Cyberespionage and international norms of conduct in cyberspace. DarkSide establishes storage options for its affiliates. TroubleGrabber in Discord. Unapplied patches.
Dave Bittner: Nation-states continue to probe COVID-19 vaccine researchers. The Global Commission on the Stability of Cyberspace proposes international norms for promoting stability in cyberspace. DarkSide ransomware-as-a-service operators sweeten their offer with storage options. TroubleGrabber is stealing credentials via Discord. SAD DNS code pulled from GitHub. Betsy Carmelite from Booz Allen with a forward-looking view of 5G. Rick Howard takes a look at SOAR. Many patches remain unapplied, and CMMC wants U.S. defense contractors to move toward positive security.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 16, 2020.
Dave Bittner: Late Friday, Microsoft said it had detected further activity by nation-state threat actors against companies involved in COVID-19 vaccine research. Strontium, Zinc and Cerium were the groups named by Redmond. Microsoft favors elemental names for threat actors. Others call Strontium Fancy Bear, familiar as a unit of Russia's GRU, and Zinc is well-known as the Lazarus Group, the premier North Korean cyber-espionage outfit. Cerium is also attributed to North Korea. Redmond's statement is at least as much a denunciation as it is a report.
Dave Bittner: Microsoft used last week's Paris Peace Forum to call for international restraint in cyberspace, particularly with respect to activities that put biomedical research at risk. At that forum, the Global Commission on the Stability of Cyberspace also released its final report on advancing cyber stability, which Computing characterizes as a proposal for a Geneva Convention for cyberspace and which The Register points out will require a lot of bilateral work before the eight principles the GCSC proposes approach reality.
Dave Bittner: The report advances four principles. First, responsibility - everyone is responsible for ensuring the stability of cyberspace. Next, restraint - no state or nonstate actors should take actions that impair the stability of cyberspace. Next, requirement to act - state or nonstate actors should take reasonable and appropriate steps to ensure the stability of cyberspace. And respect for human rights - efforts to ensure the stability of cyberspace must respect human rights and the rule of law.
Dave Bittner: On the basis of those principles, the commission proposes eight norms of conduct for cyberspace. They generally advance confidence-building among nations, including potential adversaries, and they seek to implement versions of the norms of discrimination and proportionality that have traditionally shaped the laws of armed conflict. They would also enjoin responsibility for cyber hygiene and control of nonstate actors that would be consistent with traditional principles of sovereignty.
Dave Bittner: The Global Commission on the Stability of Cyberspace was organized by the Hague Centre for Strategic Studies and the EastWest Institute. It's a nongovernmental organization funded by numerous governments, corporations and organizations. Its partners, who provide the largest contributions, include the governments of the Netherlands, Microsoft, Singapore's Cyber Security Agency, the Ministry of Foreign Affairs of France, the Internet Society and Afilias.
Dave Bittner: DarkSide, a ransomware-as-a-service gang, has let it be known that it's established a distributed storage system to hold and leak data obtained from ransomware victims. BleepingComputer says that researchers at darknet monitoring shop Kela found the discussion and associated offers on a Russophone hacking forum.
Dave Bittner: BankInfoSecurity reported last week that DarkSide had established an affiliate program. The gang sees distributed storage as a sweetener for its affiliates. The gang says it intends to host the service in Iran or other unrecognized republics to lend it even more resilience than its distributed architecture already provides.
Dave Bittner: Netskope has described TroubleGrabber, a credential stealer that infests the Discord gaming community platform. The malware spreads through Discord attachments and reports stolen data back to its masters through Discord messaging. Netskope sees this as another instance of an inevitable trend - criminals abusing cloud apps. There's a social engineering dimension to the phenomenon since users tend to put trust in such apps, and it's precisely such trust the attackers seek to exploit.
Dave Bittner: We noted last week that researchers at the University of California, Riverside, and Tsinghua University in Beijing warned that a revival of DNS server cache poisoning could be in the offing and that they had a proof of concept - Side-channel AttackeD DNS, or SAD DNS - to prove it. Since then, the researchers have said they pulled the code for SAD DNS from GitHub, lest it fall into the wrong hands. We hope they got it locked down before the hoods noticed.
Dave Bittner: The SANS Technology Institute's Internet Storm Center got thinking and asked, perhaps in a Bishop Berkeley mood, if no one talks about a vulnerability anymore, does it still exist? Their answer is the firmly realistic, heck yes, it still exists. If a tree falls in the forest and nobody blogs about it, that tree still hit the ground. And Shodan shows that it does.
Dave Bittner: The title of the blog post from SANS says "Heartbleed, BlueKeep and Other Vulnerabilities that Didn't Disappear Just Because We Don't Talk About Them Anymore." They found about a hundred highly dangerous vulnerabilities, long ago patched, still gurgling around in the wild. They post a list of the top 10, and it's disturbing enough in its own right.
Dave Bittner: Two of the bugs on the list are, as one would imagine, BlueKeep and Heartbleed, and their presence shows, quote, "that even very well-known vulnerabilities are sometimes left unpatched for years on end," end quote. So again, do apply the patches your systems need.
