The US Executive Order on cybersecurity is out. Colonial Pipeline, its security and response under scrutiny, resumes deliveries. Verizon’s DBIR is out.
Dave Bittner: Hi, everybody. We're excited to let you know that we're adding an incredible new show to the CyberWire podcast network. It's Microsoft's "Security Unlocked: CISO Series with Bret Arsenault." Listen in as Microsoft's chief security officer, Bret Arsenault, talks one-on-one with industry's leading CISOs, as well as technology leaders at Microsoft. In each episode, Bret and his guests will dive into the biggest challenges in cybersecurity, sharing new ideas and perspectives and provide practical guidance based on the actual strategies implemented by Microsoft and Microsoft's biggest customers. You're not going to want to miss this one. Check it out on our website at thecyberwire.com/security-unlocked. And be sure to subscribe wherever you get your favorite podcasts. A big welcome to Microsoft to the CyberWire podcast network.
Dave Bittner: The U.S. executive order on improving the nation's cybersecurity is out. Colonial Pipeline partially resumed delivery of fuel yesterday evening as its preparation for and response to the cyberattack it sustained receives scrutiny. The DarkSide's extortion of the U.S. pipeline company seems likely to prompt regulatory revision. DarkSide operators say they've gotten busy against other targets. Our own Rick Howard speaks with Aaron Sant-Miller, chief scientist at Booz Allen Hamilton, on developments in artificial intelligence. And Verizon's Database Investigations Report (ph) is out. I check in with Verizon's Chris Novak for highlights from the DBIR.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 13, 2021.
Dave Bittner: U.S. President Biden yesterday evening signed his administration's long-anticipated Executive Order on Improving the Nation's Cybersecurity. Quote, "It is the policy of my administration that the prevention, detection, assessment and remediation of cyber incidents is a top priority and essential to national and economic security," end quote. The president says he expects the federal government to lead by example. The order calls for bold changes and significant investments to protect and secure its computer systems. Quote, "the scope of protection and security must include systems that process data, information technology and those that run the vital machinery that ensures our safety, operational technology." The executive order formalizes and enhances the Cybersecurity and Infrastructure Security Agency's responsibilities for functional oversight of the federal civilian executive branch agencies. But it also prescribes important roles for the National Institute of Standards and Technology, the FBI and defense agencies, notably the National Security Agency. The measures prescribed are complex and organized along an ambitious timeline. But in general, the government will start with its own security and move from there to address industry, eventually reaching as far as consumer software. Some of the commentary on the executive order has framed it as a response to the Colonial Pipeline ransomware attack. While that incident may well have affected its final content, the order itself has long been under preparation. Should you wish to point to any single incident as the one that prompted the order, look to the SolarWinds supply chain compromise.
Dave Bittner: But speaking of Colonial Pipeline, the energy company continues its recovery from the ransomware attack it sustained last week. Colonial Pipeline restarted its pipeline operations yesterday evening at about 5 o'clock p.m. Eastern Daylight Time. Full service will be restored, the company expects, within several days.
Dave Bittner: The AP reports that a six-month technical audit delivered to Colonial Pipeline in January 2018 found significant issues with the company's networks. Robert F. Smallwood, a principal at the consultancy IMERGE, told the AP he prepared the report. And he characterizes Colonial Pipeline's then-practices as atrocious. The AP quotes Smallwood as saying, "We found glaring deficiencies and big problems. I mean, an eighth grader could have hacked into that system," end quote. The report is described as having focused on data loss prevention and smooth operations. The AP writes, Colonial's statements Wednesday suggest it may have heeded a number of Smallwood's recommendations. In addition, it says it has active monitoring and overlapping threat detection systems on its network and identified the ransomware attack as soon as they learned of it. Colonial said its IT network is strictly segregated from pipeline control systems, which were not affected by the ransomware.
