The CyberWire Daily Podcast 5.10.18
Ep 596 | 5.10.18

Cyber conflict between Iran and the US widely expected. ALLANITE threat group is after US, UK power grids. Jack-in-the-Box vulnerability. Signal's memory. Is ZTE going down?

Transcript

Dave Bittner: [00:00:00:22] Hi everybody, Dave here. We have updated our Patreon goals over at Patreon.com/thecyberwire. We are closing in on our goal of $1,000 per month and when we hit that goal, we will be able to publish Research Saturday transcripts, so if you're a fan of Research Saturday but you'd like to see transcripts of those shows, head on over to Patreon.com/thecyberwire, become a contributor and help us on our way to that goal. Thanks so much, every little bit does help, we do appreciate it.

Dave Bittner: [00:00:32:03] The US withdrawal from the Iranian nuclear deal is widely taken as heralding a new round of cyber conflict. Cyberattacks on critical infrastructure are seen as an asymmetric way of war. The ALLANITE threat group is observed successfully reconnoitering US and UK electrical power grids. Jack-in-the-Box does nasty things with images. Signal's self-deleting messages don't, or at least they don't always. And US sanctions may be putting ZTE out of business.

Dave Bittner: [00:01:07:07] And now a word from our sponsor LookingGlass Cyber Solutions, an open letter from the malicious botnet on your network.

Sponsor: [00:01:18:01] So, here we are. It's just you and me at this godforsaken hour, you're looking right at me too. I'm on the second monitor to the left. Had you seen me, you would have realized I compromised computers in your organization and they work for me now. Even if you had spotted me, your current process is too slow to catch me. You update your network rule sets once a week; I'll be in Cabo by then working on my tan.

Sponsor: [00:01:44:01] I love getting to know your company by the way, your financial data, personal records. I've got a piece of unsolicited advice for you. Check out what LookingGlass Cyber Solutions is doing. They've got some kick-butt technology that fends off cyber threats like me. Data breaches, ransomware, and stolen credentials. In real time. Be a hero with the LookingGlass Scout Shield Threat Intelligence Gateway. See the video at lookingglasscyber.com.

Dave Bittner: [00:02:25:19] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner, with your CyberWire summary for Thursday, May 10th, 2018.

Dave Bittner: [00:02:38:03] As the US announced its intention to withdraw from the Iranian nuclear deal agreement, concerns have risen over the prospects of renewed Iranian cyber offensives. Iran had been active against a number of targets in cyberspace, but its state-directed cyberattacks went into partial eclipse in 2015.

Dave Bittner: [00:02:57:08] That lull is generally attributed to Iran's response to relaxation of sanctions that followed conclusion of the Joint Comprehensive Plan of Action, popularly known as the Iran nuclear deal, in July of 2015. Under the Joint Comprehensive Plan of Action, Iran undertook to limit or delay certain aspects of its nuclear weapons program. On April 30th of this year US and Israeli authorities stated that Iran had failed to disclose a past covert nuclear program to International Atomic Energy Agency inspectors, and this Tuesday President Trump announced that the US would withdraw from the Joint Comprehensive Plan of Action.

Dave Bittner: [00:03:38:01] The US decision to withdraw from the agreement is expected to reverberate in cyberspace, with concerns about critical infrastructure becoming sharper. We heard from Dragos CEO Robert M. Lee, who reminded us that when tensions rise between states, so does the targeting of industrial control systems. Lee said, "In this case, activity moves beyond conducting early reconnaissance to gaining access to infrastructure companies and stealing information that could be used at a later date. However, simply having access to the information does not mean an attack is easy or imminent. Avoiding such tension while also defending against such aggressive efforts is the goal."

Dave Bittner: [00:04:19:15] Thus cyber risk can be reliably forecast to follow geopolitical tension. Phil Neray, Vice President of Industrial Cybersecurity at CyberX, a company specializing in ICS, SCADA, and industrial IoT security, reminded us that, "Iran has a long history of going after US targets, including the massive DDoS attacks they conducted on twenty-four US financial institutions during 2012 and 2013."

Dave Bittner: [00:04:48:12] Phil Neray sees cyber operations as an asymmetric way of warfare. "Cyber is an ideal mechanism for weaker adversaries like Iran because it allows them to demonstrate strength on the global stage without resorting to armed conflict. I expect that Iran will continue to escalate its cyberattacks on US targets but will keep them below the threshold that would require a kinetic response from the US."

Dave Bittner: [00:05:14:08] So far Iran's damaging attacks have come against targets located in its regional rivals, like Saudi Arabia, but in principle they could be extended to the US or elsewhere.

Dave Bittner: [00:05:25:01] Observers think it likely that a cyberattack attributable to Iran would draw a strong US reprisal. Recorded Future offers a lengthy assessment of Iran's cyber establishment. One interesting note: Tehran depends upon competing contractors for most of its offensive capabilities. There are at least fifty organizations that vie for the work. Studies of wiper malware issued this week by Cisco's Talos group are also worth reviewing as US-Iranian tensions rise. Shamoon, a wiper used against Saudi Aramco in 2012, has generally been attributed to Iran.

