Dave Bittner: [00:00:03] Pemex has recovered from the ransomware attack it sustained - or has it? TA2101 is spoofing German, Italian and U.S. government agencies in its phishing emails. A dropper in the wild is delivering a Trojan twofer. AntiFrigus ransomware is avoiding C-drives for some reason. Ohio State researchers find a Bluetooth vulnerability. Want to get that marketing message in front of a friendly CISO? David Spark joins us to tell you how. And the results of the annual DataTribe challenge are in. We heard the three finalists pitch yesterday, and the judges have a winner.
Dave Bittner: [00:00:43] And now a word from our sponsor, ExtraHop, delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at extrahop.com/trial. That's extrahop.com/trial. Trial and we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:37] Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:02:00] From the CyberWire studios at DataTribe, I'm David Bittner with your CyberWire summary for Friday, November 15, 2019.
Dave Bittner: [00:02:08] The Pemex hack was either a relatively minor matter quickly resolved - that's if you follow Mexican Security Minister Alfonso Durazo and Finance Minister Arturo Herrera - or it was a big problem that's still not resolved - that's if you believe what Pemex personnel are telling Reuters on condition of anonymity. Researchers at Proofpoint describe the work of TA2101, a relatively new actor that's spoofing official communications from German. Italian and U.S. agencies as phishbait. The campaign is interesting as an instance of what some observers are calling a trend - crooks who are going for approaches that are more closely tailored to their targets than the familiar spray-and-pray campaign that goes for volume.
Dave Bittner: [00:02:55] Security firm Fortinet has discovered a dropper active in the wild that's delivering to Trojans to its targets - RevengeRAT and WSHRAT. That's two, two, two RATS in one. Both of these RATS have a history of being used in attacks related to financial institutions. RevengeRAT collects system information. WSHRAT is a data stealer often seen in phishing campaigns.
Dave Bittner: [00:03:21] And odd ransomware campaign is underway, odd in the way it rules out certain files from receiving its ministrations. According to BleepingComputer, which has been in touch with the independent researchers who've been tracking the infestation, the particular ransomware strain involved - AntiFrigus - avoids files on the usual C-drive, reserving its hostile encryption for data on mapped network drives or removable devices. It's being distributed by malvertising that redirects victims to the RIG exploit kit.
Dave Bittner: [00:03:53] Researchers at the Ohio State University have found a vulnerability in Bluetooth Low Energy devices that exposes them to fingerprinting attacks. And, if the devices and the mobile apps that connect to them use weak encryption, attackers could intercept data being passed between them.
Dave Bittner: [00:04:12] We were at the second annual DataTribe Challenge in Baltimore yesterday, held in the very hipster-ish repurposed City Garage down Port Covington way. And full disclosure - DataTribe is an investor in the CyberWire. The challenge is open to young startups. They're young. That is, they must be pre-A-series companies whose total funding to date can't exceed $1.2 million. They must offer an enterprise big data or cybersecurity product that's in the beta, minimal viable product or concept stage. Practical experience in the Five Eyes' security, defense or R&D systems is preferred but not required. The ideas the startups propose should be suitable for funding that would advance the product. And, of course, to the best of their knowledge, those ideas shouldn't violate any intellectual property rights.
Dave Bittner: [00:05:01] The judges this year were executives from AppGate, CrowdStrike, Apple, AllegisCyber, Cisco and Shopify. Last year's winners were Prevailion and Inertial Sense, each of whom received seed funding. This year, three finalists were selected from more than 300 applicants. The applicant pool was very heavily involved in machine learning and artificial intelligence data, DataTribe co-founder Mike Janke observed in his introductory remarks.
Dave Bittner: [00:05:28] The finalists were Code Dx from Northport, N.Y., which automates application vulnerability management in a way that enables various testing tools to cooperate in developing a single, easily read set of correlated results. Bloomfield Robotics, based in Pittsburgh, Pa., a Carnegie Mellon University spin-out that specializes in agricultural robotics and machine learning. And SecurityAdvisor, based in Sunnyvale, Calif., which applies an artificially intelligent behavior management platform to assist users in becoming an integral part of their organization's cyber defenses.
