Cyber Risk Quantification, Level 6 Cybersecurity, & Intel Briefing
[ Music ]
Luke Vander Linden: Hello everybody. This is Luke Vander Linden, vice president of membership and marketing at the Retail and Hospitality Information Sharing and Analysis Center. And this is the RH-ISAC podcast.
[ Music ]
Thanks for joining us once again as we peer out our window for a look at cybersecurity in the retail and hospitality industries, brought to you twice a month via the CyberWire network. Can we talk for a moment about third party risk management? This is one of the two dozen or so working groups we facilitate here at the RH-ISAC. It's one of our more active groups, and it could cover a huge amount of territory. So from our cybersecurity perspective, it really focuses on subjects like how to work with other team members at your company to assess vendors and highlight which are the most susceptible to threats, as well as just how to understand inherent risk overall. But also then how to implement security controls, develop an incident response plan for third parties, really how to build and run a third party risk management program. The whole subject of third party risk is fascinating because while you could do everything in the world to protect your own systems, because our businesses are so interconnected, we really have to look at that next layer, and the one outside of that, and the next one outside of that, like the layers of an onion, to really protect ourselves and our businesses. Whether it's our technology vendors or the suppliers of the goods and services we sell, or the systems that keep the lights on, or the HVAC running in the stores, or POS systems, there are not hundreds, but thousands of third parties to think about. Now, this isn't anything new to retailers who are members, of course, but the resilience of the entire retail ecosystem is something we're thinking a lot about right now at the RH-ISAC and I'd love to hear your thoughts about it too, whether for use on the podcast with or without attribution, or just to have that conversation to better support our members and the sector. And we're interested in all perspectives, if you're from a retailer or from a consumer goods company or somewhere else in the ecosystem.
We don't use this as much as we used to, but #protectasone. That's how we make the whole retail ecosystem more resilient. We're all in this together after all. So shoot me an email at podcast@RHISAC.org to share your thoughts, or if you're a member, find me on Slack, or member exchange. Now, why did I bring up the third party risk management working group anyway? Well, at one of the working group's recent meetings, we featured a presentation by Cam Sabatini, he's a senior analyst of info sec, planning, and architecture at retailer Abercrombie and Fitch. Cam has built, or probably more accurately, is building Abercrombie's cyber risk quantification program which can be a valuable tool for identifying the moving parts of a risk landscape, taking into account changing controls, attack trends and loss data to paint a picture of an organization's risk exposure without the need for your audience to have a technical understanding of the controls. It was such a good presentation that we asked Cam to come to the podcast and he graciously agreed. That being said, in the interest of that technical understanding I just mentioned, Cam will be joined by the RH-ISAC's own Kristen Dalton. Kristen is the director of strategic engagement, research, and analytics. And one of the many things she's responsible for is our working groups, like the third party risk management working group. Now Kristen's no stranger to the podcast. She was last on back in January to discuss the results of our CISO and practitioner benchmark surveys, which she also oversees. Also on this week's episode, we'll talk with Kevin Jackson. Kevin has had a long career in cybersecurity and as a CISO with experience in both the government and commercial sectors, including pharma, defense, manufacturing, finance, telecom and academia.
But Kevin is here to discuss the company he's founded, Level 6 Cybersecurity, one of the RH-ISAC's newest associate members, and their flagship service, the Level 6 info sec strategy network, which is a pretty cool tool that uses AI and a huge trove of globally sourced, real world data to analyze and determine which cybersecurity strategies yield the best outcomes. And finally, we'll be joined by the RH-ISAC's own cyber threat intel analyst and writer Lee Clark for the briefing, a roundup of the threats and trends we're seeing out there in the wild. So don't miss it. There is a lot going on. Now, let's get to it.
[ Music ]
We are back with two very exciting guests. First of all, my colleague at the RH-ISAC, Kristen Dalton. She's our director of strategic cyber engagement, research and analytics. And Kristen, you brought someone with you today.
Kristen Dalton: Yes, we have Cam Sabatini, who is the senior analyst of information security planning and architecture with Abercrombie & Fitch. Welcome, Cam.
Cam Sabatini: Thanks for having me. Glad to be here.
Luke Vander Linden: Excellent. Welcome to you both. So what are we going to discuss today, Cam? I know you had a pretty successful presentation you gave to our risk management working group a little while back. Tell us more.
Cam Sabatini: Yes, so today I wanted to come in and talk about cyber risk quantification, which is a little passion project of mine. We talked about it with the risk management working group about a month ago at this point. Had a really lively discussion. CRQ is essentially the practice of taking that traditional high, medium, and low risk rating that we apply to risk management and taking it in a way that can be expressed numerically by turning different factors into a loss scenario and displaying that loss exposure as dollars and cents. It makes for a more effective way of communicating risk in my opinion.
Kristen Dalton: So Cam, I know we did talk about this in the working group, and it has been a hot topic of discussion for members I would say over the last couple of months or so, and we've been dedicating more and more time to this topic. But could you expand a little bit more around perhaps, maybe why this is gaining so much traction? And what the main purpose or overall goal is for some organizations who are stepping into this CRQ space?
