CyberWire Daily - Another DDoS attack against NATO governments. The US 2022 National Defense Strategy is out. Notes on ICS security.

Episode Date: October 28, 2022

Cyberattacks against Poland’s and Slovakia’s parliaments. The US 2022 National Defense Strategy is out. Insights from SecurityWeek’s ICS Cyber Security Conference. The importance of zero-trust in industrial environments. Malek Ben Salem from Accenture on machine language security and safety. Our guest is Nick Schneider of Arctic Wolf to discuss why he believes 2023 will see a resurgence of ransomware. And CISA issues four more ICS Advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/208

Selected reading.
Computer networks of parliaments in Poland and Slovakia paralyzed by cyberattacks (Euro Weekly News)
Slovak, Polish Parliaments Hit By Cyber Attacks (Barron's)
Slovak parliament suspends voting due to suspected cyberattack (Reuters)
"Also from Russia" - cyber attack on parliaments in Poland and Slovakia - Today Times Live (Today Times Live)
2022 National Defense Strategy (US Department of Defense)
2022 NDS Fact Sheet | Integrated Deterrence (US Department of Defense)
Discussing cyberattacks vs system failures. (CyberWire)
Zero-trust in ICS environments. (CyberWire)
SANS 2022 Survey: The State of OT/ICS Cybersecurity in 2022 and Beyond | Nozomi Networks (Nozomi Networks)
CISA Releases Four Industrial Control Systems Advisories (CISA)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Cyber attacks against Poland's and Slovakia's parliaments. The U.S. 2022 National Defense Strategy is out. Insights from SecurityWeek's ICS Cybersecurity Conference. The importance of zero trust in industrial environments.
Starting point is 00:02:17 Malek Ben-Salem from Accenture on machine language security and safety. Our guest is Nick Schneider of Arctic Wolf to discuss why he believes 2023 will see a resurgence of ransomware. And CISA issues four more ICS advisories. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 28, 2022. In a recent development in Russia's hybrid war, more distributed denial-of-service attacks appear to have hit Eastern European NATO members. According to AFP, the parliaments of both Poland and Slovakia sustained cyberattacks yesterday that knocked out various parliamentary networks, including those supporting both voting and telecommunications. From descriptions of the attacks, the incidents appear to be DDoS attacks.
Starting point is 00:03:32 Reuters quotes Bruno Kolar, Speaker of the Slovak Parliament, as saying, We have identified a cybersecurity incident. There is a signal coming from some point which jams our systems, computers. We cannot even serve the lawmakers in our cafeteria. Polish sources say that some of the attack traffic originated from Russia, and it's widely suspected that the attacks were a Russian operation retaliating for Polish and Slovak support for Ukraine in the present war. On Wednesday, just a day before the attacks, Poland's parliament
Starting point is 00:04:06 had passed a resolution condemning Russia as a terrorist state. Slovakia had recently decided to send Ukraine warplanes in exchange for U.S. fighters to be delivered later. The U.S. has published its national defense strategy. The document highlights the threat from four familiar adversaries, China, Russia, North Korea, and Iran, all of whom deploy notable offensive cyber capabilities. The strategy emphasizes deterrence, and with respect to cyberspace, deterrence through resilience, which it suggests is achievable through a range of measures that include encryption and implementation of zero-trust principles.
Starting point is 00:04:48 The document also says that the U.S. will pursue deterrence by direct and collective cost imposition, which could include offensive cyber operations. This represents a more assertive use of national power in cyberspace. The document says, we will conduct cyberspace operations to degrade competitors' malicious cyber activity and to prepare cyber capabilities to be used in crisis or conflict. This week at SecurityWeek's ICS Cybersecurity Conference, OT ICS Security Practice Manager at IBM, David Lancaster Jr., described a challenge industrial operations face,
Starting point is 00:05:29 distinguishing system failures, asset failures, and cyber incidents. The question, an important one in organizing resiliency, has gained salience as the air gaps that once protected legacy industrial systems disappear. Lancaster said, fully air-gapped systems where we are today truly don't exist, and explained that the line between IT and OT has blurred as legacy systems are decommissioned and replaced by digitally connected IoT systems. This convergence has occurred as manufacturing and critical infrastructure have grown increasingly attractive to threat actors. It used to be conventional wisdom that many industrial systems were protected by default.
