CyberWire Daily - An update on the hybrid war, where Russia turns to missile strikes, physical sabotage, and nuisance-level DDoS. Surveys look at the state of the SOC and the mind of the CISO.
Episode Date: October 11, 2022

Russia's Killnet suspected in DDoS attack on major US airports. Starlink service interruptions reported. Bundesbahn communications network sabotaged in northern Germany. Germany's cybersecurity chief faces scrutiny over alleged ties to Russia. Ben Yelin on the FCC's crackdown on robocalls. Ann Johnson from Afternoon Cyber Tea talking with Sounil Yu from JupiterOne about the importance and evolution of cyber resilience. Overworked CISOs may be a security risk, but in an encouraging counterpoint, another study shows a record of CISO success during the pandemic. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/195

Selected reading.
US Airport Websites Hit by Suspected Pro-Russian Cyberattacks (SecurityWeek)
Hackers knock some U.S. airport websites offline (Washington Post)
Hackers took down U.S. airport web sites, Department of Homeland Security confirms (USA TODAY)
Pro-Russian hackers claim responsibility for taking down US airport websites (Computing)
US airports' sites taken down in DDoS attacks by pro-Russian hackers (BleepingComputer)
Pro-Putin goons target US airport websites with DDoS flood (Register)
Russian Sanctions Instigator Lloyd's Possibly Hit by Cyber-Attack (Infosecurity Magazine)
Lloyd's of London reboots network after suspicious activity (Register)
Colorado.gov Back Online After Cyber Attack (GovTech)
Defending Ukraine: SecTor session probes a complex cyber war (IT World Canada)
Ukrainian officials reportedly say there have been 'catastrophic' Starlink outages in recent weeks (Business Insider)
Frontline Ukraine troops are reportedly enduring Starlink outages (Engadget)
Elon Musk's foray into geopolitics has Ukraine worried (The Economist)
Elon Musk needs to clarify Ukraine's reported Starlink outages: Kinzinger (Newsweek)
Attack on German Rail Network 'Targeted, Professional,' Police Say (Bloomberg)
An act of sabotage shut down parts of Germany's rail system for hours this weekend (NPR.org)
Germany rail chaos could have been caused by Russia, says MP (The Telegraph)
Sabotage blamed for major disruption on Germany's rail network (The Telegraph)
No sign that foreign state was behind German rail sabotage, police say (Reuters)
Germany Won't Rule Out Foreign Country Role in Rail Sabotage (Bloomberg)
Germany's cybersecurity chief faces dismissal, reports say (Reuters)
German cybersecurity chief investigated over Russia ties (ABC News)
German Cybersecurity Chief to be Sacked Over Alleged Russia Ties: Sources (SecurityWeek)
„Wir müssen wachsam bleiben“ [We must remain vigilant] (Tagesspiegel)
1 in 5 Chief Information Security Officers (CISOs) Work More Than 25 Extra Hours Per Week (Tessian)
2022 Devo SOC Performance Report (Devo)
2022 Deloitte-NASCIO Cybersecurity Study (Deloitte Insights)
Cybersecurity Survey of State CISOs Identifies Many Positive Trends (PR Newswire)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code N2K at checkout.
Russia's Killnet is suspected in DDoS attacks on major U.S. airports.
Starlink service interruptions have been reported.
Bundesbahn communications network has been sabotaged in northern Germany.
Germany's cybersecurity chief faces scrutiny over alleged ties to Russia.
Ben Yelin on the FCC's crackdown on robocalls.
Ann Johnson from Afternoon Cyber Tea speaks with Sounil Yu from JupiterOne about the importance and evolution of cyber resilience.
And overworked CISOs may be a security risk, but in an encouraging counterpoint, another study shows a record of CISO success during the pandemic.
From the CyberWire Studios and Data Tribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 11th, 2022.
Over the long weekend, Russia's hybrid war against Ukraine saw two major developments on the ground: an attack Saturday, apparently by Ukrainian special forces, on the Kerch Bridge between Russia and its illegally occupied Crimean territory, and Russian retaliatory missile strikes against Ukrainian cities that began Sunday, peaked Monday morning, and continued on a smaller scale today.
Much of the Russian effort in cyberspace has been devoted to influence operations, designed
mostly for domestic spine stiffening, but some low-grade cyber operations have continued.
Killnet is suspected of being behind a wave of DDoS attacks on U.S. airports.
SecurityWeek reports that airports in Atlanta, Chicago, Los Angeles, New York, Phoenix, and St. Louis were among those affected.
The Register, citing researchers at CyberKnow, who found Killnet's published target list of U.S. airports, says the nominally hacktivist group Killnet has claimed responsibility.
