Emergency Directive 19-01 versus DNS hijacking. 2019 US National Intelligence Strategy on cyber. France says cyber war is upon us. Courts in UK have email trouble. Hacks and lulz.
Dave Bittner: [00:00:00] Hey, everybody. Just a quick reminder to check out our Patreon page at patreon.com/thecyberwire. At the $10-per-month level, you get an ad-free version of our show. It's the same show but just no ads. So check it out - patreon.com/thecyberwire. And thanks.
Dave Bittner: [00:00:20] Emergency directive 19-01 tells U.S. federal civilian agencies to take steps to stop an ongoing DNS-hijacking campaign. The U.S. National Intelligence Strategy is out. And it prominently features cyber as a topical mission objective. France says that war has begun in cyberspace and that the enemy should be en garde. British barristers scramble to restore secure email. A metals firm sustains an attack on business systems. And some clowns cut Australian telecoms cables.
Dave Bittner: [00:00:58] And now a word from our sponsor KnowBe4. You know, email is still the No. 1 attack vector the bad guys use, with a whopping 91 percent of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization in an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through 10 incredible ways you can be hacked by email and how to stop the bad guys. And he also shares a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick.
Dave Bittner: [00:01:30] So check out the 10 incredible ways and learn how silent malware launch, remote password hash capture and rogue rules work, why rogue documents establishing fake relationships and compromising a user's ethics are so effective, details behind clickjacking and web beacons and how to defend against all of these. Go to knowbe4.com/10ways to watch the webinar. That's knowbe4.com/10ways. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:02:08] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 23, 2019. The U.S. Department of Homeland Security yesterday issued an emergency directive to non-national security agencies, enjoining them to secure their networks against a DNS-hijacking campaign widely, if unofficially, attributed to Iran.
Dave Bittner: [00:02:32] The warning, Emergency Directive 19-01, was issued by the department's Cybersecurity and Infrastructure Security Agency, CISA. It tells the civilian agencies, whose security CISA oversees, to mitigate DNS infrastructure tampering. The unnamed threat actor operates, the emergency directive says, in discrete stages to redirect and intercept web and mail traffic. Other network services are also presumed to be vulnerable.
Dave Bittner: [00:03:00] The attack begins by compromising user credentials to an account that can change DNS records. Then it proceeds to use those credentials to alter DNS records, replacing the legitimate address of a service with an address the attacker controls. Thus traffic can be directed for manipulation or inspection, depending upon the attacker's purpose, before the traffic is passed to the legitimate destination. The ability to set DNS record values also enables the attackers to get valid encryption certificates for the affected domain names. This exposes user-submitted data to decryption and does so in a fashion that doesn't generate error warnings for the users.
Dave Bittner: [00:03:42] Agencies are directed to respond to the threat with four actions they are to take within 10 business days. First, audit their DNS records and report any that don't resolve to their intended location. Second, change all their DNS account passwords. Third, add multi-factor authentication to all DNS accounts. If the agencies have some systems where they can't accomplish this, they are told to alibi them to CISA.
Dave Bittner: [00:04:06] Finally, after they receive new certificates via CISA's cyber hygiene service, begin monitoring certificate transparency logs and report any unauthorized certificates to both the issuing certificate authority and CISA. The Washington Post reports that defense and intelligence systems were unaffected. They are, in any case, outside the responsibilities of CISA.
Dave Bittner: [00:04:31] Security organizations continue to struggle with the so-called skills gap - the shortage of qualified workers - to fill open positions. Crucial Academy in the U.K. is one of many organizations looking to help close that gap. Tom Huckle is head of the Crucial Academy.
Tom Huckle: [00:04:47] Over here in the U.K., in Parliament and the U.K. joint committee, they concluded that the shortage of special skills and deep technical expertise was one of the greatest challenges faced by the U.K.'s critical national infrastructure operators and regulators in recent times. And so it's being discussed at the very highest levels, despite - for example, over here in Europe, we have GDPR, where the potential penalties now are so much more than what they used to be under the old Data Protection Act '98.
Tom Huckle: [00:05:17] The question is really - that goes to companies, really, and industry and governments is, can we really rely on taking this risk of not filling the skills gap, which is so apparent with kind of every kind of report that comes in saying that there's a requirement for it? We have, for over here in the U.K., something called the National Security Strategy, which I mentioned. And it just - it says that two of the main reasons that we're up against here in the U.K. is that there's a lack of young people entering the profession in the first place.
Tom Huckle: [00:05:48] And there's also an absence of established career and training pathways into the profession. But, really, then the solutions you've got as a business is you've got to kind of recruit talent yourself, which is really difficult in this area because there's not many people out there. You've either got to train or upskill your current workforce who are already kind of in the cybersecurity arena or you've got to try and uncover hidden talent within the business with transferable skills.