Dave Bittner: [00:06:03] All three companies offered interesting insights. Bloomfield Robotics supplies machine learning and artificial intelligence to a very old problem - crop scouting, an activity that hasn't changed much since the earliest hydraulic societies of the ancient world began to send people into the fields to judge the right time to harvest. Visual inspection by human experts remains essential, but it's difficult and expensive, especially given the worldwide shortage in crop-scouting expertise. Bloomfield's CEO, Mark DeSantis, pointed out that losses from crop failures, which in many, perhaps most instances, come down to failures in crop scouting, cause about $4 billion in losses annually in U.S. commodity crops alone. And mistimed harvests, which crop scouting affects directly, results in about 5% plant loss each year.
Dave Bittner: [00:06:53] So what's all this got to do with cybersecurity, you, the skeptical listener will ask? And quite rightly because the answer is, nothing, not directly. But it's an interesting application of deep learning to a very labor-intensive human task, and an application in which the hype doesn't seem to have outrun the reality. And, of course, cybersecurity also requires the sort of labor-intensive intervention of human experts whose skills are also in short supply.
Dave Bittner: [00:07:20] DeSantis offered a prediction that he acknowledged would be controversial but which his audience didn't regard as crazy, either. In five years, he said, deep learning would enable automation of all the image inspection tasks that now require scarce human expertise. Feel free to draw the analogies to scarce human watchstanding expertise in cybersecurity.
Dave Bittner: [00:07:43] The second company, SecurityAdvisor, is very much a cybersecurity outfit. SecurityAdvisor's solution focuses on creating what the company's CEO, Sai Venkatraman, called personalized teachable moments as a way of delivering security training that can create a culture of cyber immunity in an organization. They focus on outcomes and on adding value to other products their customers have already bought and deployed. SecurityAdvisor applies artificial intelligence and machine learning to such inputs as user activity logs to tailor the training to the users and the organization's actual security needs. They seek to do this in a non-intrusive but relevant way. SecurityAdvisor thinks a lot of training can become annoying. Venkatraman said, once you become a nuisance, people ignore you. They've found they don't want to touch users more than four times a month with brief teachable moments.
Dave Bittner: [00:08:36] The third company, and this was the winner of the competition, was Code Dx, also a security shop. Dr. Anita D’Amico, Code Dx's CEO, called her company a player in the newly recognized subsector of application security, orchestration and correlation. That category is newly recognized by industry evaluator Gartner. D'Amico explained that software vulnerabilities are the major gateway to breaches. Most breaches are caused by exploiting a web application. But application security, she said, continues to be very hard to get right. There are more than 150 point solution tools on the market, and they can be difficult and time-consuming to configure. It can take weeks to correlate their siloed results, and they tend to deliver many false positives.
Dave Bittner: [00:09:22] The problem is that AppSec analysts must assess vulnerabilities at all the layers an application touches, from custom code to component to network. Code Dx aims to orchestrate tools and results and to prioritize vulnerabilities. It offers centralized risk assessment, with one risk score for each of the three levels that must be addressed. They make it easier and cheaper to assess and reduce the risk of insecure software, D'Amico said. The Department of Homeland Security is using Code Dx to help secure the software supply chain now. And one of the advantages of Code Dx's solution, D'Amico pointed out, is that it's a system of record that can be used to demonstrate due diligence and isolate responsibility for risk.
Dave Bittner: [00:10:04] The three companies split a $20,000 prize, and Code Dx won $2 million in seed funding. SecurityAdvisor and Bloomfield Robotics were far from left out. Both have received serious interest from venture capitalists in the course of the competition. Congratulations to all three finalists and especially, of course, to Code Dx.