Starting point is 00:06:13 They used legacy equipment that preceded widespread networking, and so they came with built-in air gaps. As older systems age out and are replaced by newer, more highly networked technologies, that former advantage has been vanishing, and it seems now to have largely disappeared. There are few of those legacy air-gapped-by-default systems remaining in the field, and there are fewer of them all the time. And during another panel discussion at SecurityWeek's ICS Cybersecurity Conference yesterday, Del Rodillas, Istari's client partner for Industrials in the Americas, and Jack Oden, Program Director, ICS Cybersecurity SME at Parsons,
Starting point is 00:06:56 outlined the importance of applying zero-trust strategy in ICS environments. The principles they discussed are well-established best practices. One of them is essential to any risk management process, identifying what needs to be protected. Put another way, this can be seen as assessing the consequence part of the risk calculation. Rodillas said, when I think about the things you need to do to get started in operation technology environments, the steps that you would apply in IT are also applicable, but just in a different context. And he added, visibility comes first, knowing what you have. He stated, the first step is trying to understand what are your assets
Starting point is 00:07:38 that are in your environment? What are your crown jewels? So getting that visibility, getting that understanding of risk is the first step. And then the next step is really using the capabilities that you have to profile the traffic between the different assets to and from the different crown jewels. And that'll really help you in terms of understanding how you might need to segment your network. And once you kind of have that segmentation, that's when you start applying the granular policy. Oden explained that zero trust can help prevent attackers from moving around within both IT and OT networks. He said, the bottom line to me
Starting point is 00:08:17 is to literally trust no one or nothing and always verify. If you keep that in mind, I think that's the most fundamental thing you can apply here. Oden continued, we have been talking for decades about perimeter security, and once you've verified the identity of the person, hopefully with good password security and maybe multi-factor authentication, once they're in, for the most part, my customers were just letting those people have their way. But if you think more about it, inside your network, you've got a lot going on. Again, in the crown jewels concept.
Starting point is 00:08:51 And where are people coming from into your network? They're usually coming through the corporate network and then coming down to OT. And so up there, there's a lot of stuff going on. But no matter what the operation is, that OT operation is critical to you, whether it's the HVAC operation that keeps your computer center running, or if you're a power plant providing power to the local community. The SANS 2022 OT/ICS Cybersecurity Report, sponsored by Nozomi Networks, was released this morning. It covers the current state of industrial control system security.
Starting point is 00:09:27 The survey indicates that OT, that is operational technology cybersecurity, has improved in certain respects compared to last year's survey. Ransomware comprised the leading threat, closely followed by nation-state attacks, non-ransomware cybercrime, and threats to hardware and software supply chains. One disturbing trend is a rise in attacks where engineering workstations were the initial attack vector, but in general, most attacks, 41%, arrived through IT networks and often spread through removable media. Nozomi Networks' co-founder and CPO Andrea Carcano summarized the results, stating,
Starting point is 00:10:08 While the threat actors are honing their ICS skills, the specialized technologies and frameworks for a solid defense are available. The survey found that more organizations are proactively using them. Still, there's work to be done. We encourage others to take steps now to minimize risk and maximize resilience. And finally, the U.S. Cybersecurity and Infrastructure Security Agency
Starting point is 00:10:33 yesterday released four industrial control system advisories. Operators should check their systems and take appropriate action. Coming up after the break, Malek Ben-Salem from Accenture on machine language security and safety. Our guest is Nick Schneider from Arctic Wolf to discuss why he believes 2023 will see a resurgence of ransomware. Stick around.
Starting point is 00:11:26 Do you know the status of your compliance controls right now? like right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done
Starting point is 00:11:59 five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. Thank you. Learn more at blackcloak.io. There are indications that ransomware attacks have slowed down, and many speculate that Russia's war on Ukraine is a likely cause of that slowdown.