CyberKnow subsequently shared a similar target list from Anonymous Russia.
Service was restored quickly, SC Media reported, but more attacks are expected.
U.S. states whose websites were briefly disrupted
last week by Killnet remain largely closed-mouthed about their recovery, but recovery seems to have
been accomplished quickly. Colorado, according to Government Technology, is back online and
fully operational, but state authorities are providing few details until their investigation is complete.
Lloyd's of London has also recovered from the unusual incident it underwent.
Russian operators have been the leading suspects on grounds of a priori probability.
Lloyd's had been prominent in its practical support of sanctions against Russia, InfoSecurity writes.
But, as the Register points out, attribution is still up in the air.
Lloyd's concluded yesterday that no data was lost in the suspicious incident that came under investigation last week.
The insurance market told Reuters, "The investigation has concluded that no evidence of any compromise was found, and as such, Lloyd's has been advised that its network services can now be restored."
Two general points are worth making.
Russian cyber attacks continue to achieve little more than nuisance-level results,
and despite their hacktivist posturing,
threat actors like Killnet and Anonymous Russia are agents of the Russian state.
Ukrainian forces are said to have encountered disruption of
Starlink services as they've advanced into formerly Russian-occupied territory,
the Financial Times reported Friday. No cause for the outages has been established publicly,
but there's been speculation that SpaceX had interfered with service in those areas to deny them to Russian operators, but that it hadn't been able to keep up with Ukraine's advances.
There's also been speculation that SpaceX might have put the brakes on Starlink as part of founder Elon Musk's recent suggestion that Russia and Ukraine might be better with a negotiated peace.
His suggestion, tweeted on October 3rd, that a referendum might be the solution to the conflict was well received in Russia, very poorly received in Ukraine, and generally disapproved of elsewhere, The Economist reports.
For his part, Mr. Musk dismissed the Financial Times story as
bad reporting, especially insofar as it overstated the services Ukraine had bought and paid for.
For now, the reported outages remain under investigation. Starlink's early provision of
internet connectivity to Ukraine was widely regarded as crucial to blunting Russian jamming
and information operations in the theater. The Washington Post reported in August that the U.S. government had bought and delivered more than 1,300 Starlink systems to Ukraine, and SpaceX itself had donated about 3,600.
That Ukrainian forces missed their connectivity and raised its loss as a tactical communications challenge attests to how important commercial Internet service has become to battlefield command and control.
Rail travel in the north of Germany was disrupted over the weekend by sabotage that took down
communications used for train control. The incident was one of deliberate physical sabotage: cables were cut. It remains under investigation.
Bloomberg quotes German police as calling the sabotage targeted and professional
and says that they have so far developed no clear suspects.
Nonetheless, initial suspicion turned to Russia.
The Telegraph reports that Anton Hofreiter,
a member of the Green Party who chairs the Bundestag's European Affairs Committee,
said the Kremlin may have issued a warning because of Germany's support for Ukraine.
To pull this off, you have to have very precise knowledge of the railway's radio system.
The question is whether we are dealing with sabotage by foreign powers.
Reuters reports that Arne Schönbohm, president of the BSI, Germany's Federal Information Security Agency, is under scrutiny for contacts with Russia he may have developed through his participation in the Cyber Security Council of Germany.
Interior Minister Nancy Faeser is said to be seeking his dismissal.
The story is still developing, but sentiment in Berlin seems to be moving in the direction of Herr Schönbohm's replacement.
Devo's annual SOC performance report was released today.
The survey asked security professionals for their views on the state of the SOC.
The results show that 77% of respondents believe that their SOC is essential or very important to their company's cybersecurity strategy.
While most respondents considered their SOC effective, those that didn't believe that their SOC had a lack of visibility into the attack surface, as well as challenges hiring and retaining skilled employees.
Cyber risk compliance, threat detection, and incident response and remediation were found to be the most prominent SOC services provided by
organizations, with threat hunting and cloud-native capabilities listed as the top two services they
expected to add within the next year. The role of a security information and event management system is also discussed for respondents with organizations that utilized a SIEM.
Threat detection, threat investigation, and incident response were among the most common services provided by the SIEM.
90% of respondents rate their SIEM as effective to very effective, with 25% of respondents giving it a 9 or a 10 on a 10-point scale.
Surveyors also asked about the downfalls of respondents' SIEM capabilities, with a lack of machine learning capabilities by far being the largest reason the system is found to be ineffective, with cost and lack of integration trailing behind.
Is overwork a security risk?
There's some evidence that this may well be so.
Tessian released a blog today detailing the results of its study of
overworked CISOs and how fatigue and burnout pose a security risk to their companies.
