Dave Bittner: [00:00:03] More advice to patch BlueKeep already. Facebook announces its planned launch of a cryptocurrency, Libra, and is greeted with considerable acclaim and at least as much skepticism. Updates on alleged power grid cyber operations. Catphishing and the adaptation of traditional espionage craft in the digital age. And cheap sunglasses turn up as phishbait in compromised social media accounts.
Dave Bittner: [00:00:33] And now a word from our sponsor ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Prevention-based tools leave you blind to any threats inside your network. By adding behavioral-based network traffic analysis to your SOC, you can find and stop attackers before they make their move. ExtraHop illuminates the dark space with complete visibility at enterprise scale, detects threats up to 95% faster with machine learning and guided investigations that help Tier 1 analysts perform like seasoned threat hunters. Visit extrahop.com/cyber to learn why the SANS Institute calls ExtraHop fast and amazingly thorough, a product with which many SOC teams could hit the ground running. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:30] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 19, 2019. If you haven't patched BlueKeep yet, you might want to get on the bandwagon. Microsoft and NSA have urged you to do it. And the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency this week has said users should patch vulnerable systems immediately. It certainly looks as if it would be unwise to sleep on this one.
Dave Bittner: [00:02:00] Facebook will soon launch its own cryptocurrency, Libra, complete with its own wallet, Calibra. The announcement prompted concerns from regulators and legislators in the U.S., France and Germany over antitrust, privacy, banking and sovereign currency policy.
Dave Bittner: [00:02:18] We've got some follow-up on stories that broke earlier this week. First of all, that news alleging that the U.S. implanted malware in Russia's power grid in an apparent move toward deterring Russian cyberattacks against the U.S. remains where it was when the New York Times broke its story at the beginning of the week. Observers tend to regard the alleged activity as problematic but nonetheless arguably legitimate as a deterrent or reprisal. Note again that the New York Times story describes preparation, not actual attacks.
Dave Bittner: [00:02:50] Argentina's blackout remains under investigation, but the likelihood that it was caused by a cyberattack seems increasingly remote. IEEE Spectrum's account of preliminary findings suggests that the outage was caused by disconnection of two 500-kilowatt transmission lines. The failure took place in the section of Argentina's interconnection system that supplies the grid with power generated by two major hydroelectric plants. One of the lines seemed to have failed in a short circuit. The other appears to have been disconnected by an automated system. Automatic load-shedding mechanisms that ought to have contained the outage failed for reasons still unknown. Investigation is in progress, but it seems likelier that the outages were the result of accidental failures than they were of a cyberattack.
Dave Bittner: [00:03:38] Many organizations, in addition to threat and vulnerability detection, are implementing microsegmentation, enhanced access controls and zero trust to better protect themselves and their employees. Tom Hickman is vice president of engineering at Edgewise Networks.
Tom Hickman: [00:03:54] One way that I think about this problem space is really personal. I've been building and deploying SaaS solutions since 1999, 2000. I was in networking management before that and then, in year 2000, started working at a company that was doing early-stage software as a service before software as a service was even a term that was in vogue. And what we faced was a nearly constant threat of attack that, again, you know, early days of cloud computing, early days of, you know, the sort of ubiquity of awareness about cybersecurity threats. And I've been either fortunate or unfortunate to always be working in companies that were data rich, that were, you know, extremely relevant targets for espionage or for, you know, cyber risk and data exfiltration. So I've kind of been in the front lines of what has been a - you know, a cyber cold war for a long time as the cold war has heated up. And from that perspective, the kind of modern view of the threat landscape, which essentially presumes that, you know, there's two kinds of companies, those that will be breached and those that have been breached...
Dave Bittner: [00:05:09] (Laughter).
Tom Hickman: [00:05:09] ...Couldn't be more true. And that, I think, is really what's kind of led me on my personal journey to kind of feel a, you know, strong sense of resonance with the zero trust position and messaging.
Dave Bittner: [00:05:22] What's the evolution there? What's new about this?
