The CyberWire Daily Podcast 10.21.20
Ep 1198 | 10.21.20

TrickBot’s return is interrupted. Election rumor control. Supply chain security. Securing the Olympics. NSS Labs closes down.


Dave Bittner: Trickbot came back, but so did its nemesis from Redmond. Microsoft and its partners have taken down most of the new infrastructure the gang reestablished. CISA publishes election rumor control. The Cyberspace Solarium Commission has a white paper on supply chain security. Japan says it'll take steps to secure next summer's Olympics. Joe Carrigan takes issue with Twitter and Facebook limiting the spread of published news stories. Our guest is Carolyn Crandall from Attivo with a look at the market for cyber deception tools. And a familiar name exits the industry.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 21, 2020.

Dave Bittner: Trickbot's infrastructure proved resilient enough to stage a partial recovery from last week's government and industry takedowns, Dark Reading and others have reported. But this isn't a short, one-time campaign. And the efforts to take down Trickbot might have proven at least as determined to hit the gang's business as the gang itself has been to stay up and operating.

Dave Bittner: SecurityWeek wrote that threat intelligence shop Intel 471 found that many of the new servers Trickbot's masters had reestablished were not responding to bot requests. There's a reason for that. Microsoft late yesterday published an update on its efforts against the botnet, which it described as following a persistent and layered approach. Redmond identified 59 new servers established by Trickbot's operators and by yesterday had taken down all but one of them. Trickbot may be back again, but governments and companies will be watching for it. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency has established a rumor control page for 2020 election security. The page identifies nine myths and offers a debunking of each, covering topics such as voter registration databases, website outages and defacements, mail-in ballots and other misinformation that's making the rounds. It's worth a look and perhaps useful to send around to those friends and relatives who just can't resist forwarding the latest conspiracy theory memes. 

Dave Bittner: So keep calm and keep on, as rumor control sites traditionally say. ABC News quotes senior leaders at the Department of Homeland Security who counsel patience as well as vigilance. 

Dave Bittner: The U.S. Cyberspace Solarium Commission's white paper on supply chain security sees China as the principal threat - quote, "dependency on China and other adversary countries for some of our most critical supply chains threatens to undermine the trustworthiness of critical technologies and components that constitute and connect to cyberspace. This dependency also risks impairing the availability of these same critical technologies and components and compromises American and partner competitiveness in global markets in the face of Chinese economic aggression," end quote. 

Dave Bittner: It outlines five pillars in its proposed approach to supply chain security, a mix of ensuring domestic supplies and providing accurate, actionable intelligence on threats to supply chains. 

Dave Bittner: First, the commission recommends identifying key technologies and equipment through government reviews and public-private partnerships to identify risk. Second, ensuring minimum viable manufacturing capacity through both strategic investment and the creation of economic clusters. Third, protecting supply chains from compromise through better intelligence, information sharing and product testing. Fourth, stimulating a domestic market through targeted infrastructure investment and ensuring the ability of firms to offer products in the United States similar to those offered in foreign markets. And fifth, ensuring global competitiveness of trusted supply chains, including American and partner companies, in the face of Chinese anti-competitive behavior in global markets. 

Dave Bittner: So pillars one and three concentrate on intelligence. Pillars two and four support development and maintenance of a strong domestic market. And the fifth pillar supports closer ties with allied countries' producers. 

Dave Bittner: Japanese authorities and organizers of the Tokyo Olympic Games, now postponed to next summer, say that they intend to increase their vigilance in response to British and American reports that Russian intelligence services were preparing to interfere with the games. Reuters reports that the organizers say any such interference had no effect. 

Dave Bittner: And finally, we close with some industry news. NSS Labs, the well-known specialist in security technology testing, has ceased operations. SecurityWeek points out that NSS has since last year been owned by private equity shop Consecutive Inc. Some good people worked at NSS Labs, and now would be a good time to reach out to them if you're looking for cyber talent. Such talent is famously scarce, and there are now some solid operators on the job market. 

Dave Bittner: Carolyn Crandall is chief deception officer from Attivo Networks, provider of deception technology. I caught up with her recently for an overview of what exactly we're talking about when we refer to deception technology, how it differs from traditional honeypots and where she thinks things are headed. 