Results found that CISOs are working significant amounts of overtime, upward of two extra days a
week, working on average 16.5 extra hours a week. This is an increase of 11 hours over the past year. On top of that,
three-quarters of CISOs report not being able to switch off from work, with 16% saying that they
never switch off. The larger the company, the more overtime the CISO seems to be pulling.
CISOs at companies with 10 to 99 employees work an average of 12 extra hours a week,
while their counterparts at large companies with 1,000 or more employees work an extra 19 hours.
But it was also found that work-life balance, despite the lower number of excess hours,
is harder for CISOs at small companies.
Only 20% of CISOs from small companies report being able to always switch off, while 31%
of their counterparts at large companies say the same. 47% of employees report distraction as the
main reason for falling for a phishing scam, with 41% citing distraction as the reason for sending
an email to the wrong recipient. These incidents contribute to CISOs' work time,
with reference to a separate survey by Forrester,
which found that security teams can spend up to 600 hours per month
on threats caused by human error.
Finally, however, we are pleased to end on a moderately encouraging note.
Deloitte has released a study on a related topic, the relative positions CISOs have achieved in organizational hierarchy and influence.
Their study, State Cybersecurity in a Heightened Risk Environment, concludes that U.S. state CISOs have gained strength and authority following their work in migration of government services and operations to the virtual landscape.
Their work during COVID-19 in particular should be counted a success.
It gave state agencies the ability to maintain a high level of service amidst a pandemic.
So, a well done seems to be in order. Coming up after the break, Ben Yelin on the FCC's crackdown on robocalls.
Ann Johnson from Afternoon Cyber Tea talks with Sounil Yu from JupiterOne about the importance and evolution of cyber resilience.
Stay with us.
Real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and help you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Cyber resilience is something that the security industry has been talking about for a long while.
But over the last few years, the concept has evolved quite a bit.
You have played a really big role in shaping the conversation on cyber resilience, and you've developed multiple frameworks that leaders use today.
So from your words, how has the conversation evolved?
What are some of the paradigm shifts we are seeing in the industry?
And how will that necessitate a new approach to cyber resilience?
Sure, Ann.
So one of the challenges that I saw,
one of the reasons why I tried to shake up the ecosystem is because I didn't see the conversation evolving as quickly as it needed to.
What I saw in the market was the propensity for vendors to sell solutions
that really solved all the problems.
And one of the frameworks that I created was this thing called the Cyber Defense Matrix.
And it's a simple mental model that helps us understand all the different things that
the vendors are selling us.
And it became pretty clear as I was mapping out all these different vendors that there was a massive gap in the market for solutions that help us recover against cyber attacks.
And as I studied this matrix and as I tried to understand why this was the case,
there was a revelation that came about in terms of why we might be missing something in that space from a timing standpoint and just our thinking standpoint.
So this paradigm shift is really, as we move into this stage of recover,
as we try to tackle the space around recover, just a massive gap that's in the market made it very clear that we needed to think differently about how we tackle that problem.
So when you think about that, then, and you think about protect, detect, and respond, and the fact that organizations continue down that path, how do you shake them up?
How do you get them to change their thinking and move
to a point where they realize? Because as you know, I've written and blogged a lot and spoken
about cyber resilience for the past four years. And you need to understand where your critical
business systems are and get them back online as quickly as possible is the core of it, right?
But how do you get organizations moving when they're really tied into the past technologies
and the past methodologies and the past architectures?
Yeah, so I took a different approach, which attempted to take a complete break from our old way of thinking.
And if I were to distill it into a common framework that we in security are familiar with,
I used a whole different paradigm or a whole different perspective.
And the old way of thinking is what we call the CIA triad in security.
And CIA stands for confidentiality, integrity, and availability.
The new paradigm or the new way of thinking, one that I tried to take a complete break from, is what I call the DIE triad.
And DIE stands for distributed, immutable, ephemeral. And the acronym, by the way, is intentional as well. So the DIE triad takes a complete break from the CIA triad.
How long do you think it's going to take the industry to start moving in that direction? And in doing so, what's going to get in their way?
Actually, so funny thing is, I think that what's going to get in the way is security people, because effectively, we in security are well vested and well employed and well rewarded
for doing CIA. And what I'm actually arguing is that on the other end of the spectrum,
we have a situation where we are not going to be where we lower our burden for security.
And one general way that we can think about the type of resources
that we oftentimes build in these environments that are on-prem
is to think about those as long-lived resources that we have to care about.
And one of the analogies I use is that we oftentimes build pets.
And these pets are things that we have to care about.
We give them a name and so on and so forth.
And so because organizations build a lot of pets, we are veterinarians within our IT organizations.
