Dave Bittner: [00:00:02] The US and Iran trade fire in Iraq, and a leading Iranian general is killed in a US airstrike. A corresponding escalation of cyber operations can be expected. Currency exchange Travelex continues to operate manually as it works to recover from what it calls a software virus. There's speculation that the RavnAir incident may have been a ransomware attack. And Taiwan adopts an active policy against Chinese attempts to influence its elections.
Dave Bittner: [00:00:37] And now a word about our sponsor, the Johns Hopkins University Information Security Institute. They're seeking qualified applicants for their full-time Master of Science in Security Informatics. The program covers the most current topics in information security with core courses covering security and privacy, cryptography, computer forensics, software vulnerabilities, ethical hacking and much more. It's a quality program, too, not just because it's from one of the world's great research universities, but because the institute is an NSA and DHS-designated center of academic excellence in information assurance in cyber defense and research. To learn more, register for the virtual information session at applygrad.jhu.edu. That's applygrad.jhu.edu. The virtual information session takes place January 23. And we thank Johns Hopkins University Information Security Institute for sponsoring our show.
Dave Bittner: [00:01:41] Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:02:08] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 3, 2020. In a case where the kinetic operations of a hot war can be expected to be accompanied by cyber operations, Iran has promised retaliation for the US airstrike in the outskirts of Baghdad earlier today that killed Iranian Major General Qassem Soleimani, commander of the Islamic Revolutionary Guard's Quds Force. One of Soleimani's principal collaborators, Iraqi militia commander Abu Mahdi al-Muhandis, was also killed. The Quds Force is responsible for unconventional warfare and intelligence. Its commander reports directly to Iran's supreme leader, the Ayatollah Khamenei.
Dave Bittner: [00:02:52] Reuters cites US sources as saying the strike was intended to disrupt further plans by militia aligned with Iran to attack US targets, including the US embassy in Iraq. Iranian operations against US assets and interests have long been asymmetric, and despite recent rocket and mob attacks, are likely to remain so.
Dave Bittner: [00:03:13] The Defense Department statement quoted at length by the Atlantic said, quote, "General Soleimani was actively developing plans to attack American diplomats and service members in Iraq and throughout the region," end quote. The US holds General Soleimani responsible for recent attacks on US-led coalition bases, including one in late December that killed an American contractor. General Mark Milley, chairman of the US Joint Chiefs of Staff, said yesterday, quote, "We know that the intent of this attack was, in fact, to kill. Thirty-one rockets aren't designed as a warning shot," the general observed. General Soleimani was widely regarded as an effective leader who traveled widely and worked intelligently to build Iranian influence in the Arab world. He had overtly supported Iraqi Shi'ite militia, which accounts for his presence in the vicinity of Baghdad.
Dave Bittner: [00:04:05] Observers expect an increase in cyber conflict, and the Telegraph took a look at the current state of Tehran's capabilities. Tehran claims to have some 100,000 cyber warriors. And while this total is almost certainly considerably exaggerated, Iran's capabilities in cyberspace aren't negligible. Most of their attacks in recent years have been directed against regional rivals, especially the threat group OilRig’s campaigns against Saudi targets. But Iranian outfits have hit US targets in the past.
Dave Bittner: [00:04:36] The US Justice Department, for example, in February 2018, secured federal indictments against nine Iranian nationals associated with the Mabna Institute, an organization that serves as a cyber operations contractor for the Revolutionary Guard Corps. Charges included conspiracy to commit computer intrusions, conspiracy to commit wire fraud, computer fraud, unauthorized access for private financial gain, wire fraud and aggravated identity theft. The indictment alleges that their victims included approximately 144 universities in the United States, 176 foreign universities in 21 countries, five federal and state government agencies in the United States, 36 private companies in the United States, 11 foreign private companies, and two international nongovernmental organizations. This, of course, represents a small sample of what Tehran's cyber operators might be capable of.
Dave Bittner: [00:05:31] Travelex, a major London-based international currency exchange, is still working to restore online services after finding what it called a software virus in its systems on New Year's Eve. The exchange is still able to conduct in-person transactions manually, and it has reassured customers that no personal data were compromised.
