David Bittner: [00:00:02:15] A big thank you to all of our supporters on Patreon. You can find out how to support the CyberWire by visiting patreon.com/thecyberwire.
David Bittner: [00:00:13:00] Kaspersky Lab appears to have burned a US operation. Facebook has some other governments to answer to now and Facebook CEO Zuckerberg, finally discusses the Cambridge Analytica affair in public. Lawsuits and calls for regulation are shouted up. Best Buy shows Huawei the highway. And we have a brief wrap-up of the Billington International Cybersecurity Summit.
David Bittner: [00:00:40:06] And now some notes from our sponsor Cylance. You've heard a lot of warnings about Russian cyber operators and their threat to the power grid in the UK, North America and elsewhere. Ever wonder how they get in? Sure, there's phishing and spear phishing, those can never be discounted, but here's a twist. Cylance has determined that one of their ways into the grid is through routers. They've found that the Bears are using compromised core routers to hit government agencies and organizations in the energy, nuclear and commercial facilities, water, aviation and manufacturing sectors. That's a bigger haul than a fishnet could catch, don't you think? Go to threatmatrix.cylance.com and check out their report on Energetic DragonFly and DYMALLOY Bear 2.0. You'll find it interesting and edifying. That's threatmatrix.cylance.com. And we thank Cylance for sponsoring our show.
David Bittner: [00:01:44:17] Major funding of the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday, March 22nd, 2018.
David Bittner: [00:01:54:16] Kaspersky Lab's description of Slingshot malware is said by anonymous US officials, to have burned a long-running Joint Special Operations Command operation, that's JSOC, against the Islamic State and Al Qaeda. JSOC is thought to have abandoned the intelligence collection effort. Kaspersky did not identify the US as the operators of Slingshot. That's consistent with the company's typical practice, they usually stay away from attribution to particular governments. But they did call Slingshot an advanced persistent threat, which has come to be practically synonymous with intelligence service nowadays, and suggested that it was the work of a nation-state. Slingshot is thought to have been active for about six years. It was designed to pull large volumes of data from infected systems. It's an interesting case for several organizational reasons. CyberScoop, the publication with whom US officials spoke, notes that it's the first known case of a cyber operation being conducted by Joint Special Operations Command.
David Bittner: [00:02:56:09] JSOC is not to be confused with US Cyber Command or any of the Service Cyber Commands. It is a component of US Special Operations Command. The disclosure is unlikely to win friends and influence people in the US Government, which has kicked Kaspersky products out of its networks because the Intelligence Community assesses them as representing a security risk, too close to Moscow. Kaspersky is indeed headquartered in Moscow, but that's not the closeness the US Government objects to, it's upset about the prospect of the company's security products being used to collect on behalf of the Russian intelligence services. Kaspersky is challenging the Government's ban in US Federal court, alleging that it's been subjected to an unconstitutional bill of attainder. Maybe, but the Slingshot report is unlikely to tamp down the zeal of Government lawyers defending the ban.
David Bittner: [00:03:50:17] Facebook's legal and reputational trouble continues. German authorities have joined other governments in requesting explanations from Facebook over the Cambridge Analytica data use scandal in which the company is embroiled. The whistleblower who drew attention to what Cambridge Analytica was up to, says that Facebook knew about but chose to disregard that company's use of Facebook data. Yesterday, Facebook founder and CEO, Mark Zuckerberg, broke his public silence on the affair. Heavy snowfalls aside, the sighting does not mean four more weeks of winter, but most observers think his statement was too little and too late and a good lesson in how not to respond to the public about a very public incident. Reports to the contrary, Zuckerberg did indeed, on CNN say he was sorry the whole thing had happened and promised to do better with customer data. He framed the incident as being fundamentally about third-party apps and it appears that Facebook's response will initially at least concentrate on reining those in.