Carolyn Crandall: We worked with a company called Deceptive Defense. Its founder is Kevin Fiscus. And we wanted somebody to run an independent study, right? We didn't just want to have something provided with a vendor where they reiterated what we were saying. And so they used a combination of industry information - so using things, like, from Ponemon Institute and Mandiant and other well-known, reputable organizations that have done a lot of research on the core data. And then what we did is we merged those things together, along with actual customer experiences, to be able to quantify what those benefits might be. 

Carolyn Crandall: And so taking those pieces, we then started to break it down because it's one thing to produce a number. It's another thing to produce the methodology behind it. And we set up a structure so people could follow us through things like, OK, well, breach avoidance and data breach savings - what does that look like, and how do you come up to the numbers? 

Carolyn Crandall: And same thing with the SOC side of things. What inefficiencies do you address and make better? And we boiled those down into being able to articulate savings that reflected, you know, a 51% savings in reduction of breach costs and SOC efficiency savings of about 32%. 

Dave Bittner: Well, I mean, let's dig into some of the specifics of what you found here and what you believe the impact will be. What were some of the things that really struck you? 

Carolyn Crandall: Yeah. You know, it's interesting. On the data breach side of things, I mean, obviously, you have to have had a breach. And so some people will go, well, you know, how do I leverage or use that? 

Carolyn Crandall: And although I think it's useful, again, as you pull the pieces apart to go, OK, what was the main catalyst for the breach savings - and that's associated with reduction in dwell time, the amount of time it takes to detect an attacker. And there are different stats that show just the time to detect and then the time to detect and to remediate. And whichever number you use, you can bring that down to a 90% to 97% reduction in dwell time. 

Carolyn Crandall: And so being able to get people to think about being able to respond more quickly to attacks that may have bypassed a prevention defense or the endpoint defenses - and even that in itself is an interesting discussion because if you think a lot about the endpoint technologies that are there today, they're really focused on preventing that initial compromise, but they don't really kick in as well when the attacker starts to move laterally off the endpoint. And so when we look at the value of deception technology and what Attivo does as a company, it's to prevent the attacker from getting off of the endpoint. And in that action, when they do, we're going to be able to set up, you know, traps, lures, misdirections with deceptive technologies that will reveal that attacker very quickly. 

Carolyn Crandall: As an alternative, you would weigh that against waiting for the attack to try to detonate malware or take an action where the exploit triggers an alarm - and again, assuming that it triggers an alarm. And so there are some direct correlations to the amount of time it takes to be able to detect that adversary to the amount of mess that that attacker can make and the damages that they can cause. And so I think that's the big takeaway on the breach savings - is that early detection has a lot of benefits, especially when that detection is actionable. 

Dave Bittner: That's Carolyn Crandall from Attivo Networks. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: You know, we've seen some interesting movements from some of these big social media platforms, particularly as we've been getting closer and closer to the election. And as we... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Record this and air this, we are days away from said election. You know, for example, we've seen Twitter, you know, putting some tags on some of the president's tweets when they've determined that there could be some potentially dangerous, some misleading information when it comes to medical information or things like that. 

Joe Carrigan: Right. 

Dave Bittner: They don't delete the tweets, but they say, hey, you know, we're just tagging this so you know that maybe you should take an alternative look at this if it's something you're interested in. This whole thing... 

Joe Carrigan: And here's a link with some other information in it. 

Dave Bittner: Right, right. 

Joe Carrigan: Right. 

Dave Bittner: Exactly. This whole thing kind of came to a bit of a head recently when both Twitter and Facebook kind of put the brakes on a breaking story from the New York Post... 

Joe Carrigan: Right. 

Dave Bittner: ...That had some potentially damaging, October surprise kind of information about presidential candidate and former Vice President Joe Biden... 

Joe Carrigan: And his son. 

Dave Bittner: ...And his son. 

Joe Carrigan: Yeah. 

Dave Bittner: The Ukrainian story. 

Joe Carrigan: Correct. 

Dave Bittner: So putting aside, you know, the politics of the story itself... 

Joe Carrigan: Yes. 

Dave Bittner: ...You've got some thoughts on this action itself, what... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Facebook and Twitter have done here. 

Joe Carrigan: That's right. I want to be clear about this. I'm not upset that they're holding back a story from one political party or that benefits one political party or another or from one side of the political spectrum. My concern is that they're holding back a story from a news outlet and not letting users share this story on their platform, or when they do let them share it, in Facebook's case, they demote it in the algorithm that they use to provide information that shows up on your feed, so a lot fewer people are going to see it when you post it. 

