The CyberWire Daily Podcast 11.23.22
Ep 1710 | 11.23.22

Watch out for abuse of pentesting tools. Cyber attack on Guadeloupe. Ducktail’s evolution. Cybersecurity for ports. ICS security advisories. And stay safe shopping during the holidays.


Tre Hester: Another pen testing tool soon may be abused by threat actors. Cyberattack disrupts Guadeloupe. Ducktail evolves and expands. Warning of the potential disruption cyberattacks might work against European ports. CISA releases eight industrial control system advisories. Patrick Tiquet, VP of security and architecture at Keeper Security, talks about the FedRAMP authorization process. Bryan Vorndran of the FBI's Cyber Division with reflections on ransomware. And stay safe on Black Friday and Cyber Monday and Panic Saturday. You get the picture.

Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester, filling in for Dave Bittner, with your CyberWire summary for Wednesday, November 23, 2022. 

Threat actors may turn to a new pentesting tool.

Tre Hester: We heard yesterday about steps Google was taking to render Cobalt Strike less susceptible to abuse by cybercriminals. As you know, Cobalt Strike is a legitimate penetration testing toolkit that's been frequently abused by criminals who've used it to move through victims' networks and help stage attack payloads. Google reduced open-source YARA rules that should make it easier for defenders to detect such abuse. The step should also have the welcome result of returning the tool to its proper users. 

Tre Hester: Should Cobalt Strike really prove less abusable by the hoods, of course, that leaves a vacuum, and Proofpoint thinks it has a good idea of what might take its place in the underworld. The security firm blogged yesterday that another framework, Nighthawk, might fill the void. So far, it hasn't, but the possibility seems worth keeping an eye on. 

Tre Hester: Proofpoint explained their interest, saying, quote, "in September 2020, Proofpoint researchers identified delivery of a penetration testing framework called Nighthawk. Launched in late 2021 by MDSec, Nighthawk is similar to other frameworks such as Brute Ratel and Cobalt Strike and, like those, could see rapid adoption by threat actors wanting to diversify their methods and add a relatively unknown framework to their arsenal. This possibility, along with limited publicly available technical reporting on Nighthawk, spurred Proofpoint researchers into a technical exploration of the tool and a determination that sharing our findings would be in the best interest of the cybersecurity community" - end quote. Again, Proofpoint says it's observed no signs of Nighthawk being abused. 

Tre Hester: The report concludes, quote, "Nighthawk is a mature and advanced commercial C2 framework for lawful red team operations that is specifically built for detection evasion. And it does this well. While Proofpoint researchers are not aware of adoption of Nighthawk in the wild by attributed threat actors, it would be incorrect and dangerous to assume that this tool will never be appropriated by threat actors with a variety of intents and purposes. Historic adoption of tools like Brute Ratel by advanced adversaries, including those aligned with state interests and engaging in espionage, provides a template for possible future threat landscape developments. Detection vendors, in particular, should ensure proper coverage of this tool as cracked versions of effective and flexible post-exploitation frameworks can show up in the dark corners of the internet when either threat actors are looking for a novel tool or the tool has reached a certain prevalence" - end quote. 

Cyberattack disrupts Guadeloupe.

Tre Hester: The French overseas department of Guadeloupe, a Caribbean island, has been hit by a cyberattack that's disrupted government services. The AP reports that the authorities are working to restore their systems. But beyond that, little information is available beyond an announcement characterizing the incident as a large-scale attack. Many of the government's sites were accessible this morning, so recovery may well be in hand. 

Ducktail evolves and expands.

Tre Hester: Researchers at WithSecure, a company formerly known as F-Secure Business, have told SecurityWeek that they have observed an expansion and evolution of the cyber gang Ducktail. Probably based in Vietnam, Ducktail targets Facebook business users. Their principal tool is an information stealer that gives them victims' credentials. Activity in Telegram channels suggests that Ducktail is beginning to establish an affiliate program. 

Warning of the potential disruption cyberattacks might work against European ports.

Tre Hester: Reuters has an interview with retired U.S. General Ben Hodges, who argues that cybersecurity is as important to NATO logistics as missile defense. In support of his contention, he cites the disruption worked by NotPetya, the 2017 Russian pseudo ransomware campaign against Ukraine that spilled over into the transportation sector and disrupted port and shipping operations. The major shipping firm Maersk was particularly affected. The German ports of Hamburg and Bremerhaven are especially important to NATO. Interference with port operations would have a significant effect on the Atlantic Alliance's ability to sustain operations in Central and Eastern Europe. NotPetya hasn't been repeated, but it might be regarded as a demonstration of what could be accomplished by a determined attacker. 

CISA releases eight industrial control system advisories.

Tre Hester: The U.S. Cybersecurity and Infrastructure Security Agency yesterday released eight industrial control system advisories. 