Dave Bittner: It's still too early to reach firm conclusions about how Colonial Pipeline was hacked or how well- or poorly prepared it was to defend itself. The company itself remains tight lipped on the topic, but doubtless more will emerge as investigation and remediation improve. Bloomberg reports that Colonial paid DarkSide operators nearly $5 million in cryptocurrency within hours of the attack's discovery. Their sources are two anonymous persons familiar with the transaction. A third source, also unnamed, says the U.S. government is aware of the payment. So did paying up pay off? Yes and no. The DarkSide operators did deliver a decryptor to Colonial Pipeline, but sources say that the tool was so slow that the company continued using its own backups to help restore the system. So they got the decryptor but may not have found it particularly useful. Other outlets reported earlier that Colonial Pipeline had decided not to pay the ransom demanded, and today's Bloomberg story is the first we've seen that offers the contrary. If Bloomberg's account proves true, the payment of ransom is likely to lend further impetus to developing effective laws and regulations governing response to ransomware attacks. There's a growing movement among insurers announcing their decision not to cover ransom payments, and governments are likely to make it more difficult for victims to pay up. Doing so fuels a bandit economy, and there's a growing consensus among legislators and regulators and in industry, as well, that only disrupting ransomware's business model will clap a stopper over this corner of the criminal market. That the ransom is said to have been paid in cryptocurrency will also lend momentum to government attempts to regulate altcoin generally.
Dave Bittner: The ransomware attack has, The Wall Street Journal notes, drawn scrutiny by Congress and others of how well the Transportation Security Agency, the TSA, familiar to anyone who's transited a U.S. airport over the last decade and a half or so, is actually overseeing pipeline security. Many have fastened on TSA's voluntary assessment program as particularly worthy of review. Officials at the Federal Energy Regulatory Commission - that is FERC - think there are security lessons the electrical power grid could teach the pipeline industry. FERC Chair Richard Glick said this week, quote, "For over a decade, the Federal Energy Regulatory Commission, in coordination with the North American Electric Reliability Corporation, has established and enforced mandatory cybersecurity standards for the bulk electric system. However, there are no comparable mandatory standards for the nearly 3 million miles of natural gas, oil and hazardous liquid pipelines that traverse the United States. It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector. Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors. Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend," end quote.
Dave Bittner: DarkSide, the Russia-based criminal group that's, by consensus, responsible for hacking Colonial Pipeline, hasn't pulled in its horns. Reuters reports that the gang has claimed three more targets, a Brazilian battery firm, a Chicago-based tech company and a British engineering firm. Reuters says it hasn't been able to verify that the attacks actually succeeded. But DarkSide has threatened to dox its targets by publishing stolen sensitive information if they're not paid.
Dave Bittner: Verizon's annual Data Breach Investigations Report is out. In brief, ransomware is up, as are social engineering in general and misrepresentation in particular. Verizon found 85% of breaches involved the human element. Phishing was present in 36% of breaches, up from 25% last year. Business email compromise was the second most common form of social engineering. And there's a good news, bad news story here, too. The report says, the good news - 14% of simulated breaches had no impact. But don't count on that for your organization's security plan. The median for incidents with an impact was $21,659, with 95% of incidents falling between $826 and $653,587. As they say, read the whole thing. It's only 19 pages long, and there's not a dull one among them. And stay tuned for my conversation with Chris Novak from Verizon. We'll be discussing the DBIR.
Dave Bittner: CyberWire's chief security officer, Rick Howard, recently checked in with Aaron Sant-Miller from Booz Allen Hamilton on the latest developments in artificial intelligence. Here's Rick.
Rick Howard: If you've been listening to the CyberWire for any length of time, you know that many practitioners have been trying to build machine learning systems using artificial intelligence concepts in order to automatically discover and prevent the success of cyber-adversaries. I thought it was time to level set on just where we are in that regard. I asked Aaron Sant-Miller, the chief data scientist at Booz Allen Hamilton, to tell us just exactly what he is trying to accomplish with his machine learning research efforts.
Aaron Sant-Miller: How do we detect attack and detect adversaries in an intelligent way that uses tradecraft with AI and analytics? That's always going to be the place where we're investing a lot of our energy.
