Updates on the cyber phases of Russia's hybrid war, including the role of DDoS and cyber offensive operations. Ransomware, bad and sometimes bogus
Dave Bittner: DDoS as a weapon in a hybrid war. Resilience in the defense of critical infrastructure. Offensive cyber operations against Russia. LockBit claims to have hit Mandiant, but their claim looks baseless. Rick Howard joins us with thoughts on trends he's tracking at the RSA Conference. Our guest is Dr. Diane Janosek from NSA with insights on personal resilience. And the effects of ransomware on business.
Dave Bittner: From the RSA Conference in San Francisco, I'm Dave Bittner with your CyberWire summary for Tuesday, June 7, 2022.
DDoS as a weapon in a hybrid war.
Dave Bittner: Distributed denial of service attacks have become a defining feature of Russian cyber operations in its war against Ukraine. Search Security, quoting research by NetBlocks, notes that DDoS attacks have affected connectivity in Ukrainian cities and have also spilled into countries sympathetic to Ukraine. Operators sympathetic to Ukraine have also conducted DDoS operations against targets in Belarus and Russia. In these operations, the preferred targets have been media outlets. DDoS has been a nuisance-level threat and not a decisive or even significant weapon.
Resilience in the defense of critical infrastructure.
Dave Bittner: A point that SSSCIP deputy director Zhora made during his media call yesterday was to credit Ukrainian defenders with having blunted the effects of Russian cyberattacks. The Observer Research Foundation has an independent report on the resilience Ukraine has shown in the cyber phases of the hybrid war. Among the most consequential Russian operations was the campaign to take out ground stations essential to the operation of the Viasat network in Ukraine. Disrupted service was either restored or replaced quickly, and the report speculates that Russia, expecting a swift victory, was reluctant to strike Ukrainian infrastructure in ways that would render it inoperable after a Russian conquest. This speculation is perhaps belied by subsequent Russian willingness to reduce entire cities and their infrastructure to rubble.
Dave Bittner: The report draws three conclusions important to the cyber phases of any hybrid war. First, despite its impressive modernization and known capacity for electronic and cyber warfare, the Russians have found the going in the cyber battlefield difficult. Of course, we cannot accurately assess the extent of assistance that the Ukrainians are getting from cyber powers like the U.S. and the U.K.
Dave Bittner: The second is the importance of resiliency of the digital systems, which means there must be sufficient redundancy built in to be able to take on a determined cyber adversary. Associated with this is the importance of the quality of the EW personnel since there is little room for error in the cyber battlefield, especially when you are seeking to advance in contested territory. Next-gen systems will probably have to incorporate artificial intelligence and machine learning systems to achieve some of these goals.
Dave Bittner: Another important lesson is the important role that the private sector has, especially in the area of cyber warfare. Ukraine has acknowledged Google's contributions with a peace prize, and Starlink made an important contribution to the quick restoration of satellite communication.
Offensive cyber operations against Russia.
Dave Bittner: Ukraine has disclaimed any offensive cyber operations against Russia, saying they're either the work of hacktivists or of sympathetic nation-states, effective allies. In any case, Ukraine lacked the organizational capacity to mount such offensive operations. So if indeed the U.S. and presumably other cyber powers generally hostile to Russia are indeed conducting offensive operations, as General Nakasone said last week, tersely and without elaboration, does this make the U.S. a belligerent?
Dave Bittner: In its journal Articles of War, the Lieber Institute has published a thoughtful essay on the application of the laws of armed conflict to cyberspace. It notes first that not enough is known yet about U.S. cyber operations to draw an informed conclusion. From what is known, however, it seems likely that U.S. operations qualify as either lawful collective self-defense or qualified neutrality.
Dave Bittner: For its part, Russia hasn't cared much for the intervention General Nakasone alluded to. A report carried by UNI/Sputnik quotes senior Russian officials to the effect that Russia is the one who's standing up for good behavior in cyberspace, that Russia is ready to work out appropriate international legal arrangements with all states that are sober about the threat of cyber warfare. The source quoted is Andrey Krutskikh, a senior Russian information security official. He goes on to denounce U.S. support in cyberspace for the Zelenskyy regime's attacks against Russia and warns that should the U.S. continue in its policy, it should expect a firm and decisive response from Russia.
