Dave Bittner: [00:00:02] Iran took some missile shots at two US air bases in Iraq last night, and President Trump barked back in a late-morning press conference, but actually both sides seem inclined to move toward de-escalation. No major Iranian cyberattacks have developed, despite some low-grade skid vandalism of indifferently defended sites, but CISA's warnings seem generally to be taken seriously. And the Cyber Solarium gave a preview of its recommendations for a US national cyber strategy.
Dave Bittner: [00:00:38] And now a word from our sponsor ExtraHop, delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning, defend and correct with deep learning, anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:01:58] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 8, 2020.
Dave Bittner: [00:02:06] Iran fired a number of missiles at two US bases in Iraq last night. The Washington Post puts the total at more than a dozen, but the attack and the US reaction were sufficiently limited that, according to Foreign Policy, observers think that both sides are signaling a desire for de-escalation. A news conference US President Trump held late this morning repeated the US case against General Soleimani as a terror master and also denounced both Iranian nuclear ambitions and Tehran's involvement in regional terrorism. He promised further sanctions against Iran and called upon US allies in what he pointedly called the civilized world to work in solidarity to contain Iranian ambitions.
Dave Bittner: [00:02:49] Specifically, the president said he would ask NATO to become more involved in the Middle East peace process and extended an offer of negotiation to Iran. He also stressed common US-Iranian interests, especially including the recent near-destruction of ISIS. And he called upon Iran's government and people to join the US in seeking common ground. So the Islamic Republic received the back of the verbal hand, and then an invitation to rejoin the civilized world.
Dave Bittner: [00:03:19] In any case, no massive Iranian cyberattacks have so far materialized. There were some more low-level defacements of state government sites in Texas and Alabama, Vice reports. But these, like the weekend incident involving a government printing office site, are generally regarded as low-grade operations by sympathizers as opposed to attacks organized and controlled from Tehran. Nonetheless, the state of Texas has warned that it's seeing a very large volume of probes emanating from Iran against its networks.
Dave Bittner: [00:03:50] There are several possibilities here. There seems no particular reason Texas should be a particular focus of Iranian ministrations in cyberspace. Whether the Lone Star State is, in fact, being singled out, or whether other states are, too, and just haven't gotten around to noticing the probing, isn't clear. It's also possible that this is a case of the sort of background pinging that goes on all the time with people now sitting up and taking notice because CISA and the security industry have told them, hey, keep your metaphorical heads down for virtual incoming.
Dave Bittner: [00:04:22] Of course, people are spooked. Late yesterday, for example, the city of Las Vegas experienced an incident, and there's no shortage of people advising them on grounds of a priori probability that there's a good chance the Iranians are behind it. Here's what the city government told local news station KSNV - quote, "the city of Las Vegas experienced a cyber compromise at 4:30 a.m. Pacific Time Tuesday. The city's information technologies department is assessing the extent of the compromise. When aware of the attempt, the city immediately took steps to protect its data systems. People interfacing with the city may experience brief interruptions of service, but so far, those interruptions have been minimal. The city will have a clearer picture of the extent of the compromise over the next 24 hours," end quote.
Dave Bittner: [00:05:10] So, sure, it could be Iran. Or it could be someone else, too. In any case, however, the heightened levels of alert CISA has recommended remain, in general, a good idea. It's OK to get a little spooked because better spooked than sorry.
Dave Bittner: [00:05:25] Most serious concerns about Iranian cyber operations center on possible threats to industrial control systems. Ars Technica has a story about how Tehran sought to recruit a US expert who worked to help Saudi Aramco remediate Iran's Shamoon attacks on that oil company. They offered researcher Chris Kubecka up to $100,000 a month to come to Iran and teach a Global Information Assurance Certification penetration tester advanced course for industrial control systems and supervisory control and data acquisition systems. Ms. Kubecka declined.
Dave Bittner: [00:06:00] And the Telegraph quotes Tom Kellermann, a Carbon Black executive who worked as a cyber commissioner under the previous US administration, who warns that a cyber holy war could see Iran reverse-engineering US attack tools used earlier against the Islamic Republic. The big daddy of all the alleged cyberattack tools used against Iran was, of course, Stuxnet. We find ourselves obliged to say alleged because we want to be responsible. And Stuxnet, of course, targeted ICS systems involved with Iran's nuclear program. Kellermann also thinks that the rifling of US secrets in the form of WikiLeaks' Vault 7 and the material obtained and released by The Shadow Brokers were consequential and that Tehran's operators were among the principal beneficiaries of the leaks.
Dave Bittner: [00:06:48] But website defacements? As CNBC puts it, they're meaningless. Kick the skids out and fix the sites. And skids? Just a reminder, don't mess with Texas.
