CyberWire Daily - Bear tracks all over the US Government’s networks. Pandas and Kittens and Bears, oh my... Emotet’s back. Spyware litigation. A few predictions.
Episode Date: December 22, 2020

The US continues to count the cost of the SVR’s successful cyberespionage campaign. Attribution, and why it’s the TTPs and not the org chart that matters. Emotet makes an unhappy holiday return. It seems unlikely that NSA and US Cyber Command will be separated in the immediate future. Big Tech objects, in court, to NSO Group and its Pegasus spyware (or lawful intercept product, depending on whether you’re in the plaintiff’s or the respondent’s corner). Ben Yelin looks at hyper-realistic masks designed to thwart facial recognition software. Our guest Neal Dennis from Cyware wonders if there really isn't a cybersecurity skills gap. And a quick look at some more predictions. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/245 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The U.S. continues to count the cost of the SVR's successful cyber espionage campaign,
attribution, and why it's the TTPs and not the org chart that matters.
Emotet makes an unhappy holiday return.
It seems unlikely that NSA and U.S. Cyber Command will be separated in the immediate future.
Big Tech objects in court to NSO Group and its Pegasus software.
Ben Yelin looks at hyper-realistic masks designed to thwart facial recognition software.
Our guest Neal Dennis from Cyware wonders if there really isn't a cybersecurity skills gap.
And a quick look at some more predictions.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 22, 2020.
The SVR cyber espionage reached an email system used by senior officials in the U.S. Department of the Treasury, according to the New York Times.
The compromise may not have reached classified networks, and the Treasury Secretary's email is still thought to have gone uncompromised.
Microsoft, and not any federal agency, detected the intrusion and warned Treasury. While SolarWinds has attracted
most of the odium surrounding the incident, and while the company's Orion platform has clearly
been exploited in a software supply chain compromise, Dark Reading reminds its readers
that other avenues of approach through federated authentication systems were also used by the SVR.
Some reports suggest that the SVR engaged in some
cross-agency collaboration with the FSB, the other KGB descendant in the Russian intelligence
community, but the situation remains under investigation. CNBC reports that U.S. Attorney
General Barr has joined his cabinet colleague, Secretary of State Pompeo, in
attributing the recent cyber espionage campaign that targeted SolarWinds users and others to
Russian intelligence services. He said at a press conference yesterday that the operation certainly
appears to be Moscow's work. Perhaps this is as good a time as any for an excursus on nouns, both common and proper. The common nouns
first. The word attack has long been casually used for any hostile cyber activity, spying,
stalking, theft, data breach, control system interference, and so on. We've on occasion used
it that way ourselves. But the Russian cyber espionage campaign the U.S. is now glumly trying
to contain, explain, and mop up has prompted a number of writers to call for more precision
and circumspection on calling something an attack. After all, espionage attempts, whether successful
or unsuccessful, aren't usually called or even thought of as attacks, although they're clearly unwelcome and usually unfriendly.
Similarly, disinformation of certain kinds, when it involves denunciation, for example,
might be called an attack, but that's pretty clearly metaphorical. In any case, the current
activity that's collected against the U.S. government by exploiting the SolarWinds software
supply chain, and probably other federated authentication systems
has been widely referred to as an attack.
However, it's also prompted calls for various forms of retaliation,
which has led some to suggest that attack be reserved for activity
that's clearly destructive, or at least disruptive,
and disruptive in a kinetic sense.
While the SVR operation against the U.S. was
clearly very serious, indeed, no one probably is yet sure how serious it will turn out to be,
it also doesn't seem to amount to an act of war. Not the usual espionage, maybe,
but the response won't be and shouldn't be Rangers, Marines, and Tomahawks.
And now for the proper names.
There appears to have been more than one SVR unit involved
in the family of cyber espionage activities currently gumming up U.S. networks.
A great deal of the coverage, however, has attributed all of it to APT-29,
that is, Cozy Bear.
A number of threat intelligence types have objected to this.
APT-29 is a particular unit of the SVR, or perhaps even better, a specific operational style of the SVR.
It's not, properly speaking, an organizational alias of the whole Russian Foreign Intelligence Service.
This may seem pedantic, so much inside baseball, if baseball were played in Yasenevo, or at the
aquarium, or around the Lubyanka. Who cares which numbered department of what chief directorate did
it? Let the department heads save that for their annual reviews. Actually, however, it does matter.
Defenders aren't so much interested in who the bad actors are, they're interested in what they do.
