US midterms conclude without cyber interference. NATO on cyber defense. New APT41 activity identified. Russia’s FSB and SVR continue cyberespionage. Trends in phishing and API risks.
Rick Howard: We're honoring Veterans Day here at the CyberWire with 15% off annual subscriptions of CyberWire Pro by using code VET2022. All one word. That's VET2022. Veterans and servicemembers can reach out to us directly at firstname.lastname@example.org for an additional discount. We also dropped a special Veterans Day episode of CSO Perspectives - that's my podcast - that you'll get access to with your subscription, along with exclusive briefings, articles and events. Visit thecyberwire.com/pro to redeem this offer by November 18.
Dave Bittner: Election Day has come and gone and there's no sign that cyberattacks affected U.S. vote counts. NATO meets to discuss the Atlantic Alliance's cyberdefense pledge. A new APT41 subgroup has been identified. FSB Phishing impersonates Ukraine's SSCIP. A look at Cozy Bear's use of credential roaming. Caleb Barlow shares tips on removing implicit bias from your hiring process. Our guests are Valerie Abend and Lisa O'Connor from Accenture, with a look at the difference in how women and men pursue the top cyber leadership roles. And an update on phishing trends and API threats.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 10, 2022.
No evidence that cyberattacks affected US vote counts.
Dave Bittner: So the U.S. midterm elections are all over. There's still some counting to be done, but it appears that no effective cyberattacks on election infrastructure materialized. Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, said yesterday, we have seen no evidence that any voting system deleted or lost votes, changed votes or was any way compromised in any race in the country. Minor DDoS incidents were reported in a few jurisdictions, the PBS NewsHour reports. But these seem in no case to have affected the voting infrastructure itself.
Dave Bittner: In particular, the Russian interference Yevgeny Prigozhin promised at the 11th hour didn't show up. Seems the Yankees do indeed have the goods on him to the extent that he's been sanctioned and that he's made an appearance on American Wanted posters. We trust Mr. Prigozhin is taking his vacations in a nice place where there's no extradition treaty with the U.S.
NATO meets to discuss the Atlantic Alliance’s Cyber Defense Pledge.
Dave Bittner: Representatives of NATO's member countries have been meeting in Rome yesterday and today to review and renew the Atlantic Alliance's Cyber Defense Pledge. Most of the proceedings have been closed to the public, but the U.S. State Department announced yesterday that cybersecurity for the energy sector is figuring prominently on the agenda. And some of this morning's keynotes are publicly available. We sat in virtually on one of them by U.S. Deputy National Security Adviser Anne Neuberger. She began by noting that NATO has remained relevant as the world and the technology in it have evolved.
(SOUNDBITE OF ARCHIVED RECORDING)
Anne Neuberger: NATO has consistently evolved to face these forces of modern technology. Indeed, in 2016, our leaders came together and committed to ensure, and I quote, "the alliance keeps pace with the fast-evolving cyberthreat landscape, and that our nations will be capable of defending themselves in cyberspace, as they do in air, on land and on sea."
Dave Bittner: She stressed that recent experience has highlighted the importance of cybersecurity preparedness and partnership.
(SOUNDBITE OF ARCHIVED RECORDING)
Anne Neuberger: Through his brutal war in Ukraine, Putin sought to split NATO. But thanks to our close work around this table, he will get exactly the opposite - a more unified NATO, stronger defenses and a more resolute trans-Atlantic community. We have seen in Ukraine the importance of preparedness and strengthening our cyberdefenses before attack. Ukraine has, in many cases, been able to successfully defend against sophisticated cyberattacks due to the work that was done before the Russian invasion this past February. Ukraine took to heart the lessons it learned in 2014 about the power of cyberattacks in modern conflict. Through partnerships with many of the countries in the room, as well as with the private sector, Ukraine has been able to continue to improve its cyber capability, and the world has been reminded of the importance of standing in support of partners when they are victims of cyberattacks.
Dave Bittner: This is not only a wartime lesson. As Neuberger went on to say, effective international partnerships are necessary to defend against transnational threats, and such threats are endemic in cyberspace.
(SOUNDBITE OF ARCHIVED RECORDING)
Anne Neuberger: We committed to developing a NATO capability to more effectively enable allies to help other allies in their times of need.
Other nations cooperate closely with NATO.
