Notes on the cyber aspects of the ongoing hybrid war. DDoS in the Marshall Islands. Lapsus$ Group post mortems. US FCC sanctions Kaspersky. CISA adds Known Exploited Vulnerabilities to its Catalog.
Dave Bittner: A look at cyber-operations in the hybrid war. C3 and electronic warfare. The Republic of the Marshall Islands suffers rolling DDoS attacks. Okta gives a detailed account of its experience with the Lapsus$ group. Lapsus$ is under the law enforcement microscope. The FCC sanctions Kaspersky. Malek Ben Salem from Accenture on getting full potential from deception systems. Our guest is Greg Scasny of Blueshift Cybersecurity with remote workforce security concerns. And CISA adds to its known exploited vulnerabilities catalog.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 28, 2022.
Dave Bittner: Western governments continue to warn that Russian cyberattacks remain a real possibility and that organizations should prepare to defend themselves. CISA director Jen Easterly put it this way to CNN over the weekend - she said all businesses, all critical infrastructure owners and operators need to assume that disruptive cyber activity is something that the Russians are thinking about, that are preparing for, that are exploring options, as the president said. That's why we are so focused on making sure that everybody understands the potential for this disruptive cyber activity. And it's not about panic. It's about preparation.
Dave Bittner: The largest Russian cyber-operation of the hybrid war so far still seems to be interference with Viasat ground stations, now pretty clearly attributed to Russia's GRU military intelligence service. There was some spillover of this attack into neighboring countries. Other parties not directly involved have stepped up cyber espionage during Russia's war against Ukraine, as they might be expected to do in any period of crisis and heightened tension. Chinese attempts against NATO networks, for example, are said to have risen by 116% since Russia invaded its neighbor.
Dave Bittner: Russia's failure to execute the widely expected intense cyberattacks is joined by another small but probably related mystery - why hasn't Russian electronic warfare, particularly jamming, been more in evidence? Breaking Defense reports that Ukrainian command, control and communications have gone largely undisrupted. Why that's so isn't entirely clear, but the matter is less mysterious than Russia's failure to engage in widespread cyberattacks against Ukrainian infrastructure.
Dave Bittner: Among the possible reasons for a lack of jamming, which aren't mutually exclusive, is concern that jamming Ukrainian comms would also interfere with Russian comms. Both armies use common or adjacent portions of the electromagnetic spectrum, and jamming must be highly directional to avoid interfering with one's own forces. Such directional jamming might not be feasible when opposing forces interpenetrate one another to the extent seen in Ukraine. They may not want to interfere with cellular communications when both sides are using them. There may be a desire to continue to monitor enemy communications because intercepting them is yielding valuable intelligence. There may be resistance of some Ukrainian tactical communications to jamming. Some of the sources Breaking Defense talked to think that Ukraine may have received enough jam-resistant radios from the West to give Russian electronic warfare units difficulties. And finally, simple combat failure. This seems unlikely since Russian electronic warfare capabilities have for decades been highly regarded, but it's a possibility, especially given the extent of the combat failures on display elsewhere.
Dave Bittner: In a related problem, The Washington Post reports that Russian units are apparently making extensive use of insecure tactical communications, which has enabled Ukrainian forces to collect against and target Russian formations.
Dave Bittner: Last Wednesday, internet service on the Republic of the Marshall Islands began to sustain rolling distributed denial-of-service attacks. RNZ reports that home, business and government DSL and dedicated lines, as well as mobile 4G services, became intermittent or nonfunctional, forcing the National Telecommunications Authority to repeatedly issue messages updating customers about intermittent disruptions and urgent maintenance needed to restore service. By Friday, the NTA had concluded they were under DDoS attack. NTA CEO Tommy Kijiner Jr. said, after several days, it became apparent that NTA systems were shutting down as the result of a large-scale distributed denial-of-service attack. The attackers and their motives remain unknown, although Mr. Kijiner speculates that Russia might be a suspect. Why Russia would have any interest in meddling with internet service in the Marshalls is unclear. In any case, recent reports indicate the attacks are over and service has been restored to normal.
Dave Bittner: Okta has published a detailed timeline of the attack it sustained in January from the Lapsus$ group. The company traced the incident to a compromised account belonging to a Sitel employee, and the company also acknowledged that it was a mistake to have delayed notification of its own customers. Okta's statement said, we want to acknowledge that we made a mistake, explaining that they didn't initially recognize the extent of the issue. At that time, we didn't recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel. Had they realized the extent of the threat, Okta said, they would have made a different decision.
