Another DDoS attack against NATO governments. The US 2022 National Defense Strategy is out. Notes on ICS security.
Dave Bittner: Cyberattacks against Poland's and Slovakia's parliaments. The U.S. 2022 National Defense Strategy is out. Insights from SecurityWeek's ICS Cyber Security Conference. The importance of zero trust in industrial environments. Malek Ben Salem from Accenture on machine language security and safety. Our guest is Nick Schneider of Arctic Wolf to discuss why he believes 2023 will see a resurgence of ransomware. And CISA issues four more ICS advisories.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 28, 2022.
Cyberattacks against Poland’s and Slovakia’s parliaments.
Dave Bittner: In a recent development in Russia's hybrid war, more distributed denial-of-service attacks appear to have hit Eastern European NATO members. According to AFP, the parliaments of both Poland and Slovakia sustained cyberattacks yesterday that knocked out various parliamentary networks, including those supporting both voting and telecommunications. From descriptions of the attacks, the incidents appear to be DDoS attacks. Reuters quotes Bruno Kollar (ph), speaker of the Slovak parliament, as saying, "We have identified a cybersecurity incident. There is a signal coming from some point which jams our systems, computers. We cannot even serve the lawmakers in our cafeteria." Polish sources say that some of the attack traffic originated from Russia, and it's widely suspected that the attacks were a Russian operation retaliating for Polish and Slovak support for Ukraine in the present war. On Wednesday, just a day before the attacks, Poland's parliament had passed a resolution condemning Russia as a terrorist state. Slovakia had recently decided to send Ukraine warplanes in exchange for U.S. fighters to be delivered later.
The US 2022 National Defense Strategy is out.
Dave Bittner: The U.S. has published its National Defense Strateg. The document highlights the threat from four familiar adversaries - China, Russia, North Korea and Iran, all of whom deploy notable offensive cybercapabilities. The strategy emphasizes deterrence and with respect to cyberspace, deterrence through resilience, which it suggests is achievable through a range of measures that include encryption and implementation of zero-trust principles. The document also says that the U.S. will pursue deterrence by direct and collective cost imposition, which could include offensive cyber operations. This represents a more assertive use of national power in cyberspace. The document says, we will conduct cyberspace operations to degrade competitors' malicious cyberactivity and to prepare cybercapabilities to be used in crisis or conflict.
From SecurityWeek’s ICS Cyber Security Conference.
Dave Bittner: This week at SecurityWeek's ICS Cyber Security Conference, OT/ICS security practice manager at IBM, David Lancaster Jr., described a challenge industrial operations face - distinguishing system failures, asset failures and cyber incidents. The question, an important one in organizing resiliency, has gained salience as the air gaps that once protected legacy industrial systems disappear. Lancaster said, fully air-gapped systems where we are today truly don't exist, and explained that the line between IT and OT has blurred as legacy systems are decommissioned and replaced by digitally connected IoT systems. This convergence has occurred as manufacturing, and critical infrastructure have grown increasingly attractive to threat actors. It used to be conventional wisdom that many industrial systems were protected by default. They used legacy equipment that preceded widespread networking, and so they came with built-in air gaps. As older systems age out and are replaced by newer, more highly networked technologies, that former advantage has been vanishing, and it seems now to have largely disappeared. There are few of those legacy air-gapped-by-default systems remaining in the field, and there are fewer of them all the time.
And the importance of zero-trust in industrial environments.
Dave Bittner: And during another panel discussion at SecurityWeek’s ICS Cyber Security Conference yesterday, Del Rodillas, ISTARI’s client partner for industrials in the Americas, and Jack Oden, program director ICS Cybersecurity SME at Parsons, outlined the importance of applying zero-trust strategy in ICS environments. The principles they discussed are well-established best practices. One of them is essential to any risk management process - identifying what needs to be protected. Put another way, this can be seen as assessing the consequence part of the risk calculation. Rodillas said, when I think about the things you need to do to get started in operation technology environments, the steps that you would apply in IT are also applicable but just in a different context. And, he added, visibility comes first, knowing what you have. He stated, the first step is trying to understand, what are your assets that are in your environment? What are your crown jewels? So getting that visibility, getting that understanding of risk is the first step. And then the next step is really using the capabilities that you have to profile the traffic between the different assets to and from the different crown jewels. And that'll really help you in terms of understanding how you might need to segment your network. And once you kind of have that segmentation, that's when you start applying the granular policy.
