CyberWire Live - Q1 2022 Cybersecurity Analyst Call
There is so much cyber news that, once in a while, all cybersecurity leaders and network defenders should stop, take a deep breath and consider exactly which developments were the most important. Join Rick Howard, the CyberWire’s Chief Analyst, and our team of experts for an insightful discussion about the events of the last 90 days that will materially impact your career, the organizations you’re responsible for, and the daily lives of people all over the world.
Transcript:
Rick Howard: Hey everybody. Welcome to the CyberWire's quarterly analyst call. My name is Rick Howard. I'm the CyberWire's chief security officer, chief analyst and senior fellow. I'm also the host of two CyberWire podcasts, Word Notes, on the ad-supported side, meaning it's free to anybody, and it's a short, usually no more than five minutes description of the key words and phrases that we all find in the ever expanding alphabet soup that is cyber security. And CSO Perspectives, on the pro side, or the subscription side. I like to call it the Netflix side. It's a weekly podcast that discusses first principle strategic thinking, and targets senior security executives and those who want to be them sometime in their career. But, more importantly, I'm also the host of this program, reserved for CyberWire Pro subscribers, and I'm happy to say that I'm joined by a good friend of mine, old army buddy of mine, Gary McAlum, who recently retired as the CSO for USAA, and is now serving on the board of the National Cyber Security Center, and working part-time as a senior cyber analyst with Tag Cyber. Gary, welcome to the show.
Gary McAlum: It's great to be back, Rick. But major mistake on your part, I'm an Air Force friend. You're an army guy.
Rick Howard: I know.
Gary McAlum: We can co-exist but I don't know if we can ever be friends.
Rick Howard: Fair enough, my friend. Fair enough. So, this is our ninth show in the series where we try to pick out the most interesting and impactful stories from the last 90 days and try to make sense of them. And oh my God, 2022 has started out with a bang. We got Jack Dongarra receiving the Association for Computing Machinery's Turing Award, often called the Nobel Prize of Computing, for his work in the 1970s, developing algorithms that run complex mathematics on what we now call supercomputers. We got digital supply chain attacks moving from being just anomalies to being a best practice for adversary group campaigns. And we have President Biden mandating the use of software bills of materials for all contractors selling software to the US government. But none of those made it in the top two for what we're gonna talk about today. So, Gary, let's go to you. What's your big story? This is the big elephant in the room, the one we all want to talk about. What are you talking about today?
Gary McAlum: Well, let's talk about Ukraine today and it's a story that we can't really completely tell because it's not over yet. It's been just over a month or so, five weeks, since the invasion of Ukraine by Russia, and even before then, as it was leading up to that particular event and since then, there has been a steady stream of government warnings and alerts about the potential for cyber attacks against the US and our allies, by Russia and their formidable cyber capability, which we've seen. Every day is a new day, and is today going to be the day that something happens? Because what we've seen really, over the past several weeks, what we expected to see has not yet materialized in terms of significant cyber [INAUDIBLE] country, at least that we know of. Now, Ukraine has been experiencing various types of service attacks. There have been denial-of-service attacks. They've seen wiper malware on government networks. We've seen an attack against a satellite communications ground system that had some disruptive impact. But in terms of large scale destructive type of attacks, it has not happened yet, but honestly the story is still being told. It's not over yet.
Rick Howard: Gary, let's talk about that because I know the press has been saying we all expected widespread destructive attacks. But you and I both did cyber operations in the service, back in the day, and that's not what I expected. Is that what you expected? Giant destruction of things. I was absolutely expecting that the Russians would use cyber as supporting moves to help whatever their objectives were, but I wasn't expecting to see massive outages or anything like that. Were you expecting that?
Gary McAlum: I wasn't sure, and for me it depends on how this scenario plays out. If the scenario is Russia feels backed in a corner and Putin feels like he has no other option except to go [UNSURE OF WORD] I could definitely see where he might unleash very destructive attacks against the US and their allies. I can see that scenario. I think that was a lower likelihood scenario, but we're not sure how this is going to play out, right? We've seen hypersonic weapons being used, we've heard talk about nuclear weapons. Anything is possible with this guy. I think the more likely outcome is going to be very specific and targeted attacks against maybe particular sectors of our critical infrastructure if there was a need to accomplish some outcome. Whether it's retaliation for economic sanctions or some way to distract us while something else is going on. I think it's still very much a wild card situation.
Rick Howard: Well, there was precedent, right? I mean Russia's been using Ukraine as their private petri dish for cyber operations since about 2014. And what they did there, we've seen the same adversary groups move out and try them against other adversaries in the west after. But at least on three separate occasions from 2014, they went after the electric grid and they had some success there. I think most of the pundits thought we'd at least see that, that the Russians would cripple the Ukrainian electrical grid, but even that hasn't materialized. What does that mean to you, as a planner for these campaigns?
