The CyberWire Daily Podcast 8.5.21
Ep 1390 | 8.5.21

CISA’s new Joint Cyber Defense Collaborative. C2C market update: Prometheus TDS and Prophet Spider. And naiveté about a gang’s reform, or optimism over signs the gang is worried?

Transcript

Dave Bittner: CISA announces a new public-private cybersecurity initiative. Prometheus TDS and Prophet Spider take their places in the C2C market. The money points to BlackMatter being a rebranded DarkSide. Andrea Little Limbago from Interos on divergent trends of federal data privacy laws and government surveillance. Tonia Dudley from Cofense checks in from the Black Hat show floor. Our guest is Simon Maple from Snyk with a look at cloud native application security. And where some see naivete, others see cautious optimism about putting fear in the hearts of ransomware gangs.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 5, 2021.

Dave Bittner: Late this morning, CISA, the U.S. Cybersecurity and Infrastructure Security Agency, issued a media advisory announcing the launch of a new Joint Cyber Defense Collaborative. The goal of the Joint Cyber Defense Collaborative is to integrate unique cyber capabilities across multiple federal agencies, many state and local governments and countless private sector entities to achieve shared objectives. Specifically, the new initiative is expected to first, design and implement comprehensive whole-of-nation cyberdefense plans to address risks and facilitate coordinated action; second, share insight to shape joint understanding of challenges and opportunities for cyberdefense; third, implement coordinated defensive cyber operations to prevent and reduce impacts of cyber intrusions; and fourth, support joint exercises to improve cyberdefense operations.

Dave Bittner: The initial private sector partners include Amazon Web Services, AT&T, CrowdStrike, FireEye, Mandiant, Google Cloud, Lumen, Microsoft, Palo Alto Networks and Verizon. Interagency federal partners include the Department of Justice, U.S. Cyber Command, the National Security Agency, the Department of Justice, the Federal Bureau of Investigation and the Office of the Director of National Intelligence. Sector Risk Management Agencies are expected to join as the initiative expands.

Dave Bittner: Group-IB describes a significant entrant into the criminal-to-criminal marketplace, the Prometheus TDS - that's Traffic Direction System - which distributes malicious files and directs victims to malicious sites. Prometheus is widely used by a surprising range of criminals, and one of the prices quoted for a subscription comes in at just $250 a month. Customers aren't just cybercriminals. Conventional fraudsters are in on it, too, like the all-too-familiar spammers on behalf of sketchy Canadian pharmacies counting on doing business with Americans too gullible to see emails offering off-brand Viagra for what they are - scams, Yankee Doodle, scams. Buyer beware.

Dave Bittner: CrowdStrike late yesterday published a description of Prophet Spider, a criminal gang that's been active since 2017 at least. Active against both Windows and Linux systems, the gang has recently been observed exploiting CVE-2020-14822 and CVE-2020-14750 to gain access to unpatched Oracle WebLogic servers and thence to victims' environments. CrowdStrike told us through a representative that Prophet Spider is opportunistic in its choice of targets, which have included energy, financial services, manufacturing, retail and technology companies. The gang has also been selling initial access to a variety of ransomware operators, and it may aspire to be a player in that corner of the criminal-to-criminal market.

Dave Bittner: Chainalysis says that tracing money through the blockchain has enabled it to confirm that BlackMatter is indeed a rebranding of DarkSide and not merely a newly formed group that's learned from its predecessor's best practices. So this may unravel a whopper someone claiming to represent BlackMatter has been telling.

Dave Bittner: With this year's Black Hat conference in full swing, we've been checking in with attendees for their perspectives on the show. Today's contributor is Tonia Dudley, strategic adviser at Cofense, who shares her approach to getting the most from a conference like Black Hat.

Tonia Dudley: When I'm here, I really want to be in sessions where I'm going to, you know, hear what's going on and what others are observing. So for me, it's really looking at the - first of all, starting with the keynotes - right? - making sure that I'm there, present and listening to what they have to say. And then also for - you know, as I'm going through the session list, just looking for things that are important to the phishing front landscape, which could impact Cofense as a whole, and just really kind of observing what's on the horizon or what we really need to pay attention to as it - as we design our products to help defend against the threat.