Cam Sabatini: Yeah, I definitely think it's gaining traction, because just as an industry we've gotten fed up with trying to rate things as red, yellow, green or high, medium, or low. It doesn't get the point across, and everyone you ask can define something differently. The main purpose of doing it this way, I think, is that there are multiple layers to it depending on how mature you are, or what you're hoping to get out of it, and how much you're willing to invest into it. I know there are some organizations out there that are using cyber risk quantification to make control purchasing decisions, taking it as a simple, cost of implementation, or risk reduction equals X. So we invest or don't invest. Or you use it to make decisions on your cyber insurance policies. I'm not totally sure that we're as an industry there yet in terms of our faith and our confidence in these numbers. Instead, where I think there is so much value in doing cyber risk quantification, is it takes all of those different factors, whether they're internal controls, external risk factors, or even changing cost magnitudes in the world and breaks it into one scenario where you can talk to how things are changing over time. And it gives us a really good way to anchor our stakeholders in something that makes sense to them and be able to talk about some different things, what your security team's doing, what your tech teams are doing, or even what's changing in the world, and be able to say that even though we might have gotten more mature in one space, we are still seeing higher risk just because the world is an ever changing place.
Kristen Dalton: We hear a lot about being able to translate and communicate that cyber risk into business risk, which it sounds like is also an objective or goal with CRQ. And you had mentioned that you do work with internal stakeholders on the business side. Could you perhaps maybe talk more about the types of stakeholders or executives that you work with and/or report to with the CRQ program?
Cam Sabatini: Yeah. So we typically report out on risk holistically on a quarterly basis, and there's a wide range of stakeholders from board to audit committee and then down to company execs, our finance partners, our internal audit partners, digital and tech leaders, and even our internal security team to make sure we're all kind of aligned on how A&F is viewing cyber risk. It varies in how we communicate that out, depending on the setting, but we can get into that a little bit more later. When we report out those risk reports, there are a couple of ways that could be expressed, usually, in smaller tidbits. So we're not saying we did a CRQ exercise, and we point to that whole thing as what we report out. Instead, we'll take maybe a loss exceedance curve, which I think is a really valuable tool in showing your audience the most likely loss magnitude of a certain loss event, or the worst case scenario, and how those probabilities relate with one another. It could be even something as simple as saying, we think there is an X percent chance that we experience a material incident and this kind of loss. Or even as I alluded to earlier, being able to track trends over time. So showing that in our cyber risk quantification program we've realized that the regulatory fines in Europe for this kind of loss are going up. So being able to point to different bits and pieces that help drive that message of what A&F is seeing as risk overall.
Kristen Dalton: Would you say that also touches on the methodology that you use behind CRQ? And if there's anything else that you take into consideration when working with these stakeholders and when reporting out?
Cam Sabatini: Yeah, most definitely. I'd be remiss if I didn't talk about FAIR as the methodology behind cyber risk quantification, Factor Analysis of Information Risk. And what that does is it takes all of those factors into account, the control strength, the threat event frequency, loss magnitude, among others, and allows us to link those factors together mathematically, usually in the form of ranges. And then we take those ranges and would run some sort of Monte Carlo simulation that shows what those different losses look like in a given year over the course of thousands of years within the scenario by adding some degree of entropy that allows us to randomly say where a loss either occurs or doesn't occur based on some of the probabilities we have defined in controls and likelihood, or the magnitude if that loss does occur based on the ranges of cost. So it gives us a good population of different scenarios that might have happened and kind of land on what is the distribution of that most likely case scenario, or the worst case scenario.
Kristen Dalton: So what you described seems very complex in certain ways. You're looking at different parts of the business. You're looking at different threats. You're making, you know, connections between them. And then also assessing, you know, like you said, the different levels of risk. How do companies typically start, or, you know, how do they implement a CRQ program? And I don't know if you want to share a little bit about, you know, how this came to be for Abercrombie and/or advice that you might give to someone, a company that is just starting out and thinking about cyber risk quantification.
Cam Sabatini: Great question. And what I think is most critical when you're trying to start out a CRQ program, is to be honest with what your goals are. If you are trying to set out to make control purchasing decisions on day one, you're going to be set up for disappointment because you're just not going to get there early on. Instead, if you're just trying to structure stronger conversations around risk, I think the best way to do so, is to start small and pick what maybe stakeholders think of as those top three loss scenarios and really build out CRQ assessments around those loss scenarios that you can talk to what controls you have in place to prevent those losses from occurring, what kinds of costs you would experience if that loss were to become an actual event. And then continue to build out that program over time. You bring in more types of loss that occur. And then eventually, if you were to get more confident in your numbers, then you could potentially see that growth where you start using it to make purchasing decisions, whether that's insurance or controls, and really grow the program there. Another thing that is highly valuable too is to just talk to different people within your organization and figure out where they view risk and get their expert opinions on cost. As a risk analyst, you're not going to be the expert on what everything costs, whether internally or externally, so use those contracts you have in place to figure out what forensic or recovery costs would look like. Use your internal experts to figure out how many customer records you have, or what your productivity loss would be if a given system were to go down, and really build out your cost ranges that way. It also helps, shout out to Mark [Inaudible], who spoke on this a couple weeks ago, about just being able to use that process to build up buy in for your CRQ program.
