we will make posts in our blog. Contact all possible news sites and tell them about data breach." Yowza. It's all caps in the original, probably more because the cyber goons are too lazy to use the shift key than for the typographical effect of shouting that Caps-Locked text conveys. Equinix's blog, updated yesterday, has nothing new to report. They are continuing to serve their data center clients. And investigation remains in progress.
Dave Bittner: Late this morning, Momentum Cyber released its Cybersecurity Market Review for the first half of 2020. As one might expect, it represents a tale of two quarters, with swift growth in the first quarter and pandemic-driven retrenchment in the second. That second quarter, however, also saw a tremendous increase in organizations' attack surfaces that has built up a considerable demand for cybersecurity services and solutions that should provide large opportunities for companies in the sector as their customers emerge from their present state of fiscal caution. We'll have more on Momentum's Cyber Market Review next week.
Dave Bittner: A study of user behavior Netskope released yesterday offers a glimpse into how remote work and the blurring of the lines between home and office have increased enterprise risk. There's the expanded attack surface, to be sure, but there's also the matter of people's behavior online. It's not good, and a lot of people really ought to be ashamed of themselves. Not you, of course. We mean other people.
Dave Bittner: Those other people are spending a lot more time thrashing around in eight categories of risky sites Netskope identifies. We won't name them all for reasons of decency and the sort of search engine optimization a family show like ours wants, but the biggest leaders were Gambling and Adult Content - Other. And visits to Adult Content - not other, what we'll call saucy pictures and videos - have increased sixfold over the course of the pandemic. We're pretty sure that the activities of China's ambassador to the Court of St. James's can't account for all of that, and so some people should be ashamed. Not you, of course. Those other people.
Dave Bittner: With its annual recognition of innovative cybersecurity firms coming up at the beginning of November, SINET has released the names of the finalists, its annual SINET 16. The firms recognized this year include Alsid, Axonius, Beyond Identity, Bolster, CipherTrace, CloudKnox, CyCognito, Keyfactor, Medigate, Orca Security, Ordr, ReFirm Labs, Salt, Secure Code Warrior, ShiftLeft and StackRox. Congratulations and best of luck to all the finalists.
Dave Bittner: And finally, today is the 19th anniversary of the 9/11 attacks that took so many lives in New York, Arlington and Shanksville. Pause for a moment and spare a thought for victims of terrorism and for those they left behind. We remember, too, the many acts of sacrifice, valor and compassion that followed in terror's train.
Dave Bittner: There's that old saying that much of what's done in the world is done for love or money. And it's fair to say that cybercriminals targeting businesses are focused on the money side of that particular phrase. The CyberWire's chief security officer and chief analyst Rick Howard spoke with Steve Vintz, chief financial officer of Tenable, on why CFOs should lean into cybersecurity issues.
Steve Vintz: In terms of the essay that I wrote that appeared in CFO Magazine Australia, we talked a lot about the maturation of the role of the chief security officer and the chief information security officer and how the security team needs to evolve their strategy and become better partners with the C-suite. In turn, I believe the C-suite needs to also evolve and recognize the value and the contributions of the chief security officer as an important executive on the team. And I believe there is a disconnect in how businesses understand and manage security risk.
Rick Howard: Well, I totally agree. And I've been part of that problem myself in my former CSO roles - right? - that my peers and I have always had trouble conveying - transforming cyber risk into business risk. We just didn't have the language to do it. And I was wondering if the CFOs of the world could help us figure that out.
Steve Vintz: Well, I think we need to. I think it's important. If you think about it, cybersecurity threats, you know, are thriving amidst the climate of uncertainty, making it a topic certainly worthy of board-level visibility.
Steve Vintz: This move to work from anywhere, you know, digital transformation was well underway, and it was a major secular change in the industry. But COVID has probably catapulted digital transformation 10, 15 years into the future. And so with that comes a whole host of problems. The compete is changing. The attack surface is expanding as companies undergo digital transformation. Malicious activity is on the rise. There's more sophisticated bad actors. And there's an increasingly complex threat environment. And all this creates the perfect storm, if you will, for cyberthreats.
