The CyberWire Daily Podcast 12.14.20
Ep 1233 | 12.14.20

A few predictions, but today’s news is dominated by Cozy Bear’s supply chain attack on SolarWinds’ Orion Platform.

Dave Bittner: FireEye traces its breach to a compromised SolarWinds update to its Orion platform. CISA issues an emergency directive to get control of an attack that's known to have affected at least two federal departments. Rick Howard shares lessons from Season 3 of "CSO Perspectives." Betsy Carmelite from Booz Allen continues her analysis of their 2021 Cyber Threat Trends Report. And while reports attribute the supply chain attack to Russia's SVR, Moscow says Cozy Bear didn't do nothin' (ph).

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 14, 2020. 

Dave Bittner: The Washington Post's reporting on the FireEye breach says that FireEye and the U.S. departments of Commerce and the Treasury were successfully breached through their network management system, a very widely used SolarWinds product. 

Dave Bittner: It seems clear that Russia's SVR is responsible for the attack, in which FireEye lost some of its red-teaming tools. It's also increasingly clear that the initial compromise was a supply chain attack and that a large number of other organizations were also affected. 

Dave Bittner: SolarWinds disclosed over the weekend that it had become apprised of a highly sophisticated manual supply chain attack on SolarWinds' Orion Platform software builds for version 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020. This would appear to be the source of the FireEye breach, which is now known to have not been confined to FireEye. The attack involved the introduction of a backdoor into the Orion Platform. That backdoor was subsequently propagated in the form of a software update that contained the malware. 

Dave Bittner: FireEye calls the backdoor SUNBURST. Microsoft's Security Response Center has a detailed account of how the malware functions. Both FireEye and Microsoft have upgraded their security products to include measures for detecting and protecting against the attack. 

Dave Bittner: SolarWinds urges its customers to upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible. 

Dave Bittner: In response to the incident, late yesterday evening, the US Cybersecurity and Infrastructure Security Agency issued Emergency Directive 21-01, outlining immediate steps federal agencies should take to protect themselves from attacks exploiting the backdoor. The emergency directive has a deadline of noon today for agencies to complete the immediate remediation actions CISA requires. 

Dave Bittner: The agency is particularly concerned to warn enterprises against the possibility of Kerberoasting, an attack technique in which credentials are stolen from memory and then cracked offline. We'll have more on Emergency Directive 21-01 in this afternoon's Pro Policy Briefing.

Dave Bittner: Cozy Bear, also called APT29 and a known unit of Russia's SVR Foreign Intelligence Service, appears to have been behind the supply chain attack on SolarWinds and, therefore, responsible for not only the FireEye breach, but the attacks on the US Departments of Commerce and the Treasury as well, The Wall Street Journal reports.

Dave Bittner: Cozy Bear earned a reputation during operations against US campaigns in 2015 and 2016 for being quieter and less obtrusive than its GRU cousin Fancy Bear. That seems to have been the case in the SolarWinds incident. 

Dave Bittner: FireEye yesterday afternoon blogged that the threat actor's work was characterized by a light malware footprint using limited malware to accomplish the mission while avoiding detection and, by prioritization of stealth, going to significant lengths to observe and blend into normal network activity and high OPSEC, patiently conducting reconnaissance, consistently covering their tracks and using difficult-to-attribute tools. 

Dave Bittner: While SolarWinds itself believes that exploitation of the vulnerability appears to have been narrowly targeted against a relatively short list of organizations, the potential risk may be very widespread. SolarWinds' customers include large corporations, government agencies, and military services. 

Dave Bittner: As is its custom in such matters, Moscow denies having done anything and regrets, Reuters says, the US rejection of bilateral cooperation. Such calls for international cooperation, usually although this time not yet accompanied by good-citizen expressions of a desire to see and weigh the evidence, routinely accompany the Kremlin's protestations of innocence in such matters. 

Dave Bittner: Gmail and other Google services experienced an outage early this morning. Mountain View sent a text to its very large user base at 7:27 a.m. Eastern Time saying, quote, "we are aware that all Google functions are currently down. We will send a communication when things are back up. Thank you for your patience," end quote. The Google Workspace Status Dashboard noted the outage at 6:55 a.m. and by 7:31 reported that Gmail, at least, had been restored for the majority of users. The cause of the outage is so far unknown and still under investigation. 