So as you're talking about those numbers, there are people that have already contributed to that exercise that are in the room hearing it and you have that buy in.
Luke Vander Linden: You know, I think it's interesting that you talk about, you know, internal buy in and who you work with internally. You know, we get invited, the RH-ISAC, to speak and attend some loss prevention, or, you know, asset protection, physical security conferences. I was at one from FMI not too long ago, which is the grocery store organization. And a lot of these folks, they're using terms like total loss and things like that. How often do you get into the physical world, or does this cross over into physical loss as well?
Cam Sabatini: So that's a really hard jump to make. I can't say I've been successful in doing that. And I know a lot of times you really struggle with scope creep in the CRQ landscape of where do you stop? What kind of risk do you take into account? And what kind don't you? A story very early on as we were trying to figure this out was we tried to figure out, what's the cost associated with replacing laptops on a yearly basis because in theory, we should have good data on how many laptops we lose, either due to actually being lost or physical breakage. And it got to the point where we were trying to factor in so many degrees of entropy that it took up so much time for really something that in the grand scheme of things isn't that large of a risk based on how many laptops you're replacing and the cost of those laptops. So being able to try to set your sights, especially as you're starting out, on those top level risks and focusing your energy there is really key. And then breaking it out at an enterprise level gets very difficult, just due to the vast number of factors that go into play there.
Kristen Dalton: Yeah, I remember, in the working group, we did get a lot of discussion around it being so difficult to define what the actual scope of the CRQ program should include. And Cam, to your point, like working with those business leaders to identify, well what are the critical risks? What are their top priorities? Have you received any feedback from the folks that you've worked with on the business side, in terms of the impact or the value of the data that you are providing them?
Cam Sabatini: Yeah. I think the feedback is mostly around just it being a good way for us to break out what those top risks are to the business and talk about how they're changing. We're not at the point where philosophically we're making those purchasing decisions, or really changing a ton of the ways we do business based off of these exercises. So it's really that value is we're talking the same language. We have things that can be trended over time to point to from a risk perspective.
Luke Vander Linden: Since you gave that presentation at the working group, have you gotten any feedback from other companies, other retailers? And are their programs similar? Like how are other companies building their programs out similar to yours?
Cam Sabatini: Yeah, so I have a couple of good conversations that are on the docket and hopefully can have an update for those later down the line. But I've been talking to groups that are, one, way more mature than us and are trying to make those decisions of purchasing based off of their cyber risk quantification, or even trying to change the way an organization weights risk based on the results of a risk quantification exercise. But also teams that are really trying to start out, and being able to talk about what our philosophy is behind it and how we can shift that narrative from CRQ needs to be at that mature state to drive value versus that intermediate value that you can see pretty early on as you do just a couple loss scenarios in your CRQ program.
Kristen Dalton: And you may have mentioned this earlier, Cam, but the types of data that typically go into calculating risk or assessing risk. Could you perhaps talk more about that and if there's data sources internally versus externally or both that you're using to make this assessment?
Cam Sabatini: Yeah. Would love to talk about this. One of the challenges that we face a lot in trying to build out a strong quantification program is how do you effectively reflect your internal controls in a consistent method across different quantifications. I'll give a shout out to the team at Alpha Hive that I think is doing a really good job of this, of finding ways to map internal assessments they're already doing, whether it's at the CSF or the CIS critical security controls, and assigning some maturity scores to those controls that can be used in various exercises. So you're not trying to say we're 90% resistive to this kind of attack. Instead we're taking the controls that are relevant to that kind of attack and using the work that we've already done to assess our maturity to include those in the calculations that are consistent across different loss events. And then also, we can trend those over time, because we can point to an improvement in maturity in one control to a direct impact that it might have in a future state quantification scenario. Other things that we take into account, like those cost factors, that's one thing where good partners are really critical, especially as you're starting out. And it's really difficult to build up those loss tables with internal brain power, and then also just some of that external cost data that you wouldn't have internally, like the cost of a data breach reports that are out there, the Verizon [inaudible], but trying to figure out which of those costs actually apply to a given scenario, what are those ranges, and how does that interact with the size of your organization? So having a partner out there, and there are plenty in the marketplace, that can provide that loss data is really valuable. And that control efficacy and the loss magnitude are probably the two hardest ones to get right. And I'm excited to see where we're going as an industry in trying to manage those better.
Kristen Dalton: Well, I don't know if I have any more questions. But Cam or Luke, is there anything that we should touch on that we haven't already talked about?
Luke Vander Linden: I guess for me, just like, you know, what do you see is coming up next? And what advice or anything else you want to tell not only our, I mean, you had a great chance to talk to our member retailers at the working group, but now that you have kind of a larger audience here in the way of picking up some listeners from nonmember retailers, any advice or words of wisdom for them?