Rick Howard: Machine learning thinking has been around for a while now, but many of us practitioners have yet to deploy anything meaningful. There hasn't been a lot of progress. Aaron thinks that some of this friction is caused by the same issue that is preventing the community from more speedily adopting the DevOps model. Namely, the security people and the developer people are staying in their silos and not working as a combined task force team. According to Aaron, that's exactly what's going on between the security people and the data scientists, too.
Aaron Sant-Miller: It has to start with the domain expert and the person who knows cyber well saying, this is what we need to detect, and here's how I think we detect it. They need to then sit in a room with the data scientist or AI developer who can say, all right, here's where I can help you, and here's where I can't. And here's what I need to help you the right way. And what are the things that you want me to find for you? That conversation needs to happen. And I think that's sometimes where it breaks down because the data scientist thinks about data, and the cyber analyst or cyber expert thinks about threats and tactics. They need to find a common ground to talk about those things.
Rick Howard: One popular myth in the security community today is that somehow, somebody is going to build a giant, monolithic AI system that will magically sift through the mountains of telemetry that we are all collecting and storing in the cloud somewhere and miraculously prevent the next SolarWinds attack, kind of like The Architect AI in "The Matrix" movies, trying to fend off Neo and his gang of red pill swallowers. But I'm pretty sure that's not how it's going to work. More likely, the AI system we will get in the future will be a collection of very small and independent machine learning algorithms forecasting answers to tiny problems and delivering the result to larger machine learning systems, who will try to make sense of it all in a meta kind of way. For the nerds out there, a better example from pop culture than "The Matrix" movies is the subprogram AI called Wintermute that is part of a larger AI called Neuromancer in the sci-fi classic of the same name.
Aaron Sant-Miller: There's a growing area of work around tiny AI, which is packaging models into their smallest form factor to get them closer to the center. There's that tradeoff of, do we make the AI super small and specific, or do we keep it a little bit more broad and probably more robust? But then there's the engineering question - where does this live in our overall data pipeline when we're pulling data feed from the endpoints, from the network level, bringing them together? And they all need to end up in a tool that an analyst likes and is comfortable using. You might deploy the smaller AI model or package it as small as you can to analyze files on endpoints to detect whether or not there's malware on a specific endpoint. And then that risk score of, hey, there is a malicious file gets fed up through a data pipeline to a larger model of doing some contextual learning around, hey, was there a network intrusion, or was there some type of spear phishing attempt that caused this particular endpoint to go out and get malware? Not like, we just saw a file that we think is bad. It's like, we saw a file that we think is bad, and we also, based on a larger contextual analysis, think this is how the adversary got in, got that file onto the host and caused this action.
Rick Howard: For the past year or so, the big buzzword in artificial intelligence circles is adversarial AI. In other words, once you have a Neuromancer AI running in your SOC, how can you protect it from adversaries who attack its blind spots?
Aaron Sant-Miller: And then the final piece that we're looking at is obviously a hot button topic that's talked about a lot now, which is adversarial AI, which is, in the cases that somebody is attempting to poison or disrupt your AI model, how do you harden your capabilities against those types of acts, that you have good assurance that when you have AI deployed the right way in the right pipeline to the analysts in the right way, that you're robust against the more advanced actor, who's not necessarily trying to hack your system but may be trying to disrupt your model from detecting it based on something the adversary knows about the model you're using.
Rick Howard: Make no mistake - we will be using machine learning algorithms even more than we already are in the very near future. We have some hurdles to get over, for sure. But however this goes, it's definitely going to be interesting.
Dave Bittner: That's our own Rick Howard.
Dave Bittner: And I'm pleased to be joined once again by Chris Novak. He is the global director of Verizon's Threat Research Advisory Center. Chris, it's always great to have you back. It is that time of year, what I think is a lot of people's favorite time of year. It's time for the annual Verizon DBIR report. Let's touch base. What are we in for this year?
