The CyberWire Daily Podcast 11.13.17
Ep 474 | 11.13.17

Vault 8 and false-flag allegations. Mole hunting. Equifax breach costs. ISIS returns to WordPress defacements. RoK domestic political influence scandal.


Dave Bittner: [00:00:01:04] We know a lot of you value The CyberWire, and that it helps you do your jobs better, and we hope you'll check out our Patreon page at, and become a regular supporter. Thanks.

Dave Bittner: [00:00:15:03] Vault 8 succeeds Vault 7 among WikiLeaks dumps, but it's still all CIA all the time from Mr. Assange and company. GCHQ expresses concern about Kaspersky antivirus products. Media reports suggest that NSA is in the middle of a big mole hunt. Equifax begins to tally up the costs of its breach. The US Intelligence Community reiterates its conclusion that dog bites man, or rather, that Russia wants to work mischief with the United States. ISIS defaces school websites. Some notes on South Korea's domestic influence investigations. And a look back at the SINET showcase.

Dave Bittner: [00:00:56:15] Time for a message from our sponsor, the good folks over at Recorded Future. You've heard of Recorded Future; they're the real-time threat intelligence company. Their patented technology continuously analyses the entire web to give Infosec Analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy-lifting in collection and analysis, that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and the price is right. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:00:12] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, November 13th, 2017.

Dave Bittner: [00:02:11:09] Last week's WikiLeaks dumps from Vault 8 are drawing attention. They are the successor to the Vault 7 leaks, on which WikiLeaks has dined out for much of 2017. Vault 8 is, like Vault 7, concerned with alleged CIA cyber operations, but with a difference. The contents of Vault 7 were ancillary materials, like manuals and presentations, that purported to deal with offensive cyber operations, implants, and so on. Vault 8 includes the source code associated with the alleged operations.

Dave Bittner: [00:02:43:21] This represents an escalation, of sorts, because leaked code can of course be repurposed, as the exploits released by the Shadow Brokers were. The "Hive" code, as it's called, isn't thought to pose an immediate threat to most Internet users. It's thought to be most likely useful as a way of staging infrastructure that could be used in further attacks.

Dave Bittner: [00:03:04:23] Of greatest interest is the appearance among the leaks of material that suggests the CIA allegedly used a false-flag operation to disguise its own activities as operations conducted by Kaspersky Lab. This hasn't served to remove the cloud of suspicion under which Kaspersky finds itself, certainly not in the US, where there's no sign at all that the government is retreating from its determination to remove the Moscow-based company's security software from its systems.

Dave Bittner: [00:03:32:03] And in the UK, GCHQ adds its voice to the other Kaspersky-sceptics. The intelligence agency over the weekend deplored Barclays Bank's deployment of Kaspersky antivirus to help secure its customers. Their reasons are essentially the same as those advanced by the US Departments of Defense and Homeland Security: Kaspersky's intrusive inspection of files can reveal too much about the systems it's installed to protect. Barclays says it's decided to remove the Kaspersky offering from its services for "commercial reasons," and that it's neither discussed the matter with, nor been influenced by, GCHQ.

Dave Bittner: [00:04:08:20] NSA and its partners in counterintelligence continue to struggle through its investigation of leaks that wound up in the Shadow Brokers' hands. Three people have been taken up by the investigation, two of whom - Hal Martin and Reality Winner - are awaiting trial. The third individual was the first one fingered, back in 2015 and shortly before the Shadow Brokers began their damaging publication of alleged NSA documents. That person has yet to be publicly identified, but the New York Times at least regards NSA as being in the throes of a full-blown mole hunt.

Dave Bittner: [00:04:42:21] Those interested in the costs a breach can exact from a company may wish to take a look at what Equifax reported to its investors late last week. Third-quarter expenses related to the breach the credit bureau sustained included $55.5 million in product costs, $17.1 million in incident response and other professional fees, and $14.9 million in customer support. The company's managers also reported that they expect additional costs to reach somewhere between $56 million and $110 million "in the coming months." These don't include estimates of losses from class-action lawsuits, many of which are pending in several US states.

Dave Bittner: [00:05:25:02] The US Intelligence Community reiterates its conclusion, despite denials by President Putin, that Russian agencies indeed sought to influence US elections. That influence seems largely to have been designed to reduce trust in American institutions.

