The Retail & Hospitality ISAC Podcast 1.24.24
Ep 43 | 1.24.24

Michael Daniel on Developing an ISAC, Plus the Intel Briefing

Transcript

Luke Vander Linden: Hello, everybody. This is Luke Vander Linden, the Vice President of Membership at the Retail & Hospitality Information Sharing and Analysis Center. And this is the RH-ISAC podcast. [ Music ] In this episode, we continue with our President Suzie Squier's series of interviews with the CISOs and cybersecurity professionals who had a hand in getting the RH-ISAC started. As I mentioned in the last episode, and as we've noted in our email newsletter, which if you don't receive, go sign up at rhisac.org/newsletter, 2024 marks our 10th anniversary. We're planning celebrations throughout the year, starting at our summit in Denver in April. For more information, go to summit@rhisac.org. Then at regional events, and then culminating at our member meeting and celebration in the fall. All the details to come. So, for this episode, Suzie sat down with Michael Daniel. Michael is now the President and CEO of the Cyber Threat Alliance, which, like the RH-ISAC, is a sharing organization. This should be a great conversation. And then, as it is the second episode of the month, I will be joined by Lee Clark, cyber threat intelligence analyst and writer here at the RH-ISAC, for the briefing. As always, if you have something cybersecurity-related that you'd like to contribute, shoot us an email at podcast@rhisac.org, or if you're a member, hit me up on Slack or Member Exchange. And if your company is not yet a member of the RH-ISAC, what are you waiting for? Go to rhisac.org/join to learn more and to start the process. [ Music ]

Suzie Squier: Well, today my guest is Michael Daniel, President and CEO of the Cyber Threat Alliance. But for our conversation today, we're going to take a little step back to close to 10 years ago, it probably was around 10 years ago when you and I first met, when Michael had the position of -- am I getting it right -- cybersecurity coordinator at the White House.

Michael Daniel: Yes, that's correct.

Suzie Squier: In the Office of the President, I think that's what they say.

Michael Daniel: So, yes, I was on the National Security Council staff.

Suzie Squier: Okay. Okay. Great. And during that time, while we were building the then RCIC, Retail Cyber and Intelligence Center, I think it was, Michael was gracious enough to meet with me and someone from government affairs at RILA to talk about what we were doing and how we were pulling this group together. So, what I've been asking the folks is, what was it like in the White House at that time? Obviously, it was not the first breach that the retail industry had encountered, but it was the largest at the time, and there was a lot of upheaval in the government, a lot of conversations in the houses of Congress and things like that. What was it like at the White House, if you can remember the conversations that you were having during those times about cybersecurity and the retail industry in particular?

Michael Daniel: It was an interesting thing because we were still, you know, in 2014, we were still on sort of the front side of really grappling with cybersecurity, not just as this esoteric intelligence issue that affected the defense industrial base or, you know, the Pentagon or the State Department for espionage purposes but really starting to come to grips with the fact that it was a very pervasive issue that affected large parts of the US economy, whether you were talking about critical infrastructure or even down to individuals who were the victims of identity theft and other kinds of cyber-enabled crime to the retail sector, and some of the, you know, well-known breaches that started happening in that period of time. So, I think, you know, that period from 2012 to 2014 was really an evolution of understanding of the broader threat and just how pervasive it really, really was going to become.

Suzie Squier: Yeah, interesting. It was obviously also big growth, at least in our sector of the information security officer, you know, kind of the rise of the CISO. What were your thoughts on, you know, the elevation of that position within companies?

Michael Daniel: Well, I think, you know, and this is actually something that I think we've continued to talk about and wrestle with today, which is that -- and, Suzie, this is something you and I have discussed quite a bit in other forums -- cybersecurity is not just a purely technical issue, right? And as a result, if you try to just park the chief information security officer as like an adjunct to the CIO, it often doesn't work very well because, you know, that tends to make it seem like it's very much, you know, just a purely technical issue, buy the, you know, whatever piece of hardware and, you know, you're done with the problem. And, of course, that's not it at all. And so, you really need a CISO who can actually interact with the business lines, right, and understand how the business gets done. And really, again, you know, back at that time, we were just starting down this real path of -- you know, the leading thinkers were saying things like, you know, cybersecurity is a risk management issue, and we were just starting down that path of, you know, really saying, yes, we need to actually change the mindset from thinking about cybersecurity as this technical thing where you employ some firewalls and, you know, some web filtering, to this more holistic approach about like, okay, how do I manage brand risk, I manage legal risk, I manage natural disaster risk, I'm going to manage my cybersecurity risk? And in 2014, we were really just starting down that path.