Gary McAlum: You're right. Ukraine has been a cyber punching bag, if you will, for Russia. They've taken a lot of hits over the years. Go back to 2017, I think that was sort of the last big milestone when the [UNSURE OF NAME] destructive malware was released. It was a variant of an earlier ransomware variant, and that quickly spread outside of Ukraine. It did billions of dollars of damage across the world and that was something that I think was a significant wake up call for the world in terms of destructive malware and what could happen. So, what's happened since then, I think Ukraine has invested more in cyber security. I know that the US and their NATO allies have put resources and capabilities and assistance in there. I think that Ukraine is probably doing better than expected, in terms of the defense side of the house. But again, we don't know the level of sophistication that's been unleashed upon them. I'm guessing the intelligence community does know, but I think Ukraine has done essentially better than people expected them to do, both on the traditional kinetic side, as well as the cyber side. I think they've been getting a lot of help.
Rick Howard: Let's put Gary's poll question up there and see what the audience thinks about that particular question. I think what you said, Gary, is true. We all thought that the Russians were these giant super men, super women, in terms of cyber. Also in terms of physical combat, we thought they were going to be really exceptional at this, and I think we've discovered that they're just normal and maybe that good in both accounts, and so we've kind of swung back on the pendulum. What do you think about that?
Gary McAlum: I think it would be a mistake to underestimate Russia and their cyber capabilities. Just because we necessarily haven't seen something dramatic, I think it would be a mistake. And there could be some reasons why we haven't seen that. Number one, I think that there's a lot more going on against Russia from a cyber perspective than maybe we know. We know that there's been various groups like Anonymous and perhaps some proxy organizations that have been conducting cyber attacks against Russia, so they may be dealing with their own situation, right? And that may have caused them to pull from the offense to help on the defensive side, which is a problem that a lot of us have dealt with in the past. They could be very much focused on protecting themselves right now. I think the other part of that is once you play that card, you play that card, right? And I'm not sure you could dial it back. They may be waiting for the perfect right time to roll out their true sophisticated cyber capabilities, but I do think it would be a significant mistake to underestimate them, based on what we've seen in the past. If you look at some of the sophisticated activities like the SolarWinds cyber supply chain attack, for example, that was a very sophisticated operation. We know that they have various threat actors out there, threat groups, that have been tracked over time that have a very high level of skill and capability. To unleash that and then unleash, you know, even more sophisticated variations of something like [UNSURE OF NAME] ransomware or disruptive type of malware, I think we should not underestimate that potential.
Rick Howard: Let's show the poll results, Ellie, and I think that's what the audience is saying too. And I think Amanda is coming on too, right? So, we'll be able to bring her into this conversation. That's about what I expected, that we don't want to underestimate what the Russians have done and what they might do in the future. So, it goes exactly to what you're saying. Amanda, I'm not sure when you came in here but do you want to jump in and talk about your opinion here?
Amanda Fennell: I do. I do, just because it's come up on a couple of calls and conversations and so on as we've been looking at crisis management, and so on. Not to be underestimated that there is a lot of muckraking out there, and so much media that's going on that there's going to be this increase of cyber attacks from Russia, or so on. It's one of those things that it's like a self-fulfilling prophecy, but when you really dig into some of the numbers, it really doesn't legitimately show that there was this zero to 100. It was more consistency that we saw. I think it's one of those things that there's a lot of big talk, not to be underestimated, but certainly the data has to speak for itself as opposed to us making grand gesture ideas of what we think the attack schema looks like. I've just been talking about this one a lot lately.
Rick Howard: Personally, I'm very excited that we used muckraking in a webinar. I don't think I've ever said that word out loud, so that's a first for me. Thank you for that, Amanda. And let me introduce her to the audience because she had a little technical problem coming on. This is Amanda Fennell. She's the CIO and CSO of Relativity. And she is the newest member of the CyberWire Hash Table collection of subject matter experts, and one of my co-podcasting hosts here at the CyberWire for her most excellent podcast called The Security Sandbox, right? So, Amanda, welcome to the show, if a little bit late.
Amanda Fennell: Yes, thank you. Always better late than never. I'm here. Thanks so much for having me.
Rick Howard: No worries. Alright. So, Gary, let me go back to you on this. CISA has been very vocal about what organizations should do in the US to prepare for a potential Russian strike in cyberspace, but most of their advice in the Shields Up initiative has been very passive. It's improve your defenses and make sure you do the things that you should have done by now. What's your thought on that? Do you think any of that was helpful, or was it just marketing?
