Xenotime is now interested in the power grid. Vulnerable Exim servers under attack. Mr. Assange goes to court. Credential-stuffing attacks on gamers. And that Ms Katie Jones? Not a real person.
Dave Bittner: [00:00:04] Xenotime is detected snooping around the North American power grid. Hacking groups exploit the Return of the Wizard vulnerability in Exim servers. Hearings on the extradition of WikiLeaks' Julian Assange have begun. Online gamers are being chased with credential stuffing attacks - they're after your skins, your accounts and your credit cards. I speak with Dr. Matthew Dunlop. He's the chief information security officer at Under Armour. And some LinkedIn catphish seem to be going to AI charm school.
Dave Bittner: [00:00:41] And now a word from our sponsor, ObserveIT. According to Cisco, over the course of 1 1/2 months, the typical suspicious insider can download 5,200 documents. Unfortunately, many ad hoc insider threat investigations can drag on for weeks or even months since it's tough to know exactly who did what, when and why. Security analysts have to wade through a sea of event logs, many of which are completely irrelevant, to eventually discover the root cause of an incident. What if we told you that there's a way to investigate insider threat incidents faster? With ObserveIT's dedicated insider threat management platform, security teams can quickly find out the context into both the user and data activity behind an alert. Detailed user activity timelines and easily searchable metadata help you know the whole story on insider threats. Visit observeit.com/cyberwire to try out ObserveIT's sandbox environment for yourself - no downloads or configuration required. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:01:51] Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.
Dave Bittner: [00:02:06] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 14, 2019.
Dave Bittner: [00:02:14] E&E News reports that the North American Electric Reliability Corporation - commonly known by its acronym NERC - issued a nonpublic warning to utilities that Xenotime, a threat hitherto seen mostly in the oil and gas sector, has been conducting reconnaissance against the grid.
Dave Bittner: [00:02:32] The NERC warning is based on research by Dragos, which says that the Xenotime "activity group" has evidently expanded its target list to the electrical power sector without necessarily abandoning its earlier interests. Dragos thinks Xenotime should be taken seriously but cautions against overhyping the problem - quote, "No new capabilities are being deployed and the activity observed amounts to early reconnaissance, not compromises of electric utilities," end quote.
Dave Bittner: [00:03:03] So while, as always, it’s good to avoid the sort of fear, uncertainty and dread that all too often accompanies news reports and sales calls, what are the reasons for taking this discovery seriously? The first one - and this is indeed a sufficient reason - is that Xenotime is, after all, the group responsible for the Trisis, or Triton, malware that was used against oil and gas installations in Saudi Arabia. That malware was designed to affect safety subsystems of the industrial control system, and it was therefore arguably designed to injure or kill. It didn’t do so because the malware induced a plant shutdown, as opposed to a catastrophic accident. That relatively benign outcome is generally thought to have been accidental; most analysts believe the malicious code was designed deliberately with lethal potential.
Dave Bittner: [00:03:53] This is not to say that the power grid is about to turn on you, your family, or your friends and neighbors, but it is to say that whoever’s behind Xenotime is unlikely to be inhibited by humanitarian concerns. So the activity is reconnaissance, and the tools aren’t new, and there’s no evidence that electrical power utilities have been compromised, but Dragos’ discovery is certainly worth the attention NERC appears to be giving it.
Dave Bittner: [00:04:19] At least two hacking groups are exploiting the Return of the Wizard remote code execution vulnerability in Exim mail servers that was publicly disclosed last week, ZDNet notes. Exim servers handle a large fraction of the world's email traffic, and users are urged to patch. BleepingComputer suggests that an encouragingly large fraction of users are doing just that. If you’re running version 4.92, you’re good to go, and if you’re not, then you should probably upgrade as soon as possible.
Dave Bittner: [00:04:50] WikiLeaks proprietor Julian Assange's extradition proceedings advanced today. Sajid Javid, the U.K.'s home secretary, has signed the request that Mr. Assange be extradited to the U.S. He’s currently in a British jail for skipping bail. British authorities arrested him after Mr. Assange wore out seven years of welcome in Ecuador’s London embassy and was shown the door by Ecuador’s government. He had taken to the embassy to avoid extradition to Sweden, where he was wanted to answer allegations of sexual assault. The home secretary’s request now goes to the courts, who will decide whether to send Mr. Assange stateside to face charges of conspiracy to commit computer intrusion. He also faces 17 charges under the Espionage Act of 1917. The extradition request is expected to take several months to work its way through British courts.