Chris Novak: Yeah, so always great to be on the show, Dave - thanks. So yeah, you're absolutely right. It's that time. We've got some new, exciting elements to share about the report, kind of fresh, hot off the press. One, you know, I'll say that, you know, the data continues to be extraordinarily strong. You know, every year, we're looking to see how we can add more partners, add more geographic coverage. And, you know, I'm happy to say that we're seeing exactly that same kind of contributor success again this year. So we have more countries covered than, I think, ever before. I think we're up to 88 countries covered. And I guess you can look at that as a positive or negative. We're seeing breaches in more parts of the world. But I think the reality of it is they were happening there already. It's just a question of whether or not we were investigating them. And so now I think we've got a good kind of - you know, the way I put it is a broader aperture on it. And increased breaches being analyzed - we've seen roughly a 2x increase in the amount of breaches in the data set. And, you know, one of the things I always kind of caveat that with is it's not to indicate that, you know, breaches have doubled year over year. It's just a matter of the sample size of what we're looking at has doubled. And so generally, my takeaway from that is it generally means we can produce better and more detailed findings because we have more that we can really kind of churn through.
Dave Bittner: I think it's fair to say that last year was atypical, dealing with a global pandemic and all of that. I mean, how much did that play into the approach to this year's report?
Chris Novak: Yeah, actually, that's a great point. It did actually quite a bit. In fact, you know, last year when we were looking at the report, one of the challenges we had was you know that these typically come out kind of a bit in arrears. So we take the data from the prior year, analyze it, produce a report. So it's kind of a bit of a retrospective a little bit. And the last report came out right as kind of we were walking into kind of the heavy peak of COVID around the world. And so it was kind of interesting because we looked at it at the time, and there was not a lot of COVID data in it because COVID was just starting at the time the report was being released. Now we kind of have an entire year of COVID kind of in the report. And, you know, as you probably would imagine, we're seeing a lot of the things that we were starting to see back then. But, you know, now we actually have metrics on them in terms of the amount of social engineering campaigns that are happening around everything from, you know, testing to vaccines, to, you know, distribution of, you know, PPE, to, you know, return to office scenarios. And we're seeing that, you know, pretty much wherever there is chaos in the world, that is typically where the hackers like to plant themselves. And they have not disappointed with this as well. They're trying to land themselves right in the middle of a lot of what's going on in COVID, as well.
Dave Bittner: Yeah. What were some of the highlights for you? I mean, what are some of the things that stand out in this year's report?
Chris Novak: Yeah, so I'd say there's, you know, some - I would like to kind of give a little bit of a balanced view as much as I can in terms of some positives and some negatives or maybe some areas where things have improved and areas where we could improve more. But when we look at that, we see, you know, some small decreases or improvements, I guess, in things like misconfigurations. That's gone down a couple of percentage points. And a lot of that, honestly, previously revolved around organizations migrating from, you know, on-prem to cloud-based environments. Historically, they'd have misconfiguration on the way, and things would fall apart after they've landed in some cloud-based environments not because cloud is in any way specifically insecure but that their migration was maybe not necessarily well-planned out or thought out. And I think we saw some improvements in that over the course of the last year. We've also seen a decrease in things like misdelivery of information. We've just seen some tighter controls get wrapped around a lot of those things. But areas where I'd say we've seen kind of an uptick or areas where we probably need to crack down a little bit more still is in the areas of social engineering. We've seen phishing increase yet again by 11%, ransomware increase by 6%. The variants of ransomware are also continuing to evolve. You know, we're seeing a growth in ransomware variants that also have data exfiltration components to them. So, you know, like we're seeing kind of in a lot of places, it's not now just about, can you pay the ransom to get your data back? It's, you know, you pay the ransom and maybe get your data back. If you don't pay the ransom, we publish the data. And that's obviously a whole new other kind of, you know, concern. And we're seeing that continuing to be absolutely on the rise.
Dave Bittner: Yeah, all right, well, plenty to see as always every year. As I say, it's one of the reports that everybody in the biz looks forward to checking out. It's the Verizon 2021 DBIR report. Chris Novak, thanks for joining us.
Chris Novak: Thanks, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.