International norms of cyber conflict. Fancy Bear's tradecraft (with a side of дезинформа́ция). RDPPatcher, Cerber, Ticketbleed, and Hermes. And the vibe around RSA 2017.
Dave Bittner: [00:00:03:16] Hybrid warfare with disinformation, cyber espionage, and spyware infestations: BugDrop in Ukraine, and some cut-and-paste oddness slips from Fancy Bear's paws. A new X-Agent variant is out. This one infects Macs. Ransomware thumbs its nose at security products. A look at RSA trends as the conference closes. A conversation with San Diego's CISO. And a t-shirt that we really want to get.
Dave Bittner: [00:00:35:23] Time for a message from our sponsor E8 Security. They're putting your data together with E8s analytics, for security that can handle the unknown unknowns. Consider what might warn you off to malware on your system. Listening or running programs on a rare or never seen before open port is one of them. It's easy to say that, but could you say what counted as rare or never seen before? Or would that information jump out at you as you reviewed your logs...if you had time to review your logs. And by the time the logs reached you, chances are that news would be old. But E8's analytical tools recognize and flag that threat at once, enabling you to detect, hunt and respond. You got to check out their white paper at e8security.com/dhr, and get started. E8 Security: your trusted partner. That's e8security.com/dhr. And we thank E8 for sponsoring our show.
Dave Bittner: [00:01:36:13] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner back in Baltimore with your CyberWire summary for Friday, February 17th, 2017.
Dave Bittner: [00:01:47:03] Hybrid conflict, with all of its ambiguities and attendant fog, continues in Eastern Europe. Deutsche Welle reports a Russian disinformation campaign in the Baltic, with phony news stories planted alleging that German soldiers on NATO deployments have been responsible for a wave of assaults in Lithuania. Both German and Lithuanian officials say none of the claimed assaults happened, but the disinformation - while surely crude - will no doubt leave its residue behind in segments of public opinion, which of course is the point.
Dave Bittner: [00:02:18:12] Researchers at security firm CyberX have taken a look at a cyber campaign in Ukraine - possibly criminal, possibly state-directed, possibly a mix of the two - that's been responsible for a widespread spyware infestation in Ukrainian businesses. More than 70 enterprises are said to have been affected by what CyberX is calling BugDrop. Synack researchers have been taking a look at tools that appear to have recently slipped from Fancy Bear's paws, and they conclude that those tools look a great deal like lawful intercept products from Hacking Team. Fancy Bear is generally believed to be Russia's military intelligence establishment - GRU - if you're keeping score at home. Synack sees a "weirdness" in the code that suggests a copy-and-paste job.
Dave Bittner: [00:03:04:00] Bitdefender believes it's found evidence that there's now a variant of Fancy Bear's X-Agent malware that targets MacOS. X-Agent is modular malware used in targeted cyberespionage. It's modular in that once installed, it reports back to its commanders and controllers for instructions. Those instructions could involve directions to search for various files; they could direct X-Agent to download and execute other malware packages.
Dave Bittner: [00:03:29:18] Senior US officials including the Vice President and the Secretaries of State and Defense, are making the diplomatic rounds in Europe, and cyber matters have inevitably arisen during their discussions. Secretary of Defense Mattis said, "There's very little doubt," that Russia has interfered with elections. One might add in fairness that historically, it's not been just Russia.
Dave Bittner: [00:03:51:12] PandaLabs reports a new criminal hack, RDPPatcher, which simply sells third-party access to a victim computer. What they do with that access is presumably up to them.
Dave Bittner: [00:04:03:09] G-Data, the German security firm, has identified a new strain of ransomware they're calling Hermes, after the god of medicine, messaging, and theft. And there's good news already: the Austrian security company Emsisoft has already decrypted it. So bravo G-Data, and bravissimo Emsisoft.
Dave Bittner: [00:04:23:04] RSA 2017 wrapped up today in that city by the other bay, and our stringers and editors have some thoughts on the conference's recurring themes. First, AI - artificial intelligence - has been to this year's conference as "big data" and "threat intelligence" have been to the last couple of RSA seances. These have all been dismissed as buzz-words, which isn't exactly fair since there's a serious reality behind all of them; but caveat auditor: an awful lot of people will say AI in your presence. It's worth listening to them with respectful, open-minded, skepticism. We're working on a special edition of our podcast covering artificial intelligence, so stay tuned for that in the coming days.