Dave Bittner: Oden explained that zero trust can help prevent attackers from moving around within both IT and OT networks. He said, the bottom line to me is to literally trust no one or nothing and always verify. If you keep that in mind, I think that's the most fundamental thing you can apply here. Oden continued, we have been talking for decades about perimeter security. And once you've verified the identity of the person, hopefully with good password security and maybe multifactor authentication, once they're in, for the most part, my customers were just letting those people have their way. But if you think more about it, inside your network, you've got a lot going on - again, in the crown jewels concept. And where are people coming from into your network? They're usually coming through the corporate network and then coming down to OT. And so up there, there's a lot of stuff going on. But no matter what the operation is, that OT operation is critical to you, whether it's the HVAC operation that keeps your computer center running or, if you're a power plant, providing power to the local community.
A look at OT/ICS cybersecurity.
Dave Bittner: The SANS 2022 OT/ICS Cybersecurity Report, sponsored by Nozomi Networks, was released this morning. It covers the current state of industrial control systems security. The survey indicates that OT - that is, operational technology - cybersecurity has improved in certain respects compared to last year's survey. Ransomware comprised the leading threat, closely followed by nation-state attacks, nonransomware cybercrime and threats to hardware and software supply chains. One disturbing trend is a rise in attacks where engineering workstations were the initial attack vector. But in general, most attacks - 41% - arrived through IT networks and often spread through removable media. Nozomi Networks co-founder and CPO Andrea Carcano summarized the results, stating, while the threat actors are honing their ICS skills, the specialized technologies and frameworks for a solid defense are available. The survey found that more organizations are proactively using them. Still, there's work to be done. We encourage others to take steps now to minimize risk and maximize resilience.
CISA issues four more ICS Advisories
Dave Bittner: And finally, the U.S. Cybersecurity and Infrastructure Security Agency yesterday released four industrial control system advisories. Operators should check their systems and take appropriate action.
Dave Bittner: Coming up after the break, Malek Ben Salem from Accenture on machine language security and safety. Our guest is Nick Schneider from Arctic Wolf to discuss why he believes 2023 will see a resurgence of ransomware. Stick around.
Dave Bittner: There are indications that ransomware attacks have slowed down. And many speculate that Russia's war on Ukraine is a likely cause of that slowdown. Some say this lull provides organizations an opportunity to catch up and shore up their defenses. Nick Schneider is president and CEO of Arctic Wolf. And he believes businesses and organizations should be using this time to prepare for the next wave of attacks.
Nick Schneider: I think that they've gotten a lot more sophisticated, both in the manner in which they attack but also in their operations themselves. You know, so by doing so, they've been able to get deeper and wider within organizations over an extended period of time. And by doing that, they're able to do a lot more damage or get their hands on a lot more, you know, company information. And as a result, you know, they're able to or decide to act in a way that allows them, you know, to ask for - you know, for more ransom or more, you know, funds to, you know, get the company out of a position that they don't want to be in. And they've done that both through, you know, kind of the capturing and locking of certain data or devices but also through, you know, I think more recently, some extortion tactics. You know, so, you know, they're real businesses now. You know, so whereas it might have been a little bit more grassroots in, you know, years past, you know, some of these organizations have, you know, HR teams and, you know, picnics and, you know, things that you'd expect from, you know, a traditional organization. And as a result, they're a lot more sophisticated in the way in which they approach, you know, kind of their business and their tactics.
Dave Bittner: Given where we stand today, what is your advice for organizations who are looking to dial in, you know, the amount of resources they apply to helping prevent ransomware?
