The CyberWire Daily Podcast 5.3.19
Ep 836 | 5.3.19

Utility hack update. Surveillance tool proliferation. Exploit black market. Novel ransomware, old distro channel. Notes from the Global Cyber Innovation Summit.

Transcript

Dave Bittner: [00:00:04] That cyber incident that affected electrical utilities in the western United States seems to have been a denial-of-service attack. Concerns arise over potential proliferation of Chinese security service tools. Exploit black marketeer Volodya and some customers. The Retefe banking Trojan is back. Some new ransomware thinks it's the moving finger that writes and, having written, moves on. And some cause for measured optimism at the Global Cyber Innovation Summit.

Dave Bittner: [00:00:38] Time for a message from our sponsor, Bandura Cyber. Are you using threat intelligence, or is threat intelligence using you? Threat intelligence gateways, or TIGs, are an exciting, emerging network security technology that take the heavy lifting out of making threat intelligence actionable, operational and useful. TIGs aggregate IP and domain indicators of compromise from an unlimited number of sources, such as DHS, information-sharing groups like FS-, MS- or ONG-ISAC, commercial sources like Webroot or Anomali or even your own internal IoCs from your SIEM or TIP. With the need for multiple sources and views of threat intelligence now more important than ever and with existing solutions' limited ability to ingest and block third-party IoCs at scale, TIGs make taking action with massive volumes of threat intelligence easy. Get the definitive guide to this next-generation technology, "Operationalizing Threat Intelligence: An In-Depth Guide to Threat Intelligence Gateways," at banduracyber.com/cyberwire. A bonus - it's written by our friends at Bandura Cyber. They're the company that started the TIG category. And it's free. Again, that's banduracyber.com/cyberwire. And we thank Bandura Cyber for sponsoring our show.

Dave Bittner: [00:02:01] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 3, 2019. U.S. federal authorities have been tight-lipped - as E&E News, which broke the story, puts it - about a cyber incident affecting electrical utilities in three Western states. But they have said, according to TechCrunch, that the distributed denial-of-service attack affected neither power generation nor distribution. More is sure to emerge on the incident. We'll be following it closely.

Dave Bittner: [00:02:32] Chinese security services are making effective use of online surveillance domestically, particularly against the country's largely Muslim Uighur population. A New York Times op-ed fears the tools perfected in country will proliferate internationally.

Dave Bittner: [00:02:49] The exploit black marketeer known as Volodya or BuggiCorp continues to hawk malware to a rogues' gallery of bad guys. ZDNet has a roundup of some of their activities and customers. He seems in part a government contractor, as his clients include - according to Kaspersky - SandCat, FruityArmor and Fancy Bear.

Dave Bittner: [00:03:13] Researchers at security firm Proofpoint say the Retefe banking Trojan is back with some enhancements. The malware had faded last year, but it has reappeared on warning screens in 2019. In April, it returned to hit bank accounts mostly in Switzerland and Germany. Proofpoint calls out three major changes they're seeing in the current infestations of Retefe. First, it's now using SecureTunnel instead of Tor for a secure proxy redirection and command and control traffic. Second, it's ditched its old intermediate loader for Smoke Loader. And finally, third, it's abusing a shareware application, Convert PDF to Word Plus, which it executes as a decoy. Its actual loader is the similar-looking convert-pdf-to-word-plus_driver.exe. And that's a malicious executable.

Dave Bittner: [00:04:02] Sophos tweeted that they may have discovered a novel ransomware strain, possibly being delivered via Emotet. The ransom note alludes to Belshazzar's feast. Your defenses, quote, "have been weighed, measured and have been found wanting," end quote. That's what the moving finger wrote. It's what the moving finger always writes, the moving finger being a one-note kind of guy. Anywho, the hoods behind this caper are effectively calling you Belshazzar, boss of the Neo-Babylonian empire, which seems like a compliment. But no, you don't want that kind of compliment. Sophos promises to tweet more info as it becomes available.

Dave Bittner: [00:04:43] The Global Cyber Innovation Summit concluded yesterday in Baltimore. We'll have more detailed reports in upcoming issues of the CyberWire Daily News Brief. Yesterday's highlights included some perspective on what creates crisis instability from cybersecurity and policy expert Richard Clarke. You get dangerous crisis instability when an aggressor concludes that they have a decisive advantage over the defenders. You're at risk, Clarke explained, when your opposition concludes that your defenses aren't credible.

Dave Bittner: [00:05:12] A number of speakers addressed concerns about data integrity, or data provenance. NSA's Rob Joyce warned that as governments increase their efforts to impose national will in cyberspace, data will come under correspondingly greater attack. Data integrity is a problem that crosses a number of disparate kinds of activity. There are obvious industrial control systems security implications. Can you trust the sensors to deliver ground truth about system conditions? Health care data presents similar concerns. The global financial system depends upon assets and transactions held and conducted in cyberspace. It's not Goldfinger's world anymore. If Goldfinger were to come out of retirement, heaven forbid, he wouldn't bother trying to break into Fort Knox. Big scores are to be sought elsewhere.