Dave Bittner: [00:05:05:19] Second, in the West at least, the crypto wars appear to have been won by the pro-encryption side. And this is seen by many as essentially a technology-driven trend even the most obsessively repressive governments will find difficult to resist.
Dave Bittner: [00:05:19:23] Third, industry is worried about the growing tempo of international conflict in cyberspace and is urging governments to take seriously their operations in this new domain. If there are restraints on kinetic warfare, albeit imperfect restraints, that are designed to contain it, limit its effects on noncombatants, and seek to induce combatants to fight in ways that don't make the restoration of peace impossible, shouldn't there be similar restraints placed on cyber conflict? The time for this would appear to have come. Cyber warfare is no longer in its infancy, but it hasn't yet left its adolescence, and this may be the last, best, opportunity to influence its development.
Dave Bittner: [00:05:59:10] Fourth, and last, there's a general sense in the air that consolidation in some form lies in the security industry's near future. Our own experience of the conference differs a bit from that reported by Software Development Times, which notes that the conference has gone smaller and focused on enduring issues. Both may well be true, objectively, but subjectively we felt a nervous urgency and heard much more barking, in the carnie roustabout's sense of the word, than we remember from past conferences. We'll give the last word on the atmosphere to the words on a t-shirt worn by an executive we interviewed. The shirt said, "Does not have purchase authority." Many of those walking through the exhibits this year might have wished they'd worn similarly legible apparel.
Dave Bittner: [00:06:44:08] And finally, we'll leave RSA and return to ransomware. Late last month Trend Micro began tracking a new variant of the familiar Cerber ransomware. It's an odd duck; it encrypts the files on a victim's machine, except for one interesting class of software: security products. These it has whitelisted, and it leaves them studiously alone for reasons that are quite unclear. Bleeping Computer has some speculation about the criminal coders' motives that seem as good as any: they're going out of their way to thumb their nose at the security vendors.
Dave Bittner: [00:07:21:10] Time for a message from our sustaining sponsor, Cylance. Are you looking for something beyond Legacy Security Approaches? If you are - and of course who isn't - you're probably interested in something that protects you at machine speed, and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily, and it protects your network with minimal updates, less burden on your system resources, and limited impact on your network and your users. Find out how Cylance is revolutionizing security with Artificial Intelligence and machine learning. It may be Artificial Intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance: Artificial Intelligence, real threat prevention. That's cylanc.com. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:08:20:17] And I'm pleased to be joined once again by Rick Howard. He's the CSO at Palo Alto Networks, and he also heads up their Unit 42 Threat Intel team. Rick, we've spoken before about the Cyber Cannon - your list of must-read books when it comes to cybersecurity - but you've got some updates for us. Bring us up to date.
Rick Howard: [00:08:38:22] So think of the Cannon as a project, as a rock and roll hall of fame for cybersecurity books. We have ten outside practitioners - you know, CISOs, journalists, lawyers, those kind of folks - who review the most important cybersecurity books on the shelves, and make the case why we all should have read them by now. I say all of this because I want to talk about one of the books that made it onto the candidate list this year. It's called The Phoenix Project. It was written by Gene Kim, Kevin Behr, and George Spafford. It is a novel now about the emerging idea called DevOps. Have you heard of DevOps before?
Dave Bittner: [00:09:13:20] I have.
Rick Howard: [00:09:14:22] Right, so DevOps is perhaps, I think, the most important innovation that has happened to the IT sector since the invention of the personal computer back in the early 1980s, but it is a relatively new and complex idea. And it emerged out of three converging thoughts, sometime into late 2009. Alright? So first one was the agile development method that all your developers are looking at. A talk given by Alan Allspaw and Paul Hammond at the 2009 Velocity conference, and the talk was called Ten Plus Deploys Per Day. And this third thing, a book called Eric Rice called the, the Lean Startup. So DevOps is this idea that there needs to be a much tighter integration between software developers and information technology operations. So let me give you an example. Most organizations today pass IT and security work through internal black boxes; you know, product managers, marketing people, developers, quality assurance folk, system engineers, all the way down the line. DevOps is the recognition that instead of managing each of these black boxes separately, the organization needs to think of IT and security work as one big system of systems, and manage it that way - sort of a production line of IT work - with the goal of reducing, or eliminating completely any kind of technical debt that grows through that process. That is a very subtle, but disruptive idea.