Dave Bittner: [00:10:30] Now a word from our sponsor, KnowBe4. Email is still the No. 1 attack vector the bad guys use, with a whopping 91% of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization with an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through 10 incredible ways you can be hacked by email and how to stop the bad guys. And he also shares a hacking demo by KnowBe4's his chief hacking officer, Kevin Mitnick. So check out the 10 incredible ways and learn how silent malware launch, remote password hash capture and rogue rules work, why rogue documents establishing fake relationships and compromising a user's ethics are so effective, details behind click-jacking and web beacons and how to defend against all of these. Go to knowbe4.com/10ways. That's knowbe4.com/10ways. And we thank KnowBe4 sponsoring our show.
Dave Bittner: [00:11:47] And joining me once again is Robert M. Lee. He's the CEO at Dragos. Rob, it's always great to have you back. Your team at Dragos recently published a series of white papers, and they were about purple-teaming ICS networks. So I thought this is an interesting topic for us to cover here together. Take us through - what are you sharing here?
Robert M. Lee: [00:12:09] Yeah. I mean, that was definitely a collection of work by a lot of folks in our company, but all I'll pay special attention to Austin Scott. He was the one that really sort of spearheaded a lot of that. And, really, I think when we have customers and community members come to us, they always ask about getting into their environments and doing some level of service and assessment first. Usually you do that just to get a lay of the land, what's going on. And you usually get requests like I want a pen test or I want a threat pot (ph) or I want, you know, this, I want a red team. You try to ask them, like, what do you actually want? They might know the words, but sometimes the value propositions are not aligned with what they're asking for.
Robert M. Lee: [00:12:48] And so you're like, well, what do you actually want? And it's like, well, I want to take like an adversarial mindset to my defense, but I don't really just want to, like, exploit vulnerabilities or emulate a threat. I really want to, like, see my gaps and also improve my security, explicitly against kind of that adversarial mindset. And so it's kind of a mixture of the blue team ops and the red team, thus the completely unimaginative name purple-teaming. But we're seeing this in the larger security community now really take hold. And I like the little movement. It's not anything different than what a lot of practitioners have been doing over the year. But you you're identifying it, calling it something and drawing attention to it.
Robert M. Lee: [00:13:30] And again, the mindset is I'm going to treat this like the adversary. I'm not going to go down the list and just focus on compliance or checklist or quote-unquote "best practices" or frameworks. But what are the adversaries really doing? Almost taking in that intel-driven approach. But also, let's put a real hyper-blue team spin on this instead of going and having to do the red team engagement to get to the answer, why don't we almost come up with hypotheses and work through them and put the security around it as we go?
Robert M. Lee: [00:14:00] And so it's this beautiful mixture of, like, hunting with red-teaming with, like, actual security controls while you roll it out. And I think that's really critical in industrial environments. A lot of the things that you might want to do from a red-teaming or pen-testing perspective you might not want to do on your gas turbine (ph), right? And so it's kind of getting to the point of being adversarial without introducing the same risks in those sensitive environments with still getting to the end result and a big focus on defense.
Dave Bittner: [00:14:31] Do you lose anything by not having those guardrails between red and blue?
Robert M. Lee: [00:14:37] I think there's definitely pros and cons on each and every one of them. One of the things that can be done really well with a red team and there's a lot of value in doing is when you're really emulating the threat, you're not just running, like, Nessus and looking for vulnerabilities, but you're red-teaming. You're emulating the threat. You're not just testing your security controls. You're testing your defense, and what I mean by that is your people. A good red team is testing the defense personnel and their training, in my opinion. It's not can I get past the firewall and the EDR, it's, is the SOC going to see me? Is the instant response going to actually work? Are they going to be ready for me? And I'm emulating the adversary. Like, there's a lot of value in that.
Robert M. Lee: [00:15:23] And that testing of the defensive people in, like, real time is not what you get in purple-teaming. You do get that in red-teaming. But because you're moving it a little further over to the right and purple-teaming, you're getting much more collaboration and kind of education throughout the process versus what sometimes come off as a test - even though that's not always fair, there's a lot of red teams that do educate along the way. But hopefully that's kind of clear on the difference of, I'm going to emulate the threat, be adversarial, and we're going to test you, and you're gonna learn from that versus I'm going to think adversarial, show you what we could do, but we're going to handhold each other throughout this process and put a hyper-focus on the defense throughout it.