Dave Bittner: How does this year compare to the last time you were there? Is the feeling similar, or do things feel a little different this year?

Tonia Dudley: Probably a little different with so many - you know, starting with SolarWinds and the supply chain attacks, the increase in ransomware that we've been hearing about in the news lately. So it's really probably a little bit different atmosphere - right? - as we pay attention to, you know, the impacts of what these are going to have and then along with the executive order and what impact that's going to, you know, drive for policy and changes in the landscape.

Dave Bittner: What about beyond the show itself? I mean, how much time do you spend at an event like this networking, you know - attending those events that happen before and after the show?

Tonia Dudley: Sure. I try to find individuals that either I don't know or just, you know, kind of participate in some conversations that might be happening around me to meet with people and really just understand what it is that they are looking for in their defenses, what are the things that they might be observing in their organization, just to really kind of get a gauge for what's the temperature for, you know, how organizations are adapting to the threats that they're currently dealing with.

Dave Bittner: Do people seem to be in good spirits? Is - are people seeming optimistic and like they're happy to be there?

Tonia Dudley: Yeah. It's funny to just watch people recognizing people that they haven't seen, you know, in a few years and being able to just kind of be in their presence.

Dave Bittner: That's Tonia Dudley from Cofense.

Dave Bittner: The Record reports that U.S. Deputy National Security Advisor Anne Neuberger sees BlackMatter's policy of not hitting critical infrastructure as a hopeful sign that the U.S. message about prohibited targets is getting through. She said, quote, "as we looked at that interview, we took it as evidence, or perhaps as a sign, that the message regarding the disruptive ransomware activity against critical infrastructure is unacceptable. And we will address it. We felt that message was reflected in some of that," end quote.

Dave Bittner: Neuberger's remarks have been greeted with some skepticism by NBC's Kevin Collier, for example, who regards them as reposing unwarranted trust in the word of a criminal. Collier tweeted, "hoo boy. Neuberger is the de facto voice of the Biden administration's response to ransomware. A rebranded DarkSide hacker says in a single softball interview that they're avoiding critical infrastructure in their ransomware relaunch, and that's a win?," end quote.

Dave Bittner: Any thinking person would indeed agree with Collier that the avowals of a criminal who's already been caught in one lie are worth little. How little? Well, our classical desk says they're worth less than what Catullus thought of his girlfriend's flattery. Ah, write it on the running water; write it on the air, as that raffish Roman poet had it. And it's easy to feel his frustration.

Dave Bittner: But in fairness, Neuberger's comment isn't really that naive. The goons who represented themselves as DarkMatter numeros say they were acting out of self-interest, concern over government countermeasures. And Neuberger did say that the proof would be in the pudding. Fear of the long arm of the FBI or the cyber reach of NSA is a good thing. And even if the goons were insincere, well, hypocrisy is, after all, vice's tribute to virtue. So maybe the message is indeed being received by someone.

Dave Bittner: Neuberger added, quote, "we're looking to see the changes in addressing disruptive cyber activity over time," unquote, adding, according to The Record, that she realizes it's quite possible their interview wasn't, in fact, with an actual BlackMatter representative. We've heard that people sometimes misrepresent themselves online. Have you heard that? Our classics desk informs us that once, while hanging out in a chat room devoted to heavyweight boxing, someone falsely claimed to be former champion Larry Holmes. But a lot of the chatters were really excited to be in proximity to the champ - so naive but cautiously optimistic. Still, sound bites going to bite, which is always an issue when you talk to the media, except, of course, with us. And what was the classics desk doing chatting with a bogus Larry Holmes, you ask? Who knows? With those guys, write it on the running water. Write it on the air.

Dave Bittner: Security firm Snyk recently published their Cloud Native Application Security report highlighting security concerns from organizations who have adopted cloud native computing. Simon Maple is field CTO at Snyk, and he joins us with insights from the report.