Tom Hickman: [00:05:24] What's new about zero trust is really sort of taking a more - from our perspective here at Edgewise, a more app-centric and app-aware slice, really, across the security controls that you put in place. Right? Traditional firewalls looked at north-south traffic. They looked at IP address-port and were subject to, you know, just tremendous complexity as networks got more complex, as microservices became en vogue, as ephemeral and auto-scaling infrastructure came into place. And where we come in, and what I think the evolution of the industry really is, is to be more granular in the sense of looking explicitly at applications that are communicating on the wire and then more resilient, I think, to change, where we're able to look at things that are statistical aberrations and begin to layer controls over things that are anomalous. Right? So you can think of it almost as intrusion detection on your east-west communications inside your network. So it would be, you know, things like from your data tier to your app tier.
Dave Bittner: [00:06:28] Now, suppose I'm someone who's going about my day-to-day business, working in an organization that's - that has adopted zero trust in things like microsegmentation, what's going to be different for me? Anything?
Tom Hickman: [00:06:40] I think, day to day, nothing will be different except you'll be in a more secure position, and you'll be less likely to have data exfiltration from - spreading from any sort of toehold that an attacker might get in a network. Again, taking this from a personal perspective, and part of why I'm excited to be here and be building this solution, as a DevOps practitioner, my day-to-day life gets easier when a solution like what we're building here at Edgewise is in place. I could bore you with war stories for hours...
Dave Bittner: [00:07:12] (Laughter).
Tom Hickman: [00:07:12] ...About the number of times that I've been wakened from a cold, dead sleep at 3 in the morning because the network team did a firewall change and the app that I'm responsible for, that my teams are responsible for, suddenly stops working. Right? Where, today, what we're able to do as application-aware microsegmentation - the firewall changes of yore are essentially obsolete. And we would deploy our solution into an environment where the policy is sort of already, you know, essentially preconfigured. And by virtue of that, we don't have the late-night wake-up calls. We don't have the rollback of firewall changes to have to kind of peel back, you know, with a gun to our heads because we just induced a service outage.
Dave Bittner: [00:07:55] I'm curious. Are there some positive unexpected consequences? I'm imagining that through this process, you could uncover incidences of well-intended shadow IT.
Tom Hickman: [00:08:08] Well-intended shadow IT, and then just, I think, also, in general, the level of complexity of any large distributed system is approximately unknowable by any one person. So not only do you get to see the shadow IT, you get to see the systems that have been set up and deployed that are doing key critical business services that you had no idea about. You also get to see a topology map and a kind of 10,000-foot view of the way that your core and key business services work.
Dave Bittner: [00:08:41] That's Tom Hickman from Edgewise Networks.
Dave Bittner: [00:08:45] In the wake of stories about catphishing on social media, where Ms. Katie Jones turned out to be nobody at all, just a face generated by AI and an impressive resume designed to draw the eye of policy and security wonks, ZDNet took a look back at recent FBI counterintelligence warnings. The Bureau advised current and former holders of U.S. government clearances of the ways in which foreign intelligence services are using social media to recruit sources. The approaches they discuss show the ways in which long-familiar techniques for recruiting agents are being easily adapted to an online world. The Bureau says foreign intelligence services have, for example, been operating booths at technical trade shows. These are obviously booths for front organizations, organizations that appear to be what they aren't. Nobody is going to show up on the floor of RSA or Black Hat with a pull-up banner that says, GRU - innovation for a better world, or, Lazarus Group - working with you to build the future, or, Fancy Bear thinks disruptive technologies are just right. At least, we've never seen them. No, the booth would be for, let's say, the Acme Company. And they'll want to scan your badge, and they'll be happy to exchange business cards. At least some of the people approached at the shows gave personal information because they apparently wanted to stop the booths' people pestering them.
