The CyberWire Daily Podcast 3.6.17
Ep 299 | 3.6.17

Warnings of DNSMessenger. Cyber deterrence, and cyber offensive operations. Notes on DDoS. Election surveillance allegations.


Dave Bittner: [00:00:03:13] Talos and others warn of DNSMessenger, a dangerous and evasive RAT. DDoS hits Luxembourg government sites and remains a threat to businesses. The US is said to be running a cyber campaign against North Korea's ballistic missile program. The US Defense Science Board releases its report on cyber-deterrence. Mutual recriminations over allegations of election-season campaign surveillance are swirling in the US.

Dave Bittner: [00:00:34:17] Time to take a moment to tell you about our sponsor, the good folks over at CyberSecJobs. If you're an information security professional seeking your next career, or your first career, you need to check out and find your future. CyberSecJobs is a veteran owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their resume and search and apply for thousands of jobs and it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages, designed to meet your needs. You'll find this and other great opportunities at That's And we thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:30:19] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Monday, March 6th, 2017.

Dave Bittner: [00:01:40:03] Cisco's Talos research unit describes DNSMessenger, an evasive remote-access Trojan that avoids detection by pulling malicious PowerShell commands stored in DNS TXT records. As so often happens, victims were infected by enabling macros in a bad Word document. Such in-memory malware can be difficult to detect and counter once it establishes itself. Enterprises are being urged to look to their DNS defenses. The Asia-Pacific Network Information Center's (APNIC) chief scientist calls failure to secure DNS "pathetic" and "savage ignorance."

Dave Bittner: [00:02:17:00] Government services in Luxembourg sustained a protracted distributed denial-of-service attack last week. The actors and any motives remain unknown. Before this incident, DDoS attacks against the country has largely affected financial trading platforms. Luxembourg is a more significant economic player than its 999 square miles might lead one to imagine, if one tended to over-value physical size, an error that can be too easy to fall for in other cases as well. Consider Singapore, for example, which comes in at just shy of 278 square miles, but also disposes of considerable technical sophistication. The city-state is upgrading its already capable cyber defenses as it becomes a target in regional cyber espionage campaigns.

Dave Bittner: [00:03:05:18] DDoS has become effectively a commodity form of attack, as resistant to suppression as any other endemic form of crime, the stressor services, for example, taken down with HackForum late last year are back and being actively traded on the black market. Many businesses are convinced that their rivals are behind denial-of-service attacks on their networks, according to a survey published by Kaspersky Labs. Business rivalry, indeed, in the surprisingly cut-throat world of Minecraft services, may have been the motive behind the earlier forms of the Mirai IoT botnet.

Dave Bittner: [00:03:41:03] In the US, an ongoing cyber offensive, designed to impede North Korean missile development is revealed. Ordered by President Obama, it seems likely to continue under President Trump. The campaign aimed at what the New York Times described as "cyber and electronic strikes against North Korea’s missile program, in hopes of sabotaging test launches in their opening seconds." There have certainly been test failures as well as successes in North Korea's recent program. How many of the failures can be attributed to American interference is unclear.

Dave Bittner: [00:04:14:12] The Defense Science Board's Task Force on Cyber Deterrence has publicly released its final report. The report offers a standard definition of deterrence and notes the hesitant and incremental way in which US deterrence has so far evolved. Part of the difficulty of developing an effective deterrent lies in different adversaries very different sensibilities and susceptibilities, major powers, minor powers, and non-state actors make distinctive risk calculations, so no single form of retaliation is likely to dissuade all possible threat actors. The principles the Task Force argues should inform cyber policy are familiar from other, earlier forms of deterrence, a mix of denial that is, defenses that would reduce vulnerabilities and dissuade attacks by convincing adversaries of their futility and cost-imposition, the credible, assured prospect of retaliation that would impose unacceptable costs on an attacker.

Dave Bittner: [00:05:10:11] The task force discounts cyber arms control as "not viable" in the real world, although it does see some utility in what it characterizes as "rules of the road" in cyberspace. In this respect, cyber weapons are more difficult to contain than nuclear weapons, they're relatively easy to acquire, they don't take a large industrial plant to develop or produce, and they are also easy to deliver. Among the more interesting recommendations in the report are its fairly hawkish calls for more work on credible cyber offensive capabilities, with the clear understanding that such capabilities should be pushed into US Combatant Commands, and not necessarily held at a National level. The Task Force recommends that priority be given to hardening strategic strike capabilities. The report envisions an extensive technology scouting program to find new, more capable ways of achieving cyber resilience, and it also advocates establishing technology accelerators to prompt development along such lines.

Dave Bittner: [00:06:10:00] Another key recommendation is easy to state but hard to implement: develop effective, reliable means of attribution. The task force sees three areas in which work could improve attribution. First, improving identification and authentication of the users of our systems. Next, sharing situational awareness between adjacent systems. And finally, conducting behavioral analysis, tying actions to actors, rather than just depending upon transaction analysis (looking principally at tripwire events]. These at least suggest the lines along which future development might proceed. A great deal of that work remains to be done.

Dave Bittner: [00:06:49:12] Over the weekend, US President Trump said that his predecessor engaged in surveillance of the Trump presidential campaign. The former president's spokespeople retort that any surveillance would have been pursuant to FISA warrants. So there was a great deal of mutual hollering about a second Watergate, with the two sides disagreeing over who, exactly, was the Nixon figure this time around. The President's partisans argue that the surveillance was either entirely illegal or, at best, an illegitimate exploitation of the FISA process for a political end. The former President's partisans retort, essentially, that no one could actually abuse FISA, and that, if there was surveillance, then there was lots of smoke that convinced the judges there was probable cause of some espionage fire. Despite the predictable degree to which minds appear to be made up, the story is, as they say, "developing."