Steve Vintz: In terms of business leaders, you know, what I can tell you is business leaders want a clear picture of their organization's cybersecurity posture, but their security counterparts struggle to provide one. And so as a CFO, the organization's risk profile is something that's important to me. I report to the CFO, but I spend a lot of time with the audit committee. And the audit committee often, for companies of our size, has the de facto responsibility for risk. And it's a simple question - how secure are we? - but the answer is seemingly complex.
Steve Vintz: And as I thought about that, you know, what I realized is that most every major functional department within the enterprise has a common language that's universally understood throughout the organization. And so when we look at security, I think the problem today, given all of this that we just talked about, is that there's no common language. When you pose that question - how secure are we? - you don't get - typically get an answer that's based on the maturity framework of an organization and a couple of key metrics. There's not clear articulation on that.
Rick Howard: Well, I would pose to you that that's the wrong question - right? - or at least a hard question to answer. The real question that CSOs should be answering to people like you, the CFO, is, what's the probability that we are going to be materially impacted by a cybersecurity event in, say, the next three years? I think that's an answerable question. Now, I don't know. What do you think about that?
Steve Vintz: Rick, I agree with where you're coming from because you cannot - I'm not proposing that you can eliminate security risk. But I'm a CFO. I'll stay in the shallow end of the pool when it comes to technical matters on security.
Rick Howard: (Laughter).
Steve Vintz: But I do think that I understand, you know, business risk. And you can't - the only thing you can do, I believe, is do a series of things that reduces risk to a relatively acceptable level. And so - and often, CFOs are on the sidelines as a passive observer of security.
Steve Vintz: And one of the things I've learned since I've been at Tenable - I've been here for 5 1/2 years. And while I have - you know, I've worked with technology growth (ph) companies most of my career in the past 30 years. I'm a bit of a neophyte when it comes to security. You know, I've just - I've spent the last five years in security. I've learned a lot about it. And one of the things I'm encouraging my CFO counterparts, and really the rest of the C-suite, is to take an active role. I think CFOs have a responsibility to ensure security teams are resourced, understand, you know, the struggles within those departments and become better partners.
Steve Vintz: You know, people like me who don't speak the technical language and other executives will look at things like maturity frameworks. You know this better than anyone. But you can pick one. It could be this. It can be SOC 2. It could be ISO 27001. And then the next logical question is, like, what's the effectiveness of that? And I don't think there's a clear articulation. I think we're becoming better as an organization. I think boards are becoming better. But I think there's a long ways to go in that regard.
Dave Bittner: That's our own Rick Howard speaking with Steve Vintz from Tenable.
Dave Bittner: And I'm pleased to be joined once again by Chris Novak. He's the director of the Verizon Threat Research Advisory Center. Chris, it's always great to have you back. I wanted to touch on some of the complexities that you and your team track when it comes to certain breach investigations. What sort of things can you share with us today?
Chris Novak: Yeah, sure. I'd say probably the area that sometimes is a bit new and different for organizations is the realm of PFI, or payment card industry forensic investigations. You know, a lot of organizations tend to look at the incident response world in a purely technical perspective. But obviously, as I think people are kind of growing to become more familiar with, there's a lot more laws and regulations that dictate how a number of those things really need to take place. And PFIs are sometimes a type of investigation that can get organizations a little tangled up if they don't quite know what they're doing.
Dave Bittner: Well, walk us through. What does an investigation look like?
Chris Novak: Sure, yeah. So typically, many PFI investigations are actually not discovered by the victims themselves. So if you're a merchant, for example, or an e-commerce shop, you obviously deal with credit cards in order for, you know, your customers to make purchases. And in many cases, the way that someone may identify the fact that you've had a breach is typically that - you know, think about it. If you've ever gotten a credit card statement and you notice a charge that you didn't make and you call up your credit card company and say, this wasn't me. They say, OK, no problem. We'll take care of it.