Dave Bittner: [00:10:08] Hey, I don't have purchase authority. Why do you still want to sell me something? Look. Here's my card. Good luck to you. Don't take this the wrong way, but I'm going to go across the aisle, and I'm going to get a free T-shirt. Have you ever had such a conversation? Most of us have. The personal information exchanged was minimal - usually just a business card - but useful nonetheless. The foreign intelligence services followed up with requests to connect over social media. Ever connected with someone because you vaguely remember meeting them at a conference? And maybe you're worried you were rude, so you want to be nice. Yeah, us too.
Dave Bittner: [00:10:45] And finally, who doesn't like cheap sunglasses? Well, Ray-Bans aren't cheap. They'll run you between 150 and 200 bucks. But what if they could be had for cheap? Would you jump at the chance to pick up some Wayfarers for 90% off? What's that, you say? You just saw an ad on a friend's Instagram wall? You don't say? Well, don't believe it, don't click and don't go there. It is, of course, a scam. And it's not just Ray-Bans being dangled, either. Other famous brands are being spoofed as well. The scammers use hijacked accounts to chum social media with their phishbait. If you see this kind of thing on one of your friend's accounts, let the friend know. Their account may have been hijacked.
Dave Bittner: [00:11:25] Recovery of an Instagram account that's been wrenched away from you has been notoriously difficult. But as Naked Security points out, Instagram has just said it's made the process easier and less painful. According to Naked Security, which is published by security firm Sophos, you can recommend that your friend first change their Instagram password - make it a strong one - second, set up two-factor authentication and, third, take a look at access they've granted to third-party apps or services and revoke any they don't recognize or use or ones that look suspicious. The chance of getting some discount Aviators just isn't worth it.
Dave Bittner: [00:12:06] And now a word from our sponsor ObserveIT. According to Cisco, over the course of 1 1/2 months, the typical suspicious insider can download 5,200 documents. Unfortunately, many ad hoc insider threat investigations can drag on for weeks or even months since it's tough to know exactly who did what, when and why. Security analysts have to wade through a sea of event logs, many of which are completely irrelevant, to eventually discover the root cause of an incident. What if we told you that there's a way to investigate insider threat incidents faster? With ObserveIT's dedicated insider-threat management platform, security teams can quickly find out the context into both the user and data activity behind an alert. Detailed user activity timelines and easily searchable metadata help you know the whole story on insider threats. Visit observeit.com/cyberwire to try out ObserveIT's sandbox environment for yourself. No downloads or configuration required. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:13:22] And I'm pleased to be joined once again by Justin Harvey. He's the global incident response leader at Accenture. I wanted to touch today on tabletop exercises. And I wanted to get your take on what's good, what's bad, what's the right approach, what's not. You have some good opinions here. What can you share?
Justin Harvey: [00:13:39] When I think about tabletops, my geeky mind goes to Dungeons & Dragons (laughter), that we played in the '80s and the '90s. In fact, Dave...
Dave Bittner: [00:13:49] Yeah, yeah.
Justin Harvey: [00:13:49] I don't know if you know this. But they're still playing Dungeons & Dragons. And it's just as popular today. It's a great social interaction.
Dave Bittner: [00:13:53] My son - I will - my son Jack, who people know 'cause he comes on the show every now and then, just started learning Dungeons & Dragons.
Justin Harvey: [00:14:01] (Laughter).
Dave Bittner: [00:14:01] So it is alive and well. And I - it makes me smile.
Justin Harvey: [00:14:05] Awesome.
Dave Bittner: [00:14:05] But yes, go on. (Laughter).
Justin Harvey: [00:14:06] So tabletops in the cyber-defense aspect, there's kind of a spectrum. On the light end, there is your typical D&D-style approach. You have all the executives around a table. You have a game master, aka Dungeon Master, that says, OK - and I've seen various iterations of this. There's the classic, just-make-it-all-verbal paper-based. I've seen - one of our competitors is out there. They have a little card game. There's all sorts of approaches to this. But it's essentially a role-playing exercise where you're at the table. And the Dungeon Master, the game master, says now someone has encrypted all of your customer data. And they hand him a card, maybe, with some of the technical details. And the CISO looks at it and says, oh, my gosh. And she runs over to legal and brings them over. It's a very big paperwork exercise.
