The CyberWire Daily Podcast 12.9.16
Ep 242 | 12.9.16

Korean cyber alert amid a presidential impeachment. Germany calls out Fancy Bear for influence ops. Georgia—the Dixie one, not the one in the Caucasus—demands a cyber explanation. Holiday phishing, the enduring DDoS threat, and BOLO Gennady Kapkanov.


Dave Bittner: [00:00:03:01] South Korea braces for the North to take cyber advantage of a constitutional crisis, but so far it's mostly quiet. Germany takes official notice that Fancy Bear is working to disrupt next year's elections. The US state of Georgia thinks DHS may have tried to penetrate its election system post election and it wants to know what's up. A phishing campaign trolls customer service reps with fileless malware. Experts expect more Mirai-driven DDoS and the Avalanche criminal kingpin is on the lam, after being sprung from a Ukrainian jail.

Dave Bittner: [00:00:41:00] Time for a message from our sponsor Netsparker. Do you know how to tell a false positive from a real threat? Netsparker does. If it's exploitable, it's real. Netsparker's distinctive automated scans drive out false positives, save you money and improve security. Their approach is proof based scanning. Netsparker's innovative scanning engine automatically exploits the vulnerabilities it defines in websites and presents you with a proof of exploit. You don't need to verify the scanner findings to see if they include false positives. If Netsparker tells you it's bad, trust them, it's bad. Remember, if it's exploitable, then it's definitely not a false positive. Learn more at But wait, there's more. And we really do mean more. Go to for a free 30 day trial of Netsparker Desktop. It's fully functional. Scan your websites with Netsparker and let them show you how they do it. That's And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:48:15] I'm Dave Bittner in Baltimore with your CyberWire summary and weekend review for Friday, December 9th, 2016.

Dave Bittner: [00:01:56:10] Seoul is on alert for cyberattacks from the North as the Republic of Korea goes through the impeachment of its president. President Park Geun-hye must step down today, at least temporarily, until her position is finally decided by the Constitutional Court, as required by South Korean law. Recently disclosed intrusions into South Korean defense networks continue to look like Pyongyang's work, and the Republic of Korea is preparing for more, but so far cyberspace has remained relatively quiet across the 38th parallel.

Dave Bittner: [00:02:28:24] As the US Congress continues to rumble about investigating Russian attempts to influence last month's elections, and the smart bipartisan money is betting that there will be investigations, Germany's BfV has confirmed that the Russians are up to much the same in Germany. The BfV said yesterday in an official statement that the Russian organs, specifically Fancy Bear, also known as APT28, have begun their attempts to disrupt the coming year's German elections. The BfV's statement leads with charges of propaganda, disinformation and false flag operations. The two Russian objectives, as the BfV explains them, have a familiar ring to them. Fancy Bear aims to foster uncertainty in German society and weaken or even destabilize the Federal Republic. The other goal is to strengthen the hand and amplify the voice of extremist groups and parties in Germany.

Dave Bittner: [00:03:22:03] Back in the US, the State of Georgia has asked that the Department of Homeland Security explain what Georgia thinks looks like attempts by DHS to penetrate the state's election systems on November 15th, a week after the elections were held. Georgia was one of a few states that declined DHS security help for the election and the state said it did so on Constitutional grounds, not wishing to let the Federal camel push its nose into the tent of powers reserved to the states. A letter Georgia's Secretary of State sent yesterday to the US Secretary of Homeland Security put the issue this way:

Dave Bittner: [00:03:56:10] "The private-sector security provider that monitors the agency's firewall detected a large unblocked scan event on November 15th at 8:43 AM. The event was an IP address attempting to scan certain aspects of the Georgia Secretary of State's infrastructure. The attempt to breach our system was unsuccessful. At no time has my office agreed to or permitted DHS to conduct penetration testing or security scans of our network. Moreover, your Department has not contacted my office since this unsuccessful incident to alert us of any security event that would require testing or scanning of our network. This is especially odd and concerning since I serve on the Election Cyber Security Working Group that your office created."