Dave Bittner: Several arrests have been made in the Lapsus$ case. They're all teenagers, and the case indicates the degree of damage relatively inexperienced attackers can work. Gizmodo over the weekend took a look at a paradoxical criminal operation that took advantage of weaknesses in their targets, which were by no means amateurish, bereft or ill-prepared organizations, and caused considerable disruption to their operations. At the same time, the Lapsus$ gang showed an ultimately fatal inattention to its own security, leaving clues that enabled law enforcement to run them to ground much faster than would have been the case with more sophisticated professional criminal organizations.
Dave Bittner: The U.S. Federal Communications Commission has added Kaspersky to its list of communications service and equipment providers who pose a threat to U.S. national security, Reuters reports. U.S. concerns derive from Kaspersky's obligation under Russian law to provide certain kinds of cooperation with the Russian government. Kaspersky's official statement Friday deplored the FCC's action as unconstitutional and baseless, adding, Kaspersky will continue to assure its partners and customers on the quality and integrity of its products and remains ready to cooperate with U.S. government agencies to address the FCC's and any other regulatory agency's concerns. It is, indeed, a political judgment - that is, one involving a judgment of Kaspersky's exposure to irresistible pressure from the Russian government. But that doesn't mean it's not a security judgment. In this case, the ultimate threat isn't Kaspersky's code or its behavior, but rather its awkward position with respect to the Kremlin.
Dave Bittner: And finally, the U.S. Cybersecurity and Infrastructure Security Agency has added 66 entries to its known exploited vulnerabilities catalog. If you're responsible for a U.S. federal civilian agency, take note. Your organization is expected to remediate each vulnerability by the deadline specified in the catalog.
Dave Bittner: As we've settled into the new normal, with many workers connecting remotely from home networks into work networks, the traditional ways of achieving visibility aren't necessarily cut and dry. Greg Scasny is CEO at Blueshift Cybersecurity, and I spoke with him about the growing spectrum of monitoring options available to security teams.
Greg Scasny: There are all kinds of telemetry agents. And I won't mention any by name, but, you know, there are telemetry agents you can put on equipment to watch what's happening - right? - and pipe that into your SOC or your MSSP. I think that's important. And then depending on the risk - like, you have to understand the risk of individuals that are working from home, what they have access to. You can go all the way to the point of even putting, you know, packet capture type nodes on their home networks, right? It's not hard to do. The hardware is very, very inexpensive. You know, that's not a barrier to entry any longer to be able to get that information into your SOC, right?
Greg Scasny: But you just have to plan that out, right? People need to think just differently about - you know, zero trust is part of that, too, so I do want to get - I'll get off on tangents because it's the way my brain works. But you need to kind of sit down and think about that and plan those things out. And you can do that with all kinds of stuff, whether it's a tabletop exercise or just sitting and thinking creatively about, OK, here's what we have. Here's the risks of what these people have access to. What do we need to put there? Is it just an agent that we can get security telemetry from? Is it, hey, I need an agent, and I need some, you know, packet capture type devices because they're very, very effective? What is it? You know, what is the threat model we have with this - with these - this group of employees? You know, executives going to be a little different than end users. What do they have access to? And how can we best protect that and detect and respond should something bad happen?
Dave Bittner: To what degree is it a challenge that everybody's environment now is a little bit different? They're using different providers. You know, their home networks are set up differently. It's not like they're all hosed in through that office network anymore.
Greg Scasny: Right. And that's - you know, that's part of the challenge. But I think it still comes down to networks are networks. And even though you may have, you know, your kids doing some things in the network and you doing other things, you know, having those devices that you do use for work, you know, monitored appropriately, to me, that's the biggest thing that needs to happen is that - you know, defensive security, there's a lot of ways to go about it, right? But it really comes down to a big data issue is that when something goes bad, how quickly can you detect and how quickly can you respond to make that just a nonissue, right? The earlier you get to those things in the kill chain, the better off it is. So, you know, planning out what you can do in your environment. And again, it sounds difficult coming from a guy who's technical. I get that. But it's really not. It's really not all that hard. If you - again, if you plan it out correctly, it doesn't take that much. It doesn't take that much budget. It can be done cost effectively, and it can be very effective for the organization, right? So again, it - the faster you can get to those things, the better it's going to be. And it's not - that's not going to stop anytime soon.