Different threat groups use
different TTPs, tactics, techniques, and procedures, and the names are keyed to those.
Whodunit is important, as they say, only if you carry a gun and wear a badge. Or, of course,
if you're a journalist. So the operation that now requires the U.S. government to de-bear its
networks isn't all down to APT29, a point made
by people at Dragos and DomainTools, to take just two companies who work in this space.
So it's the TTPs, not the org charts, that matter to the typical defender.
Now hold on just a minute, CyberWire, you'll say. You're one of the worst offenders with your
liking for those animal names that people at CrowdStrike, among others, like to apply.
What's up with that? It's always bears this and pandas that with you guys.
What you say is profoundly true.
And we asked our editor for an explanation.
He argues that the InfoWar value of cute animal names outweighs any potential loss of clarity with respect to TTPs. The Russians
absolutely hate, hate being patronized as cuddly and adorable. And he points out that we've generally
respected the naming conventions. If Cozy Bear was there, then they were there. And that doesn't
exclude any other bears. But here's our way going forward of having our precision and eating the cuteness
too. Henceforth, we'll call any Russian threat actor Huggy Bear, which one of our stringers
says is the only name her husband can remember anyway. We're open to suggestions on the rest
of the familiar four. Pixie Panda seems like a good one for China, provisionally. Iran? How about Karen Kitten?
And we draw a blank on North Korea.
We have no idea what counts as cuteness there.
So send in your suggestions.
Mopping up after the SVR's cyber espionage campaign will be arduous.
Security Week quotes Bruce Schneier to the effect
that the only way to ensure a network is secure after this kind of breach is to burn it down to the ground and rebuild it. Proofpoint yesterday tweeted that
Emotet has returned, evidently in time to catch the tail end of the holiday shopping season.
The gang had gone quiet for a short time before the holidays, but is now back in action.
Proofpoint says they're seeing 100,000-plus messages
in English, German, Spanish, Italian, and more.
Lures use thread hijacking with Word attachments,
password-protected zips, and URLs.
It's now thought unlikely, the Washington Post reports,
that the long-contemplated, suddenly-invoked separation
of U.S. Cyber Command from NSA will happen during
the current administration's tenure. Microsoft complained last week that companies like NSO
Group amounted to the 21st century equivalents of mercenaries. Yesterday, Redmond put its lawyers
where its mouth is. Microsoft, Google, Cisco, and Dell have joined Facebook's lawsuit against NSO Group, Reuters says.
The companies filed an amicus brief with the U.S. Ninth Circuit yesterday.
Before we close out the news, it's time for a quick review of the predictions we're seeing.
Essentially everyone sees ransomware and remote work as trending up during 2021.
What about cybersecurity firms considered
as investments? Barron's says Cozy Bear's quiet recently discovered but months-long romp through
the U.S. government and corporate networks has already led to a market scramble for cybersecurity
plays. Market Insider reports that Wedbush is very bullish about the sector's 2021 prospects,
expecting a general 20% increase in security spending to drive a perfect storm of demand that will be reflected in
significant increases in the sector's valuations. Crunchbase thinks so too, quote, the cybersecurity
market retained investor interest in 2020 and many in the sector expect next year to be no different.
And how have past predictions fared?
Security Week looks back a decade at their optimist cybercrime predictions for 2011.
The author thinks they were, in general, pretty well borne out.
First, awareness is rising.
Well, that's been true, and some of that awareness has prompted better security.
Quote, cybersecurity budgets grow year over year,
and the conversation today is about the need of having CISOs and CIOs as board members,
which would have seemed in 2010 as science fiction.
End quote.
And there's been a rise in understanding of the attack surface the Internet of Things presents.
Greater awareness also seems responsible for the eclipse of hacktivism. It's been a long time since Anonymous,
to take one prominent example, has been relevant. Next up, law enforcement is getting better.
Better, of course, doesn't mean infallible, but it's difficult not to appreciate the growth in
the attention, capabilities, and resources law enforcement agencies have devoted to investigating, stopping, and prosecuting cybercrime. They've also seen
success in taking down online criminal markets, including Silk Road, Silk Road 2, AlphaBay,
Hansa, and Wall Street Market. Also on their list, it's getting harder to become a fraudster.
This is the one prediction that hasn't been borne out.
The criminals react, and the increasing commodification of attack tools,
the growth of affiliate schemes, more sophisticated and plausible social engineering,
and the resilience of criminal-to-criminal markets, sometimes abetted by state actors,
have combined to keep fraud thriving.