Dave Bittner: [00:04:39:17] The letter asks, in effect, if the attempt was by DHS, and if so, whether it was authorized, inadvertent, or deliberate but unauthorized. WSB-TV 2 Atlanta received this statement from DHS: "The Department of Homeland Security has received Secretary Kemp's letter. We are looking into the matter. DHS takes the trust of our public and private sector partners seriously and we will respond to Secretary Kemp directly." The private-sector security provider who detected and blocked the penetration has not been identified.

Dave Bittner: [00:05:12:08] ISIS is back online, calling on its adherents to kill Shiites and Americans in Bahrain. US Secretary of Defense Carter's regional visit apparently inspired the attempt at murderous inspiration.

Dave Bittner: [00:05:25:09] Security firm Proofpoint warns of a new criminal phishing campaign that loads an information stealer in its victims' systems. Called "August," the campaign resembles in some of its techniques recent capers TrustWave researchers have observed the Carbanak gang executing. Proofpoint is tracking the threat actors behind August under the designation "TA530," and they're calling their infostealer "mundane," but they note that it's being deployed in a way that makes it difficult to detect. It uses well-crafted emails to customer service representatives that carry plausible subject lines like duplicate charges, erroneous charges, shopping cart emptied, things like that. Should the customer service rep open the attachment, typically a malicious Word document, August uses PowerShell script to filelessly install the info-stealer. It's worth noting that PowerShell exploitation is consistent with what Symantec has observed in a recent study. 94.5 percent of PowerShell scripts, Symantec says, are malicious.

Dave Bittner: [00:06:27:11] So why has August become so prominent in November and December, and why are the Carbanak hoods so active? Michael Patterson, CEO of Plixer International, told the CyberWire that the question practically answers itself. "'Tis the ideal season for phishing attacks," he said. When you're scrambling to process orders and deliver good customer service during the busiest of online shopping seasons, it's fatally easy to click "open" when you should have clicked "delete." Patterson recommends more training, monitoring, and awareness during the holiday season. We would add that, while prudence, diligence, and vigilance are of course always vital, don't be too hard on yourselves or your service reps. After all, opening email from customers is probably a big part of the job. So take a look at ways of organizing your systems for security and, in particular, look for ways of doing without attachments. Here's one recommendation from Patterson that even a relatively small business could follow. Set up somewhere for employees to forward suspicious emails for inspection.

Dave Bittner: [00:07:26:00] Distributed denial-of-service attacks remain an unsolved problem, especially since the general availability of Mirai-herded Internet-of-things botnets has commodified DDoS attack capability and put it within the range of even modestly talented skids. The skids can even buy tech support services to help them along. DDoS is also seeing a round of gamification in the Sledgehammer campaign being run in the apparent interests of Ottoman revival. Travis Smith, Senior Security Research Engineer at Tripwire, told us, "Since Sledgehammer is a tool created by a group of Turkish descent, it's expected that the targets of their wares would be those they oppose. Even though the gamification of the DDoS tool allows individuals from around the world to participate in the attack, the targets are controlled by a centralized command and control server."

Dave Bittner: [00:08:15:11] And finally, in the cops-and-robbers department, the Avalanche criminal cloud and fraud-as-a-service gang may have been raided and taken down, but its alleged kingpin is back on the lam. Ukrainian authorities have called a be-on-the-lookout for Gennady Kapkanov, who was captured in a shoot-out, cuffed, booked, jailed and then released on a judge's order because of some local prosecutorial oversight. You can easily find the galoot's mug shot on the Internet. Mr. Kapkanov is now in parts unknown. We doubt he'll show up in Bugtussle or Rabbit Hash, or even Timonium, Cliffside Park, or Simi Valley any time soon, but if you see him, assume he's armed and dangerous.