Rick Howard: [00:10:45:17] So the authors behind The Phoenix Project, instead of writing a technical IT book on the benefits of this emerging idea, they chose to write a novel to make the material more acceptable to the general populous. But it centers on an online retail store that used to be the number one player, but they've fallen behind because they can't keep with his competitors. The IT department has projected to fix all that. They have a project for it called Project Phoenix, but it's two years behind schedule. So at the beginning of the book, the CEO has fired the CIO and promoted a mid-tier IT manager as the acting CIO, and has given him six months to fix the problem. So with the aid of an Obi-Wan Kenobi like figure from the board of directors, this interim CIO learns the way of DevOps and saves the company. So what I'm telling you is, if you're just hearing about DevOps now, or want to learn more about it, this book - The Phoenix Project - is a great way to get introduced to the material.
Dave Bittner: [00:11:40:01] So it's kind of that notion of a spoonful of sugar makes the medicine go down, right?
Rick Howard: [00:11:44:01] It is, it really is. And it makes it so much easier to learn too, let me tell you.
Dave Bittner: [00:11:48:15] Alright. Well I'll have to check that one out. The Phoenix Project, part of the Cyber Cannon. Rick Howard, as always, thanks for joining us.
Dave Bittner: [00:11:59:16] Time to thank our sponsor, Palo Alto Networks. You can visit them at go.paloaltonetworks.com/secureclouds. When using public clouds like Amazon Web Services and Microsoft Azure, security becomes a shared responsibility. Are you doing your share? And how are you making sure you're protecting your apps and data in any environment? Palo Alto Networks provides next gen cloud security that gives you complete visibility, so you can control your apps and reduce your threat surface area from the network to the cloud. Make sure your apps and data are secure and protected wherever they may be. Palo Alto Networks has the broadest, most comprehensive cybersecurity for all clouds and software as a service environments, because secure clouds are happy clouds. Find out how to secure yours. Get started at go.paloaltonetworks.com/secureclouds. And we thank Palo Alto Networks for sponsoring our show.
Dave Bittner: [00:13:03:19] My guest today is Gary Hayslip. He's the Chief Information Security Officer for the City of San Diego, California. He's also co-author of the book The CISO Desk Reference Guide: A Practical Guide for CISOs.
Gary Hayslip: [00:13:17:06] Most people when they hear that, you know, you're the CISO for a city, they just assume, you know, cities are, you know, "Hey, you've got a network you've got to manage." And, and I'm like, "No, I don't have one network, I have 24 networks." You know, I've got, you know, 11,000 employees; I've got somewhere in the neighborhood of about close to 45 to 50,000, you know, endpoints. To kind of give you an idea, my network is not static. My network's on the move. I mean, my network is trash trucks with GPS sensors and police cars, you know, connected to our wireless systems, and HVAC systems and, you know, golf courses, and libraries, and desktops and, you know, public works employees out in the field with tablets. It's a very dynamic, very malleable collection of enterprise networks.
Dave Bittner: [00:14:07:15] And so how do you approach a system that large with that, with that much variety?
Gary Hayslip: [00:14:11:22] Well, I mean one of the things I've, you know, kind of realized right away is the, the fact that we'll never really totally know, you know, everything that is on my network. And what I mean by that is that, you know, I mean I used to believe, you know, years ago when I was in DoD - and maybe it was because I was in a more controlled environment - that, you know, you'd be able to control your perimeters, and you would know everything that was connected to your networks and, you know, everyone's got to follow the rules; you know, which you kind of learn, once I got out of that environment and actually got out here in the real world is that, you know, networks tend to be chaotic. You know, controlling your perimeter is only as good as, you know, your users actually following the rules - which, you know, a lot of them will follow it until it, you know, interferes with them being able to do business, you know, to be able to do work, and then they've got to figure out workarounds. You know, you've got to deal with the fact that, you know, your perimeters aren't solid. That your perimeters are on people's cellphones and tablets and, you know, laptops. And I mean, I've come to the conclusion that, you know, for me cybersecurity's a lifestyle. It's a continuous process of monitoring and scanning and remediation - and breaches. I mean, you're going to take--Having a completely secure network that never gets breached is fantasy, you know, it's not going to happen.
