The CyberWire Daily Podcast 10.11.22
Ep 1680 | 10.11.22

An update on the hybrid war, where Russia turns to missile strikes, physical sabotage, and nuisance-level DDoS. Surveys look at the state of the SOC and the mind of the CISO.

Transcript

Dave Bittner: Russia's Killnet is suspected in DDoS attacks on major U.S. airports. Starlink service interruptions have been reported. Bundesbahn communications network has been sabotaged in northern Germany. Germany's cybersecurity chief faces scrutiny over alleged ties to Russia. Ben Yelin on the FCC's crackdown on robocalls. Ann Johnson from "Afternoon Cyber Tea" speaks with Sounil Yu from JupiterOne about the importance and evolution of cyber resilience. And overworked CISOs may be a security risk, but in an encouraging counterpoint, another study shows a record of CISOs' success during the pandemic.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 11, 2022. 

Dave Bittner: Over the long weekend, Russia's hybrid war against Ukraine saw two major developments on the ground - an attack Saturday, apparently by Ukrainian special forces on the Kerch Bridge between Russia and its illegally occupied Crimean territory, and Russian retaliatory missile strikes against Ukrainian cities that began Sunday, peaked Monday morning and continued on a smaller scale today. Much of the Russian effort in cyberspace has been devoted to influence operations designed mostly for domestic spine-stiffening, but some low-grade cyber operations have continued. 

Russia's Killnet suspected in DDoS attack on major US airports.

Dave Bittner: Killnet is suspected of being behind a wave of DDoS attacks on U.S. airports. SecurityWeek reports that airports in Atlanta, Chicago, Los Angeles, New York, Phoenix and St. Louis were among those affected. The Register, citing researchers at CyberKnow who found Killnet's published target list of U.S. airports, says the nominally hacktivist group Killnet has claimed responsibility. CyberKnow subsequently shared a similar target list from Anonymous Russia. Service was restored quickly, SC Media reported, but more attacks are expected. 

Dave Bittner: U.S. states whose websites were briefly disrupted last week by Killnet remain largely closed-mouthed about their recovery. But recovery seems to have been accomplished quickly. Colorado, according to Government Technology, is back online and fully operational, but state authorities are providing few details until their investigation is complete. 

Dave Bittner: Lloyd's of London has also recovered from the unusual incident it underwent. Russian operators have been the leading suspects on grounds of a priori probability. Lloyd's had been prominent in its practical support of sanctions against Russia, Infosecurity writes. But as The Register points out, attribution is still up in the air. Lloyd's concluded yesterday that no data was lost in the suspicious incident that came under investigation last week. The insurance market told Reuters, "The investigation has concluded that no evidence of any compromise was found, and as such, Lloyd's has been advised that its network services can now be restored." 

Dave Bittner: Two general points are worth making. Russian cyberattacks continue to achieve little more than nuisance-level results. And despite their hacktivist posturing, threat actors like Killnet and Anonymous Russia are agents of the Russian state. 

Starlink service interruptions reported.

Dave Bittner: Ukrainian forces are said to have encountered disruption of Starlink services as they've advanced into formerly Russian-occupied territory, the Financial Times reported Friday. No cause for the outages has been established publicly, but there's been speculation that SpaceX had interfered with service in those areas to deny them to Russian operators but that they hadn't been able to keep up with Ukraine's advances. 

Dave Bittner: There's also been speculation that SpaceX might have put the brakes on Starlink as part of founder Elon Musk's recent suggestion that Russia and Ukraine might be better off with a negotiated peace. His suggestion, tweeted on October 3, that a referendum might be the solution to the conflict was well received in Russia, very poorly received in Ukraine, and generally disapproved of elsewhere, The Economist reports. For his part, Mr. Musk dismissed the Financial Times story as bad reporting, especially insofar as it overstated the services Ukraine had bought and paid for. For now, the reported outages remain under investigation. 

Dave Bittner: Starlink's early provision of internet connectivity to Ukraine was widely regarded as crucial to blunting Russian jamming and information operations in the theater. The Washington Post reported in August that the U.S. government had bought and delivered more than 1,300 Starlink systems to Ukraine and SpaceX itself had donated about 3,600. That Ukrainian forces missed their connectivity and raised its loss as a tactical communications challenge attests to how important commercial internet service has become to battlefield command and control. 

Bundesbahn communications network sabotaged in northern Germany. 