The holiday shopping season is here.

Tre Hester: We know there's a bit of season creep in progress for Black Friday and Cyber Monday and all of the days that follow up to the new year, but it's not too soon, so think about taking some prudent precautions. We've assembled some advice from security experts on staying safe online during the holiday season. You'll find it online at 

Tre Hester: And do enjoy Thanksgiving tomorrow. We'll be taking the long weekend off and hope that everyone who's able can do so as well. The CyberWire will return to our regular publication schedule on Monday. 

Tre Hester: After the break, Patrick Tiquet of Keeper Security talks with us about the FedRAMP authorization process, and Bryan Vorndran of the FBI with his reflections on ransomware. Stick around. 

Dave Bittner: FedRAMP is the Federal Risk and Authorization Management Program. And according to the GSA, it provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. Achieving FedRAMP authorization is not easy, and in fact, the process can be quite daunting. Is it worth it? To help answer that question, I checked in with Patrick Tiquet, VP of security and architecture at Keeper Security, where he and his colleagues recently earned FedRAMP authorization. 

Patrick Tiquet: FedRAMP is an authorization that is managed by the GSA. It covers 17 different control families; everything from, like, access control to personnel security, physical security, auditing. And there's - at the FedRAMP moderate level, there's about 325 controls, I believe - somewhere in that area. But each control - that's kind of deceptive because each control could have up to dozens of control enhancements, which are smaller, individual controls that enhance the existing - the primary control. FedRAMP stands for Federal Risk Assessment and Management Program. So at its core, it's a risk assessment framework. 

Dave Bittner: I see. So take us through what this experience is like. I mean, how did you and your colleagues gear up for going after something like this? 

Patrick Tiquet: It was a bit of a learning curve. You know, initially, you know, we've had our SOC 2 report since 2013. We've been ISO 27001-certified since 2018. And we had experiences obtaining, you know, difficult, rigorous certifications in the past. We knew that FedRAMP was going to be a bit of a different ballgame. Previously, you know, we were able to, with a relatively small team, achieve ISO 27001 certification and SOC 2. FedRAMP is set up so that you really need a team of people to achieve it. I mean there's things, like, built into it like separation of duties. And there's a lot of just busywork on a monthly basis - continuous monitoring, generation of a plan of action and milestones on a 30-day cadence. So there's a lot of things that we actually had to learn along the way that - it wasn't going to be the kind of thing where just a small team can accomplish this. This is something that - it's really overarching and reaches and touches on all aspects of a company. 

Dave Bittner: So it really is a commitment, you know, it sounds like company-wide and also something long term. This isn't just a, you know, get it done and get your check mark and move on. There's ongoing stuff that you all have to do. 

Patrick Tiquet: Correct. So, like, with ISO 27001, for example, once you achieve the certification, you know, there's an annual surveillance audit. And then, you go through the whole certification after a few years. With FedRAMP, once you obtain your authorization, it's really not the end. It's really the beginning. Every 30 days, we have to produce - we have to scan our entire system. Any new vulnerabilities that come up, we rank them by critical, high, medium, low. And then, that determines how quickly we need to mitigate those vulnerabilities and fix them, patch them. So it's something that - it's constant, and you have to stay ahead of it. And it's easy to get behind if you don't patch vulnerabilities within time. So it's something that, really, you have to have a team of probably two to three people just dedicated and focused on maintaining and ensuring that the system remains secure. 

Dave Bittner: And having been through this process, what is your advice for other organizations who may be considering it? 

Patrick Tiquet: Well, when we started it, everyone told us that this would be a multiyear commitment to achieve initial authorization. Initially, I think we thought, oh, well, you know, maybe we could do it in about six months. What it turned out to be was - it took almost exactly two years, to the day, to achieve our final authorization from the day that we started it. So there's - I'd say the first thing you need to do is get some experienced people in to do a gap assessment of your existing infrastructure and figure out, OK, what are the things we need to implement? What are the controls we need to implement? What are the things we need to build or do in order to implement all of the FedRAMP controls? 

Dave Bittner: And then, in terms of this opening up opportunities for you all, has that come to pass? Has it seemed like the effort continues to have value? 

Patrick Tiquet: Yes. Yes, absolutely. And, you know, it really - in addition to opening up new opportunities and generating a lot of interest from federal agencies, it also has generated interest from people who - or companies who are in the federal space that may not necessarily be a federal agency but still have the requirements to meet the federal controls. 

Dave Bittner: And I suppose having been through FedRAMP, these - the next steps probably mean - aren't quite as daunting as they otherwise would have been. You've got this experience under your belt. 

