Dave Bittner: [00:00:04] Facebook - they're facing EU inquiries, congressional attention, FTC scrutiny and user unhappiness. The threat of Chinese election meddling seems to be a matter of concern in the U.S. intelligence committee. And despite promises, there was no livestreamed obliteration of pretty much anything yesterday.
Dave Bittner: [00:00:30] It's time for a message from our sponsor Recorded Future. You've heard of Recorded Future. They're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give InfoSec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting and collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel, and subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. It's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:35] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 1, 2018. WIRED has published a useful summary of what's known about Facebook's large data breach disclosed last Friday. On September 16, the company noticed an unusual spike of users accessing Facebook and began an internal inquiry. On September 25, they determined that someone had exploited a set of vulnerabilities in Facebook's View As feature, the one that lets you see your profile as others see it.
Dave Bittner: [00:02:09] The bugs interacted in what the company calls a complex way. And they think whoever the so-far-unidentified hackers were exhibited an unusual degree of sophistication. On September 28, Facebook disclosed that some 50 million accounts have seen some compromise of personal information. No criminal abuse of that information is so far known to have occurred. The bugs the hackers exploited came into existence during a 2017 upgrade.
Dave Bittner: [00:02:39] It's worth noting that the investigation is in its early phases. And it's possible the breach may either be worse than believed or that other issues will turn up as people continue poking around. One hopes that things aren't so bad. And it is possible that there will turn out to be no criminal abuse. But that hope seems, relatively speaking, weaker than the fears. After all, the criminals got something. And presumably, they're not mere hobbyists collecting PII the way others collect stamps.
Dave Bittner: [00:03:10] The incident has drawn more regulatory scrutiny from the European Union. Ireland's Data Protection Commission, which serves as Facebook's lead privacy regulator for the EU, announced Saturday that it has required the company provide more information about the incident, including which European residents appear to be affected. Fines under GDPR could reach $1.63 billion. The U.K. has also told Facebook's CEO Mark Zuckerberg that they want him to testify before Parliament about what some MPs call the terrible disrespect shown British citizens' data.
Dave Bittner: [00:03:47] Industry reaction to the Facebook breach has been to approve generally of the company's incident response while deploring the missteps that permitted the exploitation in the first place. The company was able, for example, to meet the EU's 72-hour deadline for breach disclosure, which some think will be a point in Facebook's favor when and if the EU decides to levy a fine, perhaps turning a whack on the head into a tap on the wrist. But it's early in the investigation to make any forecasts.
Dave Bittner: [00:04:18] In a separate action, the European Parliament is considering initiating an audit of Facebook over its entanglement with the Cambridge Analytica data scandal. Last week's disclosure seems to have largely undone whatever good was worked by COO Sandberg's testimony before the U.S. Senate. The U.S. Federal Trade Commission wants some answers, which is rarely a good thing for the company being asked to provide them. And comprehensive U.S. privacy legislation seems, at least today, likelier.
Dave Bittner: [00:04:48] The current FTC inquiry into Facebook predates Friday's disclosure and addresses the question of whether involvement with Cambridge Analytica violated a settlement Facebook reached with the FTC back in 2011. As FTC Commissioner Rohit Chopra told Gizmodo, quote, "these companies have a staggering amount of information about Americans. Breaches don't just violate our privacy; they create enormous risks for our economy and national security. The cost of inaction is growing, and we need answers," end quote.
Dave Bittner: [00:05:20] And Facebook's handling of phone numbers users provided for use as a second authentication factor has also provoked controversy. The numbers are used to enable SMS authentication. Researchers at Northeastern University and Princeton University say they've determined that Facebook uses those phone numbers to improve ad targeting. Gizmodo calls the practice "shadow contact information." Facebook doesn't really say they do this, but they did answer a question from TechCrunch as follows. Quote, "we use the information people provide to offer a better, more personalized experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you've uploaded at any time," end quote.
Dave Bittner: [00:06:10] The company also suggested that if you are unhappy with the uses to which it puts the phone number you give it for SMS authentication purposes, then you're always free to turn off two-factor authentication. Reaction to this suggestion has been generally chilly since two-factor authentication is widely regarded as a sound security practice. And besides, what are they going to do with that phone number you gave them in the first place?
Dave Bittner: [00:06:35] We would probably do well to remember that Facebook's business model involves using its free service to target advertisers toward its users. If you are a Facebook user, you're aware of this, surely. There's nothing wrong with advertising, but it's good to be clear with people about what you're doing with respect to targeting.