Dave Bittner: [00:06:00:15] There are, of course, other threats to infrastructure out there. Industrial cybersecurity experts at Dragos this morning released a report on ALLANITE, a threat actor the company says has been actively prospecting US and UK electrical utilities. They've observed "watering-hole and phishing leading to ICS recon and screenshot collection." ALLANITE resembles the Russian Palmetto Fusion group the US Department of Homeland Security described last year. Its target set is similar to Dragonfly's, but Dragos assesses ALLANITE's technical capabilities as being significantly different from those exhibited by Dragonfly.

Dave Bittner: [00:06:39:10] When ALLANITE first made its appearance last year, its successes had been confined to penetration of business and administration systems. But Dragos now confirms that ALLANITE has succeeded in extracting information directly from industrial control systems.

Dave Bittner: [00:06:56:12] Coming up in the next few days, ICANN, the nonprofit responsible for coordinating the maintenance of internet domain names and numbers, is expected to implement an interim plan in response to GDPR in an attempt to align privacy laws with the WHOIS system. Jonathan Matkowsky is a VP at RiskIQ, and he sees ICANN's plan as a potential serious threat to the open and public internet.

Jonathan Matkowsky: [00:07:21:20] Because WHOIS database has evolved, it's difficult to presume that every person would have expected WHOIS to be used for consumer trust and protection purposes or DNS security. At the same time, it's very difficult to go so far as to say that given the public nature of WHOIS and over time how increasingly available privacy and proxy registration services have been over the years, that people would not expect that these kind of processing activities take place with their data. So while consumer protection and consumer trust are not, when I look at it, the technical mission of ICANN as defined within its by-laws, they're more than just compatible with ICANN's mission.

Jonathan Matkowsky: [00:08:09:00] Therefore ICANN's temporary policy that I expect that they would be putting forth in the next several days, in my opinion should require new gTLD WHOIS database operators, to inform new registrants in a GDPR compliant manner, about the legitimate interests that are relied upon to share WHOIS personal data with ICANN, intellectual property rights holders, law enforcement, threat intelligence analysts, and incident responders for consumer protection and consumer trust.

Jonathan Matkowsky: [00:08:42:09] So if ICANN itself doesn't hold its gTLD WHOIS database operators accountable for abusing their discretion, or intentionally failing to assess these legitimate interests in thick WHOIS data requests, I think there'd be significant foreseeable damages that would inevitably result. So as far as the public WHOIS, I think ICANN needs to make sure that newly registered organizational domains, if not actually ICANN that needs to make sure, it's those collecting the data. It's gTLD WHOIS database operators. They need to make sure that when they collect for newly registered organizational domains, WHOIS information registering details that they don't collect personal data in email addresses without having unambiguous consent to do so and because otherwise this is used as an excuse basically not to include organizational emails in the public WHOIS because it creates concerns under GDPR for some.

Jonathan Matkowsky: [00:09:50:20] I think that ICANN and its board members have a fiduciary duty to ensure that they don't issue a temporary policy for WHOIS output that causes unnecessary DNS abuse. They should expect damage reports to be collected - without accountability it's meaningless. ICANN's job is not to enforce GDPR; its job is to fulfill its mission consistent with applicable laws including GDPR. What's required is that there be a way to hold gTLD WHOIS database operators accountable for either intentionally or recklessly either failing to conduct a GDPR required legitimate interest analysis for WHOIS data requests, or abusing their discretion.

Jonathan Matkowsky: [00:10:42:17] Now ultimately, I don't want to see the internet fragmented like this for gTLDs. That is an SSR concern as many people have expressed. The community has been working on a tiered access model. Lack of accreditation is not supposed to be used to infer lack of GDPR compliance, and a legitimate interest analysis is required by GDPR. We need to streamline this process or it's going to cause damage to the internet because there'll be fragmentation and in practice it will just be a very difficult situation.

Dave Bittner: [00:11:23:22] That's John Matkowsky from RiskIQ. If you're looking for more of the details on this topic, RiskIQ has a blog post on it, it's on their website.

Dave Bittner: [00:11:33:15] Security company Aqua describes an image-pull vulnerability in Windows. They're calling it "Jack-in-the-Box." Aqua has a proof-of-concept that shows the possibility of extracting malware from a maliciously crafted image into any directory on the target system. Exploitation occurs during the process of unpacking the image.

Dave Bittner: [00:11:54:13] If you're a user of the self-deleting messaging app Signal, take note. Signal's disappearing messages apparently don't disappear, at least not by default. Self-deleted messages persist for some indefinite period in macOS' Notification history. You may want to turn off notifications.

Dave Bittner: [00:12:14:01] Chinese device maker ZTE may be down for the count. US sanctions that prevent it from buying from US suppliers have induced it to cease major operations. Deprivation of Android software and Qualcomm chips appears to have been the final blow. One hesitates to sound Taps on such short notice for any company, especially one as large as ZTE, but things certainly don't look good. A representative reaction may be seen in Australian telco Telstra, which has announced it will no longer sell ZTE phones. It isn't dropping them for security reasons, but rather because it seems unlikely to them that ZTE will be able to continue to deliver and maintain its products. It's a globalized supply chain, and no industrial nation is exempt from the consequences of that globalization.