Dave Bittner: [00:16:09] All right. Well, Robert M. Lee, thanks for joining us.
Dave Bittner: [00:16:17] And now a word from our sponsor, the upcoming Cybersecurity Conference for Executives. The Johns Hopkins University Information Security Institute and Ankura will host this event on Wednesday, March 25 in Baltimore, Md., on the Johns Hopkins Homewood Campus. You can find out more at isi.jhu.edu and click on Sixth Annual Cybersecurity Conference for Executives. Learn about the dos and don'ts of risk management with industry leaders and other cyber professionals. Check out the details at isi.jhu.edu, click on the Sixth Annual Cybersecurity Conference for Executives. And we thank the Johns Hopkins University Information Security Institute for sponsoring our show.
Dave Bittner: [00:17:06] My guest today is David Spark. He's the co-host of the CISO/Security Vendor Relationship Podcast and owner of Spark Media Solutions, which does content marketing for the tech industry. He joins us to share some of the insights he's gained in the conversations he's had with CISOs, specifically when it comes to getting their attention and earning their trust.
David Spark: [00:17:27] When do you get right down to it, they just want to be considered. So when someone is looking for a firewall solution, they want their product to be considered. When they're looking for any kind of solution, just when they're looking at all - everything, they want to be considered. The problem is if you're not considered, you are literally invisible. And there's no way to succeed if you're invisible.
Dave Bittner: [00:17:47] You are the host of the CISO/Security Vendor Relationship Podcast. What are you hearing from CISOs in terms of what they want, what they - what works with them in terms of connecting with them to get your message to them?
David Spark: [00:18:01] So this is pretty much a big overarching theme on our show. We talk about this a lot. And that's why, actually, a lot of vendors listen to our show because they want to know. I will say this - there is no combination of words that one can put in an email that will automatically cause a CISO to open that email. I believe a lot of vendors believe that that's the case. It doesn't exist. They have seen every bogus email under the sun. They don't need yet another one. What they need now, to speak positive to your question, is they just want to know, what does your product do? How do you differentiate where your product exists on a security plans roadmap, you know, or maturity roadmap? That's it. If you just communicate that information and that alone, if they are interested or they will be interested soon, then they will reach out to you. But they don't want to talk to you about their security program. You know, a CISO - someone who sends a blind email saying, can we talk about your concerns of your current security program? That is an extraordinarily private matter to a CISO, and they do not want to talk about it with you. Once they trust you, they will.
Dave Bittner: [00:19:13] What about the message, can I just have 10 minutes of your time?
David Spark: [00:19:16] So yes, we've talked about this one a lot. So that doesn't work for this reason. What you are preying on when you make that request or a salesperson makes that request is you're preying on that person just being nice to you. What you need to more do is give them a reason to want to speak with you for 10 minutes. Honestly, if you give them a reason to want to talk with you, they're going to want to talk with you for a lot more than 10 minutes. And the problem is if you make the request of, may I have 10 minutes of your time, you're not giving them a reason to talk with you. You're asking them, would you just be nice to me? And the problem is, when you get hundreds of these, they simply just can't be nice to random strangers.
Dave Bittner: [00:19:56] Well, let's look at it from the other direction. I mean, what are the things that you would tell people absolutely to not do?
David Spark: [00:20:01] That list is unfortunately long (laughter). And I'd say the most popular article that I ever wrote on my site is entitled "30 Things That Vendors Say That Set Off A CISO's BS Detector." That article blew up just because it hit so many nerves. And all the CISOs were like, oh, my God, I can't stand it when they make claims of, you know, of absolutes like we protect everything, we have no competition in the market, we are the market leader. Just don't talk in absolutes. It sets off the BS detector. And if you are setting off a BS detector in any manner, they don't trust you. And trust is critical in this industry. So I would say to any marketer out there, what can you do to build the community's trust? I'll tell you one of the things that does very very well are companies that release research, unique research. That is a value to CISOs. That is one of the best ways to build trust.