Suzie Squier: And now, a lot of conversations about trying to be more of an enabler to the business. And it comes down to risk tolerance, risk acceptance, and I think, you know, to your point, what the CISO's role is to explain the risk, to state what they can do about it, but ultimately, it does really come down to the business and the leadership to decide where is that risk tolerance and where is that acceptance and what are they willing to, you know, move right or left on things.

Michael Daniel: Absolutely. And, you know, in different businesses, they're going to come down in different places, right? And actually, an individual business may come down in different places in different times, depending on, you know, their circumstances and other things that are happening in the economy. So, I really think that's why that concept of managing cybersecurity as a risk factor to an organization. And just like you said too, it's also important like just like you'd do in other areas, some risk you mitigate, some risk you transfer, right, you get insurance, right, and some risk you just accept like you say, "Yep, you know what, there is a measurable percentage chance we're going to have a cybersecurity incident. Here's what we're going to -- here's our plan, here's how we contain it, here's how we keep it small so it doesn't become, you know -- "

Suzie Squier: A really bad thing.

Michael Daniel: Right. You know, so it doesn't become a business-threatening thing, but we just accept that we're going to have some level of cybersecurity incidents because we still have to, you know, run the business.

Suzie Squier: Exactly, exactly. And, you know, I think in retail and hospitality with our folks -- and all industries are different with we have margins of where you are and it really comes down to a conversation -- and they have to have a seat at the table at those risk level conversations, which is what we're getting to. And I know -- I don't know why this, you know, popped into my mind but the Cyber Threat Alliance, which I'll ask you to explain to our audience a bit about what you do. It's such a great organization and we're proud to be partners of it. But in addition to that, the work that you're doing on kind of the quantification or that qualifying I guess, the counting of ransomware and the efforts that you guys are involved in that. Can you go a little bit about the CTA and then some of the different strong initiatives that you guys are working on?

Michael Daniel: Sure. So, in many ways, you can think of the Cyber Threat Alliance as an ISAC. We're just an ISAC for the cybersecurity industry. You know, it's interesting, when I left the White House in 20 -- early 2017, you know, one of the realizations we had was there were other -- you know, by that point, there had been ISACs established. You know, the financial sector ISAC was already, you know, very well established, you know, this ISAC was going strong, we had water, we had health, we had all these ISACs in all these industries, except the one that was actually doing cybersecurity, right? A large part of CTA's reason for existence is really just to say, okay, cybersecurity companies need to also be sharing threat intelligence with each other. And to do that, you have to have some -- you know, you have to put in place some special business rules to deal with the competitive issues and, you know, concerns about your competitive edge and make sure that, you know, there's equity involved. And so, we have some additional rules that a lot of ISACs don't have. So, for example, like to be a part of CTA, you actually have to share. When you sign up as a member of CTA, you actually agree that you will share a certain minimum amount of threat intelligence every week. And we do that to avoid the free rider problem, which would make our version of an ISAC not work. But we are a membership association. We have about 34 or 35 members as of the end of 2023. And about half are located in the United States, about half are overseas. And we do what an ISAC does, which is we enable our members to share information in both an automated and human-to-human fashion. And we promote what our members are working on in terms of their threat research and other things like that. And then we also work to support cybersecurity across the digital ecosystem. And that's where our partnership program comes in. 
You mentioned that you partner with us and we're very excited that you are, and we have something close to 20-something partners now, again, as the end of 2023. Several different ISACs but also things like the State of North Dakota's, you know, Chief Information Security Officer Organization. We have the Dutch National Cybersecurity Center. So, the Cyber Peace Institute. You know, I mean, so it's an interesting array of partners, you know, a large number of different disciplines. And part of the reason for that is you never know when you're going to need a connection to some place, how a cyber incident is going to evolve. And so, you know, that's what really CTA is all about.