Dave Bittner: A Washington Post report suggests that Huawei's collaboration with companies to develop products that serve social control extended beyond the work with Megvii that critics have called a Uighur alarm. Huawei describes that project as a test and says it takes allegations that its products might be used for repression seriously, especially since, Huawei told the BBC, ethnic targeting would be contrary to the company's principles. The company told the Post it's opened an investigation into the matter. 

Dave Bittner: Among the 38 projects currently listed on a Huawei Chinese-language website, down from a high of about 2,000 before the site was temporarily taken down and restored, is a product developed with Vikor that can alert authorities to the formation of crowds. It can be set to trip by clusters of between three and 50 people. 

Dave Bittner: Anyway, Huawei is investigating what it says, in a subjunctive mood, would amount to a departure from the company's core commitment to nondiscrimination and so on. 

Dave Bittner: The supply chain attack Cozy Bear executed through SolarWinds' Orion Platform rightly dominated today's news, but we'll close with a few reminders of where security firms think things are headed, generally speaking, in 2021. 

Dave Bittner: Recent speculation about the near future continues to see 2020's threats shaped by the conditions the COVID-19 pandemic has imposed on commerce, work and study. Orange Cyberdefense argues that the rewards the pandemic presents in the form of distributed workplaces, stressed organizations and equally stressed individuals will tend to push cybercriminals in the direction of greater professionalism. That trend is reinforced by the widespread availability of more effective commodity attack tools and services. Orange says, quote, "while highly critical attacks are still kind of rare, we've seen in the past few years a massive shift from low to medium criticality among the incidents we've recorded, reflecting the availability of fairly sophisticated attack tools to less-skilled criminals," end quote. They're also seeing an increase in the level of insider threats, and they expect that to continue as well. 

Dave Bittner: A Code42 study reaches a similar conclusion about insider risk. Remote work, complicated new working arrangements, a looser grip on access control and a lack of planning adequate to the sort of improvisation organizations have been forced into all make their contribution. It's worth noting that much, probably most, of the insider risk people worry about is unintentional and not necessarily malicious. 

Dave Bittner: And data-rich, poorly resourced and defended organizations with large numbers of users in their networks will remain attractive targets. Government Technology suggests we think of elementary through high school education.

Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief analyst, also our chief security officer. Rick, great to have you back. 

Rick Howard: Hey, Dave. 

Dave Bittner: Well, my hat is off to you. 

Dave Bittner: You have done it, my friend. You have made it to the end of the year. And more importantly than that, you have completed your third season of CSO - yeah, I know, right? - "CSO Perspectives." I'm looking back at Season 3. What are some of the big take-homes for you? 

Rick Howard: Well, first, you're so right, Dave. And like the rest of your listeners, I am sure, you know, I'm ready to put this dumpster fire of a year behind us, right? So... 

Dave Bittner: I know. Yeah. 

Rick Howard: I'm so looking forward to starting to begin to get back to normal sometime in 2021, so let's just... 

Dave Bittner: Right. 

Rick Howard: ...Keep our fingers crossed about that. 

Rick Howard: For Season 3, we covered a lot of ground on topics that I was either ignorant on or - before we started - or I had developed some misconceptions about these ideas along the way that needed some tuning. And so my big takeaway, I think, is how the business of security has kind of seeped out of the traditional and stovepipe infosec channels and spread across this entire business in ways that I had not anticipated. 

Dave Bittner: How so? How do you mean that? 

Rick Howard: Well, for example, one of the - we did two episodes on SD-WANs. And what's interesting is that SD-WANs is kind of an interesting networking idea until you realize in order to make it viable for the enterprise, you have to secure it. And the only way to secure it, really, is with some version of the SASE model, or secure access service edge. So that's all security for this kind of interesting networking idea. 

Dave Bittner: Right, right. Yeah, I see your point. Now, my recollection is that you made a similar argument about containers and serverless functions as well. 

Rick Howard: That's right, and how these two ideas are key components to the now 10-years-old DevOps movement. But until the security professionals squeeze into the discussion and make it truly DevSecOps, we're not going to make the enterprise more secure. 

Dave Bittner: Yeah. I remember you saying that. I also remember that you were talking about how we might all start focusing on SOAR. Now, just back up for a second. What does SOAR stand for? 