Gary McAlum: I have to say, to be honest, I think for organizations that are already concerned and invested in cyber security, it wasn't necessarily helpful for them because they've been doing it and investing in it, right? It may raise the level of vigilance and it raised the level of concern maybe to some degree, but for the small and medium-sized enterprises out there, I'm not sure there's a lot they could do that they would not have already done because they simply don't have the staffing, the technical expertise and the budgets to do some of this. I do think there are good reminders out there about backing up your data and things like that. But I'm not sure it moved the needle at a large scale across the industrial sectors.
Rick Howard: How about you, Amanda? Are you on board with that, too?
Rick Howard: I think I may have lost Amanda? Can you hear me, Amanda? No.
Amanda Fennell: Yes, yes, New Orleans, I tell you what. The cyber here is really rough, but I heard what he was saying though and I got to say I agree but I'm also not shocked, I'm not surprised. There's a lot of times they put things that it really doesn't do much, but man, it looked good on paper.
Rick Howard: You know, here on my own podcast, CSO Perspectives, we spend a lot of time thinking about first principles and one of them is, besides doing passive cyber hygiene or stuff like patching and zero trust and all those kinds of things, the other strategy we advocate for is intrusion kill chain prevention for known adversary groups. And we know the adversary playbook, have known the Russian adversary playbook across the intrusion kill chain since 2014, or so. And if you go to the MITRE ATT&CK framework, there are legitimate things that people should do right now to block specifically the Russians. And we're not getting any help from the government on that, I don't think, and that's what I would advocate right now. If you haven't looked at the MITRE ATT&CK framework right now for all the Bears, then don't be surprised when Russia lashes out here because they're in a corner and they want to do some damage to the US.
Amanda Fennell: I think they've got a different way of doing it because I think for them, look, as someone who supported government entities, they are like oh, well let's just disable the ability to use USBs. There's ways around that and there's ways to go back into a registry and re-enable it. They've got their own ways that they've approached it and I don't think it's necessarily the best way either.
Rick Howard: I agree with that. Let's go to a couple of questions from the audience. Gary, this one's for you. A listener called Been There Done That, which is a fabulous name. He says, "Gary, you have an interesting background in the Air Force, cyber business, and I'm sure you have been watching these events closely with maybe a different perspective than the non-military community. What do you think? How concerned do you think we should be about the potential for Russian cyber attacks? And if we are attacked, what should the response be?" This is a tricky question. Go for it, Gary.
Gary McAlum: Well, I'll put on my Air Force uniform from the cyber days past and I will tell you things have significantly changed over the past 15 years. We now have a US Cyber Command, which is a very positive thing. I was in the precursor to US Cyber Command and worked with the organizations that did offense. We were focused on security and operational availability of our networks and we worried about a lot of different things. When I think about this scenario, I would tell you that the military cyber world and the intelligence community have probably been very focused on this for a while and we are in a much better position than we were 15 years ago. And I suspect our potential adversaries out there, including Russia, realize we're much more capable of doing a significant response to anything they might do. I think there's a greater deterrence value than we've had in the past, and we do have a very capable cyber force, probably the best in the world, and I think Putin knows that. That being said, we're dealing with what some people may consider to be an irrational actor, and you don't know what he's thinking necessarily or how he's going to respond. If this was to continue to escalate and he felt like he was put in a corner and all cards were on the table and he was to unleash his most sophisticated capabilities against our critical infrastructure to include our systemically important financial institutions, our oil and gas, our energy, there could be a significant amount of havoc created. Now, would it be destructive to the point where we couldn't respond? No. But it would cause a lot of havoc so I do [INAUDIBLE] We can't underestimate what could happen, and I think we need to continue to maintain readiness. I do think that our cyber capabilities are at a high state of readiness right now.
Rick Howard: Amanda, let me go to you. Another listener question from someone called Tin Foil Hat, and I ask you this question because it's about the commercial sector. How prepared are companies in general to address these escalating nation state threats? And what do you see as the best practice to manage the risk right now as we prepare for a potential Putin attack against American companies?
Amanda Fennell: I only smile because I think I know who that is. I've come across Tin Foil Hat before. I think that's where we have a disconnect, to bounce right off of what Gary just said, when it comes to government, when it comes to financial sectors, a lot of readiness, a lot of intelligence and definitely a lot of adhesion to kill chain, MITRE ATT&CK, PRE-ATT&CK, all of these things we've got a lot of strong muscles, but I think you have so many other people in corporate America outside of those industries that either still don't think it's going to be them next, are still soft targets and have not invested in threat intelligence as the core of their security program. As a consequence, you don't know what's coming and you're still solving for commodity. I can't emphasize enough that I feel like most entities, most industries out there, are not doing this, they should be doing this, and unfortunately time and time again, there are indicators that you're next. Anthem next. Chinese five-year plan, obvious indicators of what's going to get hit in the five years ahead, right? Health care, hit. Advanced education, hit. It's going to continue to happen this way. But to bounce also off of what Gary had mentioned as well, I do think the infrastructure is where a lot of this is going to be focused on. We saw it happen with Georgia years ago, 2008. We've seen it happen with Ukraine. We saw it happen with Egypt at one point when there was unrest. You take out communications, badness follows. That is the first rule and strategy, is isolate them, right? That is what we are trying to combat in a lot of these companies, if you have to have business continuity, disaster recovery, be prepared. They're not. So, to answer Tin Foil directly, I don't believe a lot of the companies and entities in all these different areas are ready for it and I think it's fundamentally because they should be intel driven and focused, and they're not.