Starting point is 00:13:26 Some say this lull provides organizations an opportunity to catch up and shore up their defenses. Nick Schneider is president and CEO of Arctic Wolf, and he believes businesses and organizations should be using this time to prepare for the next wave of attacks. I think that they've gotten a lot more sophisticated, both in the manner in which they attack, but also in their operations themselves. So by doing so, they've been able to get deeper and wider within organizations over an extended period of time. And by doing that, they're able to do a lot more damage or get their hands on a lot more company information. And as a result, they're able to or decide to act in a way that allows them to ask for more ransom or more funds to get the company out of a position that they don't want to be
Starting point is 00:14:23 in. And they've done that both through the capturing and locking of certain data or devices, but also through, I think more recently, some extortion tactics. So they're real businesses now. So whereas it might have been a little bit more grassroots in, you know, years past, you know, some of these organizations have, you know, HR teams and, you know, picnics and, you know, things that you'd expect from, you know, a traditional organization. And as a result, they're a lot more sophisticated in the way in which they approach, you know, kind of their business and their tactics. Given where we stand today, what is your advice for organizations who are looking to dial in, you know, the amount of resources they apply to helping prevent ransomware? Yeah, I think we have an interesting time right now in that the number of attacks has
Starting point is 00:15:21 subsided slightly. So there's been a little bit of a reprieve for organizations. And I think what I've found or what I've heard as I'm talking to folks in the market is that people take that either as an opportunity to kind of shore up their defenses or in my opinion, the wrong decision would be to take a slight lull as an opportunity to move or allocate budget or priority elsewhere.
Starting point is 00:15:47 I believe that any lull that we've seen in ransomware relatively recently will come back and it will likely come back and then some, meaning it will come back in a more, you know, meaningful way than we even saw, you know, prior to a slight slowdown. And those organizations that use a little bit of slowdown and attacks to really firm up their security posture will be the organizations that are in a really good position. And those that have, you know, kind of neglected it, you know, over that period of time, you know, I believe or wish they had. And what to do or the advice would be to make sure that it's a topic of communication with the executive staff, make sure that it's a topic of discussion with the board, and make sure that you're investing in your security posture in a material way so that you can ensure that you're protected over time. And I think as companies
Starting point is 00:16:47 do that, they'll find that the best way for them to be protected is to build a solution or build an ecosystem within their own environment that allows them to deliver multiple outcomes to the business. So how do you detect and respond? How do you, you know, make yourself aware, you know, aware of any potential vulnerabilities? How do you educate, you know, your employee base? How do you set up education around, you know, phishing and, you know, social attacks? And then do you have a plan if something does go wrong? So do you have, you know, a team or a retainer? And tying that all together is going to be what's important for organizations. And unfortunately, that's a tall order for a lot of organizations. So that's kind of how we specialize is we like to view ourselves as a security operations cloud that can provide multiple outcomes to a customer. But whether it's Arctic Wolf or not, having a comprehensive plan and leveraging what is a little bit of a lull in activity, I think will be really important for businesses. You know, it seems as though the rise of cryptocurrency and the rise of ransomware kind of went hand in hand, that crypto was an enabler for some of these ransomware actors.
Starting point is 00:18:04 We've seen signs that perhaps crypto will be regulated or clamped down on. Do you think that might move the needle? Yeah, I think there's two conversations on this. One is the price or the value of cryptocurrency. I don't think that that will have an impact. They'll just adjust their requests based on whatever currency that they're benchmarking the crypto against.
Starting point is 00:18:31 The regulations, I think, could have a short-term impact. I don't believe it would be a medium or long-term impact. Again, these organizations are now running significant businesses. To believe that they will just fold up shop with some adversity in the crypto markets,
Starting point is 00:18:49 I think is a naive belief. So yeah, I do think that those things will likely help in the short run, but I believe in the long run or even in the medium run, the bad actors will find a way to continue to capitalize on vulnerabilities within an organization's cybersecurity posture. That's Nick Schneider, president and CEO of Arctic Wolf. There's a lot more to this conversation.
Starting point is 00:19:29 If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. And I'm joined once again by Malek Ben Salem. She is the Security Innovation Principal Director at Accenture. Malek, it's always great to welcome you back. You know, recently you and I were chatting about machine learning security and safety, and I wanted to continue that conversation with you about some of the ways that the issues that can come up with these sorts of things can be solved. What can you share with us today? Yeah, so we talked about machine learning robustness, right, in adversarial settings and
Starting point is 00:20:30 in unusual event settings. And I think, you know, there are a few techniques or methods that we can use as machine learning engineers and as people who are developing these systems to make them more robust. One of them, obviously, is the use of robustness frameworks that we need to develop more of, that we need to expand, develop even further, develop benchmarks further to stress test these systems and identify their breaking points. There are techniques related to data augmentation, for instance, that can make these models more robust. For instance, if you have a machine learning model or a computer vision system that is supposed to recognize images, any perturbations in the input images may lead that system to completely misrecognize what's in the image. It has been shown that if you combine the original image with certain
Starting point is 00:21:40 fractals, you may be able to make those models more robust against noise to these images. There are techniques related to entropy minimization when building these models. There are techniques in cyber-physical environments of including multiple sensors and input streams from multiple sensors. Again, in the self-driving car setting, you don't want to rely just on one camera to make decisions. You want multiple cameras and feed all of those or use all of those feeds from those cameras to interpret what's going on in the surrounding environment. And there are also techniques around how to train the models running within these systems using adversarial data points.