Simon Maple: So beyond the cloud native adoption being very, very strong, particularly in containers, a couple of things that struck me as very important and interesting is, first of all, the fact that security hygiene misconfigurations and known vulnerabilities were key in terms of the areas in which respondents said that they were most concerned as well as where they have incidents today. So the survey showed misconfigurations were the biggest area of increased concern. In fact, over half of respondents stated that it's a bigger problem for them since moving from a non-cloud-native platform to a cloud native platform. And I guess that's, you know, using, whether it's Docker or cloud environments or your infrastructure as code, there being so much more configurations. Also, there was a really strong correlation between deployment automation and people being successful with cloud native adoption. So seeing automation really driving where people test, what are people testing and also the ability to fix much, much quicker and really fix critical issues faster when you have a good automation in place.

Dave Bittner: Yeah, one of the things that struck me about the report was you all noted that developers are really taking responsibility for security. It's not being handed off to folks down the line.

Simon Maple: Yeah, absolutely. And it's always an interesting question when we ask, you know, who has responsibility for security. And it's a kind of a very loaded question in, you know, whether any one individual or role should own security. I think that, you know, there are different areas of application development or general security that different roles will have more of a leading role in. So for example, when we think about peer application, you know, securely developing code, so secure development, there's a lot that developers need to own, right? They need to be responsible for the code they write. They need to be responsible for when they push code into repositories whether it's Dockerfiles, whether it's Terraform scripts, whether it's their own Java, Node code. Whatever it is, they need to make sure that they've done the necessary tests, et cetera, before they're just pushing code into those repositories.

Simon Maple: So from that angle, you know, a developer should own the responsibility for that. And it's very interesting that when we asked that question, we actually did the split by respondent to see how developers and security team answers differed. And yeah, absolutely. When we asked the question of who should own cloud native app security, less than 10% of respondents in security roles believed that developers were responsible for the - for securing those cloud native environments. And from a developer point of view, over 36% of developers stated that they were responsible. So developers are much, much more forthright in saying that they should own security than the security team would be at saying developers are.

Dave Bittner: So based on the information that you've gathered here, what are your recommendations? What are the take-homes?

Simon Maple: Yeah, great question. I mean, I think a lot of the take-homes are to make sure that when you are - from a security point of view, to make sure that when you look at your cloud native applications, you're focusing on the right areas. And when we look at where the risk areas are, we need to look at where incidents people are find - people are having incidents. That is largely around the misconfiguration. It's largely around known vulnerabilities, about API configurations as well. So make sure that our efforts are being put into where, you know, actual incidents occur. And of course, that's going to be different based on org to org. We've seen that big correlation there around that security hygiene. Typically, these are not the complex issues. This is general security hygiene issues.

Simon Maple: My second area which is a big recommendation here is to - that automation pipeline. Automation is really important. And pushing security into that automation is clear as the value it provides not just from the visibility point of view and testing regularly but the impact that then makes on your ability to react to security issues and security incidents. And so automation - and put some security into that automation - is key to being able to fix faster and react to security issues much, much, much, much quicker.

Dave Bittner: That's Simon Maple from Snyk.

Dave Bittner: And I'm pleased to be joined once again by Andrea Little Limbago. She is the vice president of research and analysis at Interos. Andrea, it's always great to have you back. You know, we've been seeing a lot of federal data privacy laws being passed, but I guess on the other side of that bit of tension, we're also seeing plenty of stories about government surveillance. Can we dig into that some? I mean, what's - what direction are we headed here in your estimation?

