Looking toward tomorrow’s Russo-American talks about the Ukraine crisis. A memorandum gives NSA oversight authority for NSS. A look at the C2C markets.
Dave Bittner: As Russian forces remain in assembly areas near the Ukrainian border, the U.S. and Russia prepare for tomorrow's high-level talks in Geneva. NATO members look to their cyberdefenses. U.S. President Biden issues a memorandum on improving the cybersecurity of national security, Department of Defense and intelligence community systems. Notes on C2C markets - Mirai is exploiting Log4j flaws. Verizon's Chris Novak shares insights on Log4j challenges. Our guest is Ryan Kovar from Splunk with a look at the year ahead. And Olympic athletes heading to China - better grab that burner phone.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 20, 2022.
Dave Bittner: Despite Russian statements placing little hope in diplomacy and despite Moscow's expectation of receiving a formal response to its soft ultimatum sometime today, the New York Times reports that U.S. Secretary of State Blinken still plans to meet Russian Foreign Minister Lavrov in Geneva tomorrow.
Dave Bittner: U.S. President Biden said at a news conference yesterday that he expects Russian President Putin to direct incursions into Ukraine. The New York Times quotes him as saying, quote, "my guess is he - President Putin - will move in. He has to do something," end quote. In answer to a question about Russian intentions and why threats of sanctions should be expected to deter further incursions into Ukraine, President Biden said...
(SOUNDBITE OF ARCHIVED RECORDING)
Joe Biden: Well, because he's never seen sanctions like the ones I promised will be imposed if he moves - No. 1. No. 2, we're in a situation where Vladimir Putin is about to - we've had very frank discussions, Vladimir Putin and I. And the idea that NATO is not going to be united, I don't buy. I've spoken to every major NATO leader. We've had the NATO Russian summit. We've had other - the OSCE has met, et cetera. And so I think what you're going to see is that Russia will be held accountable.
Dave Bittner: That recording was made by C-SPAN at yesterday's media availability. President Biden also indicated that Russia could be expected to test NATO's resolve.
(SOUNDBITE OF ARCHIVED RECORDING)
Joe Biden: The answer is that I think he still does not want any full-blown war - No. 1. No. 2, do I think he'll test the West, test the United States and NATO as significantly as he can? Yes, I think he will. But I think he'll pay a serious and dear price for it that he doesn't think now will cost him what it's going to cost him. And I think he'll regret having done it.
Dave Bittner: President Biden saw challenges in maintaining NATO unity, saying, quote, "it's very important that we keep everyone in NATO on the same page. That's what I'm spending a lot of time doing. There are differences. There are differences in NATO as to what countries are willing to do, depending on what happened, the degree to which they're able to go," end quote.
Dave Bittner: President Biden's suggestion that minor incursions might not lead the U.S. to exact as serious and dear a price as major incursions would struck some observers as introducing a deliberate element of ambiguity. But White House press secretary Jen Psaki subsequently issued a statement clarifying the U.S. position on the crisis over Ukraine in a way that seems to resolve any such diplomatic ambiguity. It's brief and clear enough to warrant quoting in full.
Dave Bittner: Quote, "President Biden has been clear with the Russian president. If any Russian military forces move across the Ukrainian border, that's a renewed invasion, and it will be met with a swift, severe and united response from the United States and our allies. President Biden also knows from long experience that the Russians have an extensive playbook of aggression short of military action, including cyberattacks and paramilitary tactics. And he affirmed today that those acts of Russian aggression will be met with a decisive, reciprocal and united response," end quote.
Dave Bittner: This will not be received as a positive response to the Russian government's proposals for resolving the crisis. Those proposals would have required an extensive and public treatment by NATO from the forward defense of its eastern member nations. Ukraine is not a member yet, and forestalling Ukrainian admission to NATO is a central Russian objective.
Dave Bittner: Note that the White House statement refers to aggression short of military action, including both cyberattack and paramilitary operations - that is plausibly deniable action by proxies, irregulars or special forces - and promises not a proportional or asymmetric response, but a reciprocal response.
Dave Bittner: CISA has urged organizations to take steps to shore up their defenses in advance of possible Russian cyber operations. Last week's data-wiping attacks against Ukrainian targets are seen, according to BleepingComputer, as a bellwether. The Drive says the U.S. government's assessment is that such attacks could produce widespread damage to U.S. infrastructure.