Dave Bittner: [00:05:52] Little information has been forthcoming about the attack on RavnAir, but it is known that maintenance software peculiar to the airline group's Dash 8 twin turboprop aircraft was affected. How or why the attack occurred remains unknown, but the Register quotes speculation that this may have been a ransomware incident. We stress this is speculation. The story is developing. The investigations are still in progress.
Dave Bittner: [00:06:18] Taiwan's government has adopted a rumor-control program that appears to be enjoying some success, the Wall Street Journal reports, against Chinese disinformation campaigns mounted against the island republic's elections. Taipei's policy has combined a close relationship with social networks to ensure swift takedown of coordinated inauthenticity with very active outreach to push back against fake news. When they find disinformation, they quickly debunk it in social media and try to have the debunking take the form of an easily understood and transmitted meme.
Dave Bittner: [00:06:51] This Tuesday, Taiwan's legislature passed a law President Tsai Ing-wen fast-tracked with a view to counteracting Beijing's influence operations. The new law makes political activities that serve external hostile forces crimes, and the proscribed activities include not only spreading disinformation, but also making certain political donations and holding certain campaign events. The external hostile forces are, of course, to be found across the Straits on the Mainland.
Dave Bittner: [00:07:20] The program may hold some lessons for other governments concerned about hostile information operations during election seasons. It's only fair to note that Taipei's program hasn't been free of domestic controversy. The opposing Nationalists, the Kuomintang, have charged that the whole effort is simply motivated to benefit the ruling Democratic Progressive Party. The Kuomintang favors closer relations with China, which the Democratic Progressives do not. In any case, observers say they've seen some abatement in Chinese influence operations. But correlation isn't, of course, necessarily causation. And there is a school of thought that sees this as just a case of Beijing having concluded that the Kuomintang candidate doesn't have a realistic shot at winning and so are just cutting their losses.
Dave Bittner: [00:08:09] One lesson other governments might study with profit is the apparent effectiveness of humor in developing memes against misinformation. One odd rumor that required debunking held that the government intended to fine hairstylists who gave a customer both a dye job and a perm within one week, and that the fines would amount to the equivalent of $33,000. The country's head of government, Premier Su Tseng-chang, took to Facebook with a picture of himself as a young man complete with a full head of hair and an accompanying picture of himself in his current state as an egg-bald 72-year-old. He captioned the post by saying, "Although I have no hair now, I wouldn't punish people like this." And he added a winking caution to the effect that dyeing and perming within seven days really damages your hair, and in severe cases, you'll end up like me. His post got about 56,000 likes and more than 6,500 shares. The young Mr. Su looks very serious, but the current Mr. Su has a big grin.
Dave Bittner: [00:09:16] And now a word from our sponsor, ExtraHop, delivering cloud-native network detection and response for the hybrid enterprise. With over half of enterprise security budgets going toward threat detection and response in 2020, the challenge is investing in solutions that can scale, migrate and adapt with your business. Cloud-native security solutions from ExtraHop are purpose-built to help your team respond to threats across the hybrid attack surface. Everywhere your enterprise exists today and wherever it goes tomorrow, ExtraHop is there to secure it. Request your 30-day free trial of cloud-native threat detection and response at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:10:14] And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute. He's also the host of the "ISC StormCast Podcast." Johannes, it's always great to have you back. I know you have been tracking some issues with NetScaler, some Citrix things here. Can you bring us up to date? What are you looking at?
Johannes Ullrich: [00:10:33] Yeah, so on the 17th, Citrix published an advisory with some workarounds for a critical vulnerability in their Citrix Gateway, also known as NetScaler Gateway and ADC. The problem here is - and this really only has become sort of apparent on the 23rd when Positive Technologies, the company that found the vulnerability, wrote about it - is that an attacker can execute arbitrary code on these devices without authentication. And these devices are usually, well, your perimeter. So it's not that you could say, hey, just hide these devices deep inside your network. In particular in configurations, you may use the device, for example, as an SSL VPN endpoint to expose internal applications. There isn't really much you usually have in front of it. And that's exactly sort of the configuration that's sort of vulnerable here.