Dave Bittner: [00:06:55] Turning to election security, it appears there will be no further congressional action before the U.S. midterms, which some lament given widespread concerns about vulnerabilities in electronic voting systems. There may simply not have been enough time to do anything for 2018. And in any case, there are important jurisdictional and even constitutional issues at play. Voting is, for the most part, a state and not a federal matter.
Dave Bittner: [00:07:22] President Trump last week took a shot at China for the threat he said it posed to U.S. elections. Congressional woofing from across the aisle aside, the concerns he expressed are not apparently out of step with those within the U.S. intelligence community. There seems to be, the Voice of America says, a tendency by the Chinese government to follow the Russian influence operations playbook. Security firm FireEye has noticed, for example, an uptick of Chinese spear phishing directed at think tanks and other targets that would be of political, as opposed to economic, interest.
Dave Bittner: [00:07:55] It's also worth noting that like the Russian operations, these are influence operations as opposed to, for example, manipulation of vote counts or databases. The Russian influence operations in the 2016 election cycle seem to have as their goal the sowing of mistrust. Whether Chinese operations will have a tighter focus remains to be seen.
Dave Bittner: [00:08:18] And finally, to return to Facebook, that guy in Taiwan who was going to livestream his obliteration of Mark Zuckerberg's official Facebook page over the weekend decided against doing so. Instead, Mr. Chang Chi-yuan applied for a bug bounty. On Sunday, according to Bloomberg, which is watching the goings-on, Chang said, quote, "I'm canceling my live feed. I have reported the bug to Facebook. And I will show proof when I get a bounty from Facebook," end quote.
Dave Bittner: [00:08:47] In the meantime, he posted to his own Facebook account this little bit of self-examination. Quote, "I shouldn't try to prove myself by toying with Zuck's account," end quote. It's not known whether Chang and Zuck are on a nickname basis, but signs point to no. I mean, we're not on a nickname basis ourselves. And besides, Zuck has other fish to fry this week.
Dave Bittner: [00:09:17] Now a moment to tell you about our sponsor ObserveIT. It's 2018. Traditional data-loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time-consuming to maintain and too heavy on the endpoint. They are high-maintenance and require endless fine-tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats. And it's extremely difficult, even for the most technical users, to bypass. Bring your data-loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:10:26] And joining me once again is Rick Howard. He's the chief security officer at Palo Alto Networks. And he also heads up Unit 42, which is their threat intel team. Rick, welcome back. We wanted to talk today about the kill chain, specifically this notion of rebooting the kill chain. Let's start with some basic stuff here. What is the kill chain, first of all?
Rick Howard: [00:10:47] Sure. Hey, Dave, thanks for having me back. The intrusion kill chain was based on a paper written by the Lockheed Martin researchers back in 2010. It was this grand realization that there are humans behind every attack and that it isn't just one single thing they have to succeed in to accomplish their mission. They really have to accomplish several things down this thing they called the kill chain. And it's basically - they recon their victims for potential weaknesses. And they craft some weapon that will leverage those weaknesses. And they deliver it to some endpoint in the victim's network. And that can be a laptop, a server, printer, a fax machine - anything on which they can get a foothold.
Rick Howard: [00:11:30] Then they trick the victim, some user in there, into running that weapon and establish a beachhead on one of the endpoints. Now, they have not succeeded yet. They haven't accomplished their mission. But now they're inside the network. And what they normally do then is establish some command and control channel back out to the internet to download additional tools. Once they get that done, they usually move laterally in the victim's network, looking for the data they've come to steal or destroy. And once they find it, then they exfiltrate it out the command and control channel. So that's essentially what the intrusion kill chain is. Does that recollect with what you know about it?
Dave Bittner: [00:12:08] Sounds good to me, but how do we go about rebooting that?
Rick Howard: [00:12:12] Well, we all thought when that paper came out that that was going to change the industry for the good. And it did, for the most part. The model is fantastic. But what happened is we failed to remember the human part of those adversaries, OK? What manifested in the industry is that we started sharing indicators of compromise in bags, you know, big, giant bags, right? - and with no context about what the adversary was doing and where it was even on the intrusion kill chain. Just hey, this is bad, and, you know, we should do something about it, right? And that made us get into this treadmill of activity where we have so many of these things coming in that we can never keep up.
Rick Howard: [00:12:52] And we always feel like we're never catching up. And that is true. So rebooting it is to try to get back to the idea. And this is what the Cyber Threat Alliance - it's kind of a sharing intelligence group for security vendors - and Unit 42, the Palo Alto Networks' threat intelligence team, has been advocating for the past five years. Try to flip the equation again, get back to embracing the adversary idea.
Dave Bittner: [00:13:17] So from a practical point of view, what does this look like?