David Bittner: [00:04:49:05] Zuckerberg indicated his intent to testify before US Congressional panels investigating the company's data protection practices. So far, however, testimony has come from elsewhere in Facebook's leadership. And predictably, shareholders are filing lawsuits against Facebook. The data handling incident has severely hit the company's value in the markets.
David Bittner: [00:05:12:16] The whole Cambridge Analytica affair continues to prompt calls for more regulation of social media, to include efforts to stifle fake news, which some see as posing a war risk as well as the now familiar prospect of opinion manipulation. How this might be done in a way that respects, for example, freedom of speech, is unclear. Some think they see a model in 19th century newspaper reforms, but that's not clear either. William Randolph Hearst is unavailable for comment.
David Bittner: [00:05:43:19] We recently reported a new high water mark for DDoS attacks thanks to the memcached vulnerability. The attack reported by Akamai, topped out at 1.3 gigabytes per second. Over twice the size of the September 2016 attacks associated with the Mirai botnet. Chad Seaman is Senior Engineer on Akamai security intelligence response team and Lisa Beegle is a Senior Manager for security intelligence at Akamai. They join us to describe the record setting Distributed Denial of Service attack they recently experienced and helped mitigate.
Chad Seaman: [00:06:15:15] DDoS attacks are not uncommon. We see a lot of them every day, thousands of them a quarter. And they're being leveraged by all kinds of different actors for different reasons constantly. The previous high water mark for us was I believe 628 gigs?
Lisa Beegle: [00:06:31:03] 623.
Chad Seaman: [00:06:32:02] 623 gigs in September of 2016, that was beat just the other day with 1.3 terabyte.
David Bittner: [00:06:39:19] Lisa, can you sort of take us through what happens when something like this starts to come in, what, when do the alarms go off and, and what-- how do you kick into action?
Lisa Beegle: [00:06:49:09] So that obviously depends on the posture of the customer themselves. So, you have some customers that are always on the network, you have some customers that have onsite mitigation, you have some customers that make a business decision to be alerted internally and then route. In this last particular instance, this was an entity that had a protocol to actually monitor their environment independently and then make that decision, so that's what happened. There was an alerting mechanism that occurred, by the time they had actually identified what that anomaly was, there was a level of degradation and then it takes a few minutes to process that BGP change and for it to obviously propagate upstream. By that point, we had already deployed the ASLs that were required. So we had already identified what the attack was. It was obviously an exchange with the end user, based on what they were seeing and what we had been seeing prior to, so that we could harness the traffic and then immediately mitigate the attack.
David Bittner: [00:07:47:16] And so, so what are your recommendations for folks to, to-- in terms of mitigation against this memcached attack?
Chad Seaman: [00:07:52:13] Hold on.
David Bittner: [00:07:54:03] Sure.
Chad Seaman: [00:07:54:13] [LAUGHS] No, no and that is the advice.
David Bittner: [00:07:56:06] Oh, hold on. [LAUGHS] I see. Hold on. Please hold onto the bar.
Chad Seaman: [00:08:02:21] [LAUGHS] Yeah.
Lisa Beegle: [00:08:03:24] Well I think, I think when you think about attacks in general, right. So, it-- so Memcached included, I think one of the most important things that any organization can continue to do, is understand what their internal environment looks like. And some of that requires internal dialogue with regards to security and network teams. So, that folks understand not only what the vulnerabilities potentially could be, but they understand what assets they have and what process and protocols are in place as it relates to those potential events. And that they practice them. So I think what happens is, is we all get caught up in the, you know, the newest, latest, greatest type of attack and when things seem to be dying down, which technically they're not, but at the same time there's not this huge insurgence of press and attack activity, they become complacent. And it's at that point that they become vulnerable to potential impact.
David Bittner: [00:08:58:09] And in, in terms of this arms race, this sort of, this sort of cat and mouse game that’s being played here. Are the defenses against DDoS growing in, in parallel? Have we reached the point where defending against the DDoS is fairly routine?