Dave Bittner: NATO, as Miss Neuberger said this morning, is getting ready to welcome two new members, Sweden and Finland. But the Atlantic Alliance is also working closely with friendly nations who are well outside NATO's original geographical scope. Prominent among those friendly nations is Japan, which last Friday announced that it would be joining NATO's Cooperative Cyber Defence Centre of Excellence.
Dave Bittner: Beijing has taken note and isn't particularly happy with the development, seeing it as a fundamentally unfriendly gesture aimed at China. The South China Morning Post quotes a spokesman for the People's Republic's foreign ministry who complained, the Asia-Pacific region is not the geographic domain of the North Atlantic, and there is no need to establish an Asia-Pacific version of NATO. The spokesman, Zhao Lijian, added, what we have seen is that in recent years, NATO has continuously strengthened its ties with Asia-Pacific countries. What is NATO's intention? The international community, especially countries in the Asia-Pacific region, should maintain a high degree of vigilance.
New APT41 subgroup identified.
Dave Bittner: Researchers at Trend Micro have identified a new subgroup of APT41, the threat actor associated with the Chinese government. They're calling the group Earth Longzhi and attribute two long-running campaigns to it, stating, since it first started being active in 2020, Earth Longzhi's long-running campaign can be divided into two based on the range of time and tool set. During its first campaign, deployed from 2020 to 2021, Earth Longzhi targeted the government infrastructure and health industries in Taiwan and the banking sector in China. In its second campaign, from 2021 to 2022, the group targeted high-profile victims in the defense, aviation, insurance and urban development industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan and Ukraine. Spear-phishing has been the primary attack vector.
FSB phishing impersonates Ukraine's SSCIP.
Dave Bittner: Ukraine's State Service of Special Communications and Information Protection warned yesterday of a phishing campaign that's sending malicious emails impersonating the SSCIP. They stated, specialists from the government's computer emergency response team of Ukraine have recorded a mass distribution of emails with malicious links allegedly under the name of the State Service of Special Communications and Information Protection of Ukraine. This activity is associated with the hacker group UAC-0010, Armageddon. As the warning goes on to note, Armageddon is associated with Russia's FSB. They are among the most active groups that have been attacking Ukraine since the beginning of Russia's full-scale military invasion. Criminals are usually exploiting topics that are sensitive and important for Ukrainians. The most common payload the campaign delivers is an information stealer.
A look at Cozy Bear's use of credential roaming.
Dave Bittner: Mandiant describes a cyberespionage campaign carried out earlier this year by APT29, Cozy Bear, a unit of Russia's SVR Foreign Intelligence Service. Cozy Bear phished its way into a European diplomatic organization's networks and subsequently abused Windows' credential roaming feature. Mandiant says the use of credential roaming in an organization allows attackers and red teams to abuse the saved credentials for the purposes of privilege escalation.
Dave Bittner: Two noteworthy trend studies appeared this morning. In the first, a study of phishing, security firm Tessian has found that 94% of organizations in the U.S. reported being targeted by spear-phishing attacks in 2022. The majority of phishing attacks involved attempts to impersonate legitimate email addresses. And ransomware remains high on the list of what the spear-phishing delivers. Ninety-two percent of organizations reported that they'd been targeted by phishing emails that attempted to launch ransomware attacks, and 10% of respondents said their organizations had received over 450 email based ransomware attacks since January 2022.
API threats and risks.
Dave Bittner: In the second study, security researchers at Wallarm released their Q3 2022 API ThreatStats Report this morning, giving a look into this quarter's API vulnerabilities and exploits. Among the more interesting findings was how compressed the timeline has become between CVE disclosure and proof-of-concept exploit publication. They now tend to occur, the report says, on the same day, which should affect organizations' mitigation planning. That is, don't sleep on applying patches.
Dave Bittner: And a final note for our listeners, tomorrow is Veteran's Day in the U.S. and a day marked for special remembrance in many other countries around the world. We won't be publishing on the holiday, but we invite you wherever you are to spare a thought for all the veterans of all nations who've served with honor and bravery and in good faith.
Dave Bittner: Coming up after the break, Caleb Barlow shares tips on removing implicit bias from your hiring process. And our guests, Valerie Abend and Lisa O'Connor from Accenture, have a look at the difference in how women and men pursue the top cyber leadership roles. Stay with us.