Gary McAlum: I want to add one thing to that, Rick. Maybe folks may not agree with this, but I don't think it'll be controversial. But to be honest, if any company, no matter how ready they are, or no matter how much they invest in cyber security today, if a sophisticated nation state actor is focused on you, they will eventually be successful, right? There's no cavalry coming from Washington DC that's going to save the day, right? If you're focused on as a target by that level of sophistication, prevention is not going to be successful and your best hope is going to be detection, response and recovery.
Amanda Fennell: I was going to mention what Gary had said there, and this is the other part of that pie, commodity. Most of the stuff we've got is just spray and pray, right? Tons of commodity stuff, hard to even tell if it's an APT a lot of the time because attribution is all over the place. But that sliver of the pie that's left there with activism, the Sonys of the world, you're never going to protect from that. A truly motivated attacker who has a passionate reason to do something is absolutely going to get through, but a truly motivated security person is also going to defend, no matter what, they go down with the Titanic. So, it goes both ways, but absolutely agree, Gary. I don't think it's controversial.
Rick Howard: As Gary said, this is an ongoing story and I'm going to bet that we'll be talking about it the next quarterly analyst call, so keep our eyes peeled for that. It's time to move onto the next story and Amanda, that's yours. Your story is about the US government's formal adoption of zero trust as a strategy. What's going on here?
Amanda Fennell: The White House had a memo, it focused on implementation of zero trust architecture for all national security systems, and it was just really highlighting that continuation of the US government's focus to improve cyber security defenses. They built on last May's Executive Order 14028, in case anyone's taking notes on this one, on improving the nation's cyber security.
Rick Howard: There will be a quiz.
Amanda Fennell: But they're mirroring a lot of recent UK cyber security strategy announcements as well. The memo is significant for anyone listening here because it represents this shift, it's very important in the government's approach to cyber, and we're thinking you just need strong perimeter defenses and strong intel to keep attackers at bay. Now, this is about the larger and more defense in depth model that we all know and love, that will focus on implementing the more comprehensive security measures at every layer. I mean we know that there's the hybrid and COVID era of people having to be able to access the data from anywhere. You need to be able to be prepared for network and application access level. So, this effectively is going to melt that igloo theory defense that's put in place, which focused on we have strong defenses and perimeter defense, and it becomes this soft, cushy interior with little or no internal controls as people access this data. But implementing zero trust at any level whether you're a start-up or a company with 100,000 employees, or a US government level, this is going to be key in reducing that increased surface risk area that we had from hybrid and it's going to have an increase as well from nation state actors. They're just as active and accessible as we are, in terms of reaching in for things outside the perimeter. But zero trust is going to be the buzzword there and everyone's used to it, but there's a reason why. It's important. It's great for reducing your application, particularly web application risk surface. It's not a silver bullet for security. You still need to operate under the assumption that no user, link or application should be inherently trusted. I mean I think all of us on here, none of us inherently trust anything, you should assume it's hostile until verified. 
But that said, people will remain the weakest link in the security chain, but can also be the strongest one if we have that constant training, reminders, testing. Making sure you've got an effective top down approach. I think that's pretty much everything I wanted to sum up on that one.
Rick Howard: Let's put Amanda's poll question up and see what the audience thinks. Gary, I'm going to throw this at you. There's a lot of distaste in the security community about the word zero trust because it seems like every vendor on the market has their own spin on it. I want to be particular here, we're not talking about a product, we're talking about a strategy, a philosophy about how you secure your networks. That's what the government's trying to do here and that's what all of us are trying to do when we're looking at zero trust programs in our own organizations. How did you look at that when you were at your old job?
Gary McAlum: I'm glad you brought it up and I'm glad Amanda brought this topic up. I love the concept of zero trust, but I think it's an overused term today. And most people, when they're using it, they're using it from the philosophical perspective, which is obviously a great security concept, right? But as you sort of alluded to, a lot of vendors are talking about zero trust products, but at the end of the day, zero trust is a major commitment by an organization to implement a technical architecture that is non-trivial, right? It involves a significant amount of identity access management, foundation, encryption, segmentation, and so it's not a product that you buy, although there are products that can be involved in it, it's a significant investment, commitment, and it's a technical journey that is not going to be quick, depending on the size of your organization. So, everybody supports the philosophy of it, but when it comes to actually implementing it at a technical level, there's going to be a significant commitment depending on the size of the organization and it's certainly a journey.