Dave Bittner: U.S. President Biden yesterday morning signed National Security Memorandum NSM-8, Memorandum on Improving the Cybersecurity of National Security, Department of Defense and Intelligence Community Systems, which specifies how Executive Order 14028, Improving the Nation's Cybersecurity, will apply to national security systems, most of which are operated by the Department of Defense and the Intelligence Community systems. It brings these systems' cybersecurity under the supervision of the National Security Agency, and it gives NSA authority to issue binding operational directives to the organizations that operate the systems.
Dave Bittner: The White House fact sheet that accompanied NSM-8 says, quote, "this directive is modeled on the Department of Homeland Security's binding operational directive authority for civilian government networks," end quote. And the expectation is that NSA will learn from the Cybersecurity and Infrastructure Security Agency's experience in securing the federal civilian networks it oversees. NSM-8 lays out a 180-day timeline, with appropriate milestones, for NSA to formulate guidance and for the affected agencies to complete and report compliance.
Dave Bittner: Russia is not mentioned in NSM-8, but the timing and context of the memorandum clearly suggest that it was issued with current threats from Russia in mind. The White House fact sheet ticks off the customary list of administration accomplishments by way of providing background. Quote, "and internationally, the Biden administration has rallied G7 countries to hold accountable nations who harbor ransomware criminals, updated NATO cyber policy for the first time in seven years and brought together more than 30 allies and partners to accelerate our cooperation in combating cybercrime, improve law enforcement collaboration and stem the illicit use of cryptocurrency," end quote.
Dave Bittner: NSM-8's major near-term provisions touch upon cloud migration, zero trust architecture, multifactor authentication and cryptographic interoperability. Not all of the memorandum's directions are focused on near-term risk management. There is, for example, some discussion of the implications of quantum computing on cryptography, but it's the near-term measures that have drawn the most attention.
Dave Bittner: Cobalt Strike has been seen frequently in recent criminal attacks. Researchers at BlackBerry report that a malware subscription service, Prometheus TDS - and TDS would be traffic direction system - makes extensive use of Cobalt Strike in its offerings. The service is being hawked in Russian-language criminal-to-criminal markets. Its principal use is to stage large-scale phishing campaigns that redirect victims to malicious landing pages.
Dave Bittner: Mirai is back. Security firm Akamai has found the Mirai botnet exploiting Log4j to attack SolarWinds and Zyxel devices. Microsoft warned of the potential problem, The Record reports. And so SolarWinds issued a patch on Tuesday. Zyxel has also updated its products to address the issue.
Dave Bittner: Engineering & Technology describes how botnet scalping has become a preferred criminal method of money laundering. Buy stuff from online markets with ill-gotten cash and then resell that stuff, and the money assumes the legal, if not the moral, appearance of being clean. Security firm Netacea told the publication that scalper bots are, for now, legal, although there's some movement in the U.S. Congress to pass legislation that would outlaw this particular kind of thing.
Dave Bittner: Nextgov reports that the U.S. government is considering shifting responsibility for pipeline cybersecurity from the Transportation Security Administration to the Department of Energy. Industry complained that they were insufficiently consulted when TSA was responding to fallout from the Colonial Pipeline hack, and the House Energy and Commerce Committee is evaluating a proposed bill that would create a self-regulatory body along the lines of the North American Electric Reliability Council that would work under the supervision of the Department of Energy's Federal Energy Regulatory Commission.
Dave Bittner: The U.K. government has opened consultation on measures to formulate cybersecurity professional standards. The goal would be to help organizations understand the kind of skills they need in the people they're hiring and to help education and training institutions develop ways of qualifying people to fill the jobs the labor market is looking for. Comments will be open through March 20 of this year.
Dave Bittner: And finally, if you're a bobsledder, a biathlete, a skeleton racer or any other member of the U.S. Olympic team competing in China this winter, the U.S. Olympic Committee recommends you bring a burner phone in with you and then burn it upon departure. Security Week quotes the committee as saying, quote, "assume that every device and every communication, transaction and online activity will be monitored. Devices may also be compromised with malicious software designed to compromise the device and its future use," end quote. So bring that burner.
Dave Bittner: Ryan Kovar is a distinguished security strategist at Splunk. And I checked in with him for insights on what's got his attention as we face the coming year. Like most security professionals, he thinks ransomware is here to stay in the near term. But it's not all bad news.
Ryan Kovar: I think there's a lot more awareness around the value of backups. There's a lot of discussion that I've read around the fallacy that decryption works. There's been some great stories that I've actually heard on CyberWire over the last year or so of organizations paying for the decryption key, and it's still taking two or three or four weeks for them to actually decrypt the ransomware. And so at some point, are you better off just biting the bullet and restoring from backups than you are trying to decrypt and recover in place?