Dave Bittner: [00:06:01] There's also an influence and information operation dimension to data integrity. If data come to be perceived as untrustworthy, that loss of faith would erode public trust and confidence in the institutions of both government and civil society. This is a slow-motion problem with the potential to creep up on us unobserved. It may be upon us before we realize we're being gradually boiled alive.

Dave Bittner: [00:06:26] Amid the usual warnings one expects at a cybersecurity conference, however, we heard some surprising and distinctly encouraging notes at the Global Cyber Innovation Summit. Tenable's Amit Yoran says that they've seen a tremendous difference between cyber haves and the cyber have-nots. It's possible to protect yourself today. Richard Clarke had a similar observation about the possibility of successful defense, taking NotPetya as a grounds for optimism. NotPetya was a Russian military action against Ukraine. But many companies around the world were collateral damage, and that damage was severe. But a lot of other companies deflected the attack, and these are the dogs that didn't bark. Existing technology properly applied can defend the corporate network, Clarke concluded. We'll have more on the summit in subsequent issues of the CyberWire.

Dave Bittner: [00:07:17] And the larger news also has some positive notes at week's end. Ad fraud may cost businesses as much as $5.8 billion this year, as an Association of National Advertisers study predicts. But that's actually the good news. It's down from $6.5 billion over the previous year.

Dave Bittner: [00:07:35] Mixed news - but on balance, more good than bad - comes from CrowdStrike, which sees a drop in hacktivism's effectiveness, even as hacktivism becomes more frequent. Common hacktivist actions include website defacement and distributed denial-of-service, which, when you think about it, are pretty small potatoes.

Dave Bittner: [00:07:53] Russia's new autarkic internet, complete with isolation switch, is now officially law. And many fear censorship. What? Great Caesar's ghost, stop the presses. Censorship in Russia? Who could've seen that coming? If only President Putin knew, he'd put a stop to it. Wicked boyars lurking around the Kremlin again. What? What's that you say? President Putin signed the law? Oh, Vladimir Vladimirovich. You're killing us, Smalls.

Dave Bittner: [00:08:26] Now it's time for a few words from our sponsor BlackBerry Cylance. They're the people who protect our own endpoints here at the CyberWire. And you might consider seeing what BlackBerry Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show.

Dave Bittner: [00:09:35] And joining me once again is Emily Wilson. She's the VP of research at Terbium Labs. Emily, always great to have you back. You recently attended a conference you wanted to share some details about. What was going on there?

Emily Wilson: [00:09:48] I recently got back from a conference called Dynamic Connections. It was in Colorado this year. And it was hosted by General Dynamics Mission Systems. It was interesting, you know, as someone who typically is spending time at security conferences, tech conferences, fraud conferences, what I would call more standard industry conferences - going and talking to people who are working in and around General Dynamics and in and around government and military operations, it was interesting to see what topics carried over and what stood out as a little bit different.

Dave Bittner: [00:10:22] So what did you see there? What's different in that government world?

Emily Wilson: [00:10:26] I think the main thing that's different is the stakes are significantly higher. You know, we think about the bad things that would happen if someone accessed your corporate network. But what if your corporate network is responsible for making sure that military operatives are in the right place at the right time? What if the - you know, if you're working on hardware, you want to make sure that your hardware is good and is going to last for a long time. But what if your hardware needs to be in extreme temperatures or extreme situations and has to be able to work correctly every single time - and there's no room for failure - the stakes are too high? So certainly a different level of intensity, I think, in the conversations, which is a little bit different from what you would hear, I think, traditionally in the security industry.

Dave Bittner: [00:11:15] And so what did you bring home from that? How does some of that information you gathered transfer to the work you're doing day to day?

Emily Wilson: [00:11:23] There were two things that stood out to me that I came home and was telling my colleagues about. One was a panel from one of the afternoon sessions looking at data regulation and privacy legislation because these organizations face the same issues that we all do in the industry - needing to be compliant, plus whatever other government or military standards you might be working off of. And there was one speaker in particular who said the trend is not compliance. The trend is data privacy. And the law that we see, the compliance law that we see coming into place is a trailing indicator for a big gap in data privacy practices - and that we should be looking at data privacy and a little bit less a compliance because, you know, as the speaker pointed out, you can be compliant and still be negligent with data.

Emily Wilson: [00:12:13] And so if you are only thinking as far as compliance, if you're only thinking as far as what do I do to not get in trouble? What do I do to not have to pay fines? And you're not thinking, too, am I doing the right thing, the broader picture right thing for my customers or my employees? - then you're still going to, in a lot of cases, end up with issues of negligence. You're still going to fall short.

