The CyberWire Daily Podcast 7.20.18
Ep 645 | 7.20.18

Cyberespionage and influence operations. Big botnet assembled in less than a day. Monetizing stolen paycards through online games. Amazon nudges developers. Report on Huawei. Phishing notes.

Transcript

Dave Bittner: [00:00:03] The U.S. intelligence community remains convinced the bears are up to no good. Finland experienced elevated rates of cyberattack during the Helsinki summit, mostly Chinese espionage. The hacker Anarchy assembled an 18,000-member botnet in less than a day using known vulnerabilities. Crooks monetized stolen credit cards through online games. Amazon works to induce better AWS configurations. The U.K.'s annual report on Huawei is out. And we've got some phishing campaign notes.

Dave Bittner: [00:00:40] And now a word from our sponsor, ObserveIT. What in the world could old '80s technology have in common with insider threat management? Well, visit the ObserveIT booth at Black Hat in Vegas to find out. They're going back to the '80s to reminisce about throwback technology and show you how to take a 21st-century approach to your insider threat management strategy. Your Nintendo, floppy disks and OG Macintosh computer will all be there next to your dusty DLP solution to remind you why #ThrowbackThursday technology should stay in the past. It's time to go back to the future with ObserveIT for a more complete and modern approach to data loss prevention. Gain visibility and insights into user and file activity instead of simply locking data down with cumbersome tags, limitations and rules. And before you head out, take ObserveIT's quiz on which '80s pop culture icon best represents your insider threat management strategy. Whether you're Han Solo, Tron or Egon from "Ghostbusters," you're a pretty righteous dude. Visit observeit.com/cyberwire and take that quiz today. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:05] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 20, 2018. The U.S. intelligence community remains convinced that the threat of Russian cyberattacks is real and imminent. Director of National Intelligence Coats reiterated this conclusion at the Aspen Security Forum this week. Speaking of influence operations, he said, quote, "it's undeniable that the Russians are taking the lead on this. Basically, they are the ones that are trying to undermine our basic values, divide us with our allies. They are the ones that are trying to wreak havoc over our election process. We need to call them out on that. It's critical that we do so and then take steps to make sure that they're not able to do this with an election coming up," quote. The U.S. Department of Justice has also announced its intention of alerting the public when foreign attempts to influence or interfere with elections are detected.

Dave Bittner: [00:03:02] As often happens during high-profile events, Finland experienced heightened cyberattack rates during the Russo-American summit. This is the conclusion security firm F5 reached this week. As with earlier U.S.-North Korean meetings in Singapore, IoT devices were particularly targeted. There's an apparent shift in which parties were interested, however. This time, the espionage attempts seem to have come largely from China. The Kim-Trump meetings attracted more Russian attention, with the bears snuffling around Singapore.

Dave Bittner: [00:03:35] A large, 18,000-strong botnet was swiftly assembled by a malware author who goes by the nom de hack Anarchy, probably the same individual also known as Wicked. He or she exploited routers using the well-known vulnerability CVE-2017-17215. What's disturbing is not the negligible damage, but the ease and speed with which Anarchy pulled the botnet together. What botmaster Anarchy, or, if you prefer Wicked, was up to with the escapade isn't entirely clear. He was certainly counting coup and doing some chest-thumping, according to a report in Bleeping Computer. But again, the swift growth of his bot herd is disconcerting.

Dave Bittner: [00:04:19] You ever play Clash of Clans? Well, sure you do. You might as well admit it. There's no shame, and we're not here to judge. Have you ever bought gems or spell books? Sure you have. You've got a credit card, haven't you? Or maybe you've got your parents' credit card, still staying at home. Alas, real bad guys are infesting Clash of Clans, and not only the village and the builder base, but other games, as well, with Clash Royale and Marvel: Contest of Champions also being mentioned in dispatches. Security firm Kromtech, well-known for their exposure of misconfigured AWS S3 buckets, rains on our gaming parade with this bit of news. Criminals are using popular online games to launder money. They purchase in-game stuff with dirty money and then resell their stuff, often in the form of player profiles for legitimate money in various third-party gamer markets. So here's some gamer social responsibility for you. If you're wheeling and dealing in game currency, potions and even dark elixir, you may be serving as an unwitting money mule for the cybermob. By the way, our Clash of Clans desk tells us that you'll get the most bang for your buck if you level up giants, stealth archers and barbarians first, but we suspect their analysis will be controversial only because of the bias it displays in favor of ground units against dragons. Talk amongst yourselves.