Ryan Kovar: So I believe, compared to three years ago where folks might not have realized that, you know, the old standard of just having good backups is an effective ransomware strategy, I think that has changed, and that's much more conscious for organizations, for CISOs and for network defenders.
Dave Bittner: So moving beyond ransomware, what other things are on your radar for the coming year?
Ryan Kovar: Perhaps not surprisingly, with some bias over the last 375 days or so, I'm still somewhat focused on supply chain. My team did some research on supply chain attacks last year. I've been working on more things around this concept put forward by ENISA around the concept of supplier and consumers and that people should be looking at their organization from different lenses of responsibility. And I feel like if you're able to identify if you are a supplier of software or a consumer or software - and many organizations, I would argue any Fortune 1000 and above organization is both a supplier and a consumer of software - people should start looking at how they're defending their networks a little bit differently.
Ryan Kovar: And I think that's something that's going to come up more and more is this, you know, the software supply chain. It's just - it's coming up often. It's coming up frequently, and it's getting more news, and I don't think that's going away.
Dave Bittner: Is there anything in your estimation that isn't getting the attention that it deserves, that people aren't focused on, that leaves you scratching your head?
Ryan Kovar: It's very wonky, and I've already alluded to it a bit, but the software bill of materials work that's being done by legislators, I think, is going to change the world in unexpected ways. And I - I'm often drawn to the comparison of when Walmart required barcodes. When Walmart required barcodes as the largest, you know, consumer of products in the world, everyone had to have them.
Ryan Kovar: If the federal government makes a decision on requiring an S bomb for the purchase of software, the trickle-down effects on that will be startling. And every software vendor just about in the world will have to start having a S bomb available for the federal government, which then, in my opinion, will have a trickle-down to commercial entities asking to see the S bomb. Then you're going to have questions, you know, going further into cyber insurance, where cyber insurance is going to be asking for verification of S bombs and all sorts of areas like that. And I think those are things that we could look at and will see a big change in the future.
Dave Bittner: How about for you personally? Are you heading into this year with a sense of optimism or pessimism or practicality? Where do you sit?
Ryan Kovar: I am in a practical mindset, probably. I don't think it's going to be worse than the last year. I don't think it's going to be much better. I think the, you know, things like Log4j have shown how vulnerable some areas of our entire infrastructure are. And, you know, if I was an adversary, I'd probably be digging in to GitHub and looking at some really in-the-weeds libraries right now, as I'm sure people are.
Ryan Kovar: But I think Log4j also showed how a global event can really unite an entire community of getting data out quickly. And we have a little bit of a reflex from that from SolarWinds. And so I hate to say practice makes perfect, but we certainly did better as a entire holistic community, in my opinion, for Log4 or Log4Shell than we did for SolarWinds. And I - that does bring me some hope.
Ryan Kovar: And I look at things like CISA. I'm a huge fan of what's been done at CISA, JCDC, all these outreach programs. There's just things in place now that a year ago were only dreamed of, two years ago weren't even thought of. And that brings me a lot of hope for that private-public partnership aspect.
Dave Bittner: That's Ryan Kovar from Splunk.
Dave Bittner: And I'm pleased to be joined once again by Chris Novak. He is the global director of the Threat Research Advisory Center with Verizon. Chris, it is always great to have you back.
Dave Bittner: You know, I don't think it's surprising to anybody to say a hot topic lately has been Log4j, Log4shell. And I just want to check in with you to get your take on where we stand with this. What's your outlook here?
Chris Novak: So it's been a wild ride, I'll tell you. It's - I swear we can set the calendar sometimes by the events that pop up. And this one is no surprise here.
Chris Novak: I think, you know, the reality of it is that what we're seeing around Log4j and 4shell - you know, talked with a lot of organizations, and the challenges that it seems many still are facing - you know, if you break up, you know, your large enterprises, your medium-sized businesses, and then, you know, maybe even your small businesses, the largest enterprises, I'd say they've got a pretty good understanding, if not a great understanding, of what this is, what it entails and how they're going to deal with it. They probably have dealt with things like this before.
Chris Novak: And many people may say, OK, that's great; then we've got our bases covered. But the reality of it is if you kind of look at it like a pyramid, we're talking about that top of the pyramid that's probably got a pretty good handle on this problem. But that is the smallest piece of it, right? As we move down the pyramid, the challenge we face is the maturity is not there. And what a lot of organizations seem to be struggling with is even understanding where they might have it if they might have it, right.
Chris Novak: You know, when SolarWinds happened, a lot of organizations could fairly, readily and easily determine whether or not it's an application that they use or that they have. They might be able to go through procurement logs and figure out if they've ever purchased it or whatnot. Log4j - essentially, it's a component in something else. So it's not something you're ever going to see on your procurement list. And it's really going to come down to, you know, how mature are you with things like asset and application inventories or your ability to scan for the inclusion of this kind of code within other applications that you might use?