Dave Bittner: [00:05:41:14] ISIS shows itself capable of defacing poorly defended school websites with slogans, but little more. About 800 schools in the US, all of whose sites were operated by the SchoolDesk service, were affected. The defacement included audio in the Arabic language, the displayed text "I love Islamic State" and, oddly, pictures of the late Iraqi dictator Saddam Hussein. The skids behind the hack are thought to be a bunch of ISIS-sympathizing hacktivists known as Team System DZ. They've been on security researchers' radar since they cut their teeth on defacing poorly protected websites with pro-Palestinian messages in 2013. This activity, it's worth noting, predates the formation of ISIS. The Cryptosphere notes that Team System DZ is basically a one-trick pony: they hit vulnerable WordPress sites. Such puerile vandalism has had little evident effect in the past, but it has come to define the style of jihadist hacking. Atlanta-based SchoolDesk has turned its servers over to the FBI for inspection, and has retained the assistance of security firms in responding to the incident.

Dave Bittner: [00:06:51:23] A more serious campaign of inspiration appears to be in progress from ISIS rival al Qaeda, where Hamza bin Laden takes up his late father Osama's cause, posting audio files that urge the Umma's faithful to rebel against tyrants. Hamza's rhetoric tends toward unlikely insistence - he credits his father, for example, with bringing down the Soviet Union - but implausible inspiration has found its audience before.

Dave Bittner: [00:07:18:14] Last week's SINET Showcase in Washington, D.C. brought together its customary array of experts from government and industry. It also placed the SINET 16 on display: 16 companies selected for their success not only at innovation, but at successfully bringing that innovation to market. Those attending the conference heard a great deal about resilience (by consensus a possible goal in a way that complete security is not); the central role artificial intelligence plays in cyber R&D; identity management, policy enforcement, and browser isolation; and the dangers of regulatory overreach.

Dave Bittner: [00:07:53:19] They also received some realistic perspective on threat intelligence, and a warning against taking too seriously the would-be cyber privateers out there - those eager to hack back and board the enemy in their own digital smoke. We have extended coverage of the SINET Showcase on our website,

Dave Bittner: [00:08:12:20] South Korean investigation of alleged political meddling by intelligence services takes a sharper turn, as a former Defense Minister is arrested on charges related to domestic cyber operations alleged to have been undertaken by that country's intelligence services.

Dave Bittner: [00:08:28:15] And finally, thanks to Top10VPN's Privacy Central, which has named the CyberWire one of the top fifty best Infosec blogs. Right back at you.

Dave Bittner: [00:08:43:08] Time to share some information from our sponsor, Cylance. We've been following WannaCry, Petya, NotPetya, and other forms of destructive ransomware for weeks. Cylance would like you to know that they can prevent Petya-like ransomware from executing in your system, and they'd also like you to know that they've been doing that since October of 2015. How's that for getting ahead of the threat?

Dave Bittner: [00:09:03:02] Their success against NotPetya demonstrates the benefits of their temporal predictive advantage. CylancePROTECT stops both file and fileless malware. It runs silently in the background, and best of all, it doesn't suffer from the blind spots in legacy defenses that NotPetya exploited to such devastating effect. If you don't have CylancePROTECT, and if you'd like to learn more about how it can defend your enterprise, contact them at and find out how their AI-driven solution can predict and prevent the unknown unknowns from troubling you. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:09:44:22] And joining me once again is Rick Howard. He's the Chief Security Officer at Palo Alto Networks, and he also heads up Unit 42, which is their Threat Intel team. Rick, welcome back. Today, you wanted to take aim at a couple of network defender best practices: vendor-in-depth and best-of-breed. Why don't we start off by talking about what are these things?

Rick Howard: [00:10:06:09] Yeah. These things have been around since I started doing this back in the early nineties, right. And they kind of emerged as best practice for all network defenders, and let me just explain what they are. Vendor-in-depth is the best practice of, we would never choose a single vendor to do all of our security technology, because we don't trust those guys, you know. So if one failed, I would still have my other vendors that were doing other things. So, we would always--Our philosophy was to buy as many vendors as we possibly could.

Dave Bittner: [00:10:34:19] Don't put all your eggs in one basket.