Dave Bittner: [00:08:59:24] Time for a moment to tell you about our sponsor Recorded Future. You've probably heard of Recorded Future. The real time threat intelligence company. Their patented technology continuously analyzes the entire web, to give infosec analysts unmatched insights into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting and collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to Recorded Future dot com slash intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. That's Recorded Future dot com slash intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:10:00:15] Joining me once again is Rick Howard. He's the CSO at Palo Alto Networks. He also heads up Unit 42, which is their threat intel team. Rick, at Unit 42 you have something that you all call the Cybersecurity Canon. That's your required reading list. Tell us a little bit about the Cybersecurity Canon?

Rick Howard: [00:10:17:16] Yes, we did this, it started about three years ago. I went to the RSA Conference in San Francisco and presented a talk on here are some books that you should have read by now. It was about 25 books that I thought were kind of necessary to all of us and Palo Alto Networks decided to sponsor it. So, what we did is we created a Rock and Roll Hall of Fame for cybersecurity books. We have an outside committee of ten cybersecurity experts, there are CSOs and journalists and consultants and lawyers and they evaluate all of the books on our candidate list. And if you go to the website and look up Canon at Palo Alto Networks, you'll see all the books that are in the candidate list and you can't get on the list. This is not just a book list, right? This is someone has made the case in a book review saying why all of us should have read this book by now. And so, there's some sweat and tears put into this to make those cases.

Rick Howard: [00:11:13:06] So we had about 50/60 books on the candidate list so far and every year the committee selects two or three to be inducted into the Hall of Fame. Last year we put a bunch of them through because there were so many that were so good. 'Future Crimes' by Marc Goodman, 'Kingpin' by Kevin Poulsen, 'Cyber War' by Richard Clarke and a bunch of others that you would have heard of right? So, it's very exciting that we get to do this here at Palo Alto Networks.

Dave Bittner: [00:11:37:21] And so, what are some of the additions to this year's list?

Rick Howard: [00:11:41:14] So, there's three I'd like to highlight. The first one I want to mention is a book that I really thought was exciting. It's called 'The Phoenix Project.' It's been out for a little bit and it is a novel that describes what DevOps is. Now, I know everybody around our community has heard of DevOps and you even think you know what it is, but 'The Phoenix Project' is a story that will make you fully understand why DevOps is important, why it is probably one of the best innovations in IT management since the personal computer was invented and how you might go about using those kind of techniques in your own organization.

Rick Howard: [00:12:21:23] I guess the second one that we're really putting on everybody's radar is the 'Hacking Exposed' series. These books have been around for a long time. They cover lots of ground about all the aspects of cybersecurity that we should know about. So I highly recommend all the network defenders in the world take a look at that series of books.

Dave Bittner: [00:12:40:02] Alright Rick, thanks again for joining us.

Rick Howard: [00:12:41:24] You bet. Any time.

Dave Bittner: [00:12:52:05] My guest today is Caleb Barlow. He's a Vice President with IBM Security and led the development of IBM's new X-Force Command, which they call "The world's most sophisticated cyber simulation environment." IBM Security recently published a report titled 'The Global Cyber Resiliency Gap.'

Caleb Barlow: [00:13:10:12] You know, we went out and found that more than 67 percent of organizations reported that they weren't prepared to recover from cyberattacks. Now, that's a sobering stat in and of itself, until you get to the next one, which is that 75 percent have no formal response plan applied across their organization. So I think part of what we found in this survey, which covered 2,000 security and IT professionals from around the world, is that as security professionals, a lot of folks have been focused on protecting and defending their environment, which is certainly important, but now it's just as important to focus on what happens when you inevitably are breached. How do you respond and how do you maintain that resiliency?

Dave Bittner: [00:13:56:21] I think we hear that phrase, "It's not a matter of if, it's a matter of when," so much these days that it's almost a catchphrase. Do you agree with that?

Caleb Barlow: [00:14:04:20] We certainly have to plan for it to be in the case of when. You know, it's no different than planning for what happens if there's a fire in a corporate headquarters or an earthquake or some major economic downturn. Just like anything else that we have a business resiliency plan for, we need to have a business resiliency plan for cyber risk.