LockBit claims to have hit Mandiant, but their claim looks baseless.
Dave Bittner: The LockBit gang version 2.0 claims to have successfully hit Mandiant, but CyberScoop and BleepingComputer both report there seems to be nothing to those claims. Mandiant has seen no evidence of any successful attacks, and the purported evidence LockBit has been woofing seems to have been culled from earlier hits unrelated to Mandiant. Mandiant suggests an explanation for the imposture. They say based on the data that has been released, there are no indications that Mandiant data has been disclosed, but rather the actor appears to be trying to disprove Mandiant's June 2, 2022 research blog on UNC2165 and LockBit. LockBit was especially exercised by Mandiant's association of the ransomware-as-a-service gang with Evil Corp and by its suggestion that they operated in the interest of the Russian government. They're apolitical, says LockBit, and they've got affiliates all over the world.
Effects of ransomware on businesses.
Dave Bittner: Cybereason has released the results of a study detailing the effects of ransomware on business. It was found that 73% of respondents have been the target of a ransomware attack in the last two years, up from 55% in 2021. It was also found that paying the ransoms didn't make for better outcomes, with 80% of respondents that paid noting that they were victims of a second attack. More than two-thirds of those surveyed report that their combined losses were between $1 million and $10 million. And some organizations reported significant boosts in their security programs and budgets as a result.
Dave Bittner: A few of the more interesting trends the study discovered were: the weakest link may be in the supply chain. They said nearly two-thirds of companies believe the ransomware gang got into their network via one of their suppliers or business partners. Ransomware disrupts business operations. Nearly one-third of businesses were forced to temporarily or permanently suspend operations following a ransomware attack. They also noted that organizations have trouble coping with double extortion. They said 60% of organizations admitted that ransomware gangs were in their network up to six months before they discovered them. This points to the double extortion model, where attackers first steal sensitive data, then threaten to make it public if the ransom demand is not paid.
Dave Bittner: Palo Alto Networks' Unit 42 has also been looking at trends in ransomware. They see an increase in ransom payments. "The average ransomware payment in cases worked by Unit 42 incident responders rose to $925,162 during the first five months of 2022, approaching the unprecedented $1 million mark as they rose 71% from last year." And as Cybereason also found, the damage extends beyond the direct cost of any ransom payment. Cybereason says that's before additional costs incurred by victims, including remediation expenses, downtime, reputational harm and other damages.
Dave Bittner: It's easy to get caught up in all of the technology on display here at the RSA Conference, but it's just as important to focus on the human element of the industry. Dr. Diane M. Janosek is deputy director of compliance at the National Security Agency. Her presentation here at the RSA Conference is titled "Unleash Your Inner Resiliency."
Diane Janosek: It's not sustainable on a personal level to be in a constant surge. We all have the ability to ramp up and to really charge hard. But cybersecurity, you can't be in a sprint every day. And because the threats are, you know, increasing in velocity, in sophistication, we can't - you know, cyber defenders can't sleep. I absolutely love the cybersecurity field. People are so committed to getting things done, to being secure, to keeping the business running, keeping Americans secure. But then you have to balance that. If everyone's looking at you, what are you doing for yourself?
Dave Bittner: Do you think that it's a particularly American problem? It strikes me that we wear exhaustion as a badge of honor sometimes. You know, look how hard I'm working. I haven't slept in X number of days, and I haven't taken a vacation in two years. But it's diminishing returns, right?
Diane Janosek: Right. I'm so glad you mentioned that, Dave. So people look at really hard chargers and they realize what happens. And I think a lot of times, it's forced recovery. Something happens and they have to, you know, take a break. You don't want to be in a position of forced recovery. And so what you want to really make sure that you do is don't use dedication as an excuse.
Diane Janosek: Being overworked is not healthy. It's not a badge of honor. It's showing that you don't trust your teammates. You can't delegate. People want to know that you have trust in them, that you believe in them, that you know that they've got it. And if you're constantly there, never taking your own break, they won't feel that from you, that you believe in them. And when people don't feel like you believe in them, they're not willing to give their best.
Dave Bittner: What about for the team leader? How do - how does that person go about making sure they're checking in on the folks that they work with, that they're taking care of themselves and also that that leader is doing everything they can to make sure everybody's in a good place?