Dave Bittner: [00:21:02] That's interesting because, you know, I get sent a lot of research. And I would say the ones that are truly interesting and what I would say truly valuable are few and far between.
David Spark: [00:21:16] Yes.
Dave Bittner: [00:21:17] I mean, do you have any tips on what sets a particular set of research apart from the pack?
David Spark: [00:21:23] Well, you know there's the kind of research out there that is so blatantly self-serving because they're trying to prove the value of their own product. That's the kind of research that doesn't do well. But one of the most popular research reports is the VBIR, the Verizon Breach Incident Report (ph). I believe that's what it stands for.
Dave Bittner: [00:21:43] Right.
David Spark: [00:21:44] That is beloved in the cybersecurity community. And they work on it all year. And it's actually - they're always looking for volunteers to contribute information for this breach report. But it's extremely dense, valuable information. And many CISOs that I've spoken to use that report as a means to build out their security program, to determine where they need to make sort of their next levels of investment. So if you're not making a research report self-serving and it's very unique and nobody else is providing this information, that will be of great value to a CISO. But I will tell you, it doesn't come cheap. You know, the cost of making that - the VBIR, I'm sure, is not a cheap endeavor.
Dave Bittner: [00:22:28] What about FUD - you know, fear, uncertainty and doubt? There's no shortage of people out there who are trying to drum up business by scaring people. Does that work in this market?
David Spark: [00:22:38] Definitely not. And we've talked about this, actually, at great lengths in our show. And it is honestly the reason the CISO series and the original podcast - CISO/Security Vendor Relationship Podcast launched is because back in late 2017 and before, the amount of anger that CISOs were showing towards vendors for trying to sell their product through FUD was extreme. So with the introduction of our CSO series, we were trying to combat that. Like, all right, there is an alternative to FUD. Let's find a new way to communicate together that is not based on FUD. And I'm just going to say this purely anecdotally. I am noticing a lot - well, it's far from eradicated. I am noticing a lot less FUD in the market. I would like if we took credit for that because I think, since we started our effort, I mean, I've just noticed it anecdotally. I'd be interested to know if the listeners feel the same way that, you know, since the middle of 2018, have they seen a little less FUD? I don't know, but I've noticed it anecdotally. And it's been our charge to try to get that communication to sort of tamper down.
Dave Bittner: [00:23:47] What about the importance of one-on-one communications, of being face-to-face with people, getting involved with your local groups rather than sending out email blasts or placing ads and things? What's your perspective on the value of those sorts of efforts?
David Spark: [00:24:05] So obviously, you know, any salesperson knows that any time you can get one-on-one time in front of a practitioner or security leader, that's of extreme value. And they will pay dearly for that. I mean, there are these exclusive events that many firms put on that they charge a pretty penny to let vendors have access to that kind of information. But there are other organizations like you referenced, local meetup groups. I'll mentioned ISSA, ISACA. These are security groups for which CISOs have repeatedly said, if you bring your smartest people - vendors, speaking of vendors - if you bring your smartest people to volunteer, contribute, provide valuable information, we will deeply remember that. And that is of great value to us.
David Spark: [00:24:50] I will say the problem is a lot of these security vendor organizations, they start with some very low-level people who don't have the security chops that a more advanced engineer, you know, subject matter expert may have. Those are the kind of people that are being put on the frontline, the pawns, if you will, to reach out to CISOs. And CISOs get a little frustrated with that. And they try to be polite, but when someone is obviously being paid to just secure meetings with CISOs, and they're going through every effort to make that happen, and that person who's contacting them is not the person who's actually going to have the meeting or nor has the savviness, it can grate on their nerves. And I've seen that happen.
Dave Bittner: [00:25:33] That's David Spark from Spark Media Solutions. He is also the producer and co-host of the CISO/Security Vendor Relationship Podcast. Do check it out.
Dave Bittner: [00:25:48] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:26:01] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.