Nick Schneider: Yeah, I think we have an interesting time right now in that the number of attacks has subsided slightly. So there's been a little bit of a reprieve for organizations. And I think what I've found or what I've heard as I'm talking to, you know, folks in the market is that people take that either as an opportunity to kind of shore up their defenses. Or, in my opinion, the wrong decision would be, you know, to take a slight lull as an opportunity to, you know, move or allocate budget or priority elsewhere. You know, I believe that any lull that we've seen in ransomware, you know, relatively recently will come back. And it will likely come back, you know, and then some, meaning it will come back in a more, you know, meaningful way than we even saw, you know, prior to a slight slowdown. And those organizations that use a little bit of slowdown in attacks to really firm up their security posture will be the organizations that are in a really good position. And those that have, you know, kind of neglected it, you know, over that period of time, you know, I believe will wish they had.
Nick Schneider: And, you know, what to do or the advice would be to make sure that it's a topic of communication with the executive staff. Make sure that it's a topic of discussion with - you know, with the board and make sure that you're investing in, you know, your security posture in a material way so that you can ensure that you're protected, you know, over time. And I think as companies do that, they'll find that the best way for them to be protected is to build a solution or build an ecosystem within their own environment that allows them to, you know, deliver multiple outcomes to the business. So how do you detect and respond? How do, you know, make yourself aware - you know, aware of any potential vulnerabilities? How do you educate, you know, your employee base? How do you set up education around, you know, phishing and, you know, social attacks? And then do you have a plan if something does go wrong? So do you have, you know, an incident response, you know, team or a retainer? And tying that all together is is going to be what's important for organizations. And unfortunately, that's a tall order for a lot of organizations. So, you know, that's kind of how we specialize - is we like to view ourselves as security operations cloud that can provide multiple outcomes to a customer. But whether it's Arctic Wolf or not, having a comprehensive plan and leveraging what is a little bit of a lull in activity, I think, will be really important for businesses.
Dave Bittner: You know, it seems as though the rise of cryptocurrency and the rise of ransomware kind of went hand in hand, that, you know, crypto was an enabler for some of these ransomware actors. We've seen signs that perhaps crypto will be regulated or clamped down on. Do you think that might move the needle?
Nick Schneider: Yeah, I think there's two conversations on this. One is the price of - you know, the price or the value of cryptocurrency. I don't think that that will have an impact. They'll just adjust their requests based on, you know, whatever currency that they're, you know, benchmarking the crypto against. The regulations, I think, could have a short-term impact. I don't believe it would be a medium- or long-term impact. Again, these organizations are now running significant businesses. To believe that they will just fold up shop with some adversity in the crypto markets, I think, is a naive belief. So, you know, yeah, I do think that those things will likely help in the short run, but I believe in the long run or even in the medium run, the bad actors will find a way to to continue to capitalize on, you know, vulnerabilities within an organization's cybersecurity posture.
Dave Bittner: That's Nick Schneider, president and CEO of Arctic Wolf.
Dave Bittner: There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro, and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
Dave Bittner: And I'm joined once again by Malek Ben Salem. She is the security innovation principal director at Accenture. Malek, it's always great to welcome you back. You know, recently, you and I were chatting about machine learning, security and safety. And I wanted to continue that conversation with you about some of the ways that the issues that can come up with these sorts of things can be solved. What can you share with us today?
Malek Ben Salem: Yeah. So we talked about machine learning, robustness - right? - in adversarial settings and in unusual event settings. And I think, you know, there are a few techniques or methods that we can use as machine learning engineers and as people who are developing these systems to make them more robust. One of them, obviously, is, you know, the use of robustness frameworks that we need to develop more of, that we need to expand, develop even further, develop benchmarks further to stress test these systems and identify their breaking points. There are techniques related to data augmentation, for instance, that can make these models more robust.