Dave Bittner: And finally, Cybersecurity Maturity Model Certification, CMMC, which affects U.S. defense contractors and has been approaching for some time, will come into force at the beginning of December. Breaking Defense summarizes the new certification requirement as a move away from self-attestation of progress toward vulnerability reduction and toward positive verification that a company has met appropriate NIST standards.
Dave Bittner: Homeland Security Today quotes NIST fellow Ron Ross as saying, quote, "we literally are hemorrhaging critical information" to our adversaries, explaining that "CMMC is aimed at stopping the bleeding," end quote.
Dave Bittner: Those seeking Pentagon contracts in the future - and that will be about 1,500 vendors in fiscal year 2021 - need to demonstrate compliance with NIST and Department of Defense standards, not just pay lip service to progress towards compliance.
Dave Bittner: Katie Arrington, CISO for the Office of the Assistant Secretary of Defense for Acquisition, sees CMMC as representing progress toward establishing a level playing field for companies that bid on defense contracts. Contractors should pay heed. As Arrington put it, quote, "we mean it," end quote.
Dave Bittner: And joining me once again is the CyberWire's chief analyst and chief security officer, Rick Howard. Rick, always great to have you back.
Rick Howard: Thanks, Dave.
Dave Bittner: You know, one of the things that gets harder for me the older I get is keeping up with all of the acronyms and abbreviations and names of things.
Rick Howard: You and me both, my friend.
Dave Bittner: And, I mean, I know it's the same in every industry, but, boy, it sure does seem like cybersecurity is proud of all of these things. And then this week on "CSO Perspectives," you are taking on the topic of SOAR. And I'm going to go out on a limb here and say that you haven't recently picked up the sport of paragliding, so...
(LAUGHTER)
Rick Howard: Although it is an aspiration for me, yes.
Dave Bittner: All right. Well, very good. We'll just check your insurance before you go.
Dave Bittner: Well, what's going on here with SOAR?
Rick Howard: All right, so SOAR stands for Security Orchestration, Automation and Response. And Gartner tends to coin these things - OK? - and they did this back in 2017. But security leaders and pundits, like Jon Oltsik over at CSO Magazine, they started talking about the concept as far back as 2015 or so.
Rick Howard: And the problem we're trying to solve here is how to automate the handling of all the messages, alerts and intelligence products we are receiving in the SOC from the technology within our security stack. What's happened over the last few years is the SOC analysts are overwhelmed with the volume of these things that have exploded exponentially in recent years.
Dave Bittner: What is the cause of that? I mean, why, all the sudden, are the SOCs getting overwhelmed with all this information?
Rick Howard: Well, there seems to be some disagreement about that. But my own personal theory is that at least a contributing factor was when the entire network defender community started to implement the intrusion kill chain prevention strategy.
Rick Howard: So before Lockheed Martin published their famous paper in 2010, most of us were using a strategy called defense in depth with mostly three prevention tools. We all had firewalls, intrusion detection systems and antivirus systems.
Rick Howard: After the publication, vendors came out of the woodwork to provide prevention and alerting tools for each phase of the intrusion kill chain. So as a result, many small organizations today have at least 10 security tools in their security stack. Medium-sized companies have about 50, and large Fortune 500 companies or big governments have at least a hundred. So this is a far cry from the three that we all managed before the paper was published, and all of them are spewing alerts and messages into the SOC.
Dave Bittner: Well, help me understand here. So is - are the SOAR devices helping the SOC analysts process all this stuff, all the telemetry they're getting from all these devices?
Rick Howard: That's right. So most times, SOC analysts are just manually deciding to either ignore the messages or delete them or save them for future reference or, you know, pass them up the chain for further consideration. The SOAR tools help automate those decisions.
Rick Howard: But I will say that there isn't universal agreement from the CISO community that SOAR tools are necessary. Some say, why do you need a tool to do that? Why don't you just tune the security device to not send all those unneeded messages? So I was talking to Rick Doten about this. He is the CISO for Carolina Complete Health, and he's a regular visitor to the CyberWire's Hash Table.
Rick Doten: It lets you not effectively use the tools you have. It kind of covers up for the fact that, well, I put in this email gateway and I just, you know, left the default settings on and it does - it blocks spam, and it helps you find, you know, bad links and malware and stuff, you know? But I get all these extra things to it, so I'll add a SOAR tool that'll kind of clean it up instead of looking at it and how can I use it to its potential.
Rick Doten: So you have a lot of tools. You're using 20% of their potential because you don't want to dig into it, and having something kind of pick up all the slack to kind of, like, normalize it so a human doesn't get bombarded.
Rick Howard: I agree with Rick to a point. If you are just trying to reduce the noise volume in your SOC, there might be a cheaper way to do it. But if you're using SOAR tools to help with infrastructure-as-code projects or your DevSecOps projects, SOAR tools might be a nice lever to pull to help you on your way. And we're going to talk about all of that in this episode of the "CSO Perspectives."