Rick Howard: Let's show the answer, Ellie, and Amanda, this was your quiz for the audience. Let's see how many people got it right. What's the correct answer, Amanda?
Amanda Fennell: It is true.
Rick Howard: It is true. Very good. That's going to be interesting, okay, very interesting for all those government organizations that have to get this done. Presumably, there are programs already in place, but Amanda, I may go to you on this, what should these government organizations now be thinking about when they need to think about encryption at rest and in transit? What's the number one thing?
Amanda Fennell: I don't want to say it without sounding like I'm selling, but it's cloud, I got to say. I guess what I would say is probably trust the known entities out there that know what they're doing about encryption. Encryption in transit, there are bare minimums that we need to be doing there, encryption at rest, there are bare minimums. We all have the standards for this. We know that there are minimums that need to be met. But more often than not, the reason they wouldn't have already implemented that is because they don't have the infrastructure for it, they don't have the resources or they don't have the budget, which is the reason that [UNSURE OF NAME] was created, was that they knew on the government side they just weren't going to be able to stick with this. They weren't going to be able to do this all themselves. Then they came up with standards and said okay, well, we'll let you move your stuff to the cloud but it must adhere to certain strict guidelines and requirements. I feel like a lot of people won't have the time, money, budget, resources to do this. Lift and shift it to people who are known, proven true, certified, have regulations, have frameworks all buttoned up and know what they've been doing for a long time. That's the easy out. Gary, I don't know if you have something different you'd say.
Gary McAlum: No. I totally agree with that.
Rick Howard: I think it's amazing, the evolution of what we used to think about cloud just five years ago. Do you remember back in those days when we said oh my God, no, we're not going to put anything in the cloud because we don't trust those guys. Now--
Amanda Fennell: But then you ask them and you say wait, so are you using Microsoft 365? Okay. Can we talk about this? Do you know what that means? But yeah.
Gary McAlum: But I do think that there's a learning curve, right? I'll just say in general, I hate to generalize, but in general there are organizations out there, when they go to cloud, they assume that the cloud provider, regardless of the platform, is going to handle the security aspect. They forget there's a shared responsibility. You can't really outsource the accountability for security. You have to be involved in that. Yes, there are economies of scale and capabilities you can get. Obviously, you don't have to patch as much in some cases, great. But there are configuration settings. There are identity access management considerations. So, you don't get to hand off the whole security pile to somebody else without giving up visibility and accountability that you don't want to. You really have to understand the shared responsibility model for the cloud approach.
Amanda Fennell: You're so right. The data flow and the boundaries. I've seen so many people who get a certification and it'll be like ISO or something, and they'll say, "Oh, but we're ISO certified." Yes, that's your product, what's your corporate situation? They're like, "Well that's not in our boundary." But it should be. It should be a holistic program. But yeah, really double clicking on what a boundary is and where the data flow is, you're so right, it's an awesome one.
Rick Howard: Let's go to some of the listener questions. This is from listener Kiss My Ax. I want to pronounce that properly, right? Do you think the White House's zero trust memo goes far enough in enacting security measures and defense postures to protect government data? And what else would you like to see implemented at a government level? Let's go to either one of you. Amanda, what do you think?
Amanda Fennell: I'll just start by saying that I don't think it goes far enough and I don't think it's got adoption at the level that it needs to. It's great that the government put this out, but we need to see adoption from the Fortune 10. We need to see adoption from a lot of people in the financial sector and so on. I think it has to go further. It's great for something like encryption as an example. This is great that you said there are standards there, but how do we know that those standards are being upheld, maintained, controlled? Some kind of a structure around them that lets us know that it's like that all the time and not that you just checked a box once. I don't mean to be a fan of the compliance realm. It's not that. It's that I just like to know that we did the right thing every time. I think that this was their shot across the bow. We got to start getting our stuff in order. I think they have further to go and I think there's going to have to be some structure in place that's going to require this control and that evidence collection.
Rick Howard: Gary, I'm going to go to you. It's always tricky with these memos. If you mandate a technology or a process, by the time we actually get it going the industry has bypassed it all and has something completely new. It's always tricky to get this right. Are you in favor of what's going on here in this memo?