Rick Howard: [00:10:36:11] Exactly. And it made sense back in the nineties, right. Back then, we didn't have many tools, all right, we only had three or four tools. But today, okay, we have, you know, even small organizations have 20 security tools deployed; medium-size have around 60; big organizations, like big banks, they have over 150. I was talking to a big bank CISO a couple months ago; he claimed to have 300 security tools deployed in his network. I know, and his big--

Dave Bittner: [00:11:05:13] [LAUGHS] It's not, it's not a contest, right?

Rick Howard: [00:11:08:22] [LAUGHS] Yeah, exactly. And his big task of the year was to reduce that by half, just to get it down to 150, okay? So, yeah. And we call these things "point products" for a reason, because they don't talk to each other. Every new tool that you bring on the network, you have to manage yourself, okay. And it is my experience that you pay for a point product four times; you know, you're going to buy the box; you're going to buy someone who can maintain it - you know, keep the blinky lights going; you're going to have someone who can understand the data coming off the box; and then you need a team of people back in the SOC who can put all the data from all the tools that you have into some coherent threat picture, and that gets really expensive really fast with the more tools you have.

Dave Bittner: [00:11:48:19] Okay.

Rick Howard: [00:11:49:09] So, that's vendor-in-depth. Best-of-breed is this idea that popped up in the early days that said, you know, when we buy a single vendor, we're going to find the very best one. And the way that most people do this is, they bring all the vendor tools in for whatever capability you are trying to, you know, buy this year. Let's say you're buying a new intrusion detection system; so you're going to bring all the vendors' intrusion detection systems into your lab, hit them over the head with a hammer for six months to find the best thing - it's usually based on performance - and whatever the latest shiny object is in the security community, all right.

Dave Bittner: [00:12:23:07] Right.

Rick Howard: [00:12:24:07] And then, if you pick a tool that--and replace the vendor that you currently have, you're going to spend the next six months to a year forklifting the old technology out of your network, and forklifting the new technology in, all to get to almost exactly the same spot you were when you started the project two years ago, right? This, this does not improve the situation, and it doesn't help you manage that vendor-in-depth problem we were just talking about. Okay? It's just churn--okay. It makes us look like we're busy, but we're really not getting any better.

Rick Howard: [00:12:54:02] All right. Well I'm making the case right now that we should jettison those two best practices, okay - vendor-in-depth and best-of-breed - and seek a new best practice; and here's the one I think we should pursue. Seek vendors who integrate. You need to find, find a partner, a security vendor that you like, that is already integrated with the tools you already have deployed, okay? Therefore, you don't have to do the work when you actually put them in place. You're going to have to decide to trust a vendor, okay? That they're going to keep up with the latest technology. And so, choose wisely, but choose ones that already integrate with what you have in place. I think that's the secret to success as we go forward.

Dave Bittner: [00:13:32:13] So you're saying, find yourself a platform that can kind of reach out across the various products and, and have them talk to each other?

Rick Howard: [00:13:41:20] Yeah, that, and that's the key. And this is really hard for people like me, all right? Because we've been trained for 25 years that that's a bad idea, all right? But I'm telling you, I can make the case that a platform that does most of the work for you and integrates with the tools that it doesn't do, and it does all that automatically, okay, that's going to be way more secure than you trying to manage, you know, 300 tools in your network.

Dave Bittner: [00:14:03:23] But what about the notion of redundancy? I mean, everybody wants to have a backup plan; how does that fit into this notion?

Rick Howard: [00:14:09:17] I think--I, I don't think we can afford backup plans. If you have 60 tools in your network, all right, that are all doing specific things, are you going to buy another 60 tools to have backups for all those? I just don't think it's possible to do that anymore. I think the key for securing our enterprise, in order for us to prevent material impact to our organization, is to make sure that whatever we deploy is almost automatically running, all right, that--and in order to do that, it has to integrate seamlessly with all the tools that are in your environment.

Dave Bittner: [00:14:41:20] All right. That's an interesting point of view, Rick. I'll have to wrap my head around that one. But as always--

Rick Howard: [00:14:46:13] Oh, you're not the only one [LAUGHS].

Dave Bittner: [00:14:48:14] Well thank, thanks for sharing it. We'll talk again soon.

Dave Bittner: [00:14:53:14] And that's The CyberWire. Thanks to all of our sponsors who make The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using Artificial Intelligence, check out

Dave Bittner: [00:15:06:12] If you find this podcast valuable, we hope you'll consider becoming a contributor. You can go to to find out how.

Dave Bittner: [00:15:14:18] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.