Suzie Squier: That's a really great point, Michael, that you brought up at the last point that I don't think I realized, it's like you're a great resource for us to reach out to if an incident is involving a key player or something like that that we need to get in touch with or to talk to, right?

Michael Daniel: Absolutely. And that's, we see our role as facilitating conversations all the time of connecting people up. Do you know somebody over at Fortinet or over at, you know, Outpost24? Have you got somebody in Italy? Yeah, we do. You know, like how about somebody in Australia? Got that too. You know, it's sort of that's -- and we see that as an important role in the community to help make those -- help make those connections.

Suzie Squier: That's great. Now, I mentioned the ransomware, and I know you have others, but can you fill us in on some of those initiatives that you're working on, you know, besides obviously, you know, the information sharing that you do?

Michael Daniel: Sure. So, I mean, one of them is, you know, we're very plugged into the ransomware task force. And the reason for this is that ransomware has really evolved from this kind of nuisance problem that used to kind of affect people, you know, at a personal level if somebody, you know, locked up your pictures and so they asked for, you know, 100 bucks and a Starbucks gift card or something to, you know, unlock it. And now it's become this industrial-level operation that affects, you know, all different kinds of people and sizes of businesses. And in fact, actually, when you look at incidents like Colonial Pipeline or, you know, affecting hospitals where you're diverting patients to other hospitals, you're potentially putting people -- their lives at risk. So, now this has gone from an economic nuisance to an economic problem, to a national security and public health and safety threat. And that puts an entirely different frame around the problem. And a lot of what we've talked about with our work in ransomware is it's driven by a few things, right? So, how do we get ourselves into the situation? Well, one is that you've had the rise of cryptocurrencies, right? But you can't really imagine asking for a ransom payment of, you know, $10 million in Walmart gift cards like, you know, like that is just not going to work, right?

Suzie Squier: Or, you know, via PayPal or something.

Michael Daniel: Yes. You know, so cryptocurrencies have really fueled the rise of that. They've been sort of the gas or the oxygen, if you will, that's sort of allowed that to grow. But it's also been the fact that the bad guys have professionalized. You know, I always tell people, if your image of the hacker is the disaffected young man still living in his mom's basement wearing a hoodie, that is not our problem. You know, I mean, they may be part of the problem, but that's not the extent of the problem, right? These are very extensive, well-run, highly professionalized, highly organized groups. They've read their -- you know, they've read their Harvard Business School cases, they, you know, are teaching their online economics courses, they run these things like businesses. And as a result, they've reached this sort of industrial-level scale, right, that -- and as the retail industry is very familiar with, the internet allows you to have an enormous reach, right? So, just like retailers benefit from being able to reach people all over the world, guess what, the bad guys can do the same thing. And so, they do. And I think that's really what's driven us to say, you know, we've got to have a fundamentally different approach to ransomware than we'd used in the past. And to do that, you know, you have to come at this problem in a little bit of a different way. You have to start thinking about it much more collaboratively across government and the private sector. You have to start thinking about, like, not only how do you make yourself more resilient to ransomware attacks in the first place, but how do you actually figure out where the money is flowing, for example, through the criminal ecosystem, where do you choke it, right? Where are they getting their target lists? How do you cut that off? What are all of the different ways that you can make it more difficult to carry out ransomware operations? Right? 
And again, I always frame this -- and this is actually something that I think probably the retail industry is familiar with thinking about it, right, like you're never going to drive shoplifting down to zero, right, you're always going to have some level of loss in your store, right? You just have to drive it down to a level that you can manage, right, and that you're willing to live with. And we're clearly way above that right now with ransomware. And so, what we want to do is figure out what are the ways that we can make it less profitable, more difficult, all those things to actually drive that level of ransomware down. We'll never get rid of it entirely, but we want to make it one of those things that is not sort of a public health and safety threat.

Suzie Squier: And you're working internationally on this.