Dave Bittner: [00:07:45:06] Time for a message from our sponsor, Netsparker. You know web applications can have a lot of vulnerabilities, I'm sure you've heard that, as a regular listener of this podcast and, of course, every enterprise wants to protect its websites. But if you have a security team you know how easy it is for them to waste time calling out false positives. You need to check out Netsparker. Their technology not only automatically finds vulnerabilities in web applications, but it automatically exploits them too and even presents a proof of exploit. Netsparker cloud scales easily, you can use it to automatically scan thousands of websites in just a few hours. You can learn more at But don't take their word for it, go to, for a free 30 day fully functional trial of Netsparker desktop or cloud. Scan your websites with Netsparker for a month, no strings attached. That's and we thank Netsparker for sponsoring our show.

Dave Bittner: [00:08:48:03] And joining me once again is Rick Howard, he's the chief security officer at Palo Alto Networks, where he also heads up Unit 42, that's their threat intelligence team. Rick, you and I have talked about orchestration before, security orchestration, do you want to take a little time today to give us a little background, a little idea of how we got to where we are today?

Rick Howard: [00:09:07:05] Sure, I'd love to do that. As you know, automatic orchestration is this idea with all the security tools that we have deployed in our environment, how can we automate the process of converting newly discovered indicators or comprise into new prevention and detection controls across all the tools, especially since most of us use a different vendor for each of those tools and you know what? Security vendors don't like to talk to each other. So, in order to understand how we got to this problem, it's useful to go back in history a little bit and when I started doing this back in the 1990s, the prevailing security philosophy was something called defense-in-depth, you've heard of this. Deploying multiple defensive controls in front of the adversary, in an effort to stop the adversary's advance. Now, the military has been using this idea forever and some say, since the time of the Romans. The nuclear facility [INAUDIBLE] have been using that same idea to build their structures, since the 1960s. I was curious about who came up with the term for using it in cyber security space. So I looked around, looked around, couldn't find the source. So, I put the question out on social media and said, anybody know who came up with the idea of defense-in-depth for network defenders? All the military people came out of the woodwork and said they had capture that phrase in their doctrine, in the early 2000s. But I know that was too late, so I kept looking and finally found a paper written in 1991, by a malware researcher, named Fred Cohen. Now, in this paper, he didn't say that he invented the idea, he just said that network defenders should be using the concept. So it didn't really prove that he was the originator, but I couldn't find anything else, so I got fed up and I called him, I said, "hey, Fred, are you the guy that invented-- I know-- network defense-in-depth for us?" And he, said, "no, no, no."

Dave Bittner: [00:10:56:23] He said, who is this and how did you get my number? [LAUGHS].

Rick Howard: [00:11:00:11] I have a stalker. [LAUGHS]. He said, no, he wasn't the guy that invented it, but he was probably the guy that first wrote it down in a paper. So, there you go, I'm giving him credit, Fred Cohen is the guy that invented defense-in-depth. Alright, so, I'm sure he'll be amazed that I've done that for him. So defense-in-depth worked great in the 1990s, but, you know, as the adversary matured, it started to not work so well. The bad guys regularly found ways to sneak through the seams. And so, but it was the only philosophy we all had, so we all still used it. That changed back in 2010, you know, Lockheed Martin published their now famous Kill Chain Paper and that really disrupted the entire industry. And I always assumed that “kill chain” came from the Lockheed Martin guys, but I found out that that is not true, okay, they're not the ones that originated the phrase. It comes from a guy, an Air Force general by the name of John Jumper and the reason he came up with the phrase was, do you remember back in the Gulf War, what we were all worried about? The First Gulf War now? It was the Iraqi Scud missiles. Right, Saddam Hussein was launching these things in the civilian populations and the US Air Force and the US Navy had a really difficult time, finding them and destroying them, before Saddam Hussein could launch them. So, after the war, General Jumper was given the task to fix this problem. So he told his staff on the Air Force, that we need to be much more quicker at finding targets on the battlefield and destroying them. He told his staff, that he needed to, get this, reduce the kill chain from weeks down to minutes. All right, so he's the guy, right. increased, the are the same size.

Rick Howard: [00:12:39:17] So when Lockheed Martin wrote their paper, they took the idea from the Air Force and had tried to apply it to cyberspace. So, like I said, the paper revolutionized the industry. In the old defense-in-depth days, people like me, network defenders, you know, we managed, you know, three to four tools, but in the post Kill Chain Paper days, small organizations, I mean small business, they typically have ten to fifteen tools deployed, medium sized organizations have 50 to 60 tools and larger organizations, you know, like the Goldman Sachs of the world, they have over 150. And by the way, nobody's infosec staffs increased, the staffs were the same size. So the result is, that most organizations do not have time to correctly manage all the tools that they have and the network defenders have started to demand from their vendors, that we manage the orchestration for them. So, the whole point of this is, the reason we need orchestration is because we're trying to fix the problem we caused ourselves, when we all said that the kill chain was the right philosophy to adopt.

Dave Bittner: [00:13:41:21] All right, all that and a little history professor throw in there, huh, Rick?

Rick Howard: [00:13:45:03] [LAUGHS]. Thank you, sir.

Dave Bittner: [00:13:47:08] All right, thanks for joining us, as always.

Dave Bittner: [00:13:51:22] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit Thanks to all of our sponsors who made the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you from cyberattacks, head on over to We hope you'll check us out on Facebook, Twitter, and LinkedIn and if you'll head on over to iTunes and leave a review for our podcast, well, that's really helpful as well. It's one of the best ways that you can help new people find our show. So thanks in advance. The CyberWire podcast is produced by Pratt Street Media, our editor is John Petrik, our social media editor is Jennifer Eiben, our technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.