Malek Ben Salem: For instance, if you have a machine learning model or a computer vision system that is supposed to recognize images, you know, any perturbations in the input images may lead that system to completely misrecognize what's in the image. It has been shown that if you combine the original image with certain fractals, you may be able to make those models more robust against noise to these images. There are techniques related to entropy minimization when building these models. There are techniques in cyber physical environments of including multiple sensors and input streams from multiple sensors, again, in the self-driving car setting. You don't want to rely just on one camera to make decisions. You want multiple cameras and feed all of those or use all of those feeds from those cameras to interpret what's going on in the surrounding environment. And there are also techniques around how to train these - the models running within these systems using adversarial data points, so pre-emptively creating adversarial data that a threat actor might create and using those to train the models. There are special adversarial training techniques that have been shown to be more robust than others. The smooth adversarial training technique is one of them.
Malek Ben Salem: And then finally, I think we need to, as a community, we need to have some way of verifying the adversarial robustness of these models. So in some sort, having programs that can certify how robust these models are to adversarial attacks. And, you know, again, that's a community effort that will require some work, some collaboration. You know, it's important if we are to deploy these AI systems and be confident and trust them. I've seen most recently a program launched by researchers in Stanford University to call for attention to these problems. It's sort of like a bug bounty program. They're offering basically tens of thousands of dollars as rewards to people who can identify security bugs in these machine learning models.
Dave Bittner: You know, I recently saw a video that was making the rounds, and it was a Tesla that was in a self-driving mode, you know, looking in. And you could see the how it was interpreting its environment. And it came up behind a horse and carriage, like a "Cinderella" kind of horse and carriage, a big fancy carriage and a whole team of horses. And the system didn't know what to make of it. It could not figure out what it was. And that struck me as an example here of, you know, how do you predict - how do you put a "Cinderella" carriage in your edge cases? And how do you decide what your failsafe mode is if you come across something like that?
Malek Ben Salem: Exactly. That's exactly the challenge. It's very difficult to predict what are these rare events that these systems will encounter when they are deployed in a real-world environment. So, again, it's important then to train them or to expose them to these edge cases. And one way of doing that is by creating sort of, you know, out-of-distribution data sets and using them to train the models. There are some synthetic data generators that can be leveraged for developing these synthetic data sets and, importantly, out-of-distribution datasets. So...
Dave Bittner: I'm reminded of that - I think it's a military axiom that no battle plan survives contact with the enemy. And I wonder if that applies, you know, to putting vehicles and things out in the real world - that, you know, the set of possibilities is just practically infinite.
Malek Ben Salem: Oh, yeah. And actually, that brings me to another point that is important also for making these ML systems secure and safe. So we talked about robustness - right? - and preparing them to deal with cases that they're not used to. But it's also equally important to have capabilities embedded within these systems or outside of these systems to detect anomalies, right? If they're deployed, how can I detect and respond to a situation that is abnormal?
Malek Ben Salem: So, you know, in the case of, again, self-driving systems, you may - you know, one could say, yeah, these are not fully autonomous. Maybe we'll have people eventually oversee a fleet of, you know, self-driving cars. Or, you know, if you have Uber, self-driving cars, you will have operators monitoring them. And that's important. But in that case, you'll need to have the ability of the car or the AI system to recognize that a situation is abnormal. And you need to have that in a manner where the signal-to-noise ratio is high, right? So you don't want to overwhelm these operators with alerts. That will cause alert fatigue, and then that - you know, that will defeat the purpose of them monitoring these systems. So that's another important factor, having or developing the ability for these systems to recognize anomalies, to recognize unusual situations. That comes as a trade-off with building robustness, right? So on the one hand, you want them to recognize these unusual events and respond to them appropriately. On the other hand, you want them to recognize them as anomalies. And drawing the line between the two cases is not always, you know, straightforward.
Dave Bittner: All right. Well, interesting stuff, as always. Malek Ben Salem, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Federico Kirschbaum from Faraday Security. We're discussing "A Vulnerability in Realtek's SDK for eCos OS, Pwning Thousands of Routers." That's "Research Saturday." Do check it out. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella - and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.