Dave Bittner: OK. 

Joe Carrigan: Twitter said, we're not going to do it because this post contains material that was obtained via hacking. 

Dave Bittner: Well, I mean, it's interesting to me, you know, you mention the word censorship. And... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, these are private companies. 

Joe Carrigan: These are private companies. You're right. 

Dave Bittner: Censorship has to do with the government... 

Joe Carrigan: Agreed, agreed, agreed. 

Dave Bittner: ...Controlling what you can and cannot see. So this is a private company deciding what they - how they want their platform used, how they want things spread on their privately owned platform. So isn't that within their right to do so? And in this age of, you know, things spreading around at the speed of light, which is something we complain about a lot, especially, you know, when it comes to disinformation, maybe it's a good thing that they're pumping the brakes here. 

Joe Carrigan: Yeah. I think what needs to happen is there needs to be some kind of statement from government, from regulators here that says what Facebook is and what social media companies are, like Twitter. There's the big question of, are they a platform or are they a publisher, right? 

Joe Carrigan: Here, they're behaving very much like a publisher, where they're limiting what goes on the page. Now, a platform - you think of a platform like the phone company. The phone company is not held liable for misinformation spread across the phone lines because of the nature of the phone company. And should we treat social media platforms like that, or should we treat them like publishers, who are responsible for their content? 

Joe Carrigan: Now, it's a very different situation with a phone call and with a social media platform. When I pick up my phone, I can only call one, two, three people. It takes a lot of time for me to do that. There's a physical limiting factor there that's not existent on these social media platforms, right? 

Dave Bittner: Right. 

Joe Carrigan: So I think there needs to be some kind of a statement from regulators about this. 

Joe Carrigan: And this is one of the big reasons I say over and over and over again, don't get your political news from Facebook or Twitter or any social media platform. You're already in an echo chamber, and now they're controlling that echo chamber and what you hear and you see. You're going to have to take it upon yourself, good citizen, to go out to these sources that you should be reading from and look at them yourself. You're not going to be able to get your news - I don't think you should even try to get your news from Facebook or Twitter. 

Dave Bittner: Yeah. Yeah, I mean, I guess coming at it from another side, it seems to me that if these platforms have reason to believe that this news story is being put out there and it's not being done in good faith - you know, this isn't a situation where The New York Times, The Washington Post, the LA Times, the - you know, half a dozen of the big newspapers of the world simultaneously come out with - are in agreement about any particular story. You know, this is a tabloid newspaper who - known for such headlines as "Bezos Exposes Pecker" and "Headless Body in Topless Bar." 

Joe Carrigan: Well, yeah. 

Dave Bittner: You know? So I guess I'm saying, as long as it's labeled, it's not like if you're interested in this story, you couldn't go to the New York Post's site to find it. I guess I don't have a problem with these platforms saying, we're going to pause here until more people look into this because there's a high likelihood, in our opinion, that this story is not being shared in good faith. So we're not going to let it - we know what happens when a story like this goes out. We know better than anybody what happens when a story like this goes out, which is that it explodes and spreads around the world. 

Joe Carrigan: Right. 

Dave Bittner: And there's that old saying from Mark Twain about how a lie spreads around the world while the truth is still tying its shoes. So I - we can't have it both ways, you know? We complain about these platforms - and that's the difficulty here, right? 

Joe Carrigan: Right, absolutely. 

Dave Bittner: And it's to your point about what are they? Are they a platform? Are they publishers? I think it's difficult. These are difficult fits and starts that we're going through to try to figure out how we're going to deal with this stuff... 

Joe Carrigan: Yeah. 

Dave Bittner: ...And what's in our best interest, both as a nation and around the globe. 

Joe Carrigan: Yeah, agreed. I think I'm going to change my profile pic to just big words that say, don't get your political news here. 


Dave Bittner: All right, well, this, too, will play out, right? 

Joe Carrigan: It will. 

Dave Bittner: I mean, it's going to be interesting to see, both from a regulatory point of view, from a - just establishing norms, both socially and within the publishing industry. You know, we're all watching this play out in real time. 

Joe Carrigan: Yeah. 

Dave Bittner: And it's fascinating. 

Joe Carrigan: Pay attention, everybody. 

Dave Bittner: All right, Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It's a floor wax and a dessert topping. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.