Dave Bittner: What about the need to respect people's privacy? This is a blended network, and they're probably doing stuff at home that they wouldn't be doing at the office, but that's OK.
Greg Scasny: Yeah, but those things are risky, too, right? So depending on what those things are - and I won't - I mean, I won't get into things that we detect, but you do have to kind of blend that. You know, things that - I think there are things you can do, right? I think there are things you can do like not breaking SSL and things like that that while that does give you good security telemetry, that gets you on the fence of, OK, that privacy piece that you just don't want to step on. So you have to come up with strategies to be able to utilize technology - and it's out there - to not trample on people's privacy but still give you the telemetry that you need from a defensive standpoint to be able to detect and respond to alerts and events that happen when you're accessing corporate data.
Dave Bittner: Do you have any practical tips for rolling out a program like this to make it so that it's, you know, not overwhelming all at once?
Greg Scasny: You know, it's so custom to businesses, it's hard to give out those practical tips, right? So - but you need to understand - you know, understand where your data sits. You know, people talk about data classification, but, I mean, truly understand what that means if that data gets out, right? Some data is more important than others. Some data have worse repercussions should that fall into the wrong hands than others. So, you know, that's a hard task to do, but it's something that you need to do and you need to sit down with - it's not just IT's job. It's not just the security department's job, right? It's kind of everybody's job. Then you need to start that educational campaign - right? - to teach people why it's important. And then the very last thing you need to do is implement the technology, right? So - and I'm a tech guy, right? I sell technology solutions, you know, and people need to realize that technology is that last step, right? The people in the process need to come first. You need to get the buy-in, and then that makes the technology part easy. And then when you do that, the solutions almost become self-evident, right? It's one of those things that, OK, I know what I need to do. I know where my risks are. I know that these are where my people need to be and where my data is at. Now I need to find X, Y, Z solution to reduce that risk, eliminate that risk or provide some compensating control around that risk.
Dave Bittner: That's Greg Scasny from Blueshift Cybersecurity.
Dave Bittner: And I'm pleased to be joined once again by Malek Ben Salem. She is the technology research director for security at Accenture. Malek, it is always great to welcome you back to the show. You and I have been talking about deception systems. And I want to dig in today and really talk about ways to maximize their full potential - if this is something that you're going to deploy to get the most out of it. What can you share with us?
Malek Ben Salem: Yeah. So we talked about the potential use of deception systems for resilient design of software - right? - and this notion of expanding the users of deception systems or the folks who benefit from deception systems beyond the security community. As we talked before, you know, information security professionals are comfortable or familiar with this idea of honey files and honey tokens, but application developers, software engineers, system admins are not familiar with that concept. And there is a big opportunity for them to use this technique, this deception technique and these deception systems to gather more information about attackers and how they behave and to use that information in their software system design.
Malek Ben Salem: So that's one big opportunity. The way they can do that is this information that they gather can expose opportunities for architectural improvements in operability and in simplicity of the software systems. For instance, you know, spotting a remote interactive shell as a consistent attacker behavior that is seen in the deception environment, they may decide to disable that as they, you know, deploy a real-world system. They can monitor attacker behavior, and they can - you know, through that attacker tracing, they can develop attack trees that they can leverage for threat modeling. You know, one of the assumptions that we typically make about attacker behavior is that attackers will always take the path of least resistance when moving laterally within the network. But that may not be the, you know - that assumption may not be correct, right? They may be motivated with something specific. They may be motivated by a target they want to attack. So if we have these systems in place and we're monitoring the attacker behavior, then we can correct our assumptions. And then we can leverage that information again in threat modeling.
Malek Ben Salem: Also, that information can be even used to design, if you will, experimentation platforms, right? We can start playing with, you know, what are the defenses that are, you know, most useful to deploy within a real-world environment? What deters these attackers from going further into your environment? Maybe what's something that triggers them that this environment is not realistic? Maybe if they see certain monitoring tools that would make the environment more believable to them - and if they don't see those tools there, then, you know, that could tell them that this environment is not valuable to the organization and therefore is not worth deploying ransomware on. So there is a huge opportunity for learning a lot about how these attackers are behaving, and then, again, how do we design the real-world environments so that they are resilient to any type of attack?
Dave Bittner: All right. Interesting for sure. Malek Ben Salem, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're building the next generation of cybersecurity teams and technologies. Our amazing CyberWire Team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.