Cam Sabatini: Yes. So where I see CRQ going in our industry is really getting better at standardizing how we reflect some of that control data and some of that cost data. So continuing to see more and more orgs adopt this method of quantifying risk is only going to make us stronger. We're going to get better input data, both from marketplace forces, as more orgs want to invest in this so there's going to be more maturity in the product space, and then also just standardization of talking about how different orgs measure their controls and having that kind of normalization across different orgs as you build out your program. In terms of other pieces of advice, I really just want to hit home that being realistic about what your expectations are with your program is really critical to being successful when you're starting out. And I know a colleague of mine, Jayden, and I a couple years ago, really got in the weeds of trying to boil the ocean with our CRQ program and spun our wheels a lot as we were trying to bring in every scenario. And we often found ourselves double dipping because we were trying to have that all-encompassing vision of risk at our org. It became almost an insurmountable thing. So being able to be realistic with your expectations and starting small with a relatively limited scope, I think, is critical. The other thing too, is that it's really difficult to bundle up all of your CRQ exercises into one organizational annual loss exposure. It's the same thing where you'll find yourself double dipping and see an exorbitant annual loss exposure when you're trying to factor in all of those loss scenarios together. In practice, we don't see loss snowball like that. So I'm a proponent, at least for what I want to use CRQ for, of keeping it at the scenario level.
Luke Vander Linden: Well, Cam Sabatini, senior analyst of info sec, planning, and architecture at Abercrombie and Fitch, thank you very much for coming on the RH-ISAC podcast. And Kristen Dalton, our very own. Kristen, you run, amongst other things, our working group program. How many working groups are we up to now?
Kristen Dalton: We have about 20 different working groups. And we have three different categories for them. So we've got domain specific groups, such as risk management. We've also got some tool based groups, and then special interest groups, depending on what role you play in your organization and/or what industry sector you're in. So lots of customization.
Luke Vander Linden: Yeah, and I know that you've been particularly active with these groups, putting them together recently. And generally, they're members only, but every once in a while there's a conversation like this one, or a presentation like Cam gave, that we can bring out to our broader audience. So thanks very much for bringing that to our attention, Kristen. And keep up the good work. And Cam, thanks for joining us again. Thank you both.
[ Music ]
And now I'm joined by Kevin Jackson, the CEO of Level 6 Cybersecurity. And you're also the founder of Level 6 Cybersecurity. How are you and welcome to the podcast.
Kevin Jackson: I'm doing great. Thank you so much for having me on. This is a great opportunity.
Luke Vander Linden: Excellent. Yeah. So tell us a little bit about your journey of founding this company, I guess, a little bit about your background, and what the need you saw for Level 6 to exist.
Kevin Jackson: Okay. Well, my background comes from, as you can well imagine, cybersecurity and compliance. The majority of the 30 years that I've been in the industry has been focused on information systems, securing all sorts of enterprise architectures, and on managing compliance processes. I've had kind of a balanced career across some DoD and government support environments earlier in my career with some more commercial and retail support here in the second half of my career. And as I've been going through those different environments, kind of moving along the chain of cybersecurity from more of an analyst and architect up to becoming a cybersecurity manager and decision maker, over the years it became more and more obvious to me that there needs to be more support for the cyber decision makers, more support on the strategy side of the house of cybersecurity. And that's what led me to create our startup, Level 6 Cybersecurity, about a year ago now, to really try to make a tool that's going to bring benefit, bring support to the cyber decision maker, and how they manage their cyber programs at the strategic level.
Luke Vander Linden: Oh that's excellent. So tell us a little bit about what Level 6 does for, I guess, selfishly retail and hospitality organizations for us, but assuming our members and listeners haven't heard of you, just summarize what it is and what it does.
Kevin Jackson: So our flagship product is called the Level 6 Info Sec Strategy Network, which is LISN, or listen for short. And it's easier to remember kind of what we're about because our tagline is, we listen to the data. We're listening to the data in the entire world and mining the data in the entire world for cyber strategy, outcome, and ROI information. Our whole approach is about listening to real world events, real world outcomes, and correlating those with the cybersecurity strategies that real world organizations have put in place, and then running the analytics. So we're using an AI powered analytic engine to find out what the correlations are between specific cyber strategy decisions and good and bad outcomes so that we can provide to our network of members actual analytics on what works best in cybersecurity at the strategy level. So that's what we provide to the retail and hospitality industry and the other sectors we support. It's insight into what really works best in cybersecurity, especially considering limited resources of personnel and finances, which are baked into our model.
Luke Vander Linden: I love the acronym and I love the listen because that's a great descriptor of what it sounds like the product does. And so what kind of data are we talking? Without giving out any secrets, what kind of data are we talking about? And where do you get it?