Dave Bittner: [00:07:00] The Cyber Solarium commission that's been working for the last year to develop recommendations for US cyber strategy offered a preview of their final report, expected in March or April, at the Council on Foreign Relations yesterday. CyberScoop has a summary. The Solarium will call for enhanced US offensive and defensive capabilities, the reappointment of a White House cyber czar to ride herd on federal efforts and increased recruitment of military cyber operators. They'll also outline a role for the insurance industry, and that may be of particular significance in developing standards and best practices.
Dave Bittner: [00:07:40] And now a word from our sponsor BlackCloak. Do you worry about your executives' personal computers being hacked? How about their home network and all those IoT goodies they got over the holiday, or credential stuffing attacks because of their password reuse? Executives and their families are targets. But unlike the corporate network, they have no cybersecurity team to back them up. Instead of hacking the company with millions of dollars' worth of cyber controls, hackers have turned their attention to the executives' home network and devices, which have little to no protection. BlackCloak closes this gap in your company's protection. With their unique solution, the cybersecurity professionals of BlackCloak are able to deploy their specialized controls that protect your executives and their families from hacking, financial loss and privacy exposure. Mitigate these risks that could lead to a corporate data breach or reputational loss. Protect your company by protecting your executives. To learn more and partner with BlackCloak, visit blackcloak.io. That's blackcloak.io. And we thank BlackCloak for sponsoring our show.
Dave Bittner: [00:09:00] And joining me once again is Caleb Barlow. He is the CEO at CynergisTek. Caleb, it's always great to have you back. I wanted to touch base with you specifically about what's going on with the situation in Iran and the US government's targeting of General Soleimani. You have some specific background when it comes to this part of the world. Can you take us through what are your insights here?
Caleb Barlow: [00:09:27] Well, I do in that teams I've managed over the past number of years spent a lot of time responding to these destructive and Wiper-based attacks. And, of course, many of those were landing in the Middle East, and there's good reason for that.
Caleb Barlow: [00:09:43] Now, you know, the first thing we've got to understand, Dave, is that Wiper or destructive attacks are totally different than the attacks we traditionally see, where, you know, most of the industry is focused on, let's say, data exfiltration attack, where the bad guys get access to data, extort it for money, profit or influence. Well, your systems didn't go down. Or, of course, of late, we're getting more and more familiar with ransomware, which is somewhat destructive, at least if you don't pay the ransom. But you always kind of have that inkling in the back of your mind that, worst-case scenario, there's an out of, maybe I just pay these guys. And unfortunately, we see more and more of that happening as ransomware hits health care institutions and state and local governments all over the country. But the difference with a destructive or Wiper attack is it's all gone. And by all, I mean you walk in on an idle Tuesday, nothing works. You've got - in fact, even your phone systems may be down. And the type of response you need is much more about business resiliency.
Caleb Barlow: [00:10:45] Now, just to put this in some perspective, you know, my old team at IBM Security looked at - and this is actually public data - the average cost of one of these destructive attacks. Now, keep in mind the sample size for this is small. We haven't seen many of these destructive attacks. You can pretty much count them on two hands. But the average cost is over $200 million per incident. And on average, they're destroying 12,000 computers in each attack. So just imagine walking into a company, having a $200 million or more impact and having 12,000 machines that have to get rebuilt from scratch. You can't even restore from backup because the boot sector on these machines is gone. You have to low-level format or replace the machines.
Dave Bittner: [00:11:33] So let's bring that back around then to the specter of the possibilities of what could come out of Iran.
Caleb Barlow: [00:11:40] Well, Iran has been very active, you know, frankly, since the Stuxnet attacks where they saw over a thousand centrifuges destroyed. And depending on which numbers you want to believe, you know, Iranian cyber forces are estimated to be somewhere around 100,000, 120,000 actors. But most of these actors are loosely connected. You know, think of it as contractors that are sympathetic to the regime.
Caleb Barlow: [00:12:06] And we've seen operations in a variety of different angles. You know, in 2011 to 2013, we saw DDoS attacks on major banks. In 2014, we saw a highly targeted attack against the Sands Casino, where the CEO of Sands, Sheldon Adelson - I think I'm pronouncing that right - a staunch supporter of Israel, had advocated for stronger nuclear threats against Iran. So we saw a Wiper attack where they took out about three-quarters of the company's servers at a cost of around $40 million. But over 2012, 2017 and 2018, we saw Shamoon. And Shamoon is the one to really look at in this case. This was a destructive attack predominantly focused on oil and natural gas infrastructure, so hitting ICS systems. It hit Saudi Aramco, Qatar's RasGas and then a variety of others over the course of Shamoon 1, 2 and 3.
Caleb Barlow: [00:13:02] And these attacks - again, they're totally destructive. But here's the thing to look at. We have to look at what was the intent of those commanders at the time? And how did they do their targeting? So the intent from their offensive operations was to focus on things that would drive economic change. They weren't after political change. They were after economic change. So by focusing in the Middle East, one, you limit the chances of repercussions from those attacks and, two, you're focused on an economic impact which would allow them either to see a decrease in the supply of oil and natural gas or to manipulate the supply, both things of which would benefit the regime. And for the most part, that's where the attacks stayed over these years. And, of course, there are some exceptions to this. But now, as we move forward today, we have to go back, Dave, and ask a question of, how might that targeting and how might that intent change based on the dramatic attack we saw last week?