Dave Bittner: [00:13:08:21] Now a moment to tell you about our sponsor ObserveIT. It's 2018, traditional data loss prevention tools aren't cutting it any more. They're too difficult to deploy, too time consuming to maintain, and too heavy on the end point. They are high maintenance and require endless fine tuning. It's time to take a more modern approach. With ObserveIT you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out of the box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization.

Dave Bittner: [00:13:42:17] That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at Observeit.com/cyberwire. That's Observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:14:18:05] And I'm pleased to be joined once again by Robert M. Lee; he's the CEO at Dragos. Robert, welcome back. I wanted to discuss today something that you have published that is called The Sliding Scale of Cybersecurity. Can you take us through what's going on here?

Robert M. Lee: [00:14:33:07] Yes absolutely. So it's a paper I published a couple of years ago at SANS and it's been an extremely useful model. I've been humbled by how many folks in the community have found it valuable. So when I talk to folks and they say "Oh what do you do?" "I do cybersecurity." "Well that's not a thing. Like what do you actually do?" And it's good to know where we can make investments and what the return on that investment would be. So in the scale I put forth, there's really five categories of things you can do.

Robert M. Lee: [00:14:57:06] On the left hand side of the scale there's architecture, sort of planning and building the systems with security in mind and logging and things that you need, getting it right from the start. Patching, maintaining it, et cetera. The next over would be passive defense which is the technologies and tools that you can add into the environment to give you visibility or protection from some of the threats.

Robert M. Lee: [00:15:17:10] The next is active defense, which is the analyst, the human component. This is where the human gets involved to investigate, correlate and respond and hunt and be in the environment, which to me is really the most powerful piece when you build towards that because you're putting human defenders against human adversaries. Next is intelligence, which is where we look through intrusions and collect data and try to extrapolate it into useful intelligence on the threats.

Robert M. Lee: [00:15:44:22] Finally is offense, and I even put it in the scale, absolutely. Offense is technically one of those things that you can do even if it's for self defense actions, not retribution, but for, like, legal countermeasures. Really the whole point of the scale was originally to push back against offense, saying look, if you pattern out all that you could do, the highest return on investment is on the left hand side of the scale, moving to the right. So if you build it right to begin with, you have a good defensive architecture with good passive defenses, the amount that you have to spend into active defense to get a good return on investment is minimal. If you don't know what your architecture is, you don't have tuned firewalls, I don't care how many SOC analysts you hire, it's going to be a hard time for you.

Robert M. Lee: [00:16:28:01] If you've got a well-understood architecture and well-tuned environment, then you eliminate a lot of the noise that you need less human analysts to actually facilitate that. To be quite blunt, I've always told folks, look, if the folks that think that they can go back and hack back, like, "I've been had and I'm going to go hack back," if you think that's going to be effective for you, you're wrong. It's a very poor return on investment in terms of the resources required to do that and we need to actually invest where appropriate, build a road map for where we want to be and make sure the architecture and passive defense investments you're making align with where you want to be with your active defense and intelligence components, or make sure that the investments towards the right hand side of the scale, active defense and intel, actually align with what you already have in architecture and passive defense.

Dave Bittner: [00:17:17:04] Do you find that people sometimes get these out of order in terms of how they take on these various items?

Robert M. Lee: [00:17:26:04] All the time. It's not really that you have to move one category to the other, but if I looked at your security program and where you've invested overall as an organization, I'd expect almost kind of a waterfall kind of approach where there might be 40 percent in the architecture, 30 percent in the passive defense, 20 percent in active defense and ten percent in intel or something like that.

Robert M. Lee: [00:17:48:15] It won't always align with that, and that's fine, but you need to make sure you're not completely off balance. If 80 percent of your budget is going towards active defense and intel, well there's no way that you're actually getting a good return on investment because you definitely need to invest a lot more in your architecture and passive defense. I do a lot of the active defense and intel stuff. My classes at SANS, my company, everything's around "Let's go do hunting and intelligence, and this is really cool stuff!" But it's worth noting, it's not the starting place.

Robert M. Lee: [00:18:21:01] I see companies all the time that really love the idea where you can be with like a SOC, and they really like the cool new tools for investigations and response and orchestration and, "If we get this new intelligence, we're really going to understand the adversaries." But then they don't have an asset inventory, and they don't have tuned firewalls, and they don't have an incident response plan, and you have to push back and say, "You want to get to this place, but there are steps along the road to take to make it an actual good investment."

Dave Bittner: [00:18:52:22] All right. Robert M. Lee, thanks for joining us.

Dave Bittner: [00:18:59:20] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. Find out how Cylance can help protect you using artificial intelligence, visit Cylance.com. And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:19:19:07] And thanks to our supporting sponsor, VMware, creators of Workspace ONE intelligence. Learn more at VMware.com.

Dave Bittner: [00:19:27:24] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.