Gary McAlum: Well, there's good in this. Obviously they're trying hard to raise the bar, and that's good. But the reality is it feels a little bit like a compliance pile-on to the existing pile of compliance things the government agencies have to do. All we have to do is look backwards and say has it really made a difference so far? I'm a victim of OPM and multiple government data breaches, multiples. My colleagues out there that are on the civilian government side, they've been trying but they have these huge compliance burdens. They have to produce documentation. The physical requirements of reporting, right. And in the meantime, operationally, it just doesn't seem to be adding up to a really high level of effectiveness. Is it good? Yeah. I mean I think there's some goodness to it. Is it going to result in an operational level of effectiveness that's going to be really needed and be a great example to everyone? I don't know. I mean I don't know if that will turn out to be the case. I hope so.
Rick Howard: Amanda, I'm being told that you have an emergency going on in your neck of the woods and you need to bail. Thank you for this. We really appreciate it. We'll bring you on the next time, if we can.
Amanda Fennell: Okay. Thank you so much.
Rick Howard: Let's switch over to my topic, and I wanted to remind everybody on the call that Log4j happened in December and we thought there'd be an apocalyptic meltdown and that's not really what's happened. Let's kind of go over and see where we are in our current state. First some background, the Apache Software Foundation released the general availability of the Log4j module some time back in 2014. The next year, the Apache Logging Services project management committee announced the Log4j 2 replacement. Now, fast forward to November, 2021, six years later, Alibaba Cloud's security team [UNSURE OF NAME] disclosed to the Apache Software Foundation a vulnerability in the module. On 9th December, Apache announced exploitation in the wild for the Log4j vulnerability, and named it Log4Shell. So, by the next day, 10th December, NIST classified the vulnerability as a critical issue in its National Vulnerability Database. And the reason for the severity was the ubiquity of the Log4j code module and the simplicity of the Log4Shell exploitation code. Its ubiquity stems from the fact that the code for the Apache open source cross platform web server is the most popular web server software on the planet. If you're a web server somewhere, there's a good chance that you're running Apache to do it. And then the simplicity results because any authenticated user of the Log4j servers can send just a simple 12 character code segment and take control of the server. Yikes. Right? So, Log4Shell leverages the third highest software vulnerability type from the OWASP Top Ten, that reference document that we all look at, that describes the most critical security concerns for web applications, in this case injection. In other words, the unpatched Log4j module doesn't isolate the code from its data, it interprets log messages, the data, as instructions, which is the code. 
So, when hackers send a URL to the module, the service grabs the URL, fetches the data located there, and runs the executable payload with the full privileges of the Log4J main program. That's what happened over the Christmas break and sent everybody running to determine if they were exposed. Let's put the poll question up to see how this affected our audience, okay? The interesting thing was, we didn't know at the time, but it turns out that there was an easy temporary fix, just block all inbound communication at the firewall to the log4J module. Of course, that didn't solve the problem, but at least it gave us some breathing room to determine where all the Log 4J modules were running and then to patch them when we found them, right? But the incident highlighted a much larger problem that we all knew about but didn't spend that much time thinking about, and it's the reason I picked this topic for discussion today. It's third party software supply chain risk, or open source third party software supply chain risk. And that's a mouthful, but according to Microsoft's John Douglas, the percentage of public software repositories that use open source software is north of 80% That's a giant number, right? And most of us have no idea what code libraries we are using directly and absolutely no clue about what code libraries the original open source developers nested within all that stuff. By the way, the attacks haven't gone away, even though we had a temporary work-around. According to the dark reading website, attackers have been recently targeting VM ware horizon servers, which many of us are using to enable secure anywhere, that's any time access to enterprise for remote workers. And they've been using the Log 4J shell exploit to do all that. But I think where I'm going with this, Gary, is that the cyber apocalypse that we were all predicting back in December seems to have de-materialized and I'm wondering what your initial thoughts about all that was, Gary.
Gary McAlum: Know, it's like there's always another big crisis, right? Solar winds, Microsoft exchange server, right? Log 4J. There is always one of these scenarios that's going to pop up. This one, like you suggested, wasn't one that no one had ever thought about before, but it's so complex, It's such a huger problem to understand your, what I call, the cyber supply chain, and since then we've had a government attempt to fix it by coming out with an executive memo on software building materials, which is a great concept, right? It's a very great concept. Everybody would love to have a nested inventory of all the software components, right, within your environment, obviously. But how you operationalize that on a day-to-day basis, that's the tricky part, isn't it?
Rick Howard: It's a hugely tricky part. Let's put the results up, Ellie, on the poll. That's even lower than I thought, Gary. I thought that most of us would have dropped everything and done it. So, apparently more people were protected from this than I thought, which is great. But the point you were making, I'm going to bring up a question here from one of our listeners, it falls right in line with what you were talking about with building materials. This is from listener Cow Girl Up. She says, "President Biden signed the cyber security executive order in 2021 that, among other things, mandated that all federal civilian executive branch agencies and key players will deploy a minimum S-bomb by the spring of 2022." And her question is this, "It's the spring of 2022 now. Have you seen anybody doing this? Has anybody had any success getting this done?" Have you seen any evidence of that, Gary?