Rick Howard: Yeah, I know. I have to look it up every time I see the acronym. It stands for secure orchestration, automation and response. And for those tools, the immediate benefit was to automatically eliminate the tier-one noise coming into the SOC. You know, all these security stack devices generate all these alerts, and so we can automate that process of handling them. 

Rick Howard: But SOAR tools can do so much more than that, you know? And they can be used by the infosec teams to create their own infrastructure-as-code projects for more efficiency and more speed. 

Dave Bittner: So in order to make security a priority that goes across the entire business and not just have it be technical silos, you know, buried underneath the CIO's organization, where should the chief security officer sit in terms of authority within the organization? 

Rick Howard: Well, for sure, the industry has no consensus answer to that point. But from talking to our subject matter experts around the CyberWire's Hash Table, most feel the best practice for the chief security officer is to be an essential member of the organization's C-level leadership team. 

Dave Bittner: Yeah. Well, it's good stuff, Rick. What's coming up next? What do you have in mind for the next season? 

Rick Howard: Well, we've begun work on Season 4, and your listeners will be able to start hearing those episodes appear somewhere in the week of January 11. In the meantime, sir, happy holidays to you, and I guess I will talk to you next year. 

Dave Bittner: Happy holidays to you, too, Rick. It's been a real treat having you join us this past year, and I'm looking forward to what's to come. 

Rick Howard: Excellent. Thank you, sir. 

Dave Bittner: And joining me once again is Betsy Carmelite. She is a senior associate at Booz Allen Hamilton. Betsy, it's great to have you back on the show. You and I have been going through some of the highlights of the 2021 Cyber Threat Trends Report that you and your colleagues at Booz Allen Hamilton have released, and I wanted to touch base on one of the things that was in there. You touch on this notion of intelligent cybercrime - you know, the bad guys making use of things like artificial intelligence, evasion, things like that. What can you share with us there? 

Betsy Carmelite: Here, we're looking at how threat actors will use the same artificial intelligence that nearly all industries use to revolutionize services to develop AI-based tools to build malware that can reliably defeat AI-based security solutions. So we see this as, indeed, the next step in intelligent cybercrime for threat actors to remain undetected. 

Betsy Carmelite: In cybersecurity, one of the most significant advances in AI has been in malware detection, so that's where we move into this idea of evasion. Among the most mature of these AI security solutions is the use of machine-learning algorithms and antivirus engines. 

Betsy Carmelite: Malware developers have really sought to stay a step ahead of the static signatures used in AV engines. They use tactics like polymorphic or self-modifying malware, and that's led to exponential growth in the samples of that malware observed in the wild. One of the most powerful tools in detecting this rise of previously unobserved malware is the AI-based antivirus engine. 

Betsy Carmelite: So the premise here is that we think threat actors will turn their sights on AI-enabled tools to aid their malware development process, for instance, incorporating AI-enabled tools to finalize malware payloads before use like encoders, packers, obfuscators use today. 

Betsy Carmelite: We've seen some researchers demonstrate tools that can be used to defeat, really, the most advanced AV systems. So the takeaway here is that threat actor use of AI means that antivirus will be less effective against malware that can be modified and difficult to detect, so really beneficial if you're the attacker. 

Dave Bittner: Well, I mean, let's talk mitigations then. I mean, is it defense in depth, you know, some of the old things? I mean, what are you all recommending from that point of view? 

Betsy Carmelite: Yeah, really, defense in depth to limit these threats of malware payloads specifically designed to defeat AI. Organizations should implement a defense in depth strategy to disrupt these attacks elsewhere in the kill chain. We're looking at hardening internet-facing infrastructure, again, training employees, which can limit the likelihood of successful delivery. Network security tools such as IDSs can be used to detect command and control traffic. 

Betsy Carmelite: One of the other things that we're recommending for mitigation - because sometimes the actual threat is targeting the underlying data models and associated intellectual property of creating the AI services, we're concerned around that secret ingredient in the AI services not really being the algorithms, but the data used to build that trained model capable of producing true positive results. So if that's stolen, basically, you know, you steal the model, and you save yourself the trouble of building it. Organizations really need to treat and think of AI models as proprietary intellectual property and protect them as they would any proprietary software. 

Dave Bittner: Wow. Yeah, that's an interesting insight for sure. All right, well, Betsy Carmelite, thanks for joining us. 

Betsy Carmelite: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed - the quicker picker-upper. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.