Dave Bittner: The team at Accenture recently published a report called "Rising to the Top," which examines the difference in how women and men pursue the top cyber leadership roles and some hurdles to overcome. Joining me to discuss the report are two women in leadership positions at Accenture, Valerie Abend, global cyber strategy lead and senior managing director at Accenture, and Lisa O'Connor, global lead of cybersecurity R&D at Accenture. Valerie Abend is up first.
Valerie Abend: As the Accenture Cybersecurity Forum Women's Council, our mission - and as we point out - there's a real challenge, particularly with these women in cyber, at getting them to the top of the field and making sure that we have equal representation at that top level.
Dave Bittner: Lisa, what's your perspective?
Lisa O'Connor: Yeah. So it's funny 'cause women are 50% of the workforce, yet in cybersecurity, we're 25% of the workforce. And if you really look at the women in leadership roles, we're going down to 17%. And so we have a talent problem in keeping diverse talent in cybersecurity. And that has a real impact for us in terms of innovation, in terms of creative teams and creative teams that can keep up with the adversary. So this is a real intrinsic problem to cybersecurity talent at large and how we're ready for national defense and for defending our companies.
Dave Bittner: I think it's fair to say there's recognition that this is an issue. And as Valerie mentioned, there have been efforts to address this. I mean, is this a matter of sometimes things just take time, or is that an excuse?
Valerie Abend: Well, I'll say that I think everybody has good intent, but what they need is more information about how to make this intentional and how that becomes part of the fabric of not just their talent recruitment and retention, but intentional on how they programmatically actually help them grow and get into the top spot. And that doesn't just happen by accident. That happens with really strong support, sponsorship at the top of the house across the C-suite. And it happens by actually looking at what makes these programs successful and how you position diverse talent to actually get the visibility, get the mentorship and actually get the opportunity to apply for, be recruited for, promote themselves into, voice their interest in being at that top layer of cybersecurity in a chief information security officer role.
Dave Bittner: Lisa, why do you suppose that we're seeing this filtering happen, that even when women are taking their place in organizations, they're not making it all the way to the top?
Lisa O'Connor: Right. That's exactly what we wanted to answer in this latest piece of research, Rise to the Top. And that is really looking at how people, men and women, rise to the top position of CISO. So we studied that. We asked men and women about their journey to CISO. How did they announce their candidacy? How did they put their hat into the ring? What were the tactics that they used to go after those positions and to make their intentions known? And also, how did they get the CISO position?
Lisa O'Connor: So tapping into the success of our ACF CISOs, men and women, we learned about some differences between how they rise and what tactics they use and what they overestimated and underestimated the importance of in that journey. And some of the insights from that are pretty startling. We found that men were much more likely - 57% more likely to rise within the organization that they were already in, where women were much more likely to gain a CISO role outside of their organization and make their candidacy known outside. And that was kind of surprising. So we double-clicked on that, and we looked at some of the other behaviors.
Dave Bittner: Well, let's dig in to that. I mean, what are some of the other insights that you all discovered?
Lisa O'Connor: Yeah. So one of the things - while men rose quickly, more directly, I should say, in their organizations, they did not rise more quickly. Women actually moved forward quickly, within six months secured a position, where for men it was more likely 12 months, which made us think and kind of said, well, why is that? These women are clearly very qualified. They're getting positions right away. What is it about their behavior or maybe how they're announcing their candidacy, that they're overthinking this potentially and going through and looking to meet all the qualifications in those roles? So we have tremendously ready candidates, but they're making their candidacy known much later.
Dave Bittner: Valerie, speaking about mentorship - I mean, what are - what can some of the folks who have risen to those top levels - how do they make sure that they're not closing the door behind themselves?
Valerie Abend: I think that's incredibly important, that all of us, men and women, take it upon ourselves as an intentional responsibility - and come back to that intentional - actually put it in your performance achievement goals, that you are not only sponsoring somebody, which means giving them voice about how great they are in rooms that that person doesn't have access to, but also putting it into your succession plan. And that should actually be part of how we hold our senior executives accountable. Who is going to be the next you, and how are you helping to sponsor and mentor that person and get support just even beyond you?