Michael Daniel: Absolutely, yeah. No, the ransom -- the government's efforts are international and ours are as well because many of the criminal organizations that are behind a lot of the ransomware operations are located overseas. Their infrastructure is overseas, the money moves overseas. The bad guys really love the fact that they can cross those international boundaries quite easily and law enforcement is very much hamstrung by them. And so, you know, I think it's very much up to the private sector, which can also cross those international boundaries very easily. The nonprofit sector, which can cross those international boundaries. It's up to us to actually play a supporting role for law enforcement because of those, you know, inherently national limitations that they have. So, that really has to be part of the discussion. And so, yeah, this is very much an international issue. And also, I say Suzie, that's actually one of the things we've seen over the last year in particular is that in fact, I actually think you can say organizations in the United States have actually started to toughen themselves up a little bit. And the bad guys are noticing and they're starting to go after targets in other countries because they're like, you know, they're criminals, they're going to go where it's the easiest, right? You know, and so they're like, "God, it's getting a little tougher, the heat is getting a little hotter over here. I guess, I'm going to Brazil or Indonesia where things are a little, you know, they're not as good in their cybersecurity yet. Ah, maybe I'll make a little bit less money but -- "

Suzie Squier: The risk is also low.

Michael Daniel: The risk is lower and it's less work. So, you know. So, I think that's one of the things we're starting to see is actually an uptick in ransomware in other parts of the world. And I think it's going to become an expanding -- I unfortunately think it's going to continue to expand because the bad guys are also learning that there are lucrative targets, you know, outside of the United States and North America -- in Europe and, you know, Australia, and Japan, and places like that. So --

Suzie Squier: Right. Right. Moving to that next level. I was going to ask you what changes you've been seeing but obviously, that's it. Any kind of -- and in some ways I was going to say any hope on the horizon but I guess, if you're seeing some hardening that's making it a little bit more difficult for them.

Michael Daniel: Yeah, I mean, I think, you know, in my view, I think there are a few things that we're starting to see that are coming together that actually, believe it or not, provide some hope in this space. One of them is that we're starting to have a body of practice that we can really draw on, that we can point to, and we can say backed up by evidence. If you do these things in your organization, you are going to lower your cyber risk, period. If you implement multifactor authentication and actually require your users to do more than have just a username and password, you will improve your security. If you segment your networks, you're going to improve your security. Right. There are things that if you make sure that you have regular backups, right, that are offline and things like that, you will be --

Suzie Squier: And test them.

Michael Daniel: Right. You know, we've got this body of practice that we can point to, that we can also -- and this is the key thing -- that we can now start to point to and say these are the standards of care. So, just like a retailer faces -- you know, you've got certain things you have to do with -- the acronym has got out of my head -- PCI, right, with like credit cards and how you handle credit cards, right, there is a sort of minimum set of security standards you have to use. Right. We're starting to get to where we know kind of what you need to do for some minimum cybersecurity standards. That's going to be different if you're a large retailer versus, you know, a corner bodega, right, as it should be. But there are going to be some minimums that we know are out there. And so, that's actually a good thing because then that actually allows people to start differentiating and saying, I've done what I know I need to do, right, and so I can be more confident that if I have an issue, right, I can report it because I know that I've done what I'm supposed to do, I've done my due diligence. And bad things are still going to happen to people who have done the right stuff, you know, and I'm not going to be criminally prosecuted for negligence because I know I've done the right thing. That's actually a big step forward. Another really big -- I think there are two other ideas that have really started to come out in multiple countries around the world, which is that -- well, actually three. One is, really, the all-voluntary approach to cybersecurity has just not gotten us to the level of cybersecurity that we need. 
So, we're going to start, probably not so much in the retail and hospitality sector but in other critical infrastructure sectors, you're going to see the government start to -- governments, not just here in the US but around the world, saying, yeah, you kind of have got to -- if you're critical infrastructure, if you're an owner and operator of, you know, a power plant or telco, you're going to have to meet some cybersecurity requirements. Sorry. It kind of comes with the territory. The second big idea is that we're starting to look at the software and hardware, IT hardware market, and say, you know, wait a minute, why is it that the manufacturers of these things bear no liability at all for how their product functions, for the security of it? Is that right? I mean, shouldn't we have a discussion about, you know, what are the requirements if you're going to market and sell IT software and hardware, like you have some responsibility for it? Sure, they can't be responsible for stupid users, right? But, you know, we're going to say, yeah, you know what, you've got to show that you're actually doing security by design.

Suzie Squier: And the same thing, just show that you showed the care and did the security by design and you took the steps necessary.