Gary Hayslip: [00:15:32:04] When you use networks, when you use technology, it gets dirty, you know, because the Internet is not a, a clean place. And the way I work with it is that, I use a framework - like NIST - to be able to take what I have, break it down, and help me understand where my risk is, you know, and help me prioritize, you know, what needs to be fixed now and what we can fix when I have the personnel or the resources or the funding. And I spend a lot of my time in my departments, you know, talking with--You know, it's one of the biggest things I have learned after I left DoD, is that I cannot dictate and tell people, "Cybersecurity, you have to this," you know, "You're going to put us at risk." You know, I've got to make people want to work with me. I've got to advocate and be a cheerleader, and get people to want to go ahead and follow cybersecurity, and get them to understand that it's, you know, actually in the best interest of the business, you know. And that if you--if we're secure, we can even be more innovative, and be more successful, and more effective. But to get them to that stage, I've got to make the case. I've got to make the case as to why, from a business perspective, why we should be doing cybersecurity.
Dave Bittner: [00:16:49:18] What are some of the unique challenges you face, you know, being in, in a government situation versus someone in the private sector?
Gary Hayslip: [00:16:56:00] You know, some of the things that, you know, we deal with here - some of the decisions we're making on technology and stuff - have some, you know, life and death consequences when you think about, you know, water, when you think about the 911 system. I think, you know, some of the things that make it really hard for us is the fact that we're a 24-7 business. You know, the city of San Diego is a four billion dollar business. You know, we're running 24 hours a day, seven days a week. So how do you do change? If I've got to rip out a network and put in, you know, some new fibers or put in a new routers and switches and stuff, you know, backbone wires to handle, you know, HD video. Well, I can't shut the network down. And so a lot of times, this will make our projects actually go twice as long because, you know, the complexity involved. Sometimes we have to do things in parallel. And then once we have it built up, then plan to switch over, you know, with the, with the least amount of interruption to services as possible. You know, because a lot of the services that we provide are to my neighbors, and they have no problem coming over and yelling at me about stuff.
Gary Hayslip: [00:18:02:11] You know, so, you know, whether it's buying permits because you want to open up a new business, or whether it's, you know, you want to pay your water bill or pay a parking ticket. That's some of the things that I've noticed right away is that in this, in this position, is that some of the decisions we make have an immediate impact. You know, and not only that, they have an immediate impact on a wide range or people, on organizations, and then like I said, we have a lot of our challenges in the fact that you're dealing with, you know, technology that is 20 some years old, to new technologies like cloud and virtualized networks. You know, you're connecting these disparate technologies together, and so there is a known risk. You're constantly trying to, you know, update a lot of your older technologies and replace them, and--but at the same time you have to maintain them until you can get them replaced.
Dave Bittner: [00:18:38:22] Yeah.
Gary Hayslip: [00:18:53:17] You know, and so it's a very interesting environment from a risk perspective.
Dave Bittner: [00:19:00:00] That's Gary Hayslip, the Chief Information Security Officer for the city of San Diego, California. He's co-author of the book, The CISO Desk Reference Guide: A Practical Guide for CISOs.
Dave Bittner: [00:19:15:20] And that's the CyberWire. Remember, Monday is Presidents' Day here in these United States of America; and we, like all patriots, are sort of taking the day off. But not to worry, we'll be back as usual on Tuesday. In the meantime, check out some of our special editions: they're evergreen. Thanks to all of our sponsors, who make the CyberWire possible, especially our sustaining sponsor Cylance. To find out how they can protect you from cyberattacks, visit cylance.com. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, our social media editor is Jennifer Eiben, our technical editor is Chris Russell, our executive editor is Peter Kilpe, and I'm Dave Bittner. Have a great weekend everybody, and thanks for listening.