Rick Howard: [00:13:21] All right, so the idea is that network defenders should be deploying prevention and detection controls at all locations on the intrusion kill chain, designed specifically for all known adversary campaigns.
Rick Howard: [00:13:33] In other words, we need to get off this treadmill of just looking at, you know, nonrelated indicators of compromise and actually do something specific for the adversaries that are attacking us. This is an important idea - all right? - because the network defender community already comprehends much about how adversaries run their attack playbooks. For all the new adversaries out there making headlines, most of the techniques they use are not new.
Rick Howard: [00:13:55] And we estimate, collectively in the Cyber Threat Alliance, that we probably, as a community, understand approximately around 99 percent of what the adversaries are doing on any given day, all right? So that's an amazing stat. The challenge, though, has been how do we organize that information and share it with the world at large? And it turns out this is way more complicated than it sounds. You know, just share it. How hard can it be?
Dave Bittner: [00:14:19] Yeah.
Rick Howard: [00:14:19] Right? But - so after much debate - OK? - within Unit 42 and the Cyber Threat Alliance, we agreed that this is what constitutes an adversary playbook. So you ready?
Dave Bittner: [00:14:30] I'm ready.
Rick Howard: [00:14:31] OK, here, I'm going to hit you with it, OK? First, an adversary playbook is one or more adversaries. And when I say that, I'm not saying I want to attribute the adversary. We don't really care that it's the Russians or the Chinese or even Joe down the street - just an acknowledgement that there are humans behind the attack with motivations and a mission - so one or more adversaries who run one or more campaigns. And campaigns are delineated by time frames.
Rick Howard: [00:14:58] An adversary might run a campaign from June to July and then stop for a bit, change a little something in the next one. It's mostly the same, but they might change a little piece of it and then run a second campaign, you know, from August to September - so one or more cyber adversaries running one or more campaigns. And then in that attack sequence down the intrusion kill chain, they use a variety of techniques to attack their victims, all right? So we try to collect all those. And then finally, when they run those attacks on their victims' networks, they leave indicators of compromise in their wake when they do.
Rick Howard: [00:15:31] So we collect all that. We wrap it all - all that up, including the techniques. And we use MITRE's ATT&CK framework - OK? - to standardize on the language so that we're not making it up as we go. And we wrap all that into a STIX 2.0 package and share that with the Cyber Threat Alliance and anybody else who wants to grab it. Now, if you want to see what these things look like, just use Google to search for Unit 42 Playbook Viewer. And you see we've published nine of these things. So you can look at them and grab them if you want.
Rick Howard: [00:16:03] But here's the thing. The current theory by the Cyber Threat Alliance is the number of active playbooks running on the internet on any given day is probably less than a hundred. Some of us think it's less than 50, right? And that is a number we can get our hands around, all right. If we could capture and maintain all the adversary playbooks - if it's less than a hundred, that's a thing or a problem we can solve.
Rick Howard: [00:16:25] So our mission here, then, is to build and maintain all the known adversary playbooks that exist in the world so that the network defenders of the world can automatically deploy prevention and detection controls to their defensive posture in real time. And that's the key. We're all moving to orchestration and automation. We need to be able to collect the intelligence in a way that it can be automatically processed and deployed to our prevention controls, OK? And indeed - OK - that is the reason Palo Alto Networks helped build the Cyber Threat Alliance in the first place. Unit 42 is cranking them out as fast as we can. So far, we've built nine this past year. And we're on track to publish about 36 of them by the end of 2019.
Rick Howard: [00:17:08] So the alliance consists of vendors who can already update their own products with the latest prevention and detection controls down the intrusion kill chain, based on shared adversary playbooks. Now, if alliance members are contributing to and sharing intelligence for all known adversary playbooks running on the internet, their shared customers - the communal base of customers that we all have, OK? - know about 99 percent of what's going to happen in the world, OK. Even if something is new, the alliance can deploy prevention controls to shared customers around the world in minutes to hours. And that would be an amazing capability if we can get all that done.
Rick Howard: [00:17:44] We're not quite there yet. We need more vendors in the alliance. So here's the ask, Dave, OK? If any of your listeners are buying security kits this year, they should be asking their vendors why they are not members of the Cyber Threat Alliance. And if I can be so bold and insist that you not buy them unless they are part of the alliance, OK? It just makes the entire community more safe, and that's the direction we should be going.
Dave Bittner: [00:18:09] All right, well, it's a compelling pitch. Rick Howard, thanks for joining us.
Rick Howard: [00:18:13] Thank you, sir.
Dave Bittner: [00:18:17] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:18:25] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at VMware.com.
Dave Bittner: [00:18:52] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.