Dave Bittner: [00:12:37] Interesting. What else?

Emily Wilson: [00:12:39] The other thing that I thought was interesting - I was in a cybersecurity session with a representative from McKinsey who had some data on security patent filings over the past few years and looking at patent filings as one way to measure how the trends in the industry are shifting and have been shifting. And what was interesting to me was the highest volume of patent filings in recent years are actually around data security, which is an encouraging trend, certainly given the kind of work that I do and, you know, the kind of work that underlies the work that we all do. But it's an interesting measure. We're seeing more people find new and interesting ways and really pursue better paths forward for data security based on technology evolution and based on an understanding - a different understanding of risk. And I'm glad to hear it. I think we should be talking more about security and more about privacy.

Dave Bittner: [00:13:36] I think that's an interesting insight because I think it's a common mistake that they intermingle security and privacy as if they're almost the same thing. And they're not.

Emily Wilson: [00:13:45] They're not. There are different motivations behind them. There are different incentives depending on what kind of industry you're in and what kind of data you have. And I would say there are also different beneficiaries. You know, there are different beneficiaries of the results of this. There's a difference between trying to keep the data secure and trying to keep your users' privacy protected. But there is a difference between a goal in keeping data secure and building secure systems and a goal in keeping data private and building private systems. We want to have both. But if you only design with security in mind, then we may end up with, I think - we've seen that we continue to end up with data proliferation and data mining.

Emily Wilson: [00:14:25] You know, you can say, I don't really care about privacy. But don't worry - I'll keep it secure. We need to be thinking about both things. We need to be thinking about, what data do you actually need on your users to do the work that you do? What data is actually relevant? How can you protect your users? Because protection isn't just security. Protection is, and has to be, privacy.

Dave Bittner: [00:14:46] All right. Emily Wilson, thanks for joining us.

Dave Bittner: [00:14:53] And now a word from our sponsor ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Prevention-based tools leave you blind to any threats inside your network. By adding behavioral-based network traffic analysis to your SOC, you can find and stop attackers before they make their move. ExtraHop illuminates the dark space with complete visibility at enterprise scale, detects threats up to 95% faster with machine learning and guided investigations that help Tier 1 analysts perform like seasoned threat hunters. Visit extrahop.com/cyber to learn why the SANS Institute calls ExtraHop fast and amazingly thorough, a product with which many SOC teams could hit the ground running. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.

Dave Bittner: [00:15:52] My guest today is Joseph Carson, chief security scientist and advisory CISO at Thycotic. He joins us to share his story of a boardroom presentation gone wrong and how it served as a wakeup call for how security teams need to communicate and consider their role within the overall organization.

Joseph Carson: [00:16:11] So myself and the CISO - I was doing the penetration test myself. And it was with actually - with a power station. And some of the vulnerabilities we were finding were quite significant, at least to our viewpoint. So myself and the CISO - we get down. We discussed about, you know, how we wanted to communicate what things we thought were going to be important for the board to hear. And it was really - one of the major things was - it was the budget review. So the CISO had some plans and goals in order to get certain budget available for upcoming strategic plans and projects and priorities. That was for the following year.

Joseph Carson: [00:16:46] So we got together, and we looked through, basically, the vulnerability results. We wanted to align with technologies and solutions that we thought would reduce and mitigate those problems. And we sat down. We basically got together our plan. We went through some of the major items that we had identified. And we put together a presentation. And we communicated quite, you know, strong and how we wanted to approach it. You know, we came to a - an agreed conclusion, and that was pretty much it. And, you know, we'd set out how we wanted to position those items to the board.

Dave Bittner: [00:17:20] And how did the board react?

Joseph Carson: [00:17:22] Not exactly to our expectation. And we were actually quite shocked. So one of the things was when we did the penetration test itself, we'd find major vulnerabilities, such as things like default passwords. We'd find unpatched systems. We looked at, you know, human errors, supply chain integrity failures. And background checks were not being processed. And when we went to the board and we presented it, we went in, and we were talking about, you know, cybersecurity. We're talking about the human failures and threats and, you know, the increased landscape and looking at other major breaches that had occurred that same year. And we talked about, you know, fear of not doing something. We talked about the importance of the solutions. And we really went in, basically going and talking about how it was important to invest in the security solutions, how it was important to get this budget in order to really make sure we had the right technologies in place.

Joseph Carson: [00:18:17] And one became - we presented. And right afterwards, the board, you know, said thank you. You know, we appreciate your time. And, of course, later, you know, after we finish that time, they go off. And they convene to have their discussions privately, and then they come back, and they present back to whether, you know, you got your accepted budget. So the time passed. And we came back. The board came in and sat down. We were actually quite shocked because the board came back, and they said your budget request has been declined. We deemed the threats and the vulnerabilities that you had raised as low-risk. But we'd like to speak with you privately afterwards.