Michael Daniel: And then another idea is that we're talking about reallocating the burden of security. In effect, we've actually pushed the cybersecurity burden all the way out to the edge of the network, all the way out to the end users, no matter what their size or capability. And, you know, I think we're starting to have the discussions about, like, is that the model that we really want to use for cybersecurity? Now, when I talk about reallocating the burden, I'm not saying that you take all of the burden away because, A, you can't and, B, it's not smart. But we don't -- in the physical world, yes, you have to lock your house and maybe you put in an alarm system, but we also have police forces whose job it is to help protect, you know, a neighborhood, right? And so, I think -- so not all of the security burden rests on an individual. And so, I think the same thing, we need to start having some similar discussions in the cybersecurity world where we say, "Okay. How do we want to do this?" What are the organizations that bring more capability to the table? And how do we incentivize, how do we structure the market so that they actually step up and bear some of that cybersecurity burden because they're best able to protect the network as a whole? Now, there is some stuff that goes along with that, right? We've got to look at how you protect those organizations for good faith efforts, right? It might actually have a negative consequence on somebody. Because right now, the reason that some of these organizations don't do it is because there's no upside for them. It's all downside. And so, we have to renegotiate some of those social contracts, if you will. But those are the kinds of things that are starting to happen because we've realized that what we're trying to do just isn't going to scale, it's not going to work. And if we want to get a different result, we're going to have to try some different options. 
You can see that that is starting to emerge in, not just the United States but Europe, Asia, other places around the world. And so, that actually is, you know, that is some reason for some optimism.

Suzie Squier: I always love talking to you because -- and it's few and far between unfortunately, but the thoughts and, again, the magnitude and the scale of the conversations and what you guys are looking at, I think it's really important to let folks know it's an important work. And it's great. It's a really interesting idea. I'm going to talk about one thing, just as we wrap up, to the importance of information sharing because you -- I read your newsletters, it's always great, and I've stolen some of your lines. Hopefully, I've told you but maybe not. But I give you credit, they're great. So, for those out there wondering if and how they should be sharing what they're seeing. I'm going to turn it over to you for your thoughts on that.

Michael Daniel: And so, here is an interesting thing. We were just talking about this in another context which is one of the key reasons that people don't report if they've had a theft or a cyber incident or some kind of thing, they think that it doesn't matter, for example. But it does. Because you can't actually understand the full scope and scale of what's going on unless you're actually having that information sharing. And so, you know, one of the really good examples that's historical is, you know, we didn't really get going on pushing back on the Chinese theft of intellectual property and trade secrets until we started to assemble the picture of just how broad that effort really was. And sure, any little -- you know, each little individual incident was exactly that, little, right? But when you'd put them all together, it became a really huge issue.

Suzie Squier: Right.

Michael Daniel: And similarly, like in the retail sector, sure, maybe your loss from a particular incident or an activity that you're seeing isn't all that huge, but if you actually assemble it and put the whole picture together, you're like, oh, wait a minute, this is, you know, a $100 million operation here. And suddenly, you know -- suddenly law enforcement's interest goes, you know, from I'm sorry, you're under the threshold, to, oh, my gosh, we actually have to help you here, you know. And I think that's one of the really important things. The other thing is that the bad guys are moving in herds. I swear sometimes they act like high school students, they move in herds, and like you can see them like, oh, look, we've figured out that, you know, sit-down restaurants in the Southwest part of the United States seem to be a big juicy target right now. And so, they'll all move in that direction. And so, if you're actually sharing information, you know, about what's happening to you, you will get that back from others that might actually help you avoid the problem. And so, it's really important to be sharing this kind of cyber threat intelligence. And notice that a lot of what I'm talking about here is not the kind of data that I'm dealing with day in and day out, the really super technical, you know, indicators of compromise and all the really stuff that I love to geek out on because it's cool, but that's not the extent of cyber threat intelligence. Even sharing, you know, more sort of almost anecdotal or qualitative information can be equally as useful.