Dave Bittner: All right. Well, you can check that out and much more over on CyberWire Pro. That is on our website, thecyberwire.com. It's "CSO Perspectives." Rick Howard, thanks for joining us.
Rick Howard: Thank you, sir.
Dave Bittner: And joining me once again is Betsy Carmelite. She's a senior associate at Booz Allen Hamilton. Betsy, it is always great to have you back. I wanted to touch base with you today about 5G and where we stand right now, the deployment in the United States and some of the things that you're tracking there. What do you have to share with us today?
Betsy Carmelite: I wanted to start with some of the foundational points about 5G as we do see its popularity increase and enterprises and consumers anticipate the gains from 5G networks. There are really three main concepts for enterprises to understand as this 5G adoption takes hold.
Betsy Carmelite: First, 5G is really the convergence of the physical device realm and the digital environment at scale. That's really important both at the consumer level and at the critical infrastructure level.
Betsy Carmelite: Secondly, because of this convergence and scale, security really has to be part of the design of 5G because any breach or attack, and we'd be looking at, like, high-impact, high-probability events across this ecosystem, which would really affect multiple components of the 5G ecosystem. We'll touch on a couple of these threat scenarios in a moment.
Betsy Carmelite: And lastly, 5G may be popular and gaining popularity, as we see from advertising, prevalence of discussion in the media, but 5G is really in its nascent stage right now, and we're looking at pervasive adoption in the coming three to five years.
Dave Bittner: Yeah. You know, I really wanted to touch on that specific point with you 'cause, you know, I'm on the verge of upgrading to my first 5G device. But the reviews that I'm seeing on the consumer side of things - the folks in the tech world are saying, you know, it's not quite there yet. We're not seeing those promised high speeds. And, you know, it's - maybe it's yet to come. But the excitement seems to be waning a little bit.
Betsy Carmelite: Yeah. I would say that that's an opportunity, and what this means is that we have time to get the security application of 5G right - get it right now to get ready for what's on the horizon.
Betsy Carmelite: So we've seen statements from the White House earlier this year that malicious actors are already seeking to exploit 5G technology and that it's a target-rich environment because of the scale of the devices 5G will connect and the amount of data that will be transmitted. So this is an opportunity now to get this right and get it secure.
Dave Bittner: So what are some of the specific technologies that are going to make this transition possible, and how is that going to affect organizations and their ability to use it?
Betsy Carmelite: I wanted to touch on a couple of these technologies, and they also demonstrate where new components from 5G come into play, as well as a couple of threat scenarios that could impact organizations' use of 5G.
Betsy Carmelite: First, I'm going to touch on MEC, which is multiaccess edge compute. And MEC distributes data and computation-intensive tasks to resources to the radio interfaces. The radio interfaces are the standard frameworks for communication between wireless devices and base stations through radio waves. So rather than relying on traditional remote centralized cloud computing environments, the MEC works closer with those radio access networks.
Betsy Carmelite: The benefit there is that MEC increases streaming and processing efficiency, decreases congestion on the broader mobile network, which is one of the things that many people are looking forward to, as you mentioned, and it brings higher performance capabilities to less powerful devices, like virtual reality, video analytics and connected vehicles.
Betsy Carmelite: One of the threat scenarios we're looking at - it's possible to imagine, for instance, a disgruntled employee who might want to modify data that's being processed on an industrial manufacturing MEC deployment, maybe at an autonomous smart factory. If that data modification falsely indicates more resources are being consumed than they really are, this could cause additional perishable materials to be ordered, could result in waste and increased operating expenses.
Betsy Carmelite: And in this case, mitigations could be to conduct validation to ensure the data being processed is the same data that was reported from the smart sensors in the factory or use a privately hosted MEC instance that's not shared to reduce chance of unauthorized access to the MEC.
Dave Bittner: So it really - I mean, it strikes me that what we're looking at is an enabling technology with a lot of potential. Perhaps a little patience is in order here, but there's good things to come.
Betsy Carmelite: Yup. That's right. That's right. I think for the future, next steps and looking at resilience of 5G, to make all these components work together and ensure the security and effective policies for 5G deployment - all of this, again, is still a few years away. It's really going to take public and private industry cooperation. We've already seen CISA release its policies on 5G, and that cooperation should foster a collaborative partnership across industry. There are so many technologies, new and existing, to consider and to protect, and the stakes are really too high.
Betsy Carmelite: So what's in the realm of the here and now is to do what we actually see the Department of Defense doing - pilot the technologies, get messy with them and determine what does the practical application of 5G look like. Where will it work? Where is the environment right? Where did we get it wrong? Really recommending moving into real-world testing and away from, like, the five-year research study. At Booz Allen, we're doing the same thing, and it's really best practice for any company to do real-world testing around this technology.
Dave Bittner: All right. Well, Betsy Carmelite, thanks for joining us.
Betsy Carmelite: Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It's fresh and clean as a whistle. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.