Dave Bittner: Rail travel in the north of Germany was disrupted over the weekend by sabotage that took down communications used for train control. The incident was one of deliberate physical sabotage. Cables were cut, and the incident remains under investigation. Bloomberg quotes German police as calling the sabotage targeted and professional and says that they have so far developed no clear suspects. 

Dave Bittner: Nonetheless, initial suspicion turned to Russia. The Telegraph reports that Anton Hofreiter, a member of the Green Party who chairs the Bundestag's European Affairs Committee, said the Kremlin may have issued a warning because of Germany's support for Ukraine. "To pull this off, you have to have very precise knowledge of the railway's radio system. The question is whether we are dealing with sabotage by foreign powers." 

Reports: Germany's cybersecurity chief faces scrutiny over alleged ties to Russia.

Dave Bittner: Reuters reports that Arne Schönbohm, president of the BSI - Germany's federal information security agency - is under scrutiny for contacts with Russia he may have developed through his participation in the Cybersecurity Council of Germany. Interior Minister Nancy Faeser is said to be seeking his dismissal. The story is still developing, but sentiment in Berlin seems to be moving in the direction of Herr Schönbohm's replacement. 

SOC performance report released.

Dave Bittner: Devo's annual SOC Performance Report was released today. The survey asked security professionals for their views on the state of the SOC. The results show that 77% of respondents believe that their SOC is essential or very important to their company's cybersecurity strategy. While most respondents considered their SOC effective, those that didn't believed that their SOC had a lack of visibility into the attack surface, as well as challenges hiring and retaining skilled employees. Cyber-risk compliance, threat detection and incident response and remediation were found to be the most prominent SOC services provided by organizations, with threat hunting and cloud-native capabilities listed as the top two services they expected to add within the next year. 

Dave Bittner: The role of a security information and event management system is also discussed. For respondents with organizations that utilized a SIEM, threat detection, threat investigation and incident response were among the most common services provided by the SIEM. Ninety percent of respondents rate their SIEM as effective to very effective, with 25% of respondents giving it a nine or a 10 on a 10-point scale. Surveyors also asked about the downfalls of respondents' SIEM capabilities, with a lack of machine learning capabilities by far being the largest reason the system is found to be ineffective, with cost and lack of integration trailing behind. 

Overworked CISOs may be a security risk. 

Dave Bittner: Is overwork a security risk? There's some evidence that this may well be so. Tessian released a blog today detailing the results of its study of overworked CISOs and how fatigue and burnout pose a security risk to their companies. Results found that CISOs are working significant amounts of overtime - upward of two extra days a week, working on average 16 1/2 extra hours a week. This is an increase of 11 hours over the past year. On top of that, three-quarters of CISOs report not being able to switch off from work, with 16% saying that they never switch off. 

Dave Bittner: The larger the company, the more overtime the CISO seems to be pulling. CISOs at companies with 10 to 99 employees work an average of 12 extra hours a week, while their counterparts at large companies with a thousand or more employees work an extra 19 hours. But it was also found that work-life balance, despite the lower number of excess hours, is harder for CISOs at small companies. Only 20% of CISOs from small companies report being able to always switch off, while 31% of their counterparts at large companies say the same. 

Dave Bittner: Forty-seven percent of employees report distraction as the main reason for falling for a phishing scam, with 41% citing distraction as the reason for sending an email to the wrong recipient. These incidents add to CISOs' workload; the blog cites a separate survey by Forrester, which found that security teams can spend up to 600 hours per month on threats caused by human error. 

Encouraging counterpoint: another study shows a record of CISO success during the pandemic.

Dave Bittner: Finally, however, we are pleased to end on a moderately encouraging note. Deloitte has released a study on a related topic - the relative positions CISOs have achieved in organizational hierarchy and influence. Their study, "State Cybersecurity in a Heightened Risk Environment," concludes that U.S. state CISOs have gained strength and authority following their work in migration of government services and operations to the virtual landscape. Their work during COVID-19, in particular, should be counted a success. It gave state agencies the ability to maintain a high level of service amidst the pandemic. So a well done seems to be in order. 

Dave Bittner: Coming up after the break, Ben Yelin on the FCC's crackdown on robocalls. Ann Johnson from "Afternoon Cyber Tea" talks with Sounil Yu from JupiterOne about the importance and evolution of cyber resilience. Stay with us. 