Dave Bittner: [00:05:48] To return to Kromtech's investigations, they continue to note that people still don't configure their Amazon Web Service S3 data buckets in a way that would render them inaccessible from the bigger internet. We mentioned earlier this week their disclosure. They'd found exposed U.S. voter information in a bucket left out by the robocalling firm RoboCent. They also found an unsecured MongoDB database left open by the criminals who compiled it, presumably inadvertently. The criminal exposure of personal information is regrettable, but their self-exposure is not, so good hunting, police.

Dave Bittner: [00:06:26] But one does hope that legitimate users of cloud services get some help working more securely. To that end, Amazon is experimenting with two tools, which they're calling Tiros and Zelkova, that may help developers avoid AWS misconfiguration. Tiros maps network connections and thus can display unexpected and unintended access from the internet. Zelkova benchmarks S3 buckets against other elements of an enterprise's infrastructure and helps reveal how permissive an AWS configuration is in comparison to the rest of the infrastructure. Both tools are intended to show you misconfigurations before they bite you.

Dave Bittner: [00:07:07] The U.K. government's Huawei Cyber Security Evaluation Center reports that Huawei products had underlying engineering issues that affected national security, but that these seem to have been mitigated. Huawei is spinning the report as good news. That the British government has an organization whose job it is to keep an eye on whether Huawei might prove a security problem is instructive, indicating both awareness of risk and the degree to which British infrastructure is entangled with the Chinese company.

Dave Bittner: [00:07:39] Finally, you may have received scam emails with dubious attachments that appear to come from British universities. An ongoing criminal campaign spoofs emails from their domains. We've been noticing them. Our gunnery desk keeps getting emails from the University of Wales Saint David Trinity (ph) inviting them to open the attached invoice. They thought, at first, it was a really aggressive fundraising campaign. But no. It's a scam. Tell every member of your clan.

Dave Bittner: [00:08:13] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. And we thank VMware for sponsoring our show.

Dave Bittner: [00:09:14] And joining me once again is Zulfikar Ramzan. He is the chief technology officer at RSA, a Dell Technologies business. Zuli, welcome back. We wanted to talk today about cyber risk and quantifying that risk. What do you have to share with us today?

Zulfikar Ramzan: [00:09:28] Yes. You know, that's a huge problem. And I talk to a lot of our customers. They're interested in the idea of trying to mitigate or manage their risks fundamentally, but at the same time, very few of them have a consistent and rigorous view of what that means. And so I'll give you one example. I was talking to the CSO of a major hospital, and they were telling me that their biggest risk was ransomware. And, you know, to a certain degree, you know, ransomware is an issue they have to deal with, but ransomware itself is not actually a risk. Ransomware is a class of threat. If that threat were applied to a particular asset and took advantage of a vulnerability on that asset and resulted in a loss for the organization, it's the amalgamation of all those elements - the likelihood that the event happens and the overall likelihood (ph) of the loss that occurs as a result of that then happening - it together really constitutes risk. And until you think about risk more holistically, it's hard to actually do anything that's going to be meaningful in terms of mitigating it.

Dave Bittner: [00:10:22] So in that situation, ransomware is the problem that could cause the - for example, the hospital to not be able to treat patients. That's the true risk.

Zulfikar Ramzan: [00:10:32] Exactly. Yeah, exactly. You have to look at both together because what happens is, if you don't ask yourself - you have to ask yourself kind of two fundamental questions. No. 1, how likely is an event to happen? The second question is, what is the actual loss that could occur if that event would have happened? And that loss might be the initial loss.

Zulfikar Ramzan: [00:10:48] So for example, there may be, you know, patient loss. There could be the loss in terms of the actual ransom you have to pay out. But there're also secondary losses as well, like, for example, the cost of reimaging systems or doing forensics works or hiring incident response teams or, in some cases, bringing in outside legal counsel. And we actually had one customer a while ago who spent about $30,000 in ransom payments. But if you looked at the overall loss of ransomware for that organization, it was almost $4 million when you counted all the things I just mentioned earlier.