Dave Bittner: What sort of questions should I be asking? You know, if I'm that that medium-sized business and somebody comes knocking on my door and says, hey, you know, we're providing services here to scan the things that you use to audit your vulnerability to Log4j, how should I respond to an offer like that?
Chris Novak: I mean, I think, you know, it's a great point. And to be honest, we're having a lot of those conversations with organizations today. And, you know, typically the way it starts with is first just understanding, does the organization have a familiarity of what this vulnerability is? You know, some of us who are in the industry might be thinking, wow, you've got to be living under a rock not to know what this is. But again, you know, you kind of have to take a step back and look at this and understand not everybody is watching this kind of stuff day in and day out. Whether they should be is another story, but they're not.
Chris Novak: And so the first piece is, I think, just educating, you know, kind of that audience of this is what the vulnerability is. This is how it works. This is some examples of where this vulnerability has been known to live. Here are some applications that you might have heard of. But the reality of it is this is open source, and it could be part of any and many other applications that you may have.
Chris Novak: And I think a key thing in terms of any engaged conversation around, you know, scanning or assessments of your Log4j, you know, susceptibility, if you will, really has to, you know, happen around things like, you know, what kind of environment do you run? And what does that organization's scanning or assessment have the ability to tackle, right? If you're a largely Windows shop, are there tools and scanning technologies - you know, set up for that? If you have a mixed environment of, say, you know, Windows, Linux, Unix, Mac OS, whatever may be, you know, what does that environment look like, and what do their capabilities look like there?
Chris Novak: You know, I always suggest, you know - ask for templates. Ask for examples of the output. What can I expect to get out of an assessment or a scan that a vendor might do? You know, show me some finished products, even if it's just a redacted version of a report. Give me a sense of what it is that I'm going to get out of it - because, you know, I think when you look at things like the Log4j issue, it's not going to just be, let me scan and find it.
Chris Novak: But, you know, really when we look at this, we look at it as a multi-step approach. It's going to be, do you have it in your environment? If you have it, can we determine whether or not it has been exploited? And then if it's been exploited, you then have to go to the next step to figure out, where did it go after that?
Dave Bittner: Do we have any sense at this point how long a tail this is going to have, what we're in for over the long haul?
Chris Novak: Ooh, a crystal-ball kind of question.
(LAUGHTER)
Dave Bittner: I know. It's not fair, is it?
Chris Novak: Oh, no. They know I love them.
(LAUGHTER)
Chris Novak: They're fun nonetheless. You know, to be honest, I'm going to go out on a limb and say that I think this one is going to be hanging out there probably for the better part of two years. And I think - the reason why I say that, to be honest, is I think you have an incredible amount of awareness about this problem right now, and it's on everybody's mind - everybody who is wanting and choosing to pay attention to it.
Chris Novak: But like anything, there is a subset of the population that is not wanting or choosing to pay attention to it, or they are distracted by other things. And again, it's not to say this isn't an important thing. It may just be an organization may be in the middle of something else, right? They're having financial troubles. They're dealing with COVID issues. They're dealing with labor issues. They're dealing with, you know, employees in many countries. And this may just not be the thing that's getting all of their attention.
Chris Novak: And so what I think's going to happen is we're going to see these, you know, kind of almost like a wave that's going to go up and down over time over the next couple of years as this gets hammered out. And I think the other thing, too, kind of going back to our earlier part of the conversation, that you're going to face is lots of organizations are not even going to be aware that it exists as a problem in some of the applications that they use. So they may not even recognize it to find it and address it for, you know, six months, a year or maybe even more.
Chris Novak: And I think the other thing that's worth highlighting here, too, is that a lot of organizations, I think, have a misunderstanding that, well, the solution is just patching. And patching is part of the solution. But the challenge also is this is being heavily exploited. We see a tremendous amount of activity across our network or when we're doing monitoring of organizations where they're being tested for this vulnerability right now.
Chris Novak: Patching - it's kind of like locking your front door. After you've locked it, someone's probably not going to walk in. But if it's been wide open for a month or a year, who knows how many people are already inside when you decide to lock it, right? Nobody new comes in after you lock it. But if they were already in, have already exploited it, may already have brought other malware in the environment, at that point, you've just stopped future exploitation. You also need to do some level of due diligence to determine whether or not the problem has already made its way in.
Dave Bittner: Yeah. All right. Well, Chris Novak, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.