Valerie Abend: I spent, as does Lisa, a lot of time, not just with women and helping them get a visibility and understanding of what it takes to next level, but to actually introduce them to an awful lot of people who can also help them. And I think that's incredibly important, that they have a council of people who advise them as they get to the top. And that was actually one of our recommendations to the women, is that you actually don't just depend on one person. You have, essentially, your own council of advisors.
Dave Bittner: Lisa, where does this begin? I mean, is this a matter - do we need to do better with outreach to young women who are growing up, who are coming up through school to make sure they're exposed to role models, that they see this as a possibility?
Lisa O'Connor: Absolutely. The sooner we are inclusive in our language and how we talk about these roles, how we talk about the cybersecurity industry, more people are going to see themselves in cyber. And that's so important for younger girls, women. I remember when I was going through school, I was one of six women in a class of 120 engineers. And that, we love to change, right? And we change that by really making sure our language is inclusive. We have leadership representation. We're showing young girls and women what leadership looks like and showing that we're out there.
Lisa O'Connor: The other part of it, too, is we think about position descriptions. This is a simple one companies can do. When we're writing position descriptions, those should also be gender neutral, without bias - and putting the essential things in there that we need from a CISO. One of the things that we should - we found and what women overestimated was the amount of technical skills, knowledge that were needed for the role, because what got you to this point may have been the technical, but what's valued in the CISO role is that problem solving, the communication skills and the other things that are so relevant to the C-level and to the board. And so how we're writing those position descriptions, it's really important that we are able to align to their criteria and say, we got that, and put our hat in the ring.
Dave Bittner: That's Lisa O'Connor from Accenture, joined by her colleague Valerie Abend. The report is titled "Rising to the Top." And joining me once again is Caleb Barlow. He is the founder and CEO at Cylete. Caleb, it's always great to welcome you back. You know, we have this ongoing conversation about the challenges when it comes to hiring good folks in cybersecurity. And I know this is something that you've had your eye on lately. What do you want to share with us today?
Caleb Barlow: Well, you know, if we look at kind of the numbers here, we had, you know, 1 million open security jobs here in the U.S. It's now down to about 700,000. And that's a stat from cyberseek.org - right? - which, you know, we've mentioned that site before. It's a great site to go check things out. Well, OK, 700,000 open jobs. There's 1 million employed people in the United States in cybersecurity. So, you know, you can go run ratios here. We can't fill the jobs. But here's what's also interesting, Dave. You know, we talk about problems like diversity. We need to bring more women into the workplace. We need to bring more underrepresented minorities in the workplace. And I think we're doing a better job. We're certainly not there yet, but we really have an accessibility problem in cybersecurity.
Caleb Barlow: You know, if - I get calls from recruiters all the time who are like hey, Caleb, I've got a tough role I'm trying to fill. Do you know anyone in your network that meets this criteria? And I'm like, well, what's the company looking for? And they - you know, they'll go down this list that is almost comical - you know, hey, I'm looking for a threat hunter. I want them to have 20 years of experience. OK, first of all, no threat hunter has 20 years of experience. I'd like to have them to have worked for a Silicon Valley company before, you know, like a Facebook or a Twitter or someplace where they really understand growth. And, oh, and it'd be great also if, you know, they're a diverse candidate. And you sit back and kind of laugh. And you're like, you are never going to find that person. And if you do, it's going to cost you a fortune, right? What I don't hear happening is people going out and saying, hey, you know, I need someone that has this type of background, this type of experience, you know, like, a threat hunter. I need someone with really good investigative skills, that's really good at repetitive tasks and, you know, is a self-starter and self-motivator. OK, that's probably looking for somebody you're going to find that's going to be very successful in the role.
Caleb Barlow: And the issue here is often implicit bias, right? We have this idea of what the ideal candidate looks like. And I would argue that we could fill those 700,000 open jobs if we started thinking, as companies, about accessibility. How accessible are we to looking at people that might be one degree of separation from perfect? How accessible are we to say, hey, let's go hire somebody that maybe is going to need three months of training? And, you know, part of the problem here is we arm up recruiters in the words we use. You know, so if you say something like - if you pitch to a recruiter, hey, I want a high energy individual with that Silicon Valley experience, you know, what they hear - they hear high energy, they hear, oh, it's got to be under 30. They hear Silicon Valley experience. They limit it to a few companies, right? And unfortunately, what happens is the person doing that sorting of resumes often doesn't have cybersecurity experience. They're not the partner...