Dave Bittner: [00:11:16] So what are your recommendations? I mean, how do we do a better job communicating that this is the way it needs to be approached?

Zulfikar Ramzan: [00:11:24] Well, that's a great question. I think, fundamentally, the first recommendation is, ultimately, when you think about businesses and what they're trying to achieve, it's very different to what a security practitioner tends to talk about. Security practitioners tend to talk about threats a lot. The reality is that businesses care about risks, fundamentally. And so the first thing you have to do is, No. 1, draw a distinction between what's possible versus what's probable. Many threats are possible in the environment. A small number are actually going to be probable threats you have to worry about, and then consider the loss associated with those threats.

Zulfikar Ramzan: [00:11:52] The second piece of advice I have is to avoid trying to aim for perfection. Look; there's nobody who can quantify cyber risk perfectly. That's just not going to happen. But what we can actually hope to do is have a consistent and rigorous framework that accounts for many of the elements that talks about risk in the same way across different parts of the organization. It's as if somebody were to tell you, would you get on a plane if you found out that the engineers who designed that plane didn't have a common definition of terms like mass or acceleration or velocity? The answer is probably no. The same thing should apply to cyber risk. We have to have a constant and consistent definition of what it means.

Zulfikar Ramzan: [00:12:26] And then, finally, the third element that I talk about is the idea of focusing on V-I-A or VIA, which is visibility, insight and action. If you're trying to mitigate risk, you have to be able to measure and assess your risk. And that requires having visibility into your environment because you can't measure or assess what you can't see. But visibility on its own, while necessary, is not sufficient. Visibility can lead to this data landfill problem very quickly.

Zulfikar Ramzan: [00:12:48] What you then need to do is be able to glean insights from that visibility through analytics. Be able to identify what it is that matters most. And then, finally, you have to be able to take a set of actions against those insights. And it's those actions that ultimately will end up mitigating your risk, and you come back full circle through that loop. The goal for organizations should be to go through that loop as frequently as they can and try to tackle a little bit along the way each time as part of their overall journey in being able to manage their data risk.

Dave Bittner: [00:13:13] All right. Zulfikar Ramzan, thanks for joining us.

Zulfikar Ramzan: [00:13:16] My pleasure.

Dave Bittner: [00:13:21] And now some notes from our sponsor Cylance. You remember the old song. (Singing) Thanks for the memories. Well, sure, but no thanks for the memory-based attacks. This increasingly common class of cyberattack, the experts at Cylance will tell you, goes after memory as opposed to more traditional targets, like file directories or registry keys. They usually start when a script or file gets into an endpoint without exhibiting traditional file features. Once they're loaded, they execute and use the system's own tools and resources against the system itself. If you go to threatvector.cylance.com, you can check out their report on memory attacks. That's threatvector.cylance.com. We're pleased to say they're not just sponsors of the CyberWire. They're the people who protect our endpoints. Visit cylance.com to learn more. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:14:22] My guest today is Mark Peters. He's the author of the recently published book "Cashing in on Cyberpower." He currently works in the United States Air Force as a career intelligence officer with over 21 years of experience there. His book, "Cashing in on Cyberpower," analyzes over 10 years of cyberattacks, seeking to understand where state and nonstate actors use those tools to generate economic effects through today's cyber-connected world.

Mark Peters: [00:14:49] When I started out doing my research, I was actually looking for how people would do an identity-based attack in cyber, how they'd look at, you know, kind of a character assassination through cyber. And that really wasn't working. It really wasn't supported very well. So I started looking at the traditional military analysis strategy for the DIME aspect, or the diplomatic, information, military and economic look, and to see where the different characteristics were. And I thought, you know what? It might be easier to do an economic-based attack than it would be to do a military or information or some other type of attack in cyberspace. So I looked to see if I could find enough data to actually compare those numbers in a useful fashion.

Dave Bittner: [00:15:29] So take us through. What did your research uncover?

Mark Peters: [00:15:32] So actually, most of the attacks - and this was looking at - I used the Center for Strategic and International Studies, the CSIS guys - they did a look at cyberattacks - or significant cyberattacks since 2006. So I started out using their characterization to identify attacks. And it really uncovered that most of the attacks for this period, from about 2006 to 2015 - or at least ones I was able to uncover and get useful data on - secondary sources of data - were mostly still in the information sector. And then after the information sector came economic as a secondary source. Information, economic and then diplomatic was the third.