Patrick Tiquet: Yeah, we have our experience under our belt. We know what to expect now. I don't think it makes it any less daunting. In fact, I think if we knew how difficult the authorization process was going to be, I think we might have had second thoughts or hesitated more about pursuing this. But now that we have achieved this and we have a team that's experienced, it seems less daunting. It's just we know what to expect. We know the reality of how difficult it is to achieve and maintain an authorization such as FedRAMP. 

Dave Bittner: That's Patrick Tiquet from Keeper Security. 

Dave Bittner: And it is always a pleasure to welcome back to the show FBI Cyber Assistant Director Bryan Vorndran. Director Vorndran, welcome back. I want to do a little deep dive today on ransomware and some of the guidance that you share when it comes to that. What can you share with us today? 

Bryan Vorndran: Sure. Dave, it's good to be with you, and I appreciate the question. And we get this question a lot. And so I'll go through a few notes here, and I think they're very, very important. No. 1 is - doing the basics well in a repeatable fashion is probably the most important piece of advice I can give to your listeners. And when we talk about ransomware, the goal really should be prevention. So well-established cybersecurity practices - you know, whether that's MFA, password management, effective logging, log management, vulnerability-and-patch management, phishing tests, maintaining air gapped and encrypted and current backups - these have to be done in a repeatable fashion by the entirety of your organization. And your organization is only as strong as the weakest link. And so when we talk about doing the basics well in a repeatable fashion, that is a very, very important takeaway for your listeners. 

Bryan Vorndran: Next, I think it's important for organizations to understand that they need to plan well. You know, that includes business continuity, crisis management, disaster recovery and computer intrusion incident response. It's very important that those plans are not developed and exercised in isolation. They really do need to be exercised at the operational, the executive and the board levels. And really, the goal of the exercises should be to develop a strategy and to refine decision-making processes, right? 

Bryan Vorndran: And so there's really four key areas to those exercises. So first is communications protocol, and that covers both internal and external communications. And the bottom line is that organizations, as they prepare, should prepare to lose their primary means of communications and move to secondary communication channels, right? And that's an important part of the exercise. 

Bryan Vorndran: The second goal is related to ransomware, and it's the pay, no-pay decision. And, you know, the best-prepared organizations have worked this out at an excruciating level of detail. And they understand that this becomes a math problem for them. If downtime in their organization at two hours is worth $10 million of revenue, then a $10 million ransom payment probably is commensurate and a decision that they would make to move forward on. But that pay, no-pay decision and really, really planning that out in detail is the second important goal. 

Bryan Vorndran: The third goal is, who will the organization share with in the U.S. government and when? And there's a host of different answers to that. And from an FBI perspective, we always say the most important thing is to share with the U.S. government. And so we never really advocate for the FBI to be the first call. We advocate for the FBI to be an early call because we have certain authorities and capabilities that may lend support to a victim. But you should think about how you're going to engage the U.S. government and which part of the U.S. government. And is that engagement going to come from a CISO, from a CEO, from retained counsel? The best-prepared organizations have really worked through that. 

Bryan Vorndran: And lastly, what and when will you share with your board of directors? You know, and so those are just some important goals of those exercises, but these are the messages that we share when we're asked about lessons learned and how can organizations best prepare for ransomware. 

Dave Bittner: You know, you mention sharing information with the U.S. government. Beyond the FBI, what are the other government agencies that should be in a CISO's Rolodex? 

Bryan Vorndran: Sure. You know, it depends. So first of all, CISA should definitely be in a company's Rolodex. Obviously, with the passage of the CIRCIA 2022 law, certainly within the next two to three years, every organization within critical infrastructure sectors will be required to report directly to CISA through a standardized process. And the FBI is very, very supportive of that process and has a tremendously close working relationship with CISA. You know, we would certainly recommend that the local field office be a close contact as well. But then, obviously, if an organization is in a regulated industry, they would obviously need to have close ties to their regulatory agency or their sector risk management agency. So that really covers the spectrum of who an organization would need to have in their Rolodex. 

Dave Bittner: You know, as you and your colleagues are helping organizations recover from ransomware, are there common shortcomings or are there areas that you all see repeatedly where folks have come up short? 

Bryan Vorndran: You know, I don't really look at it that way, Dave. I look at it as the basics are tremendously important to execute over and over and over again. So we've seen examples where a phishing email has gotten through. We've seen examples of - where known common vulnerabilities have not been properly patched or properly remediated. But at the end of the day, you know, I would really cycle back to the list I provided earlier, right? These basics of cybersecurity - MFA, password management, vulnerability and patch management, phishing tests - right? - maintaining backups - these are just such important foundational items to secure a company's future. 

Dave Bittner: All right. Well, FBI Cyber Assistant Director Bryan Vorndran, thanks so much for joining us. 

Bryan Vorndran: Thank you, Dave. 

Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefings at 

Tre Hester: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Tre Hester, filling in for Dave Bittner. Thanks for listening and happy holidays.