Johannes Ullrich: [00:11:27] Citrix only published a workaround, meaning rules to block access to the vulnerable URLs. They have not actually published a patch yet. And with all the holidays affecting sort of, you know, 70% of the globe, I think this hasn't really gotten the attention it really should have gotten. Of course, you should apply the workaround really quickly. There is, luckily, no proof of concept exploit at this point. But I looked at the code on these devices. It's pretty messy. It's sort of what you would expect from a vendor that doesn't really worry too much about security like any security vendor putting applications out there. It took me a day, maybe less, to sort of come up with a partial exploit for it. So I wouldn't be surprised if there is already some exploit in the underground that's targeting specific devices.
Dave Bittner: [00:12:22] And that's really the game here, right? That's the race against time. When the vulnerability gets publicized, it's not just the good guys who are racing to develop a patch. The bad guys are off and running as well.
Johannes Ullrich: [00:12:35] Correct. And I think one reason actually that - and I'm just speculating here - but one reason that Citrix did not publish an actual patch is that it would be very obvious what the vulnerability is. By actually publishing the workaround, it sort of gave you what you need to protect yourself for now without releasing too many details about the vulnerability. Like, part of the vulnerability here is literally an already commented out part of the input validation. So some developer at some point decided, hey, that input validation is maybe too strict. Maybe for debugging purposes, they commented it out. I guess QA got cut down along the way, so they didn't catch that when they made that code live about 5 years ago. And since then, this particular parameter, for example, has not been validated.
Dave Bittner: [00:13:26] Wow. Yeah. Isn't that interesting how things can just hang around in the code for years and years?
Johannes Ullrich: [00:13:33] And I think it's a little bit of a trend these days where researchers and the bad guys are really looking at these perimeter devices closely. Users ask for more and more features in these perimeter devices, meaning more and more code that's now exposed at your perimeter. You have seen, like, for example, that FortiGate directory-traversal vulnerability last year and a couple hours. Basically, you know, know what you ask for. When you want more features, you'll also get more bugs.
Dave Bittner: [00:13:59] (Laughter) Right, right, right. They giveth, and they taketh away. All right. Well, Johannes Ullrich, as always, thanks for joining us.
Johannes Ullrich: [00:14:06] Thank you.
Dave Bittner: [00:14:10] My guest today is Derek Manky. He's chief of security insights and global threat alliances at Fortinet. Our conversation focuses on artificial intelligence in cybersecurity. It's a topic that's been beat up quite a bit thanks to overzealous marketing in the sector, as Derek Manky addresses.
Derek Manky: [00:14:29] If we look at AI as a whole, using machine learning models and actionable artificial intelligence on things like voice recognition and other applications, it's been much more mature. Looking at cybersecurity specifically, there has been a lot of overreach, I think, with it. You know, when you look at marketing of AI as, like, this universal solution that's going to be introducing self-healing networks and all of these things, you know what? While I think that's certainly part of the future, the reality where we sit today, I believe we're entering into a second generation.
Derek Manky: [00:15:02] So backing up around 2 to 5 years ago in cybersecurity, most applications of AI have been antivirus-driven, you know, machine learning models that have been put in place specifically to recognize malicious code patterns, to be able to, you know, recognize that, push out signatures to block those, right? That's been a traditional approach to AI. It's been a monolithic model, meaning that it's cloud-based. So it's basically one learning node where, you know, all the viruses will feed in. And you can, through that model, do the processing, and then push out some sort of decisive pattern to other organizations where those security appliances sit to be able to act on that.
Derek Manky: [00:15:45] So in reality, what we need is an actionable AI system - right? - an artificial intelligence that can actually take decisive action with a very low risk of false positive. And again, right now, the current state of the industry is this first generation of AI, which is mostly driven towards code blocking and antivirus.
Dave Bittner: [00:16:06] And so where do we stand in terms of that next generation being within our reach?
Derek Manky: [00:16:13] Yeah. So we're starting to enter this now. Like, I'm seeing it around the industry. We're also doing this at Fortinet as well. And what I'm seeing is basically, the second generation is extended reach to those learning-modeled nodes. So instead of just having this monolithic brain, if you will, in the cloud that's doing all the processing and that's relying on everything to input into it, we're seeing now extended reach in the second generation of AI, which is a regional learning system, right? So you have - now you have - you're basically extending the same success that you've had from machine learning models of the cloud and putting them onto on premises - so regional sites, you know, different verticals, different environments, different nodes of inspection for traffic, different types of traffic.