Dave Bittner: [00:14:28:19] And to that point, the survey said that over half of the organizations had at least one data breach in the past two years?

Caleb Barlow: [00:14:36:17] Yes. 53 percent came back and said that they had one in the past two years, right? And what was interesting about that was it was everything from advanced attackers to 74 percent said that they faced threats due to human error in the last year, right? So, you know, that could be malicious activity or in many, if not most cases, that's accidental activity or it's the quintessential case of someone clicking on a link in a phishing email that they probably shouldn't have.

Dave Bittner: [00:15:05:18] Take me through some of the reasons why people aren't doing a better job with this?

Caleb Barlow: [00:15:10:16] I think when we look at cyber resiliency in general, first of all, you know, I think a lot of folks don't realize that when you're breached you have to make a lot of decisions in near real time and these are decisions that could have long lasting implications. This requires a leadership in crisis type of skill and that's not necessarily a muscle that a lot of C-level executives exercise on a regular basis. So, we want to be able to make sure we've practiced and rehearsed that well before something actually happens. It's everything from, "Who's in charge, how am I gonna communicate, how am I gonna deal with regulators, with law enforcement, with my customers? What am I gonna say and how am I gonna say it?" Because, as much as your data might be on the line from the attackers, so too is your business reputation with your customers, your business partners and the public in general.

Dave Bittner: [00:16:06:01] Yes, it reminds me of the family level. You gather your family together and say, "Here's what we do in case there's a fire," ahead of time, because by the time you smell smoke it's too late, right?

Caleb Barlow: [00:16:19:16] Well, it is. And just like you would have that conversation with your family on, "Here's how we exit the house, here's where we're all going to gather up." I think, unfortunately, the analogy to a fire drill is very important and one of the things we're doing at IBM is we've invested $200 million this year in incident response. And one of those key things here in Cambridge, Massachusetts is the first ever cyber range built out at full scale for the corporate enterprise. These types of environments have existed in the past in kind of military contractors, but this is a new environment where people can actually practice these types of breaches and the response at scale.

Dave Bittner: [00:17:05:14] So, take me through how that works? If I'm an organization that wants to take advantage of something like that, what would happen?

Caleb Barlow: [00:17:11:20] Well, what they do is they come with their team. Not two or three people but, you know, ten to 20 people, and not just the security folks: the marketing team, the legal team, the CEO, maybe a board member or two. And what we do is we put them through a fictitious breach on a fictitious company. But this is done with a level of realism, in such a way that everything around them, from the videos, the audio, the keyboards that are in front of them, is so highly realistic that we want to get their pulse raised up. We want to force them to make some decisions under pressure, so that they are experiencing it much like if it was their own company. The only difference in this case is that the company isn't real, but all the data is real and we do this by having a large data center behind us and we've effectively built out the IT environment of a Fortune 500 company. The only difference in this case is we hack it and break it every day. It's frankly a lot like a flight simulator.

Dave Bittner: [00:18:13:00] When it comes to having plans, when it comes to being resilient against these sorts of attacks, what kind of general advice do you have for people?

Caleb Barlow: [00:18:21:05] Well, obviously have a plan, right? Have rehearsed that plan. But also, you want to go have relationships with all of the people that you're going to need to bring in. Whether it's the incident response team that you want to have on retainer, your crisis communications team, your legal counsel. But also, you want to understand what are the regulatory environments in which you operate. In the United States, for example, there's 47 different breach disclosure laws in the 50 US states. You want to have those play books already built to understand, what do you need to disclose, to whom and how. It's just like the proverbial binder you'd see on the shelf in any office around what to do in case of a medical emergency or a fire. You need that virtual binder built for what to do in the event of a cyberattack.

Dave Bittner: [00:19:14:00] That's Caleb Barlow from IBM. You can find the global cyber resilience gap survey and learn more about IBM's cyber range on the IBM Security website.

Dave Bittner: [00:19:28:08] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Have a great weekend everybody and thanks for listening.