Diane Janosek: I think saying exactly what you just said - when you start the meeting, say, hey, I just wanted you to know that I'm here to talk. If you don't talk to me afterwards, I do want to make sure I check in with you. Let me know how I can help you. Where is there - you know, can I offload something, give you more? Are you ready for more? You want team more? They may want to take more responsibility.
Diane Janosek: So if you just say - communicate that, hey, we - I'm looking at this to make sure that you're the whole person when you're here. And when you're here - maybe not physically, if you're doing remote work - you still want them to be physically present when they are there, and really charged and energized, and be like, hey, this is what I want to do. Yeah, I'm going to take a break to take my child to soccer, but when I come back, I am fully present, and I want to be fully present, and I'm fully loyal. So being loyal does not mean you have to be exhausted.
Dave Bittner: It really strikes me that the leaders modeling the behavior they want to see from the folks they work with is really key here because a leader can say anything they want about taking time off, taking care of yourself. But if they're not actually doing it, everyone else is going to interpret that as being what the standard has been set at.
Diane Janosek: I agree. And I'm probably not the best example - right? - 'cause I...
Dave Bittner: Do as I say, not as I do.
Diane Janosek: But, however, you know, I don't believe in forced recovery. I want - if I feel like, oh, my gosh, I'm - you know, I really kind of feel worn down, or I'm getting grumpy or...
Dave Bittner: Yeah.
Diane Janosek: ...I'll take a break, right? So I really - I mean, I am high energy, and I work all the time, but I have to have that insight. So the way that I look at it is you have to have the insight into how you're physically responding and emotionally responding to the environment around you. And if that's changing for some reason, look at yourself. It's like, oh, so-and-so's always giving me a hard time. Maybe they're not. Maybe you're the one that's actually just not having the patience that you usually have because you're just - kind of just worn out, and you don't - you have to recharge. So having the insight into your own reaction to people's behaviors - it's not always them.
Dave Bittner: What are your recommendations, then? I mean, clearly this is a problem. And my sense is that we're - if we are gaining ground, it's not happening very quickly. So how do we - within cybersecurity, how do we move the culture change forward?
Diane Janosek: Make a decision for yourself. I mean, look around you. You're going to see people that you believe have, you know, a positive outlook. And see what they're doing. How are they handling their life? Learn from them, and then apply that to yourself.
Diane Janosek: There was a study done back in the '70s on happiness, and it's still true today. And it said, you know, with success doesn't come happiness; with happiness comes success. So if you can, you know, find people that say, hey, that person's - they're always - they're just happy to be here, and they always are delivering. And what's their trick? Talk with them. If you surround yourself with people that - and then kind of say, what can I learn from that? And then also invest in yourself. So you're constantly having to do the job right, making sure your team is doing the job right, making sure the company stays, you know, profitable or your business line stays, you know, up, especially with my world, in the area of national security. So doing all that - staying that - but what are you doing for yourself for the longer term and setting the example? Because at the end of the day, Dave, we all know this - people want to work for inspiring, amazing, empowering leaders.
Dave Bittner: That's Dr. Diane Janosek from the National Security Agency.
Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, you and I are walking the floors here at the RSA Conference here, and I'm eager to check in with you to see what sort of things are catching your eye so far.
Rick Howard: I love RSA. It's kind of like a high school reunion for cybersecurity nerds. You see all your old friends from years gone by, and the conversations just pick up where they left off. I love coming here.
Dave Bittner: Yeah. Yeah. So first off, you're spending some time over at the RSA bookstore?
Rick Howard: Absolutely, 'cause the Cybersecurity Canon Committee is out in force at the RSA Conference. We've set up a shelf or a desk where all of the Hall-of-Fame books are available for buying at the bookstore, and the bookstore has arranged some of the authors to come in and sign them. So if you're looking to get the next big read in cybersecurity, wander over to the bookstore, see the authors, shake their hands - they would appreciate it - and pick up the next great book in cybersecurity.
Dave Bittner: They may even see you there.
Rick Howard: They may.
Rick Howard: Which is different than we've done all of the last two years.
Dave Bittner: Yeah. Yes, absolutely. Well, let's dig into some actual, you know, cyber topics here. I mean, you've been having some meetings. What are some of the things that folks have been talking about?