Justin Harvey: [00:14:55] And then on the other end of the spectrum, there is what I would consider full-blown simulation, but not in your environment. So there are facilities out there that people - that are cropping up that people are going to. And they're bringing their executive team, like the CISO, the director of IR, legal, PR, marketing. They all show up at a third-party site. All the systems are laid out. They go through the motions of a normal day. And then they're hit with a cyberattack. And they bring in actors playing CNN reporters. And it's very executive-centric. In my opinion, the best approach to this is a hybrid approach, which is doing it in the environment of the organization. I like to run scenarios where we're in their environment, where they are comfortable, using their own systems. So we've done simulations where we take one of their laptops, and we load some indicators of compromise on there - not live malware.
Dave Bittner: [00:15:51] (Laughter).
Justin Harvey: [00:15:51] But sometimes we'll put on some inoculated malware, some indicators that are definitely going to trip the AV, and we go hide the laptop in the building. We like to see a scenario where you force the technologists and the executives to get out of their comfort zone. And for me that is the most important thing. It's really making them uncomfortable. Not just to go through the motions and it's just a normal day of work; and they high-five at the end of the day, and it's Miller time. I'm talking about really presenting them some of the hardest questions and hardest scenarios that we've had to deal with.
Justin Harvey: [00:16:28] For example, one of the scenarios that we run that is based upon a real case is - executives love to say, yes, we're not going to pay any ransom. Doesn't matter - we are a no-ransom environment. So if we get held for ransom, we're just going to restore from backups. And that's when the Dungeon Master or the game master looks at them and says, OK, your manifest for all of your backups that you have at your offsite backup is now encrypted. What are you going to do? And they look - they say, oh, gee, we didn't anticipate this. OK, we're going to recover. OK, it's going to take you 60 days to recover. And in that period of time, you're not going to be able to ship product or take money 'cause your ERP system is down. Oh, gosh. So now you're looking at, do you go bankrupt or you put 50,000 people out of work, or do you pay the ransom? I'm not...
Dave Bittner: [00:17:15] Let me roll a 20-sided die...
Justin Harvey: [00:17:17] Yes.
Dave Bittner: [00:17:17] ...And see how that comes out.
Justin Harvey: [00:17:19] (Laughter). It's more like a Sophie's choice, right?
Dave Bittner: [00:17:21] (Laughter) Right, right.
Justin Harvey: [00:17:21] It's like, do you pick this over principles? Or do you pick this over restoring that? You know, back to the tabletops thing, I really like to see custom-made scenarios that are really tailored for that industry and that really throw the curve balls out to make them think through some of these problems. So if and when it does happen, they feel like they have enough information around that. And from the technology perspective, you know, we've worked cases where we interface with a forensics team for - during a breach. And we say, well, you need to go collect these 25 images. And they say, do you realize there's only me and this other guy? Like, there's only two of us. We can't collect and analyze 25, 50, 100 machines in parallel. So by making the technologists uncomfortable or putting them also through their paces, it really helps to underscore and uncover where there are some gaps and deficiencies with that sort of scenario.
Dave Bittner: [00:18:18] Yeah, I mean, it sounds like a real eye-opener for everybody.
Justin Harvey: [00:18:20] It's one of my favorite things to do, is to scare everybody (laughter)...
Dave Bittner: [00:18:22] (Laughter).
Justin Harvey: [00:18:24] In these - I don't like scaring them when the real stuff happens. I like putting them through and making them feel uncomfortable so that we don't have to come back, so that they are a little bit more prepared and able to defend themselves in today's threat-centric industry and market.
Dave Bittner: [00:18:39] Yeah. All right, Justin Harvey, thanks for joining us.
Justin Harvey: [00:18:43] Thank you.
Dave Bittner: [00:18:48] And that's the CyberWire.
Dave Bittner: [00:18:50] Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:15] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Nick Veliky, Bennett Moe, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.