You can hear more of this interview and indeed the entire library of Afternoon Cyber Tea podcasts right here on the Cyber Wire podcast network.
And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast. Hello, Ben.
Hello, Dave.
Interesting story over from Gizmodo. This is an article by Lauren Leffer,
and it's about the FCC blocking calls from telecoms that ignore the robocall plague,
as they put it. What is going on here?
So we have all been there. I probably receive about 10 of these calls in a given week, maybe more. It's your warranty is about to expire. It's an automated message.
Luckily, the most recent version of cell phones are pretty good at sifting these out. I get a lot
of calls from quote unquote scam likely. Now I kind of want to meet someone in real life named scam likely.
I'll get extremely confused when I get an incoming call.
Sounds like a character from Guys and Dolls, you know?
Yeah, exactly.
That is really funny.
We got to invite scam likely to the dice game, to the craps game.
The craps game, yeah.
The dice game in the sewer.
Right, right.
Playing with Sky Masterson.
No.
So the FCC is really going to crack down on some of the companies that propagate these robocalls.
They mentioned seven companies here.
I'm not going to publicly shame them, but they are listed in this article.
They may have earned it. And they have received final warnings from the FCC.
I think many of them have received previous warnings, and their responses have been,
well, we weren't aware of the federal standards, which are called the STIR/SHAKEN standards.
Or they've said that these are innocent compliance issues.
They're trying to comply with the standards, but for one reason or another, they were not able to comply.
And the FCC is sending a final warning shot saying,
this is no longer going to be acceptable.
It doesn't matter if you purposely evade the standards.
It doesn't matter if you're negligent.
If these robocalls continue, and if you don't comply with SHAKEN and STIR,
which I can tell you is signature-based handling of asserted information using tokens,
and STIR, secure telephone identity revisited.
Which are the technologies that verify phone calls are coming from a legitimate provider.
Right.
If these companies don't comply with those standards, they are going to be cut off of
our telephone communication system.
Basically, a wall will be placed in front of every call coming from
numbers belonging to these companies, and they won't make their way to me and you, the people
who receive these calls. This is a major escalation on the part of the FCC. I mean, they have the
authority to stop robocalls. Congress has granted them the authority. There was an effort in the mid-2000s to rid us of these burdensome robocalls, especially as cellular phones became more ubiquitous.
And I think companies were finding a way around those guidelines and those regulations.
to keep up with the technology and say,
we've now developed pretty robust standards and ways to verify that phone calls
are coming from actual human beings
or actual legitimate organizations.
And if you, as a company,
propagating one of these calls,
if you are not complying,
then we will fully cut you off.
It seems to me that this is something
that most people would be supportive of.
I don't think any of us like these robocalls.
The only exception is the seven companies listed here.
The CEOs of the seven companies listed.
Right.
Well, I mean, this is pretty much a poison pill for those companies, right?
I mean, this could be a death sentence for them.
It absolutely could be.
As it is, I still don't really understand how they make money in the first place
just because who would hear an automated message from somebody talking about an extended warranty
and actually take action beyond hanging up the phone and expressing their disgust?
Yeah.
But supposedly enough people do it that it's profitable for them.
Huh.
So they are going to continue to do it until they're stopped.
And I think that's what's going on here.
Yeah, it could be a death sentence for these companies,
or they're just going to have to move on to a less intrusive, illegal business model
that is based on preying on innocent Americans
and their inability to distinguish legitimate phone calls from BS.
So I don't have
too much sympathy for these seven companies. And I suppose there's probably nowhere else for
these folks to go. I mean, if I'm going to guess that when it comes to accessing the U.S. phone
system, these companies are probably the lowest common denominator, you know, like the lowest access point available.
These are the folks who are willing to look the other way.
You know, your T-Mobiles, your Verizons, your AT&Ts have probably already said to these folks, you can't use us for this sort of thing.
So could this make a difference?
Might we see these things stop?
I really think it could. I mean, the FCC,
if they are willing to use their nuclear option here, which is cutting off phone calls, then yes,
I think we could actually finally see this issue resolved. I don't see any reason why they would
not follow through on this threat. Right now, it's just these seven companies. I'm sure more
of these companies are going to spur up as these companies get taken offline. So perhaps the enforcement mechanism
is going to need to be broadened to account for new entrants into this marketplace. But yes,
I do think this potentially could be the death knell for these obnoxious robo phone calls.
Well, here's hoping.
Yes, I think you speak for all of us in saying that.
Yeah.
All right, well, Ben Yelin, thanks for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly
produced in Maryland out of the startup studios
of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White,
Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Kirill Terrio, Ben Yelin,
Nick Vilecki, Gina Johnson, Bennett Moe, Catherine Murphy, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.