Tom Huckle: [00:06:14] So my real question when I came to you was like, how can we solve this? What's one of the reasons? - especially with Brexit looming ahead, which is only going to impound the issue for the U.K.
Dave Bittner: [00:06:25] Yeah. I know one of the points that you made is that, perhaps, there's a pipeline to be mined there from the military.
Tom Huckle: [00:06:31] I think there is. I was military myself. I was - I served in the Royal Marines for eight years. So I've been - and I'm very much a product of this pipeline that, when I was going through it, didn't exist. You just got to look currently at the state of the U.K. military at the minute. I mean, just in the last 12 months, nearly 15,000 people have left the armed forces. So there's an incredible amount of people coming out who are probably asking the same question in regards of, what do I do? But, actually, a lot of the skills that they have are really good into moving into cybersecurity.
Tom Huckle: [00:07:05] So you've got a really, really good untapped resource because military personnel, as we all know - I mean, they're very used to being able to go up against adaptive and skilled adversaries who are very much used to changing the way they operate to try and get around the defenses that us, the good guys, put in place. Their skill transference, which they may not realize, is - they're very good at strategic thinking. They're team workers. They can operate very well under pressure. They are very good, and they like problem-solving. They're happy with responsibility, making those kind of decisions. And they're very adaptable, which, in the cybersecurity arena, is fantastic.
Tom Huckle: [00:07:41] A lot of the military personnel that I speak to don't realize that you don't have to be super technical to do well in this industry. Yes, there are other kind of very technical roles that you can eventually start to mold into. But in regards to going in at some of these levels in cyberthreat intelligence, information assurance, cyber project management, cyber risk, cyber defense and penetration testing, they can.
Tom Huckle: [00:08:06] And it has been proven through Crucial - what Crucial Academy does is you can take these individuals. You can train them over a period of two to three weeks. And at the end of it, they can get past the tests and accreditation and come out the other end and go into really successful jobs in cybersecurity and start to fill this gap that we are, obviously, experiencing in the U.K. and worldwide as well.
Tom Huckle: [00:08:28] I mean, everyone is kind of talking about that the solution to cybersecurity starts - is automation, is bringing in artificial intelligence, machine learning. And this would kind of be the holy grail for the solution of cybersecurity, which, to an extent, yeah, it may be. And it may start to shrink this gap of the demand for people to come in.
Tom Huckle: [00:08:47] But at the end of the day, you've got to realize is that the people who are going to implement artificial intelligence and machine learning, who are going to understand the anomalies that are going to be detected as a point of these kind of technologies - and the individuals, at the end of day, who are going to have to work with this program technology and interpret and then act on its outputs are going to be people. And so that's why we still need to address this situation and this demand that that technology is only going to solve some of the solution and that we need to invest in our people.
Dave Bittner: [00:09:18] That's Tom Huckle from Crucial Academy. The 2019 U.S. National Intelligence Strategy is out, warning of diverse and interconnected threats. That's a wars and rumors of wars kind of warning. Threats have been diverse and frequently interconnected for a long time. But it's noteworthy that cyberthreats are particularly called out right after emerging threats dealing with space.
Dave Bittner: [00:09:43] The strategy notes that cyberthreats have already affected confidence in our global institutions, governance and norms, while imposing numerous economic costs domestically and globally. Adversaries are getting better at this, ODNI notes. And rapidly advancing and proliferating technology is finding its way not only into American hands but into hands not necessarily well-disposed toward the U.S.
Dave Bittner: [00:10:10] The document outlines three foundational mission objectives and four topical mission objectives. At the top of the topical objectives is cyberthreat intelligence, whose goal is to, quote, "detect and understand cyberthreats from state and non-state actors engaged in malicious cyberactivity to inform and enable national security decision-making, cybersecurity and the full range of response activities," end quote. Broadly speaking, the intelligence community will do three things to meet that objective.
Dave Bittner: [00:10:40] First, it intends to develop an increased awareness and understanding of how the opposition uses cyber. Second, it proposes to expand its tailored production and distribution of actionable cyberthreat intelligence. And third, the IC intends to work to enable diplomatic information, military, economic, financial intelligence and law enforcement plans and operations to deter and counter malicious cyber actors and activities.
Dave Bittner: [00:11:07] The U.S. is far from alone in calling attention to conflict in cyberspace and in expressing a determination to do something about it. France has been even blunter and more direct. Speaking yesterday in Lille, French Armed Forces Minister Florence Parly re-emphasized that nation's determination to engage across the spectrum of conflict in cyberspace, specifically including offensive cyber operations. She said last week in Paris that cyber war had begun and that France is determined to be ready to fight it. Her remarks in Lille included discussion of a coming bug bounty program and a significant investment in the cyber industrial base, including small businesses. And there was no mitigation of the assertiveness heard so recently in Paris. Clearly, dissuasion is on the Republic's mind.