Chad Seaman: [00:09:12:13] It depends on the DDoS but yeah, I mean it, it is fairly routine at this point. I would even say that at times it's somewhat boring. The attackers have their, their handful of tools and they continue to just eat everything to death with them. You know, it's just, it's just another day in DDoS, it feels like a lot.
Lisa Beegle: [00:09:30:14] Yeah, I think, I think from our perspective, I think from an end user standpoint, they may have a different perspective because again, it's based on what they have in place, what their appetite for risk is, what that posture is and it also does depend on the actor, right. So if you have an actor that understands an environment, the attack itself could become a little more complex. Now can we handle it? Absolutely. That being said, could there potentially be impact to that end user based on the knowledge from an attacker perspective and what their posture is? Sure. So again, that's where it becomes very important that they understand what is potentially vulnerable or at risk or what they can have, as it relates to an appetite for risk within the environment and then making decisions based on that.
David Bittner: [00:10:18:11] That's Lisa Beagle along with Chad Seaman, they are both from Akamai.
David Bittner: [00:10:24:18] Major US electronics retailer Best Buy, has stopped selling Huawei phones. Evidently responding to security concerns about the Chinese company. This is seen as a significant blow to Huawei in the consumer market.
David Bittner: [00:10:39:19] The Billington International Cybersecurity Summit met yesterday despite the early spring blizzard that hit the Eastern Seaboard. The policy leaders who spoke showed striking agreement that cyberspace had become normalized in policy and planning. It's no longer an exotic technical area accessible only to specialists, but a domain where nations, businesses and individuals lead much of their daily life. Discussions noted on the way in which like-minded nations, emphatically not including Russia by the way, were increasingly working collaboratively, both within alliance structures and bilaterally, to accept and manage common risk. In this context information-sharing has clearly become far less aspirational than it has been.
David Bittner: [00:11:22:16] US DHS Assistant Secretary Jeanette Manfra called for nations to begin thinking of cybersecurity as a matter of international digital public health. She also didn't neglect deterrence and the imposition of consequences. The Assistant Secretary explicitly cited last week's round of sanctions against Russian individuals and organizations as a response to ongoing Russian operations preparing a campaign against the US power grid.
David Bittner: [00:11:49:15] There was also some ambivalence about innovation on display. Several speakers cautioned that novel technologies represented risk as well as opportunity. As we mentioned on yesterday's show, Singapore's Commissioner of Cyber Security, David Koh, was particularly clear on this point saying, we exploit the technology, and run the risk of being exploited ourselves. Mr. Koh holds many other titles, too many to list here, and he explained the reason for the many hats he wears. Should something go spectacularly wrong, he said, "I can publicly resign in ignominy and then quietly move to a new job I already have." Good for you, sir. And congratulations too. Mr. Koh was yesterday the inaugural winner of the Billington Cybersecurity International Leadership Award.
David Bittner: [00:12:43:09] And now a moment to tell you about our sponsor ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operation and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. The pioneer in threat intelligence platforms, ThreatConnect provides organizations a powerful cyber threat defense and the confidence to make strategic business decisions.
David Bittner: [00:13:31:21] With ThreatConnect, your team works as a single cohesive unit reinforced by a global community of peers. To register for a free ThreatConnect account or learn more, visit threatconnect.com/free. That's, threatconnect.com/free to learn more. And we thank ThreatConnect for sponsoring our show.
David Bittner: [00:13:58:22] And joining me once again is Joe Carrigan, he's from the Johns Hopkins University Information Security Institute. Joe, welcome back.
Joe Carrigan: [00:14:05:00] Hi Dave.
David Bittner: [00:14:06:04] So I got a message from one of our listeners on LinkedIn and it's a common request, someone who is getting into cybersecurity, has a career in another line of work, this person happens to have an MBA already and is taking some classes to get into cyber. But they're wondering when they get their new degree, how are they going to head out into the employment world? And it struck me that, well you folks over at Johns Hopkins are in the business of preparing people to enter the business world, so what advice do you have for someone in this situation?