Dave Bittner: Ann Johnson is the host of "Afternoon Cyber Tea," a podcast you can find right here on the CyberWire network. On a recent episode, she spoke with Sounil Yu from JupiterOne about the importance and evolution of cyber resilience. 

Ann Johnson: Cyber resilience is something that the security industry has been talking about for a long while, but over the last few years, the concept has evolved quite a bit. You have played a really big role in shaping the conversation on cyber resilience, and you've developed multiple frameworks that leaders use today. So from your words, how has the conversation evolved? What are some of the paradigm shifts we are seeing in the industry? And how will that necessitate a new approach to cyber resilience? 

Sounil Yu: Sure, Ann. So one of the challenges that I saw, one of the reasons why I tried to shake up the ecosystem is because I didn't see the conversation evolving as quickly as it needed to. What I saw in the market was the propensity for vendors to sell solutions that really solve all the problems. And one of the frameworks that I created was this thing called the Cyber Defense Matrix. And it's a simple mental model that helps us understand all the different things that the vendors are selling us. And it became pretty clear as I was mapping out all these different vendors, that there was a massive gap in the market for solutions that help us recover against cyberattacks. 

Sounil Yu: And as I studied this matrix and as I tried to understand why this was the case, there was a revelation that came about in terms of why we might be missing something in that space from a timing standpoint and just our thinking standpoint. So this paradigm shift is really as we move into this stage of recover, as we try to tackle the space around recover, just a massive gap that's in the market made it very clear that we needed to think differently about how we tackle that problem. 

Ann Johnson: So when you think about that then and you think about protect, detect, respond and the fact that organizations continue - right? - down that path, how do you shake them up? How do you get them to change their thinking and move into a point where they realize? Because I, as you know, I've written a blog a lot and spoken about cyber resilience for the past four years. And you need to understand where your critical business systems are and get them back online as quickly as possible is the core of it, right? But how do you get organizations moving when they're really tied into the past technologies and the past methodologies and the past architectures? 

Sounil Yu: Yeah. So I took a different approach which attempted to take a complete break from our old way of thinking. And if I were to distill it into a common framework that we in security are familiar with, it used a whole different paradigm or a whole different perspective. And the old way of thinking is what we call the CIA triad in security. And CIA stands for confidentiality, integrity and availability. The new paradigm or the new way of thinking, one that I tried to take a complete break from is what I call the DIE Triad. And DIE stands for distributed, immutable, ephemeral. And the acronym, by the way, is intentional as well. So the DIE triad takes a complete break from the CIA triad. 

Ann Johnson: How long do you think it's going to take the industry to start moving in that direction, and in doing so, what's going to get in their way? 

Sounil Yu: Actually, so a funny thing is I think that what's going to get in the way is security people. Because effectively, we in security are well vested and well employed, and we're rewarded for doing CIA. And what I'm actually arguing is that on the other end of the spectrum, we have a situation where we are not going to be where we lower our burden for security. 

Sounil Yu: And one general way that we can think about the type of resources that we oftentimes build in these environments that aren't prem (ph) is to think about those as long-lived resources that we have to care about. And one of the analogies I use is that we oftentimes build pets, and these pets are things that we have to care about. We give them a name and so on, so forth. And so because organizations build a lot of pets, we are veterinarians within our IT organizations. 

Dave Bittner: You can hear more of this interview, and indeed, the entire library of "Afternoon Cyber Tea" podcasts right here on the CyberWire podcast network. 

Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Interesting story over from Gizmodo. This is an article by Lauren Leffer, and it's about the FCC blocking calls from telecoms that ignore the robocall plague, as they put it. What is going on here? 

Ben Yelin: So we have all been there. I probably receive about 10 of these calls in a given week, maybe more. 

Dave Bittner: Yeah. 

Ben Yelin: It's your warranty is about to expire. It's an automated message. 

Dave Bittner: Right. 

Ben Yelin: Luckily, the most recent versions of cellphones are pretty good at sniffing these out. I get a lot of calls from, quote-unquote, "Scam Likely." 

Dave Bittner: (Laughter) Right. 

Ben Yelin: Now I kind of want to meet someone in real life named Scam Likely. 

Dave Bittner: Right. Right. 

Ben Yelin: I'll get extremely confused when I get an incoming call. 

Dave Bittner: Sounds like a character from "Guys and Dolls," you know? 