Kevin Jackson: Yes. So we actually mine data from all over; the open sources on the internet are our first stop. There's so much information that's available, whether it's in news alerts, legal filings, breach analytics and post mortems. Lots of information, increasingly more over the years, as the entire globe leans more into, hey, if we share more about what we're doing and what's happened to us in cybersecurity, we all can learn more. Again, that's why we're so attracted to the ISACs, to the RH-ISAC in particular, about information sharing. Well, open sources have a ton of valuable content about cyber strategies that are really being used and about how they can be used to create true knowledge and wisdom for how to better design future strategies in cybersecurity. So open sources primarily, but we also use academia. And this is a piece that we feel is far too rarely leveraged in cybersecurity. We go deep into the thousands of peer reviewed journal articles in cybersecurity that are produced every year. And we mine data from those as well, because a lot of those are quantitative and qualitative real-world situations that are analyzed to figure out what actually works best in cybersecurity. So we bring that into our model as well. And then again, from our actual member organizations is the last piece. We anonymously gather data from our member organizations to add to the mix of all of this data in a single global data warehouse that we then run our model on to analyze what works best for the cost in cybersecurity.
Luke Vander Linden: Wow, that's fascinating. And I'm sure with more regulations and rulemaking about disclosure about events there will probably be, as you said, a growing amount of information. But the academia part of things is fantastic, because I actually used to work in academic publishing, and it's fascinating what's in there. Totally different industry, but fascinating that that stuff is out there to be seen, if you could just harness it.
Kevin Jackson: Right. You know, one part of my background that has kind of been parallel with cybersecurity has been in this intelligence and data analytics. I've been teaching business intelligence classes at Villanova University for about the past five years. And that's where this kind of, the mixture came in as I saw that there's all this data out there, and there's all this capability that's now available to do high end data analytics and AI driven analytics, especially, and yet no one was looking at the strategic data that's out there in cybersecurity to try to take advantage of it and run analytics on that type of data. So absolutely, there's a lot there in the academic side from Villanova and from other organizations or other universities. A key piece of what we're doing to try to change the way that cyber strategies are engineered.
Luke Vander Linden: Right. Now, that's two times you've mentioned AI. Obviously, it's a hot, hot, hot topic now, just generally around the world, but also in our sharing channels, our members are talking about it a lot. Could you go a little deeper on how LISN uses AI to benefit decision makers that may use it?
Kevin Jackson: Absolutely. So we actually use AI machine learning within three different aspects of the LISN tool. First, on the input side, we are in the process here now of developing and advancing how we use machine learning and AI to help us gather more data more quickly from the open sources on the internet and from academia, where we have a partnership with an AI firm that's helping us develop better and more efficient data gathering, data analytics tools for mining all that information from the open internet and from social media sites and from conferences. Any kind of data that's on the internet that relates to cyber strategy, we are using ML driven tools to bring the data in more efficiently and pre rank it and categorize it to bring it into our data warehouse. And then on the output side, we're using an AI engine to learn the trends and learn the output patterns that come out of our model. One of the key things about our model is producing an effectiveness score, a score that shows how well a given organization is leveraging their resources, versus what all the others in their industry are doing. And by effectiveness, we're really looking at ROI. We're looking at bang for the buck of dollars and personnel that are being put in place, implementing specific strategies. Well, our model gives an output that learns what cyber strategies are going to give the best bang for the buck in specific cyber domains, like incident response, identity and access management, vulnerability management, you name it. Well, our AI engine is learning those results as they get produced and is being trained on how those patterns emerge so that over time, we're getting more and more insight from an AI on what it looks like, and what the change patterns are like, and what we can predict is going to be coming in the future in cybersecurity, in a given industry or sector. And then the last piece, and I'm happy to say this, everybody talks about ChatGPT and all of that right now.
Well, we were talking about that years ago before there was ChatGPT, when it was only referred to as natural language query, natural language response technology. So we have, in our roadmap, probably within months to a year from now, our output will be integrated with that ChatGPT-like construct, so that our users can simply interact with our data model in a very conversational way, as opposed to having to be in just a business intelligence portal. They'll be able to ask LISN questions and get direct responses, and even get alerts pushed to them from our LISN tool when it's time to adjust their cyber strategy to optimize how they're protecting their organizations.
Luke Vander Linden: Oh wow. Yeah, I was going to ask, like, with all this rich data, how a user, your customer, or members as you talk about them, how they actually access all that data and what it looks like for them when they're trying to secure their organizations?
Kevin Jackson: Right. And the primary way, and where we are right now in our beta version of LISN, which is going to be version 1.0, our first full live version in about four weeks. That is through a self-service BI portal. It's very similar to a business intelligence portal that our customers are probably used to from their forecasting or from their sales team and finance, wherever it might be, except, instead of being a financial business intelligence tool, it's a cyber strategy BI tool. But a lot of data visualizations to summarize and make quickly digestible views that give rankings, effectiveness scores, guidance recommendations on ways to change your current strategies that will give better outcomes based on real world data. So it's very much like a BI interface right now. But again, in the future, that'll be moving more and more towards this is a tool that can live on the phone and on the desktop of the CISOs in these different organizations where they have constant access to the live data that we're constantly collecting to learn what are the best strategies for them at any given moment.