Dave Bittner: [00:14:10] And so in your estimation, what changes might we see?
Caleb Barlow: [00:14:14] Well, the first thing we have to look at is from a government perspective. Influence operations are probably the key thing we're seeing indicators of, and they have massive influence operations. In fact, Twitter last year indicated they had taken down thousands of Iranian-based Twitter accounts that appeared to be, you know, kind of pushing out false and fake news and influence operations. But at the moment, this appears to be targeting, largely, the US government and military and, frankly, everything Trump. There are even signs that they're looking to leave out kind of the American people in those influence operations. And let's face it. In an election year, there are ways you could respond with influence operations that, at the very least, certain parts of the US population might not have an issue with.
Caleb Barlow: [00:15:02] Attribution is often difficult as well with influence operations, but that's most likely going to be coming from kind of the intent of the official government entity. But remember, Dave, if we look at the structure of Iranian cybersecurity operations, many of these folks are independent contractors. So they're sympathetic, but they're not necessarily taking direct direction from the government. So if you are sympathetic, you start to ask a few other questions. So first of all, your weapon of choice, we know, is destructive by nature. But your target starts to change because now the goal post isn't changing an economic issue. The goal post is trying to enact political change, to raise the awareness overall to demonstrate that they can operate on the world stage. And you're now looking for a target that might more clearly hit the US population. And again, even though the government might be a little bit more resistant to do that because of potential repercussions, the odds are that a rogue actor, those that are sympathetic, which, again, represents a large portion of their cybersecurity offensive forces - they're much more likely to look for more opportunistic targets.
Caleb Barlow: [00:16:23] So if you wanted to hit someone destructively, if you wanted to cause an impact that you knew would get in the news, well, then you start to look maybe at what others have done. And the logical place to look is at ransomware targets. In fact, I would argue that the interesting thing about ransomware targets is you don't even have to spend the time doing the targeting. You can even buy those targets online.
Caleb Barlow: [00:16:51] So part of what we have to think about as cyberdefenders is with this new action, the potential implications in targeting may change. It may not be driven directly by the government. It may be opportunistic. And those targets that are particularly vulnerable to ransomware attacks are likely to be potential targets in this case. So we're talking about state and local governments and, certainly, health care institutions, where the defenses are a little weaker. It's already known that these targets will work. And it's already known that they'll gather significant press. Combine that with influence operations, and you start to get a much better picture of, how might the adversary pivot both their intent as well as their targeting?
Dave Bittner: [00:17:39] What is your sense when it comes to the degree of discipline that these contractors have? In other words, are they taking their marching orders from a central source, or might they be injecting their own level of chaos by doing what they think is in the best interest on behalf of the people that they work for, but maybe not so much?
Caleb Barlow: [00:18:05] I think that is the key question right now that, honestly, I've been debating over the weekend as I've talked with my peers, as I've talked with friends of mine that, you know, are kind of military thought leaders, and really thinking through, how is this likely to unfold? And I think the challenge is, at least in the public realm, we don't know exactly how much control they have. We do know that these capabilities and operations are distributed. But all it takes is one or two rogue actors that are particularly upset in the current situation to take an opportunistic action.
Caleb Barlow: [00:18:42] So I think as defenders, we have to change our line of thinking, right? This isn't about getting into a scare tactic, saying, oh, well, this is where - what's likely to be targeted. This is about realizing two things. One, historically, destructive attacks did not land on US soil. I think there's a reasonable argument that that is likely to change. I think the second thing that's a very reasonable argument is to say that areas of our infrastructure that were historically weak and opportunistic - and, again, I point to ransomware targets as a very good example - likely need to up their ante very quickly because the opportunity for a rogue actor to touch them and have a dramatic impact is quite high. The odds of an ICS attack on critical infrastructure - dams, power plants, things like that - I think everyone kind of immediately migrated there because that's where we've seen, you know, the Shamoon attacks - oil rig, things like that. All of that focused on ICS infrastructure. So as an industry, we naturally say, oh, well, of course that's what will happen next. What I'm challenging everybody to think about is to say, well, hold on a second. Yes, that is what they've traditionally done, but does the targeting and does the intent change? And do we, therefore, need to think about our priorities as defenders differently?
Dave Bittner: [00:20:13] All right. Well, Caleb Barlow, thanks for joining us.
Caleb Barlow: [00:20:16] Thank you, sir.
Dave Bittner: [00:20:21] And that's the CyberWire. For links to all of today's stories, check out our daily news brief at thecyberwire.com. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. You can learn more at observeit.com.
Dave Bittner: [00:20:38] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash (ph), Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.