Ben Yelin: Yeah, exactly. That is... 

Dave Bittner: We've got to invite Scam Likely to the dice game, to the craps game. Yeah. 

Ben Yelin: Dice game in the sewer, playing with Sky Masterson. No. So the FCC is really going to crack down on some of the companies that propagate these robocalls. They mentioned seven companies here. I'm not going to publicly shame them. They are listed in this article. 

Dave Bittner: They may have earned it. 

Ben Yelin: And they have received final warnings from the FCC. I think many of them have received previous warnings, and their responses have been, well, we weren't aware of the federal standards, which are called the STIR/SHAKEN standards. 

Dave Bittner: Yeah. 

Ben Yelin: Or they've said that these are innocent compliance issues. They're trying to comply with the standards. But for one reason or another, they were not able to comply. And the FCC is sending a final warning shot saying this is no longer going to be acceptable. It doesn't matter if you purposely evade the standards. It doesn't matter if you're negligent. If these robocalls continue and if you don't comply with SHAKEN/STIR - which I can tell you is signature-based handling of asserted information using tokens, and STIR, secure technology identity revisited... 

Dave Bittner: Wow. 

Ben Yelin: ...Which are the technologies that verify that phone calls are coming from a legitimate provider. 

Dave Bittner: Right. 

Ben Yelin: If these companies don't comply with those standards, they are going to be cut off from our telephone communication system. Basically, a wall will be placed in front of every call coming from numbers belonging to these companies, and they won't make their way to me and you, the people who receive these calls. 

Ben Yelin: This is a major escalation on the part of the FCC. I mean, they have the authority to stop robocalls. Congress has granted them the authority. There was an effort in the mid-2000s to rid us of these burdensome robocalls, especially as cellular phones became more ubiquitous. 

Dave Bittner: Yeah. 

Ben Yelin: And I think companies were finding a way around those guidelines and those regulations. And so if this is the FCC trying to keep up with the technology and say we've now developed pretty robust standards and ways to verify that phone calls are coming from actual human beings or actual legitimate organizations, and if you, as a company propagating one of these calls, are not complying, then we will fully cut you off. It seems to me that this is something that most people would be supportive of. I don't think any of us like these robocalls. 

Dave Bittner: No (laughter). 

Ben Yelin: The only exception is the seven companies listed here. 

Dave Bittner: Right. The CEOs of the seven companies listed (laughter). Right. Well, I mean, is this - this is pretty much a poison pill for those companies, right? I mean, this could be a death sentence for them. 

Ben Yelin: It absolutely could be. As it is, I still don't really understand how they make money in the first place just because who would hear an automated message from somebody talking about an extended warranty and actually take action beyond hanging up the phone and expressing their disgust? 

Dave Bittner: Yeah. 

Ben Yelin: But supposedly enough people do it that it's profitable for them. So they are going to continue to do it until they're stopped. And I think that's what's going on here. Yeah, it could be a death sentence for these companies, or they're just going to have to move on to a less intrusive, illegal business model... 

Dave Bittner: (Laughter). 

Ben Yelin: ...That is based on preying on innocent Americans and their inability to distinguish legitimate phone calls from BS. 

Dave Bittner: Yeah. 

Ben Yelin: So I don't have too much sympathy for these seven companies. 

Dave Bittner: And I suppose there's probably nowhere else for these folks to go. I mean, if - I'm going to guess that when it comes to accessing the U.S. phone system, these companies are probably the lowest common denominator, you know, like, the lowest access point available. These are the folks who are willing to look the other way. You know, your T-Mobiles, your Verizons, your AT&Ts probably already said to these folks, you can't use us for this sort of thing. So could this make a difference? Might we see these things stop? 

Ben Yelin: I really think it could. I mean, the FCC, if they are willing to use their nuclear option here, which is cutting off phone calls, then yes, I think we could actually finally see this issue resolved. I don't see any reason why they would not follow through on this threat. 

Ben Yelin: Right now, it's just these seven companies. I'm sure more of these companies are going to spring up as these companies get taken offline. So perhaps the enforcement mechanism is going to need to be broadened to account for new entrants into this marketplace. But, yes, I do think this potentially could be the death knell for these obnoxious robo phone calls. 

Dave Bittner: Well, here's hoping (laughter). 

Ben Yelin: Yes, I think you speak for all of us in saying that. 

Dave Bittner: (Laughter) Yeah. All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.