Dave Bittner: [00:05:46] Gamers have money and spend money, and criminals are noticing. Akamai’s recent study of the underworld’s interest in the world of online gaming indicates that between November 2017 and March of 2019, gaming websites sustained 12 billion credential stuffing attacks. We know, we know - as the tween gamers would put it, one attack is hella bad if it’s against you, but, you know, 12 billion of them is just the kind of statistic that only your parents would be interested in. And these kinds of attacks are low-level attempts that are easy to automate, so the stat’s less overwhelming than its sheer size would lead one to think, at least before reflection. Still, it’s a lot. Over that same period and across all sectors, Akamai counted 55 billion credential stuffing attacks. So gaming alone received a bit more than 20% of this particular kind of criminal attention.
Dave Bittner: [00:06:39] The Associated Press reports that a fictitious persona, Katie Jones, is seeking connections on LinkedIn. The story speculates that the fictional Ms. Jones is a catphish deployed by a foreign intelligence service, trolling for recruits. The affair is reminiscent of 2010's Robin Sage experiment, in which a completely imaginary persona with an implausible personal history of experience beyond the persona’s 20-something years succeeded in attracting not only connections but even a couple of job offers. Katie Jones represents an advance over Robin Sage in that the persona seems to have been built in part with the aid of artificial intelligence. The picture seems to have been created using generative adversarial networks, an artificially intelligent approach to creating a face from scratch. By contrast, the picture of Robin Sage was a stock image.
Dave Bittner: [00:07:30] Katie Jones’ LinkedIn profile identified her as a Russia and Eurasia fellow at the Center for Strategic and International Studies, the well-known Washington think tank. It also said she was a University of Michigan alumna. None of this, of course, can be true since Ms. Jones doesn’t exist. The AP story points out the telltale signs that the profile picture is bogus, but in fairness to those who’ve been taken in, those signs are easy to overlook unless one is either given to a very suspicious mind or is teetering on the edge of some sort of unhealthy obsession.
Dave Bittner: [00:08:04] No one is being credited so far with the creation of Katie Jones, but a number of observers have pointed out that LinkedIn has become a kind of happy hunting ground for Chinese intelligence services in particular. So connect with caution. And please don’t be put out if you’ve sent one of us here at the CyberWire a connection request that went unanswered. We’re stronger on stories than we are on names, so it helps if you can remind us where we’ve crossed paths. We'd be happy to connect, if you’re real and nice and collegial. Any fictitious people listening should instead send their friend requests or let’s-connect invitations directly to Chen Wenqing, care of the Ministry of State Security, Xiyuan, Beijing.
Dave Bittner: [00:08:52] Now a moment to tell you about our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms: Everything You Need to Know About Security, Orchestration, Automation and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:10:07] And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, it's great to have you back. You know, it's that time of year - it's graduation time. We're going to have a whole lot of people out there looking for jobs, and a lot of them are going to be looking for jobs in cybersecurity. And I wanted to check in with you to see if you had any tips or advice for those folks who are going to be out there on the job market.
Justin Harvey: [00:10:28] Absolutely. This is the perfect time to be entering the workforce for cybersecurity. The number of unfilled roles and jobs around the world - no matter what industry, no matter if it's nonprofit, business, military - there is simply not enough people to fill all of those roles. So it's a great time to get involved. And I also think that cyberdefense and cybersecurity is really exciting for a domain. I consider myself lucky getting in very early in the ground floor of the cybersecurity industry.
Justin Harvey: [00:11:04] And I think to myself, what would it be like waking up every day and still programming or working on ERP systems? I think that those jobs where you're just building systems or engineering them, they're certainly needed in today's industry, but it's also great to have an end goal in mind. The end goal, of course, is protecting whatever organization you're working for and with from cyberattacks, both commodity-style cyberattacks and targeted-style cyberattacks. I think that what newly graduated young professionals need to think about is, if they're interested in cybersecurity, thinking about what part of cybersecurity do they want to focus on.
Justin Harvey: [00:11:45] Do they want to be part of a master-level domain, like incident response? Where I liken it to, as a child, you want to fly the biggest jets, you want to fly in 747s and A380s, but it takes time and a lot of education to get up to that level. Let's say that you finished flight school, much like our young professionals have just finished college, and they said, OK, I'm ready to fly a 747. But what they don't realize is those large planes - and just like incident response - have a lot of moving parts to them, a lot of technical complications. It's about people. It's about pulling it - that all together. And you actually need to start a little bit smaller. For these pilots, they start with 737s and A320s and work their way up.
Justin Harvey: [00:12:29] The same is true for cybersecurity. You really need to start with the basics and learn about threat modeling and what threats are out there and what those style of attacks look like. And then, of course, you can branch out for them. Maybe you have a passion for identity and access management, and you want to go into a digital identity field. Or maybe you want to be crafty, and you like the ability to move around undetected and to socially engineer people. Well, that's a great penetration tester or adversary simulator.