Rick Howard: Well, I got to go over to the Mandiant press conference, right? And Mr. Hultquist is the VP of threat intelligence over there.
Dave Bittner: Sure.
Rick Howard: And he was talking about Ukraine and Russia and why we haven't seen the giant cyber war that we thought we were going to see on the runup to that effort, right? And he made one interesting point - is that the reason we haven't seen a big cyber operation could be because the Russians are having trouble managing their infantry and artillery - right? - coordinating what they're supposed to do on the battlefield. Looks like cyber might be third or fourth priority. It's the reason we haven't seen major things going on in the country, and I thought that was a really interesting point.
Dave Bittner: So they're just busy with other - with the kinetic.
Rick Howard: Yeah, more important things.
Dave Bittner: Yeah. Yeah. That is a fascinating possibility. What else out on the floor here? I know you've been hearing a lot of people talking about virtual CISOs?
Rick Howard: Yeah, you know, this is a kind of a phenomenon that's popped up in the last couple years, and I never really paid that much attention to it, but it looks like it's gathered some legs. A lot of my old friends who were big-time CISOs for Fortune 500 companies have decided they don't want to be real CISOs anymore. They're going to be these virtual CISOs, and...
Dave Bittner: OK.
Rick Howard: ...They kind of fly in and drop into an organization that needs some help and gets everything organized, and then they get out the door.
Dave Bittner: They show up as like - there's a hologram or something?
Rick Howard: Yeah, that's the next thing.
Dave Bittner: (Laughter) Right.
Rick Howard: The next innovation. All right. But it's a really interesting topic, and it's - my hot take on this is I think that's the wrong direction. I mean, I like that my friends can do this and make some money doing that.
Dave Bittner: What's in it for the organization engaging - instead of hiring, you know, a real CISO, in air quotes?
Rick Howard: Yeah, it's a good question, though what I hear people talk about is, you know, real CISOs are expensive, you know, because they have all this experience, and maybe they don't want to bring them on to the staff. And that's odd because they pay for other executives to be on the staff. Why would they need...
Dave Bittner: Right.
Rick Howard: ...To be cheap about this?
Dave Bittner: Have you looked at the cost of a data breach lately?
Rick Howard: Yeah, you know, that's...
Dave Bittner: (Laughter).
Rick Howard: We've never broken through that discussion.
Dave Bittner: Right, right.
Rick Howard: Right? And, you know, I was - we were talking earlier today with some of our customers that walked by the booth that, you know, five years ago, we were expecting that CISOs were going to be on the senior executive team, right? And it was just a matter of time till that was just a normal thing.
Dave Bittner: Right.
Rick Howard: And that doesn't look like it's happening. It's happening somewhere. In some places, it's like that. But if this virtual CISO thing catches on - and I think it is...
Dave Bittner: Yeah.
Rick Howard: ...We have lowered the gravitas of that position down to a contractor who comes in and fixes some things and then - and leaves later. And to be optimistic about it, some of my friends said, well, one outtake of this could be they bring in this guy or gal to fix things, and then they eventually hired a CISO because now there's a program to run. You know, they come in and establish a program and then go, and then they might hire that person to be the CISO.
Dave Bittner: Right.
Rick Howard: Or they might do something else. But it's a new phenomenon, and we don't know how it's going to go in the future, right?
Dave Bittner: So it could be level-setting that that person comes in and says, hey, this is what you didn't know you didn't know?
Rick Howard: Yeah, yeah. It could be, right? It could be the company's or the organization's first steps into cybersecurity. We don't want to commit fully to an executive, but let's bring in someone to get us going, and then we'll see where we go from there. It's an interesting idea and something I did not see coming.
Dave Bittner: Yeah, absolutely. Anything you're looking forward to out there walking the show floor?
Rick Howard: I have yet to go around the booth to see all the new companies out there. That's...
Dave Bittner: Yeah.
Rick Howard: ...My favorite part about RSA - right? - because it's like Mardi Gras over there, right? So...
Dave Bittner: (Laughter) That's true.
Rick Howard: And I will be doing that later on today, so I'll tell you later.
Dave Bittner: All right. Sounds good. Well, Rick Howard, thanks for joining us.
Rick Howard: Thank you, sir.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachael Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.