Dave Bittner: [00:16:12] Now, when you compare what's going on today in the cyber domain to what has happened historically throughout time, how have things changed? And how much are they just new versions of old tactics?

Mark Peters: [00:16:25] The numbers have gone up significantly. Because I was trying to look more at the functions and the actual - delve into which techniques they were using, as - I didn't really get into a lot of those numbers. What I found in going through was I picked up a couple of interesting items to also do case studies on. And the ones I wound up doing case studies on were the Codan company in Australia lost some IP to China doing gold detectors. I looked at some TTP data losses for Japan that actually slowed their engagement with that process. And then I did get a look at the initial Ukrainian cyberattack in 2015.

Dave Bittner: [00:16:58] When it comes to this notion of disproportionality, I think many people would agree that the cyber realm is an area where, certainly compared to having a military, you can get a strong outcome through less investment than - you know, in terms of influence on a global nature, you can get a lot done without spending a lot of money.

Mark Peters: [00:17:21] I think that all depends on how much influence you want to have and what impact you want to have. The criminal actors actually did have more economic attacks than the state-based actors overall. And I think, you know, if a state wanted to go out and steal all the money from the ATMs, they could do it with significantly lower investment than the criminals are. But I don't think that's in their best interest or shows the best reactions to them in the long run, right? You don't want to be known as the state that stole everybody's ATMs.

Dave Bittner: [00:17:49] Now, where do you suppose we're headed when it comes to international norms, in terms of both diplomacy and economics and how that would bleed over into the military?

Mark Peters: [00:17:58] I think like a lot of things, it'll probably stay fuzzy for a while. A lot of the work I did was with the interdependence by Joseph Nye, who's been a big - and Keohane - had been the big proponents of that or the big initial movers in that area. And that means that the more channels and the more dependent we get on somebody else, the more these little movements, even in that cyberspace, have effects on everyone else in that space. So as more people depend on it, and we talk about just basic internet connections, we talk about an internet of things and, you know, possibly even a concept of, like, a global cyber commons, the more difficult it will get to establish those red lines because everybody will be depending on it, or the easier that - you take everything down, your entire economy is going to collapse or your entire - everybody's going to be upset. You know, you look at getting snow in Maryland and how easy a couple inches of snow shuts down the whole city. If you kind of expand that analogy to a cyber, a couple little things done by a state in a cyber - if they shut down major portions of that economy, people are going to complain fairly quickly.

Dave Bittner: [00:18:59] And what would your advice be to policymakers, having done the research you did and writing the book? Now what would you share with them?

Mark Peters: [00:19:06] I would share they just need to continue looking at the area, and they need to continue looking at a bunch of different aspects of the area. We tend to overfocus on, like, the CVE and the OWASP to look at what the actual technique is and how to stop an initial malware attack without taking that expanded view to broaden out, look at kind of the strategy and the trends for where things are going. If you look at more of a strategy-based aspect, we get a better look at maybe how we need to prepare and how we need to plan, where we can set those red lines based on the fact that we know what our strategy, we know what our desired goals are, the objectives, and then we can move out from there.

Dave Bittner: [00:19:38] It seems to me like it's been a real interesting shift over the past couple decades about how much of the world economy depends on the cyber domain. And of course, with that, part of that evolution has been the cropping up of these bad actors - you know, criminals working there - but also the ability of nation-states to leverage that space as well.

Mark Peters: [00:20:02] I think that's a true factor. And I think we don't actually look at all the aspects of cyber we can get. I had written an article on the development of this book talking about how we could use cybertools to generate better sanction effects when we talk about doing economic and financial sanctions, that we're still doing a lot of those through the paper aspect in identifying things when we look at that if we had the ability or we had the cybertool, we could go out and maybe block a bank and then use that money to support the people we said we were going to support along the way. You know, there are other aspects to it, other things that we can do with those cybertools. But we're focused on using them in the military and not that whole government kind of approach.

Dave Bittner: [00:20:41] That's Mark Peters. The title of the book is "Cashing in on Cyberpower." And that's the CyberWire.

Dave Bittner: [00:20:51] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:21:17] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.