Justin Harvey: [00:12:58] And then there's different aspects of the cybersecurity ecosystem. If you have business knowledge, and you're not really that technical, but you have a passion for cybersecurity, there's a ton of startups and well-established organizations out there that would love to have someone with a business mind work on and build new cybersecurity solutions. And let us not forget, Dave, that there are the technologists and the geeks out there, like myself.
Justin Harvey: [00:13:25] And there are so many both open-source and commercial off-the-shelf applications and platforms that have such a deep level of knowledge out there to discover. I think about my career journey when I really got into SIEM and log management and working with ArcSight and Splunk and QRadar and all of the other types of platforms out there. But if you don't want to do commercial stuff, there's also open source. I'm really astonished, for people that have the personal drive, how much they can actually download from the Internet. They can download whole VMs that have malware, that simulate what an attack looks like, and you can wire those VMs up and connect them to Elasticsearch and Logstash and be able to actually code new solutions, new means to detect these types of attacks. So today is the perfect time for these young college graduates to get into the workforce.
Dave Bittner: [00:14:25] When you're sitting there and contemplating a stack of resumes that have come to your desk, what are the things you look for? What makes one of those bubble up to the top?
Justin Harvey: [00:14:34] From a pet peeve perspective, I'd like to see short and sweet resumes. I can't underscore that enough. In fact, I recently had a candidate resume come across my desk, and they had obviously been in the workforce for 20-plus years, but their history only went back to 2000. And I said, well, what was before 2000? The answer was, well, none of that's really relevant, if it would have gone to a second page.
Justin Harvey: [00:14:57] So I think a very concise, succinct resume is a big standout. I'd like to see examples or notations of big projects they've taken on and maybe a little bit of information of how they solved that. I don't like to see a broad listing of all the certifications and all of the programming languages they know. Candidates need to think a little bit higher-level and put themselves in a hiring role - and maybe they've never been in a hiring role. But they need to think about, what would someone look at when they read this resume? How can they truly convey that they have the skills necessary in order to get the role?
Dave Bittner: [00:15:36] Well, it's interesting advice, for sure. Justin Harvey, thanks for joining us.
Justin Harvey: [00:15:40] Thank you.
Dave Bittner: [00:15:46] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Prevention-based tools leave you blind to any threats inside your network. By adding behavioral-based network traffic analysis to your SOC, you can find and stop attackers before they make their move. ExtraHop illuminates the dark space with complete visibility at enterprise scale, detects threats up to 95% faster with machine learning and guided investigations that help Tier 1 analysts perform like seasoned threat hunters. Visit extrahop.com/cyber to learn why the SANS Institute calls ExtraHop fast and amazingly thorough - a product with which many SOC teams could hit the ground running. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:16:44] My guest today is Dr. Matthew Dunlop. He's vice president and chief information security officer at Under Armour, one of the most well-known retail and e-commerce brands in the world. Before Under Armour, he served nearly 30 years in the U.S. Army, where he helped build Cyber Command and served as director of applied research and development. When he retired from the military, he had no shortage of opportunities.
Matthew Dunlop: [00:17:08] I really wanted to go a different direction. I didn't want to - I knew that if I made that choice, I'd probably pigeonhole myself into the federal space the rest of my career. And I'd like to continue to grow and experience new things, and so I wanted to have that flexibility. And I really wanted to work somewhere where I truly believed in the product. And I mean, don't get me wrong - working for the government is fantastic. I truly believe in that mission. But I just wanted something very different. I was ready for a change. And Under Armour is a fantastic brand with a fantastic history and a fantastic value system, and so that was a perfect fit.
Dave Bittner: [00:17:42] It's fascinating to me because one of the questions I wanted to ask you was about dealing with the scale of an organization like Under Armour. But scale was nothing new to you because of the scale you dealt with at Cyber Command.
Matthew Dunlop: [00:17:54] There were some of the jobs I had - one of the jobs I had at Army Cyber Command as the director of operations for the Joint Force Headquarters-Cyber, we were directing operations globally with 41 different cyber mission teams spread throughout the world, really.
Dave Bittner: [00:18:09] So let's go through what your day to day is like at Under Armour. What are your responsibilities, and how do you manage your team?
Matthew Dunlop: [00:18:18] So at Under Armour, it's actually a very unique environment that most people probably don't realize. Most people think of Under Armour as a retail shirts and shoes company. And it is that, but it's a lot more. Under Armour has a huge Connected Fitness application side to it where there's, you know, MyFitnessPal, Endomondo. Not only is there the traditional which you think about with global retail and e-commerce and infrastructure, but there's also security around the Connected Fitness and the whole app environment that I'm responsible for as well.