Luke Vander Linden: Wow. So IR, vulnerability management, risk management, governance, compliance, how would you easily summarize what this tool is?
Kevin Jackson: You know, that's almost an easier question than the others, because what we really are is an umbrella tool above all of those cyber domains. We cover the strategies that organizations will need to put in place in their diverse management process, in their vulnerability management processes, in their policies, plans and procedures management. Everything from the personnel and the operation side, through to the processes, through the tools and the characteristics of the different tools, we're gathering data at the strategy level on all of the above. So LISN is really a tool that helps you devise strategies for all aspects of your cybersecurity program. And therefore it's kind of like an umbrella tool. We're giving guidance based on real world data, as opposed to when just one vendor or one consultant or even as broad as their history might be, nothing beats having access to an entire global data pool in a given industry that's going to give recommendations in an objective way based on a data model that shows, here's the optimal way to do and then fill in the blank. So all of those areas are included in how we're modeling the cyber world.
Luke Vander Linden: It's absolutely fascinating. And I'm glad we had the chance to talk about this. Level 6 Cybersecurity is one of our newest associate members of the RH-ISAC. Tell me, what can our members do, our listeners do to take the next steps or to learn more about it?
Kevin Jackson: Absolutely. Right now, again, as we move towards LISN version 1.0, we are trying to attract as many new members as possible to help us with the details of how we're producing everything from our user interface, to some of our new features we've integrated. We just released a new feature in our beta that maps cyber strategy to the MITRE ATT&CK framework, for example, so that we can show our members, based on their cyber strategy, where they are most likely to have adversaries try to take advantage of them. So things like that, when it comes to how we deliver and how we create reports, how our visualizations are designed, we are really looking for more and more feedback on all those. So right now we're offering a large discount to all the RH-ISAC members, 60% off, in fact, of our annual membership fee. Because really right now, where we are as a startup, we are just thirsty for more information and feedback from the user. We've got several strong early adopters in place right now, but we're looking for more feedback. What would best benefit you as a CISO, as an information security director, as that decision maker when it comes to using a tool like this?
Luke Vander Linden: That's great. So it points not only to the benefit of being an RH-ISAC member, but also to the benefit of getting in early. They can help craft the usefulness of the product. It was great to meet you, Kevin. Thank you so much for coming on and letting us know about LISN and Level 6 Cybersecurity. Looking forward to following the progress as you move forward and hearing how it works.
Kevin Jackson: Wonderful. Thank you so much for the time.
[ Music ]
Lee Clark: Hi everybody. This is Lee Clark, the CTI writer for the RH-ISAC. I'm here for this month's The Briefing. The first story we've got for the month is still a continuing story. We've got a few developments recently. This is on the ongoing campaign hijacking the 3CX desktop app. Alright. So on March 29th, at the very end of last month, a bunch of cybersecurity firms started reporting that the 3CX desktop app, a voice over internet protocol, VoIP, call routing software, was being compromised in a supply chain attack. Now, multiple investigations originally identified that the app had been trojanized to deliver an information stealer. And originally, a couple of outlets attributed this attack to the North Korean Lazarus Group because of some things like shared code. And then eventually Kaspersky came out with a report that said they had seen the app delivering the Gopuram backdoor, which is a well-known Lazarus tool. So that started to really make it look like, to the open community, that the Lazarus Group was involved over time. As soon as these reports started coming out, the 3CX CEO came out, confirmed that they had an ongoing incident, and publicly encouraged all users of their product to uninstall it and switch to the PWA client instead, which is the completely responsible thing to do for the security of the community. Now this tool, the 3CX desktop app, is widely used. Right? I've seen estimates that say up to 600,000 individual customers use it, more than 12 million daily users, by some estimates. But then, interestingly, on April 11th, Mandiant released their initial analysis of what they had seen with the supply chain attack. They were actually brought in by 3CX to do the investigation. And they discovered a couple of specific malware being used in the attack that led them to attribute the ongoing incident to the North Korean threat group UNC4736, which should not be confused with the Lazarus Group.
And without editorializing, a quick analyst comment from the RH-ISAC is I would still, at this point, hesitate to fully assign a concrete certainty of attribution for this attack. Yeah, we see some tools that overlap with the Lazarus Group. Yeah, we see some malware from Mandiant that they attribute to UNC4736. However, with the state of the tool environment for modern threat actors, I would really hesitate to say just because we see tools from certain groups means that those groups are involved. Tools spread, they leak, they get sold. They get built on and changed over time. New groups adopt them. Groups dissolve and then reuse their code later on for new malware after they reform new groups. So even though we see a lot of this tool overlap, at this stage, until we get a little bit more information from Mandiant, I would caution listeners against fully assigning either Lazarus or UNC4736 at this stage of the investigation. Alright. The next report, I thought, would be prudent to talk about is the FBI IC3 2022 Internet Crime Report, which identified key business email compromise and ransomware trends. Business email compromise and ransomware are two of the leading threat trends that the RH-ISAC community sees, in addition to the points that the FBI reported, right? So if we go through some of the takeaways of the FBI report and sort of look at how they see this threat landscape over time, it doesn't look too different from the threat landscape that we monitor internally for the RH-ISAC, right? There are no real shocks here. Over the last year, the IC3 received more than 800,000 complaints and logged nearly $10.3 billion in reported losses resulting from cybercrime incidents. Phishing was by far the most reported cybercrime type with over 300,000 reported incidents over the reporting period, followed by personal data breaches, nonpayment and delivery fraud, extortion, and tech support scams.