Chris Novak: Well, what happens behind the scenes that a lot of people don't realize is they amass all the data on all those charges that people called in and said, this wasn't me, and they start doing analytics across all of those fraudulent charges to try to identify something that they refer to in the industry as a common point of purchase, or a CPP. And once they've identified that, kind of think of that as, these are the only things in common across all these fraudulent transactions. Usually what happens is it triangulates and points back to a specific merchant - maybe an e-commerce shop, maybe brick-and-mortar. It could be any kind of organization.
Chris Novak: And in some cases, what's surprising to many is that they can typically come to that analysis with a very small number of transactions. It may only take three, four, five.
Chris Novak: Now, they may also amass thousands of fraudulent transactions. And that only makes their triangulation easier. But sometimes organizations will push back because they'll go, ah, it's only two or three transactions. I do, you know, 100 transactions, 1,000 transactions a day. What's a couple, you know, fraudulent transactions? How does that identify that I've had any kind of breach? And so that's usually one of the first stumbling points that organizations will face, is that pushback and that denial that it can't be right. It can't be them.
Dave Bittner: You know, I'm imagining you standing in front of a big bulletin board with three-by-five cards and strings of yarn with tacks, you know, connecting all the different points together.
Chris Novak: (Laughter) Right.
Dave Bittner: I suspect it's probably a bit more complex and automated than that. But when it comes to making these connections, you know, behind the scenes, when the connections are made, do the credit card companies - is it a matter of going after the people who are doing this or shutting them down? In other words, do we inform law enforcement? Do we try to cut them off so they can't do it anymore? What's the spectrum of responses?
Chris Novak: Yeah. So it can be varied. It depends typically on the size and scope of the losses that they're seeing. But usually the first step that they'll do is they'll usually reach out. When that triangulation has pointed to merchant ABC, for example, they will typically reach out to merchant ABC's bank and say, hey, this is what the triangulation has pointed to. We'd like to get in contact with your merchant to see whether or not they know what's going on and maybe conduct the PFI investigation to figure out if they've had a breach, and if so, what the scope of it is. And that would typically be the first foray into the incident response and investigative side of things.
Chris Novak: And then typically as an offshoot of the investigation, you know, in the course of our work, if we find that, hey, we can actually identify who may be behind this, or, you know, we can link it to other cases that we may be working, much like you would see in a typical law enforcement investigation. You know, we see a common fingerprints across 10 or 20 cases, we may actually be able to tie this breach back to a potential threat actor. And when we have the opportunity to do things like that, you know, quite often the merchant, the bank, the credit card companies will often, you know, encourage the possibility of actually working with law enforcement to see what we could do in terms of actually prosecuting that. And you know, to be honest, the success rate of that has only gotten better over the years.
Dave Bittner: So it really sounds like it's a collaborative process when you get to that point.
Chris Novak: Yeah, I would say it absolutely is. And you know, I would I that the other thing that a lot of organizations struggle with there in terms of understanding even how to start that process and who to collaborate with is how they even find PFIs. Because that's one area where it's a - I'd say it's a rather specialized area of incident response and investigations. Because the investigative team needs to actually understand how the payment card process works.
Chris Novak: A lot of times, you know, people will take for granted that when they swipe or dip or tap their card, that transaction data may hop through 10 or 20 different points across the world and back in a split second in order to get your transaction approved. And when you do the investigation, you kind of need to understand how all those linkages work so that you can investigate and figure out where along those chains might that problem actually be.
Chris Novak: So many of the organizations that actually work in that industry are actually known as PFIs and certified accordingly. And so it's important that when organizations suffer, you know, from a potential breach of a credit card or debit card kind of situation, that, you know, they know what to look for when they're looking at PFIs to pick from.
Dave Bittner: All right. Well, Chris Novak, interesting insights, of course. Thanks so much for joining us.
Chris Novak: My pleasure. Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. No assembly required. Listen for us on your Alexa smart speaker, too.
Dave Bittner: Be sure to check out this weekend's "Research Saturday" and my conversation with Jon DiMaggio from Symantec. We'll be talking about Sodinokibi. That's "Research Saturday." Check it out.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.