Starting point is 00:22:38 So preemptively creating adversarial data that a threat actor may create and using those to train the models. There are special, even special adversarial training techniques that have been shown to be more robust than others. The smooth adversarial training technique is one of them. And then finally, I think we need to, as a community, we need to have some way of verifying the adversarial robustness of these models. So in some sort, having programs that can certify how robust these models are to adversarial attacks. And, you know, again, that's a community effort that will require some work, some collaboration. You know, it's important if we are to deploy these AI systems and be confident and trust them. I've seen most recently a program launched by researchers in Stanford University to call for attention to these problems. It's sort of like a bug bounty program.
Starting point is 00:23:51 They're offering basically tens of thousands of dollars as rewards to people who can identify security bugs in these machine learning models. You know, I recently saw a video that was making the rounds and it was a Tesla that was in a self-driving mode, you know, looking and you could see how it was interpreting its environment. And it came up behind a horse and carriage, like a Cinderella kind of horse and carriage, a big fancy carriage and a whole team of horses.
Starting point is 00:24:22 And the system didn't know what to make of it. It could not figure out what it was. And that struck me as an example here of, you know, how do you predict, how do you put a Cinderella carriage in your edge cases, and how do you decide what your fail-safe mode is if you come across something like that? Exactly. That's exactly the challenge. It's very difficult to predict what are these rare events that these systems will encounter when they are deployed in a real-world environment. So again, it's important then to train them or to expose them to these cases. And one way of doing that is by creating sort of out-of-distribution data sets and using them to train the models. There are some synthetic data generators that can be leveraged for developing these synthetic data sets and, importantly, out-of-distribution data sets.
Starting point is 00:25:27 I'm reminded of that, I think it's a military axiom that no battle plan survives contact with the enemy. And I wonder if that applies to putting vehicles and things out in the real world, that the set of possibilities is just practically infinite. Oh, yeah. And actually, that brings me to another point that is important also for making these ML systems secure and safe. So we talked about robustness, right, and preparing them to deal with cases that they're not used to.
Starting point is 00:26:01 But it's also equally important to have capabilities embedded within these systems or outside of these systems to detect anomalies, right? If they're deployed, how can I detect and respond to a situation that is abnormal? So, you know, in the case of, again, self-driving systems, one could say, yeah, these are not fully autonomous. Maybe we'll have people eventually oversee a fleet of, you know, self-driving cars, or, you know, if you have Uber self-driving cars, you will have operators monitoring them. And that's important, but in that case, you'll need to have the ability of the car or the AI system to recognize that a situation is abnormal, and you need to have that in a manner where the signal-to-noise ratio is high, right?
Starting point is 00:27:07 So, you don't want to overwhelm these operators with alerts that will cause alert fatigue and then that will defeat the purpose of them monitoring these systems. So, that's another important factor, having or developing the ability for these systems to recognize anomalies, to recognize unusual situations, that comes as a trade-off with building robustness, right? So, on the one hand, you want them to recognize these unusual events and respond to them appropriately. On the other hand, you want them to recognize them as anomalous. And drawing the line between the two cases is not always, you know, straightforward. All right. Well, interesting stuff as always. Malek Ben Salem, thanks for joining us. Thank you. A default-deny approach can keep your company safe and compliant. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Starting point is 00:29:02 Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio, or shake up your mood with an iced brown sugar oat shake and espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Federico Kirschbaum from Faraday Security. We're discussing a vulnerability in Realtek's SDK for ECOS OS, honing thousands of routers. That's Research Saturday. Do check it out. Thank you. Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Maria Varmatsis,
Starting point is 00:30:11 Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Catherine Murphy, Janine Daly, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:31:00 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