Joe Carrigan: [00:14:38:03] So in that situation, that's kind of different from our students. Our students are generally coming right out of a bachelors program and coming right into our program. It is a full time immersive three-semester, very intense program. So, during the summer, we like to see all of our students take an internship. They have to complete a Capstone research project. It requires pretty much all of their time. So I'm assuming that this person, or and, and there are lots of other people in this position too, where they have full time jobs, who are currently available. My advice is that, you know, assess your situation. Are you in a situation where your company is paying for your masters degree in cybersecurity or your second bachelors in cybersecurity? If so, then look within that company and see if there's other positions in that company where you can kind of move laterally but get into the career field now.
Joe Carrigan: [00:15:27:07] If, if you're paying for it yourself, then you have a lot more freedom, right. You can look outside of the company and try to move into the career field. Even, even just having a couple of classes under, under your belt is good. Being able to say on your resume that I'm, I'm pursuing a masters degree in cybersecurity or a second bachelors or even a first bachelors in cybersecurity, and I'm doing it part time. Getting into the field is going to be the most important part of the career, is actually making that first move.
David Bittner: [00:15:54:03] And then one of the points you made, we were chatting beforehand was that, don't discount your previous experience as a, sort of a connection to your cyber knowledge.
Joe Carrigan: [00:16:04:03] Absolutely not. Your previous experiences is, is invaluable. You're gonna go into this field, you know the cybersecurity field, coming from a, a different background. You're gonna present a different way of thinking to the team you're gonna be working on and that is gonna be-- don't underestimate the value of that. It's gonna be very valuable to the team.
David Bittner: [00:16:24:07] And, and so how do you go out and market that particular, you know, that aspect of your career? I, I suspect, you know, some people feel like, well I don't have a computer science degree, you know, maybe I'm at a disadvantage to some of these folks who are coming through pure cybersecurity all the way.
Joe Carrigan: [00:16:41:21] Right, well one of the biggest hurdles that cybersecurity and any, any kind of IT or programming people face is they just don't have the, what I'll call real world experience. I mean they have real world experience in, in whatever their skill set is, but they've never been on the other side of, of the, of the computer screen, so to, so to speak. So, they may not have the understanding of the business processes that are involved with whatever it is that is done. A great case in point is, you know, I actually did a lot of business process analysis early on in my career to help people automate the process and you go into these, to these business, these folks who do this business and the process is actually very, very complex. You know, there's a lot of, or gates or if or out statements that you have to account for within, within a business process.
Joe Carrigan: [00:17:37:07] A lot of engineering people just don't understand that and that is probably the biggest value that you'll, that you'll bring to the table. The familiarity with the process.
David Bittner: [00:17:47:01] So if I'm a hiring person, I guess these folks should look at that previous career, it isn't something that holds them back, that, that could actually be a benefit. Because if I'm that hiring person, I'm gonna say, well there's a whole bunch of stuff that I'm not gonna have to worry about with this person. They've been out there.
Joe Carrigan: [00:18:03:20] Right. Exactly. I'm not gonna have to explain to them, you can't just tell them not to do that because they need to do that, whatever that may be.
David Bittner: [00:18:12:11] Yeah. Alright, good insights.
Joe Carrigan: [00:18:13:04] That is a variable here, as I said.
David Bittner: [00:18:14:20] [LAUGHS] Okay. Good insights Joe as always. Thanks for joining us.
Joe Carrigan: [00:18:19:12] It's my pleasure.
David Bittner: [00:18:21:23] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor E8 Security. Follow the behavior, find the threat. Visit e8security.com to learn more.
David Bittner: [00:18:44:07] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media. With editor John Petrik. Social media editor, Jennifer Eiben. Technical editor Chris Russell. Executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.