Gary McAlum: I would tell you I'm sure that there's been some level of effort and it's probably resulted in Excel spreadsheets and some manual efforts. That's not going to do it and that's not going to be a very operationally effective approach to do this. That's what I think is probably the current state. But I think, on the other side of that, is as one of the part-time things I do, I'm a research analyst for a company, so I get a chance to see new and emerging technologies, and I do know in this particularly case, when this first came out I said well, are there any software capabilities that could help with this problem? And sure enough, the market does have some capabilities out there. I think they're along the lines of software composition analysis tools, which can help a lot with this particularly problem. But I think the only way that this is going to become truly operationalized is from the market perspective. They're going to have to come up with tools that are sophisticated and automated, right? And help aggregate this data. Because it's one thing to collect the data, it's another thin entirely to figure out how to use it on a rapid incident response type of basis and then take some action from that.
Rick Howard: Let's take a back step 'cause I got a question from one of the listeners, Harry Poppins. Wants to know, "What is an S-Bomb?" Can you give the listeners a Reader's Digest version of what that thing should be?
Gary McAlum: At a very basic level, it's a nested inventory of a list of ingredients, if you will, that make up the software components in your environment and hat sounds very simple but the key phrase here is nested, right? So, it's all those dependencies that different components of your software environment depend on, right? Whether it's open source, whether it's libraries of other components, right? Knowing all of those inter-dependencies to be able to pull that up and analyze quickly in the context of a Log4J or the Log 4 next thing that happens, I think that's the tricky part. So, the concept is simple, but the operationalization of that is a much trickier thing to do.
Rick Howard: A proposition, yeah. Absolutely. Now, the idea of the S-Bombs have been kind of kicking around since the mid-200s, but again, didn't have a lot of traction because here just wasn't a lot of muscle behind it. I think the good news is that when President Biden signs this directive, at least the government's going to mandate that S-bombs materialize at some point. What I want to see out of this, when it's at a mature environment, is all the software that you have must advertise the software that it's using. There's no manual pieces to this. It's just I'm using this software, I can use an API to grab the modules and know exactly what those are. So, when a Log4J happens, it's a quick look-up in the database and say oh, well I got to upgrade clearly this module because I've been affected by that. We are, according to Gartner, we're five to ten years away from seeing anything that mature on the horizon. Is that what you're seeing too?
Gary McAlum: That feels like a very conservative timeline, right?
Rick Howard: Oh, it could be longer.
Gary McAlum: I think it could be longer. I do think the market will come up with solutions, and there are already some out there but I don't know how they scale and I don't know how they truly work from an effectiveness perspective, but there are already some capabilities out there that can help with this. But if it's another sophisticated tool that requires resources and lots of care and feeding on a day-to-day basis in a complex environment, how useful is that really going to be? I do think that automation needs to scale to this problem over time for this to be operationally effective, in terms of something that is just figured into the security program on a regular basis.
Rick Howard: I heard an interesting thing, some pundit comparing this to what was the big software problem we had back in 2000 when it was all going to change over?
Gary McAlum: Oh, Y2K.
Rick Howard: Y2K, right. Y2K was another problem that we all freaked out about and the question was, when there wasn't a disaster when the time flipped over, was it because we all did such great work to prevent it, or it really wasn't a problem in the first place, right? They were comparing that to Log4j. I don't know what you think about that.
Gary McAlum: I think the answer is a little bit of both. I think there were some overblown concerns and then I think there were probably some actions that were really effective, right? And prevented a problem. I don't know if the entire power grid of the United States and nuclear missiles would be launched if we hadn't done anything. But I don't think anybody really understood the implications of it, so I think good work was done, and looking back you can't say it was wasted effort.
Rick Howard: That's it for that segment. Let's finish this up, Gary, with some general purpose audience questions. This first one is from Helga Digournes. Her question is, "It's always bad news out there in the cyberspace, right, but do you have any examples of good news out there?" Any good news stories that we've done well here, Gary? Can you brighten our mood a little bit?
Gary McAlum: I have to really struggle with this one, right? Good news, I think the level of awareness has never been greater across our country, in terms of cyber, right? I mean the level of awareness, right? I think the level of government commitment is improved, right? I think we're seeing goodness from all of that. Good news, we have a US Cyber Command focused on this problem. We didn't have that years ago, right? Now we have an organization that's focused on it. That's a huge capability for our country. I'm struggling now to come up with more good news because I think at the end of the day, what has happened also during this time-frame, we've become more interconnected. We've got more devices out on the network. We've got IoT. We've got more vulnerabilities. And so our risk has gone up and I don't think necessarily our security posture has come along with it, right? I don't think our risk has gone away. I think the awareness is great and I think the true good news, we won't know, right? I think there are things that have happened on the classified side of the military and the intelligence community that maybe have prevented things and pre-empted things, if you will, that would have been a problem. So, I think there's a lot of goodness that's probably happening that we don't know about. But in general I would say, this is not a time to pop open champagne bottles and say we've reached a point of security on the Internet that we can all be happy with, because we haven't.