Joseph Carson: [00:18:57] And we were quite shocked. We thought we'd done an amazing job. We thought we'd presented very clearly the threats and very clearly, you know, the issues that you hear in the media and the news. And we thought without a doubt that our plan was going to get the right budget. You know, we were getting attention of the board. The board was listening. And we thought this was the time where we'd really get the reaction and the budget in order to really make the needed improvements for the forthcoming year.

Joseph Carson: [00:19:23] Afterwards, the CEO and the CFO came down. And we sat down, having a side meeting to talk about what happened. And I think this was the most important realization, and it was when the CEO had said, your presentation was great. You really conveyed the threat landscape. But there was one major thing missing. You never talked about how you're going to help the business. And they said that, we know how important cybersecurity is. We know how important it is for the business to, you know, improve and invest in the right areas. However, we really need it to work. And that's why we're having this conversation.

Joseph Carson: [00:19:59] And for me, it was the best timing because when you get that scenario, and you get a CEO and a CFO coming and being so absolutely direct and honest to you rather than just letting that meeting go and not getting what you needed - we really sat down because they knew the importance, and they really wanted to be successful. And they said to us, you know, when you come in, you presented just like everyone else has presented, you know, on the news and when you hear at these events and all these executive briefings that they've had for - on the cyber threat landscape.

Joseph Carson: [00:20:31] But they sat and said, the most important thing that was missing - was, how are you helping the business be successful? Every other presentation from the other businesses, whether it being engineering, innovation support and sales, they came in, and they presented their business plan. And we came in and presented, you know, fear. What we really needed to understand was the return on investment. How are you helping your peers be successful? How are you helping them do their job? How are you helping us reduce the risk of the business? What is the cost of doing something? And what's the cost of doing nothing? What's the gap that we're having? Are we covered with insurance? Do we have the ability to survive if we actually have such an attack that you talked about? We need to be successful. We know how important it is, but we need you to approach this in a different way. It needs to be a business-first approach. And it needs to be based on risk.

Joseph Carson: [00:21:22] And there was a big realization. We've set - and actually, you know, when you realize that this is what you needed to hear. This was the CISO getting the wake-up call that how we've been communicating cybersecurity and threats to the executive team and to our peers for years has been the wrong approach. And we really needed - and it was this wake-up call - it was this alarm bell ringing - that we realized that we needed to change our approach.

Dave Bittner: [00:21:47] When you look back on that, thinking back knowing what you know now, why do you suppose there was that gap from your side? Were the - the information you were presenting was the business case. Did you consider it to be self-evident? What were you thinking?

Joseph Carson: [00:22:02] It was more self-focused. We were focusing on what our needs were, not of what the business needs were. We were focusing on the tools and, you know, the technologies that would help us do our job. But we weren't aligning that with how it was helping our colleagues be successful, the ultimate people who we're actually protecting and making safer. We had not considered their feedback and their input into our needs. And this was the biggest gap. The gap was that we were basically focusing on ourselves as a silo. And what we needed to do to be compliant with regulatory needs and as well as what we needed to be able to do to reduce the threats as we've seen it.

Joseph Carson: [00:22:41] And what we realized was that for too many years, we've been going down this technology-driven path. And we've been seen as, you know - in the cybersecurity area and IT security, we've been seen as the enforcers. We've been going to employees and saying, this is how you need to be doing things. And no, you can't install that software because it has this risk. And you need to patch this system. You need to change your passwords. We've been enforcers. And it's the time where we realize when we had that meeting that we actually - we're doing it the wrong way. We, as the CISOs and security officers and security operations admins, we need to be doing more listening. And one thing that we haven't been doing is listening enough to our colleagues, to the other peers in other departments, to the employees and the customers within the business that we're actually providing services to. We weren't listening to the board. We were actually communicating and enforcing a message.

Joseph Carson: [00:23:38] And what we realized was that it was more important for us to sit and listen to an employee and asking them, what is it exactly you're being measured on? How, you know, can I help you be successful in your job? How can I help you be more efficient? How can I help you win and actually get your bonus and be able to meet your metrics that you're measured on? And that's what we need to be doing. And then looking at how we can actually add security into the existing job rather than saying, you know, to employees, don't click on these things. You know, stop clicking on links. Stop opening attachments. Because in many businesses, that's actually their job. And we have to understand about well, how can we make sure that since that is what they are doing - how can we make sure they're doing it safely with reduced risk but at the same time, making sure that they're able to stay productive? And that's what we need to be changing in our going forward. So the CISO in 2019 needs to start doing more listening and a time of aligning how we can help the business be successful.

Dave Bittner: [00:24:44] That's Joseph Carson from Thycotic.

Dave Bittner: [00:24:51] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT - the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:25:03] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.