Suzie Squier: We have members that, you know, post, "Hey, this is where we're starting to see this," you know. And like you said it's not the typical, you know, report but it's anybody else. And that leads to some great conversations. And to your point, it's exactly how you start pitching a picture -- putting a picture together on what's going on out there. So, it's great. Always great talking to you. Thank you so much. And I think your organization is great. And as I've said before, we're proud to be partners so that we do whatever we can to help you and I know you guys do whatever you can to help us. So, it's a great relationship. And I just want to say personally, it was so nice, you were so gracious when I was a terrifying person coming into your office back in 2014 and telling you about what we were trying to build at that time, and your insights and honestly your graciousness was really much appreciated. So --

Michael Daniel: Well, you're quite welcome. And I feel like that's another one of my missions is to partially demystify this issue and make it something that, you know, is much more understandable by a larger -- by a much broader audience. And I really -- I'm open to working with anyone who's serious about trying to tackle the problem. So --

Suzie Squier: Yeah. Well, thank you for all that you're doing. Thanks for joining us today.

Michael Daniel: Absolutely. Thank you for having me. [ Music ]

Luke Vander Linden: All right. I am now very happy to be joined by Lee Clark, cyber threat intel analyst and writer here at the RH-ISAC for the briefing. Good to see you again, Lee. I hope you're enjoying 2024 so far.

Lee Clark: Thank you for having me, Luke. It's good to see everybody after the beginning of the new year and amidst the giant I guess polar vortex that has encapsulated the entire East Coast of the US.

Luke Vander Linden: It is chilly, chilly today.