Derek Manky: [00:17:01] All of this now is entering into the second generation of AI, where those regional learning nodes extend into the cloud. So now they're also collecting data and feeding the cloud based off of its learned results, right? So then the cloud model can still take that extra input from these regional brains, do some additional processing and crunching, and then distribute that out to security appliances.
Dave Bittner: [00:17:27] You know, I think there has been so much messaging about AI, so much marketing, and even to the point of hype. Do you have any insights on the organizations who are offering these services, how should they be formatting their messaging? How should they be getting the word out to the folks who might be buying these things to kind of cut through that hype, to spread the word about what it's really useful for?
Derek Manky: [00:17:55] In the security industry, most people rely on data sheets, and those can be quite biased sometimes. I mean, it depends on your datasets, on your test environments and all of those things. I really believe in third-party testing, right? So, you know, we do this with NSS Labs, as an example, ICSA, VB100, which does testing for proactive detection. Again, these are the sorts of things I think - you know, I believe you really have to put the rubber to the road and from a marketing campaign or standpoint, show that, you know, this can be effective. Show use cases. Show examples, like, real-world examples that we're actually seeing out there, not just numbers on a data sheet, right? I think that's a really good approach.
Derek Manky: [00:18:33] It's easy to walk through things like, you know, APT groups. Quite recently, a big engineering project that we're undertaking at Fortinet is playbook development, so creating playbooks on attackers and adversaries, and then really showing how your technologies can relate to these real-world attacks that - they're quite well-documented now. You know, MITRE documents them, and a lot of other groups, too. So, I mean, it's an education standpoint for people to be more aware of these threats, but also show how AI can stack up to that. You know, especially - it gets even more important and interesting, I think, as we enter into the third generation of AI. I mean, it's 2020 now. We just turned into 2020, but not really that far away, I don't think.
Dave Bittner: [00:19:17] And what can we expect to see when it comes to that third generation?
Derek Manky: [00:19:22] In the future, I believe that we're going to get into these federated machine learning models, where you have different devices doing their own machine learning, but peer-to-peer, so talking to each other and being able to pass data so it's much quicker and then actually, you know, be able to act on that data. So it's like a regionalized response completely on premises, so more of a distributed AI as a system model. That's going to allow for a lot of fascinating cases, I think. Obviously, you'll have much quicker response, which is, by the way, incredibly important because I often talk about the weaponization of artificial intelligence, how attackers are going to be able to leverage AI to, you know, get in and out of networks much quicker.
Derek Manky: [00:20:04] So, yeah, in the future, these - this federated machine learning model, where you have all these different parts of the attack surface that you're covering with different machine learning nodes, appliances and models that can all interconnect and talk to each other. You know, only then I think, once we get into that model that we can start getting into these - I think what's been kind of promised before, talked about, this futuristic scene of, again, autonomous security, self-healing networks and so forth. A big journey that we're going into is threat intelligence.
Derek Manky: [00:20:34] So I think artificial intelligence - applications of that for threat intelligence is also going to be a very important thing in the future. We're already starting to use it. What we're starting to see now, you know, with threat intelligence is using AI to build playbooks, right? And so playbooks are obviously a complete guided map mostly using the MITRE ATT&CK framework, but a complete guided map to how an attack group is moving, you know, what regions are they operating in, what verticals are they hitting, what's their infrastructure look like, what do their tools look like, how are they moving. A lot of that's pattern-based, right?
Derek Manky: [00:21:10] And so by using machine learning and artificial intelligence for threat intelligence is really important because it starts exposing - you know, it's a lot quicker to see things that the human eyes can't see, you know, exposing patterns, exposing - doing trending and forecasting to attacks and how they've been moving and where they may move in the future. So predictive analysis as well. That's also a really interesting scenario that we're already starting to unravel a bit. So, you know, interesting things, right?
Dave Bittner: [00:21:38] That's Derek Manky from Fortinet.
Dave Bittner: [00:21:45] And that's the CyberWire. For links to all of today's stories, check out our Daily News Brief at thecyberwire.com.
Dave Bittner: [00:21:52] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT - the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.