Dave Bittner: Right.
Caleb Barlow: ...You talk to on the phone.
Dave Bittner: Or it's even automated, you know? And so people don't even make it to having a human being look at the candidate.
Caleb Barlow: And what's happening here is the implicit bias that you unwittingly have forced into the system is sorting resumes. So here's a couple of things that I've been trying lately that seem to really work. And these are going to sound a little bold. First of all, take your pool of resumes - however you get it - and remove all photos from the resumes. The minute you remove photos, you remove so much implicit bias because you don't see age. You don't see, you know, ethnicity. You don't see, you know, whether somebody is male or female. Also, remove the names from the resume. Do you really care what somebody's name is when you're hiring them? No. But again, you remove the ethnic or, you know, kind of whether someone's male or female the minute you remove the names. Now add them back later in the process because you need to know who to call.
Dave Bittner: Right.
Caleb Barlow: But in that first sort, get rid of the pictures, get rid of the names and remove all experience over 10 years old. Like - and honestly, do I really care where you worked 10 years ago? But what happens again is, you know, whoever's doing that sort picks up the resume, looks at the experience, it goes, oh, my gosh, this person's in their 60s. Or, you know, maybe this person's even in their 40s. Forget it, right?
Dave Bittner: Right.
Caleb Barlow: Look at the last 10 years. What has the person done in the last 10 years? And, you know, if you really want to get into this, too, remove - you know, remove school and degree. I mean - and this one's a little more controversial 'cause some people will tell you, hey, look, you know, we know that there's certain backgrounds, certain degrees that really empower people. But again, I think if you think about accessibility, I don't really care whether someone has a degree in electrical engineering, computer science, or they figured it out after five years of working at the FBI, and they figured cybersecurity out, and they've only got a GED. I don't know if I really care. So if you remove those things from the resume, what you have is someone's capabilities and experience. And use that for your first sort to get rid of that implicit bias.
Dave Bittner: You know, I remember speaking with someone who had a whole lot of success recruiting folks who had a background as a jazz musician. And he said, because they are used to collaborating in real time with a group of like-minded people with a varied set of skills, right? And they have great improvisational problem-solving skills.
Caleb Barlow: And they have imagination.
Dave Bittner: Right. Yes. They are creative people. And it doesn't take as long to train people up as I think a lot of people think. Would you agree with that?
Caleb Barlow: Well, here's a good example. Let's take a sales - you know, sales manager, right?
Dave Bittner: Yeah.
Caleb Barlow: You know, I get this one all the time. Hey, I'm looking for a sales executive. They need to have - you know, they've got to be a great team builder and mentor. They've got to understand the sales process. They've got to be great at cadencing their people and teaching them. And, you know - and they need to have all this cybersecurity experience. And I'm like, really? Because the problem is you just limited your scope of people to a very narrow pool the minute you told me, you know, that they've got to have - you know, and most people say, well, they've got to have cybersecurity experience on threat intel. I'm like, OK, that probably limits it down to about five people in the universe. Really. Maybe...
Dave Bittner: Right.
Caleb Barlow: ...We should go at this and say, go find me an exceptional sales leader that's maybe worked on some other technology product, and let me onboard them over the course of four or five months, where they're going to learn the cyber piece of this. And if you go hire the right kind of skill that knows how to learn new things, that's probably going to be an exceptional sales leader. But what do people do? They go out and hire that person that has the skill. They pay twice as much money for them. And they leave in a year and a half because your buddy down the street at the other company is after the same thing, and they go recruit him away for you. And everybody just keeps paying him more money.
Dave Bittner: Yeah. We need to move away from that rock star mentality, I think, in a lot of areas.
Caleb Barlow: Well, I, again, it comes back to accessibility, how - you know, and maybe we need to retool the metrics, where - you know, the metric today is we're often looking at underrepresented minorities when we look at hiring. And we should still look at that.
Dave Bittner: Yeah.
Caleb Barlow: But maybe the bigger metric needs to be, let's look at how many people we've moved into the field in our hiring. And my guess is if you focus on that, you're also going to fix your diversity problem.
Dave Bittner: All right. Well, Caleb Barlow, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.