Lee Clark: So, Luke, for the first couple of weeks of January, we've had a kind of interesting set of coincidences, let's say. All right. There's this concept in software development, right, called Git, G-I-T, which is not the British curse word but rather describes a version control concept in software development. Now, there are two sort of competitor services to manage Git, one being GitHub and the other being GitLab. These are both incredibly popular services, some organizations use one more than the other, some organizations use both. The main distinction between GitHub and GitLab being that GitLab has continuous integration, continuous delivery, or CI/CD workflows they'll do. You can also self-host GitLab for free, and GitHub tends to be more expensive under their enterprise plans. So, these two services, GitHub and GitLab, are used for version control purposes in software development. And they are, between the two of them, ubiquitous. All the organizations that conduct some type of software development tend to use them, right? So, we've had a number of vulnerabilities and a couple of proofs of concept for attacks, and a number of threats arise around these two services in the first weeks of 2024, which has been kind of interesting. So, I'd like to go through three specific sort of open-source discussions that have been going on that have seen pretty heavy discussion in the RH-ISAC, right? So, the first one I would like to highlight is a new class of CI/CD attack on GitHub, right? A recent open source report says that thousands of public GitHub repositories are vulnerable to a new code injection that goes through what are called self-hosted GitHub Actions runners, which can lead to pretty high-impact attacks, including disruption to large organizations, right? The current proof-of-concept stage for the attack and the ability to easily mitigate the attack via simple configurations makes it a lower-stage threat than other things we might think of. 
However, for organizations that don't have proper configurations in place, it can be a pretty high-impact problem for a membership, right? For members who operate runners in GitHub, we strongly recommend prioritizing disabling default configurations in multiple settings, right? We'll keep an eye on this and continue to give sort of an update for the community as it arises, especially because it coincides with a couple of other things, right? So, that one was a proof-of-concept for a new attack type in the CI/CD workflows for GitHub, right? This next one is on two critical vulnerabilities being patched in GitLab, the GitHub competitor, all right, and all organizations being advised to update their instances immediately, right? So, a couple of days ago, GitLab released a security update that remedies two critical vulnerabilities in their software. Everyone is urged to immediately update to a recent current version because these flaws are pretty significant. I believe one of them is a severity level 10 and the other is 9.6, right? CVE-2023-7028 could allow user account password reset emails to be delivered to unverified email addresses, and CVE-2023-5356 could allow a user to abuse Slack and Mattermost integrations to execute slash commands as another user, right? These vulnerabilities, because of their high level of severity and what they actually allow threat actors to do technically, represent a pretty critical potential threat to organizations using the vulnerable versions of GitLab. So, everyone's urged to update immediately. This fix comes at a time when GitHub and GitLab instances are seeing this heavy attention from threat actors, right? In the past month, Recorded Future has reported frequent abuse of GitHub services by cyber criminals, and security researchers shared that supply chain attack type focused on GitHub instances, right? 
And these instances remain high-value targets because of the importance and the sort of nature of the data they store and the ability to mask malicious activity inside legitimate traffic and code, right? So, then the last one I would highlight for us as it relates to the Git software, right, is GitHub announced, I believe yesterday -- that's as of the time we're recording this, right? GitHub announced the week of January 17th that they are rotating keys after a new vulnerability, CVE-2024-0200, has been discovered which allows credential exposure, right? They announced the rotating of multiple keys, as well as GitHub Actions and Codespaces keys that depend upon customer encryption keys, right? The vulnerability could allow attackers to engage in remote code execution on unpatched servers, and it's patched in the most recent versions, right? So, all these things are coming together: GitHub having to rotate keys to adjust for a high-criticality vulnerability, two high-criticality vulnerabilities being released for GitLab, and then a new supply chain compromise attack focused on GitHub CI/CD. It creates a month of Git threats for us. GitHub remains a high-value target for threat actors who have demonstrated intent and capability, and all of these things together start to paint a picture of potential impact. We'd even recommend that our membership and all organizations move to make sure that their GitLab and GitHub security is locked down as much as they can as quickly as they can, right, because these things, when taken together, can create a pretty high-criticality threat to an organization, right? All right. With that part said, I'd also like to talk about a tactic that the retail and hospitality communities have been seeing pretty heavily over the course of the last six months and especially over the last two months, right?
So, since around August, we've seen a pretty heavy increase in discussion of threat activity targeting call centers and help desks in which threat actors impersonate information technology contractors, right? Overwhelmingly, threat actors call a publicly discoverable helpline, they claim to be IT support professionals, and they begin requesting access to sensitive systems or requesting that help desk employees install remote access tools on their machines. And, of course, from there, they're able to escalate privileges to sensitive systems and they can cause all kinds of havoc from there, right, from stealing data to encrypting data to taking control of systems, right? So, this activity has been especially heavily reported by hospitality organizations. And in most cases what we see is threat actors seeking to gain access and elevate access to critical systems like, say, Okta or Salesforce, where a lot of high-impact work is done in the management of enterprises, right? Multiple organizations are reporting this. And we know, right, just colloquially, we know that this is a major tactic for initial access that's been associated with Clop and with the ALPHV ransomware strain, right; it's something that Scattered Spider, who often work as an access broker for ALPHV/BlackCat, use a lot of the time. And this methodology has grown in popularity among threat actors across industries in recent months. We've seen a number of reports that it's hitting finance pretty heavily as well, right? So, hospitality members tend to be the most prevalent reporters, but other large retailers have reported this as well. So, we know it's across a few different organizations, right? So, for mitigation options, we have a couple of important options. And they mostly follow robust IAM, that's identity and access management, and security awareness practices, right?
Call center pipeline recommends verifying numbers before callers ever get to help desk agents, using effective authentication methods correctly, using a layered identity verification solution, maintaining situational awareness around emerging fraud techniques through services like an ISAC or through a third-party intelligence vendor that keeps up with threat actor behaviors over time, and enforcing appropriate identity and access protocols, because weak protocols are especially vulnerable to pressure from callers, especially if someone's impersonating an IT support specialist and is making up, you know, an extremely difficult problem that feels urgent and that can sort of pressure help desk employees. So, making sure those protocols in place are really strong helps build trust and helps build an understanding of expectations, right? In addition to that, security awareness training is going to be pretty heavy on helping mitigate this, because help desk employees are often not as experienced in being on the front line of fraud activity as customer service representatives might be, right, expecting something like receipt fraud or return fraud, right? Whereas help desk employees don't typically expect themselves to be the target of fraud activity. And they are now, increasingly, right? So, making sure that they know the signs to look for and they know what their protocols and expectations are when they're faced with this activity is going to be really helpful. [ Music ]

Luke Vander Linden: Thank you, Lee Clark, for that threat briefing. And a special thank you to our RH-ISAC President Suzie Squier for interviewing Michael Daniel, President and CEO of the Cyber Threat Alliance. As always, thank you to the production team who do their best to make this sound good. For the RH-ISAC, that's the outstanding Annie Chambliss, and from N2K Networks, that's Jennifer Eiben, Tré Hester, and Elliott Peltzman. And thanks to you for tuning in. Stay safe out there. [ Music ]