Dave Bittner: [00:18:51] Each of those environments has specific challenges. How do they differ, and how do they cross over?
Matthew Dunlop: [00:18:57] There's actually a great question because there's the team in Baltimore that has traditionally focused on more of the corporate and retail side of security. And as we expand more and more into the cloud, they're required to really stretch their skills. And it's a fantastic team. And they're really stepping up to the challenge and doing really well at it. It's really expanding their knowledge set into, you know, not only the traditional networking challenges that most people face. But it's the cloud. It's code security. It's bot management.
Matthew Dunlop: [00:19:34] It's all that stuff that you think about when you move into application development and cloud development and cloud infrastructure. It's a huge span of responsibility. And that's the one thing I can honestly say is - that I find most fascinating about Under Armour. The team I have there, every single person on the team is fantastic. And, you know, you always have the one guy, you know...
Dave Bittner: [00:19:59] Usually it's me.
Matthew Dunlop: [00:20:03] Yeah. And I can honestly say that I - there is no one on the team that I feel like we could do without or I feel like is, you know, falling behind the rest of the group. And so it makes the job that much more rewarding.
Dave Bittner: [00:20:16] Well, how do you go about recruiting that team? Obviously, Under Armour has a strong brand presence. Does that help when you're out and about trying to recruit folks to join you?
Matthew Dunlop: [00:20:26] So I think, you know, I think the folks that join the team do get that cool factor from joining Under Armour. And I think that's one of the reasons why the team has been there as long as they have been. But honestly, you know, recruiting under that brand name is challenging. It's not because people don't want to work at Under Armour because you know, Under Armour, is a cool place to work. It's that if you're a cyber person, you know, you're thinking of Google. You're thinking of Apple. You're thinking of - if you're thinking federal space, you're thinking of, you know, the bigs in this area, Northrop Grumman and Parsons and those sorts of things. But you're not thinking about places like Under Armour because that's a retail company.
Matthew Dunlop: [00:21:05] And so what I've started to do is I've started to go around to the different universities and talk to their cyber groups and, you know, explain to them basically they're in an extremely unique position. They can work anywhere they want. There's no one else that can work anywhere they want. Every different company has a requirement for cyber from the smallest mom and pop, although they may outsource it, to, you know, the huge companies. And so there is a place for a cyber IT professional in every single organization. So yeah, it's pretty much, where do you want to work? And then go look at the job openings in that area because they exist. And the mission is really the same. It's just the - whatever you're protecting changes.
Dave Bittner: [00:21:46] So if there's something that you are passionate about, even if the primary business is not a cyber business, you can extend your passion for that thing, whatever it is, into their needs from a cyber perspective.
Matthew Dunlop: [00:21:59] Yeah. I mean, if - absolutely. If your dream is to design bike helmets or at least work with a company that designs bike helmets, you can certainly help them protect their designs.
Dave Bittner: [00:22:10] What do you see as you look towards the future? I mean, companies like Under Armour - we're in a, I think, a rapidly changing retail environment. In terms of the work that you and your team do in protecting an organization of that size, of that scale, what are you looking forward to? What are the challenges you think we're facing ahead?
Matthew Dunlop: [00:22:30] So that's a great question because, you know, a lot of people - you hear the machine learning, the AI, the blockchain, the typical cyber buzzwords. And it's true that technology continues to expand. And we've got to stay on top of technology. But at the end of the day, you really have to make sure you're doing the simple stuff right. If you're not doing the simple stuff, I don't care what tools you have in place. And so the approach I've taken is it's really all about the workforce. You've got to get the workforce onboard. You've got to get them security minded.
Matthew Dunlop: [00:22:57] And so I've charged my team with starting to do individual, you know, lunch-and-learns with different business units and say, hey, here's how to properly use the tools you have in front of you. Here's how to better protect your data. Here's how to more effectively leverage email and things like that to where, you know, you can reduce the risk. You know, some recent statistics said 95% of all cyberattacks are due to user error. Well, if you can make the users better at using the technology, then you reduce the chance of user error.
Matthew Dunlop: [00:23:29] And then once you are able to actually, you know, tighten up that space, then let's talk about the tools you can put in place. I mean, if you look at every one of these things in the news that you hear about recently, you can point to employee error. This S3 bucket was left open. Well, somebody didn't click something right. You know, this, you know, got infected by ransomware. Well, it was a phishing email.
Dave Bittner: [00:23:51] Right.
Matthew Dunlop: [00:23:51] You know, it's - you can point back to basic cyber hygiene in almost everything.
Dave Bittner: [00:23:55] That's Matthew Dunlop. He is vice president and chief information security officer for Under Armour.
Dave Bittner: [00:24:05] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:24:18] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.
Dave Bittner: [00:24:28] Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.