Rick Howard: I put this question on the CyberWire Slack channel and I got a couple of bullets, so let's see if you can agree with these, Gary, right? The first one was we think the relatively quick response to Log4Shell is on balance a good news story for everybody, right? Okay, I'll give them that. The second one was there's been an international crackdown on cyber gangs, okay. That's a piece of good news and just this last week, for example, the FBI and its partners took down a major business email compromise gang. So, good, we'll put that feather in our cap. This is from some of the military folks on the CyberWire. They said they think that the openness of the Five Eyes about their intelligence concerning Russia is really good news, especially in the way of pre-bunking disinformation. That seems to have damaged the Russians' efforts in this regard. What do you think about that?
Gary McAlum: I think that's a great one. I really do think that, I don't think Ukraine alone could have been successful in their information warfare approach without help from the allies, right? I think that is a huge good news story, and there's been a lot of help and resources that most folks won't fully understand, right? There's been a lot of behind the scenes. That is good, right? So, Ukraine is succeeding in that regard, versus their adversary, thanks in part to the massive pouring of resources and support they've gotten, so yeah, I'd say that is good news.
Rick Howard: I'm going to put that in the win column, okay, the CyberWire quarterly analyst call is not all doom and gloom. We have seen some good news out there. Here's a second question from Phil Nareg. He says, "With all the complexity involved with managing a modern SIEM, what is the future of SIEM technology going forward?"
Gary McAlum: I think when I look at it, the problem of generating alerts is not a problem, right? Volume is not a problem because every system out there has a lot more capability to generate the alerts. The problem has to do with automation, prioritization, workflow automation. I think that there are some great, I won't mention products, I won't mention the ones that we've used in the past, but I have seen a positive shift over time in terms of the capabilities of SIEMs and other security products in this space, right? To add a lot more automation, particularly around workflows, right? Because if you need an analyst to work something, you need them to focus on the essence of the issue and not have to pull data and look for correlations and try to figure things out. You want to get all of that data together to present them the best picture you can so they can make a decision as quickly as possible. If a SIEM is not doing that, if it's just generating alerts and there's a lot of manual effort behind it, that's not a recipe for success in today's environment.
Rick Howard: I'm going to make a bold prediction here. I've been watching this for about a year now. I think that SIEM technology and SOAR technology and XDR technology, all three of those things are going to start to merge and in five years we're not going to have separate terms for all that, right? I particularly like the idea of XDR capability, meaning the ability to collect telemetry from all sources, end points, networks, security stack stuff, right? Put the data somewhere and then run automation on that to see if you can find patterns of misbehavior or even look for Russian adversary playbooks, that kind of thing. All three of those technologies, they do parts of it. The SIEM guys are good at collecting the intelligence but not very good at automating it. The SOAR guys are really good at automating stuff, right? And the XDR folks are really good at connecting to APIs and doing something useful. So, I see all that merging into one giant product somewhere down the pipe. What do you think? Am I off-base on that, Gary?
Gary McAlum: No, you're not off-base. Without mentioning a name of a particular vendor, I've been advising a small start-up company that has sort of taken on a big piece of this problem and they're using the MITRE ATT&CK framework sort of as the framework to leverage and then they're adding a threat intelligence or a threat informed view on top of that through automation, and so by going into your environment, they can ingest all the security stack that you already have out there, whether you have it or not, they're going to pull in the data and they're going to overlay that against the MITRE ATT&CK framework and tell you, based on a threat informed view of your organization, how does your environment stack up, what's your risk posture. And so there's a lot of that type of thinking in what you've just described, and I've seen more out there in the start-up world that are starting to focus on those type of problem sets.
Rick Howard: I believe I am familiar with that company, and I won't say the name either but hint hint I think I'm the advisor to their board, right? I will just leave it at that. Gary, we are at the end of the show, so I appreciate you coming on and doing all of this. Ladies and gentlemen, thanks for coming on and listening to us go on and on about the greatest stories of the last 90 days. On behalf of my colleagues Amanda Fennell and Gary McAlum, thanks for participating. Gary, any last words from you?
Gary McAlum: No, thanks for having me on. I think the story of Ukraine is a fascinating story to watch from a cyber perspective. It's still playing out so I know everyone on this call will be watching closely on what's happening in the days and weeks ahead, but it's a fascinating story.
Rick Howard: Well, thank you, sir. We will see everybody back at the next CyberWire quarterly analyst call. See you, everybody.