Dave Bittner: [00:11:59] Criminal Justice Secure eMail, a system widely used by British barristers, went down last Friday and isn't expected to be fully restored for a week and a half at least. The outage is impeding the work of the country's criminal courts. According to The Register, the reasons for the outage remain unclear. But it's bad news for the courts. It's probably not going to be the case, as The Times of London somewhat breathlessly suggests, that the jails will be open and pandemonium unleashed upon the realm. But it's inconvenient to say the least and another indication of how brittle institutions can prove when they rest on a foundation of ones and zeros.
Dave Bittner: [00:12:39] Belgian metals firm Nyrstar disclosed a cyberattack yesterday that affected email systems but not mining or production. Recovery is said to be proceeding. The company's statement suggests that business systems only were affected, which, if correct, is a good thing and a useful reminder of the importance of network segmentation. Think about it. There's no particular reason why Leopold in HR should be able to share his thoughts with a blast furnace.
Dave Bittner: [00:13:08] Finally, a CRN story reminds us that traditional vandalism remains a threat to connectivity. One such Visigoth cut Telstra cables in New South Wales for no particular reason. We hope, first, that they enjoyed themself and, second, that they will also soon receive a visit from the New South Wales heat. Preserve us from the skids (ph) who roam the earth seeking nothing more than the lolz.
Dave Bittner: [00:13:39] And now a word from our sponsor Coalfire. When organizations stand up new services or move existing applications to the cloud, they need to coordinate IT security efforts with business units and partners. So the question arises, is security the cloud platform provider's responsibility? Or is it the customer's responsibility? To answer that data security question, you must clearly articulate who owns what, identify security gaps and determine who will close those gaps. With the HITRUST Shared Responsibility Program, there's now a clear path to address the misunderstandings, risks and complexities when partnering with cloud service providers. Coalfire has delivered hundreds of HITRUST CSF certifications since 2011. And they help organizations clarify the roles and responsibilities of security controls that protect information. They've certified the leading global cloud service providers and can help you migrate data to the cloud securely. Find out more from Coalfire, the HITRUST cloud assessor at coalfire.com/hitrust. That's coalfire.com/hitrust. And we thank Coalfire for sponsoring our show.
Dave Bittner: [00:15:02] And I'm pleased to be joined once again by Justin Harvey. He's the global incident response leader at Accenture. Justin, it's great to have you back. You know, when it comes to folks trying to block incoming threats, I think sometimes people wonder, what's my biggest concern? Do I have to be on the lookout for criminals? Do I have to be on the lookout for nation states? What's your take on this?
Justin Harvey: [00:15:23] Well, my take on it is you hear a lot of news, and you see products that center around either cybercriminal or nation state activity. In my opinion, I think you need to build a strong cyber defense program that is able to handle both cybercriminals and nation states. In my humble opinion, you're not going to weigh - based upon what industry or geography you're in, you're not going to - you're not going to make architectural changes. It's not going to drive your product selection. You need to have a very strong base.
Justin Harvey: [00:15:55] Criminals, clearly, in the continuum of time, yes, there are breaches and incidents where commercial companies are hit. They lose information. Their stock goes down. Some people get fired over it. They offer identity protection. But those are really blips. The big, major attacks are nation-state. While cyber criminals can create problems for commercial companies, like having it affect your brand or by having to pay regulatory fines or identity monitoring, nation states really have that capable - capability to effectively turn your lights out.
Justin Harvey: [00:16:33] They do that through things like intellectual property theft, where a nation state can steal a company's secrets. They can build their own product. And then they can introduce those products into the same market from the exact same people that they stole that information from. And that can cost tens of millions, hundreds of millions. Or if you think about some of the high-tech providers of chips out there and computers, it could have multi-billion-dollar consequences.
Justin Harvey: [00:17:02] And let's also not forget that nation states have also been dabbling in the OT, the operational technology front, so things like utilities and critical infrastructure providers. Those nation states have the capability to do destructive attacks, which could result in the loss of human life.
Dave Bittner: [00:17:25] Now, what about for the smaller or mid-sized businesses? I think it's not unusual for them to say, well, I don't really have much here. Why should I worry about nation states? You know, I don't have anything worth taking.
Justin Harvey: [00:17:37] Well, you've got to have something. You may have personal information on your employees. You may have information on your customers or on other organizations. And at the very least, you could be a jumping point for cybercriminals or nation states to launch other attacks to which you could potentially be liable.
Dave Bittner: [00:18:02] Yeah, you think about the Target attack, you know, getting in through an HVAC contractor. Even if you don't think you have anything, like you said, you could be the jumping off point for something beyond your own scale.
Justin Harvey: [00:18:13] Exactly. And in certain countries, you could be liable for not having your security up to snuff.
Dave Bittner: [00:18:22] All right, well, it's good stuff to think about. Justin Harvey, thanks for joining us.
Justin Harvey: [00:18:26] Thank you.
Dave Bittner: [00:18:31] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:19:12] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.