All of these align with trends that the RH-ISAC community faces and successfully defends against regularly. Phishing is overwhelmingly the most common initial threat vector that we see, as well as multiple types of fraud being of high interest to our membership, right? So then the big point of the report, which we don't have internal metrics on that I can report publicly, is that the IC3 received nearly 22,000 complaints related to business email compromise and estimated the adjusted losses related to those compromises to be over $2.7 billion. They noted a marked increase in the prevalence of BEC. They noted more sophisticated tactics such as spoofing legitimate business phone numbers to try to confirm details of victims, and increased targeting of investment accounts, meaning they're not just trying to take over email accounts of executives. They're hoping to take over accounts that have a direct connection to a financial investment, so they can actually manipulate those funds and extract them from their victims, right? On the ransomware side, the IC3 received more than 2,300 ransomware complaints. And they recorded losses of around $34.3 million. Now that's still prevalent. It's still a large figure, but it's noticeably smaller than both the prevalence overall, and the monetary loss associated with business email compromise, right? For some of the community perspective on this, our commercial facilities reported a total of 58 ransomware incidents, food and agriculture organizations reported 48 ransomware incidents, and transportation organizations reported 32 incidents. LockBit and BlackCat were the two most prevalent ransomware types with Hive as a third. Now major ransomware strains, like LockBit, are routinely observed, stopped, and reported by the RH-ISAC intelligence community. So this FBI report pretty much corroborates the internal metrics that we track for ARC.
And if we get a little bit more granular, we had a couple of interesting reports about new malware being reported by leading security vendors, right? In late March, Trend Micro researchers reported a new malware they dubbed OpcJacker. That includes a couple of interesting capabilities, like keylogging, taking screenshots, pulling data directly from browsers, loading additional modules, and of course, the ever classic replacing cryptocurrency addresses in the clipboard, so you can just straight up siphon the cryptocurrency from your victim into your own account, right? Obviously, the key metric here is financial gain, right? That's the key motivation for this particular malware. And Trend Micro actually assessed that the malware is probably still in the development and testing stage, because they've discovered a whole lot of test IDs in the samples that they analyzed. So this is a crypto jacker that we may see emerge stronger, more developed, more sophisticated. And we may see it grow in prevalence over time depending on the capabilities of the threat actors. The next one would be the Mispadu banking trojan campaign. Towards the end of March, Metabase Q Security reported the technical details of about 20 different campaigns, targeting organizations in Chile, Mexico, Peru, Portugal, with a new banking trojan that they named Mispadu. Now, according to the report, the campaign attempts to steal credentials from users who are trying to access banking services, educational services, social media, specifically gaming and e-commerce online portals, as well as public repositories and Outlook email credentials. It looks like in these campaigns, the threat actors are compromising legitimate websites to leverage for the command and control infrastructure. And they've got automated payload building processes for rapid delivery.
There are a couple of new features being developed for this as the campaigns go on, like fake certificates to escape the initial stage of the malware, new .NET-based backdoors enabled to take screenshots, or even fake windows for the victim, and finally, a new Rust-based backdoor. And Rust is still not particularly well handled by a lot of endpoint protection software, right? And then the last sort of interesting granular campaign that we saw was on Winter Vivern. This is a cyber espionage campaign targeting telecom and government organizations, right? This was reported by SentinelLabs. They've discovered a number of campaigns against government and telecom companies. They particularly note that Winter Vivern's activities align closely with Belarusian and Russian government interests. This report that SentinelLabs put out is also actively reported by the Polish CBZC and then the Ukrainian CERT. So far, the group has targeted organizations in Lithuania, India, the Vatican, and Slovakia. So both the EU and parts of the Asian region, right? The group appears to be targeting organizations that have publicly supported Ukraine during the ongoing war, either telecommunications organizations that have made public statements in support, or have actually provided material support in the form of, say, satellite communications to the Ukrainian government. According to SentinelLabs reports, Winter Vivern leverages phishing sites, credential phishing, and malicious documents that are tailored as lures for targeted organizations. Then after they're infected, they deploy custom loaders that enable remote access for data exfiltration. So a pretty standard cyber espionage campaign aligning with Belarusian and Russian government interests is what SentinelLabs basically assesses. Then the final report for The Briefing this month that I would highlight would be a recent ESG report outlining challenges in cyber threat intelligence for cyber executives.