Andrea Little Limbago: Yeah, I mean, so we're very much, you know, at this inflection point. I feel like I've talked about it for a couple of years, but it keeps getting pushed farther and farther, and we're actually starting to see the divide starting to happen. And, you know, so there are, you know, roughly a hundred countries that have a data protection law now, a federal data protection law. You know, for those who are in favor of data protection and security, that's great. There are many other countries as well that have passed laws that just have not enacted them yet. So you know, the number is even higher. But at the same time, as - you know, some of these same countries that are passing some of these laws also have some competing forces that are also leading toward either censorship or surveillance as well. And so even if you think about, you know, just Brazil, in its recent history, has passed a pretty large data protection law mirrored on the GDPR. At the same time, in their recent history, they also have censored WhatsApp and then, you know, a variety of other temporally quick censorship and surveillance issues linked back. So, you know, they kind of - they don't go together, right? They're - it's almost like, well, how can you have a data privacy law if then there's some surveillance and censorship going on? They're just competing forces.

Andrea Little Limbago: And it's - on the one hand, it's hard, I mean, because especially when you think about, you know, for national - like, for legitimate national security reasons, there may be reasons for accesses to certain kinds of data. The problem is that that argument is being used for almost anything, and it's certainly for - you know, politically, can be used for political motivations. And so we do see this push and pull going on where you do have a big push towards data privacy and protection. And that's what a lot more of the people, even across the globe, are demanding that kind of protection.

Andrea Little Limbago: At the same time, governments, you know, now that there are these tools that are out there that enable them to have, you know, easy access to data, you're trying to circumvent some of that. Like, even if you just think about some of the, you know, the NSO tools and Pegasus and the spyware, that became so accessible to so many authoritarian governments. And so even in those cases, you have some - you know, countries - you know, Africa has - over half of the African countries - I think it's maybe 24 - roughly 24ish - have data privacy laws. But the same time, we also see a lot of these, you know, sort of spyware tools being used across the continent as well. So it's really just competing forces going on. And I'd argue it's unclear which one will prevail. And I'd also say it's going to be a patchwork. You know, it's going - some are doing better than others in different parts of the globe.

Dave Bittner: What about here in the U.S.? I mean, we've seen reports, even recently, about, you know, watchdogs saying that our FISA courts are just sort of rubber-stamping requests from the FBI, you know, those sorts of things where perhaps there needs to be some more recognition of the privacy laws or of the people keeping an eye on them. Who's watching the watchmen, I guess?

Andrea Little Limbago: Well, I mean, that's always the question, right? And that's where the rules of - rule of law and transparency just becomes so, so, so important. Because even, like, Australia passed their - basically, you know, what they're calling the Anti-Encryption Law I think about two years ago now. And there hasn't been a ton of transparency there. So there isn't a - there just isn't a widespread knowledge as far as how much it is being used or whether it was, you know, almost more a formality for just - you know, for the very few cases like the - you know, like the government said. And so without that transparency, it's hard to know exactly whether there needs to be the watchmen watching them. And so that, I'd argue, is also where the, you know, the freedom of the press becomes so very important. And so any kind of attacks on the press, you know, directly go into this.

Andrea Little Limbago: But in the United States, you know, without a federal, you know, data privacy law - because we don't have one yet, and it would be great if at some point, with input from the private sector, we had a coherent one. In the absence of that, we're just - we're seeing a patchwork across the U.S. I mean, even Virginia, where I live, just passed a data privacy law and - you know, a fairly comprehensive one. And we're just seeing this popping up across the U.S. And so I'd argue for both the government - you know, for the federal government, but also for corporations - the United States dealing with, you know, 50-plus different data privacy laws at some point - you know, that's sort of the direction that we're going - you know, is not terribly efficient. Or how do you keep track on any of those? I would - and I - 'cause also, it'll get to the point where some of them will probably - will contradict each other. Like in the data breach notification laws, some of them contradict each other from state to state. So it becomes really hard. But I do think - I mean, it's - that's where your democratic institutions just become so, so important to ensure that those exceptions are truly exceptions and that there are - you know, that there's good accountability going along with it.

Dave Bittner: All right. Well, Andrea Little Limbago, thanks for joining us.

Andrea Little Limbago: Thank you.

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. If your company would like to reach a quarter million unique listeners every month, send us a note at thecyberwire.com/sponsor.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Tre Hester, Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.