According to this report, about 95% of enterprise organizations, that being those with more than 1,000 employees, have some kind of threat intelligence budget and about 98% plan to increase their spending on threat intelligence over the next year. They surveyed around 380 cybersecurity professionals at organizations in the U.S. and Canada with knowledge of or participation in their organizations' CTI programs and had a couple of interesting key takeaways. So 85% of security professionals believed that their CTI program had too many manual processes and needed more automation to be effective. Eighty-two percent of those professionals believed that their CTI programs were treated as an academic exercise and that lessons learned from CTI operations are not being effectively integrated into decision making within the organizations. Seventy-two percent believe that it's hard to sort through CTI noise to find what's relevant for their organizations, which is an age-old problem in intelligence, signal from noise. Seventy-one percent of professionals said it was difficult for their organizations to measure return on investment for CTI programs. Now this is also a textbook problem with CTI in that you can't assign a dollar amount to how many intrusions did not happen as a result of the preventative measures and defensive operations that cyber threat intelligence enables. You don't get a dollar amount for that. And then the last one would be that 63% of security professionals said that their organizations are not correctly staffed to manage their appropriate CTI programs. Sixty-three percent report a skills and staffing deficit for being able to effectively manage the cybersecurity of our programs. Interesting statistics about the challenges that are facing the community.
Luke Vander Linden: Excellent. Yeah. Thank you very much for that, Lee. You know, that last report, it's interesting. If I recall, our 2022 CISO and practitioner benchmark reports touched on some of those same subjects, didn't they?
Lee Clark: Yeah. So in trying to take a pulse of our community's preparedness and their sense of their own organizations' cybersecurity health, our research team puts out both a CISO and a practitioner benchmark that Luke mentions. And we get some key statistics from that that are interesting when you look at the ESG report. Sixty-six percent of our member analysts report CTI as a key job function. Eighteen percent of them ranked their skills as beginner level, 34% ranked their skills as intermediate, and 28% ranked their skills as advanced, with 14% saying that they were experts at CTI. Sixty-six percent of analysts identified understaffing as a key challenge to their job effectiveness, compared to the 63% found in the ESG report. Overtasking, lack of environmental visibility, and inadequate tool sets were also key challenges that member analysts identified in the practitioner benchmark. Ninety-three percent of our practitioners felt that they had the necessary skillsets they needed. And more than 80% of them believed that their teams also had the necessary skillsets to effectively protect critical assets and information in their organizations. Eighty-seven percent of practitioners said their organizations allowed them to develop their skillsets over time. That's in the form of continuing education, certifications, skills training, things of that nature. And then 26% of practitioners said that threat intelligence was a top organizational risk and 7% of them identified threat intelligence as a top initiative. So that's from the grunt level, right? That's from the frontline perspective of our members, from the practitioner benchmark, which compares and contrasts, interestingly, a little bit, with how the ESG report reports what CISOs see. So as Luke mentioned, we also put out the CISO benchmark. And from that, we identify a couple of interesting comparisons. For instance, CISOs outline CTI as the fourth priority in their responsibilities.
So, it's lower on their list of the most important things that they're tasked with by their board of directors. It came behind security operations, vulnerability management, and security awareness. All of those were ranked as higher priorities than managing the CTI. Threat intelligence also was reported by the CISO benchmark report as one of the top most outsourced capabilities, with around 38% of our respondents saying they actually outsource their CTI capability, rather than run it in-house.
Luke Vander Linden: Interesting. So a little compare and contrast between our own survey and that from ESG. Now you linked the ESG report into member exchange, if anybody wants to see the whole thing. And our CISO and practitioner benchmarks are there as well.
Lee Clark: As well as TLP:CLEAR versions of the CISO and practitioner benchmarks included on our blog on the RH-ISAC website, if non-members are interested in getting a redacted look at some of the key metrics, and that could help spur them.
Luke Vander Linden: Excellent. We also had a segment of an earlier episode of our podcast on the findings of those reports as well. So lots of information out there. Lee Clark, thank you very much for joining us, our own cyber threat intelligence analyst and writer. Thank you, as always, for The Briefing.
Lee Clark: Thanks for having me, Luke.
[ Music ]
Luke Vander Linden: If you haven't already, you should check out that episode from back in January on the CISO and practitioner benchmark reports. Lots of good data and interesting insights in there. But that'll do it for me and another episode of the RH-ISAC podcast. I want to thank Lee and Kristen, and all the guests, Kevin Jackson from Level 6 Cybersecurity, and Cam Sabatini from Abercrombie and Fitch. And as always, thank you to our own production team at the RH-ISAC, Annie Chambliss and Marisa Troscianecki. And for making us sound good, the folks at CyberWire, our senior producer Jennifer Eiben and the sound team of Elliott Peltzman and Tré Hester. This episode, and all of our past episodes, can be found at thecyberwire.com or wherever you listen to high quality podcasts like ours. Once again, if you have anything you want to say to us, any grievances you want to air, shoot us an email at firstname.lastname@example.org. We'll have a new episode in a couple of weeks. In the meantime, stay safe out there.