So, as Meat Loaf would put it, two out of three ain't bad.
Now don't be sad, 'cause two out of three ain't bad.
We'll see you next time.
faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it
comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies
like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives
are compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
Many lists of predictions for the coming year include the cybersecurity skills gap
as a continuing issue for the industry.
But is it?
Neal Dennis is a senior intel analyst with Cyware,
and he has his doubts.
There's an unfortunate focus, I think, on how they
approach the training and how they look at what they're doing with the people that they currently
have on staff. We do see an uptick. So to be fair, before I go down this rabbit hole, there is an
uptick in companies that are understanding that they need to help with this supposed gap, right?
There's a decent amount of people coming online that know they need to take
the time to train, provide for, and hopefully maintain their current staff instead of having
them leave every six months and having to find new people. But that being said, the vast majority,
if they have anything, it's at the most, it might be a tuition reimbursement kind of concept.
And it doesn't really give that person who's spending 45 plus, maybe 60 hours a
week in that security environment already overworked, it doesn't provide for them with the actual
support to go out and take advantage of that fund, right? They make them take their own time off.
They make them, you know, under the old auspice, if you really want to do it, you'll show interest in it and utilize your own personal time to make yourself better for the company.
And maybe 15, 20 years ago, that was a good way to do it.
But with how exhausting and how overworked these people are to begin with, those two weeks of PTO they might get are going to be spent on actual PTO.
Only a very small group of people are going to go home after being burnt out all day and pick up a computer
and go read on how to be better at that role.
It's just a lot of people get in, especially in a SOC environment.
They see it, they want to be done with it when they go home,
play some video games, maybe have too many things to drink and be done.
What about sort of looking within, you know,
that you might have folks in other areas of your company
who already know the company culture, they may know all the players.
It seems to me like they'd be good candidates to cross-train
and you could get them up to speed maybe quickly.
Oh, definitely.
And we kind of see this a little bit with IT staff, like the actual cable
pullers and the install guys who come to put your desktop in and run cables and do the network
engineering stuff. We do kind of see a little bit of that where those individuals kind of try to
cross-train in. Some companies support that to varying degrees, but from a cultural perspective,
that's a great point. There's an unintentional barrier, I think, around perception that cybersecurity as a whole is
something hard to get into. And in reality, the right persona, and it doesn't take a whole lot,
for a couple of grand that the company could put out there for someone to go get something as basic
as like security plus. And for a couple of
grand in a week, you could take someone who was sitting in accounting and have them now be able
to come in in a kind of junior slash almost intern perception role into the cybersecurity org. And
as long as you continue to invest in that person and pay attention to the fact that they're new,
they're going to need some coaching, some couching in through all this stuff.
You can have some really good homegrown people in your org
come over to the cybersecurity side of the house.
But you have to break down those barriers to entry.
You have to break down the walls and the perception that this is hard to do.
And just, you know, put a couple of bucks out there on the table
and help motivate your team to do this.
That's Neal Dennis from Cyware.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a
default-deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security.
Also my co-host on the Caveat podcast.
Ben, great to talk to you.
Good to be with you again, Dave.
This is an interesting one from Reuters. And the title of the article is "Wearing Someone Else's Face:
Hyper-Realistic Masks to Go on Sale in Japan, of Course."
Describe to us what's going on here.
So first of all, you have to, anybody listening to this has to actually go to the article and see the pictures here.
These masks are incredibly creepy in how realistic they are in terms of portraying somebody else's face.
So this is just kind of an entrepreneur, owner of a mask shop. His name is Shuhei Okawara,
and he is crafting masks that are based off real people's faces. They're intended to provide the
same sort of protection as a standard mask to protect against COVID. It's quite an
addition to the type of mask entrepreneurship that we've seen over the past nine months.
These are not going to be cheap. To purchase one of these hyper-realistic masks, you would have to
pay 98,000 yen, which isn't as much as it seems. It's about $950. It's still a very hefty price for a mask.
I was able to get six masks for $5 at the convenience store.
but the point of these is
that you can disguise yourself
and make yourself into a different person entirely
and that's why the demand for these masks so far has been
surprisingly strong. What's interesting in our context is
how would this work with something like facial recognition? What I want to know
is, is Mr. Okawara good enough at crafting these
masks that it could trick a facial recognition system?
Having seen these pictures, my prediction is yes, he probably could.
But I am not entirely sure about that.
Yeah, yeah.
I mean, these are, so what he did was he chose a model
and he paid the model to use their likeness
to make this hyper-realistic mask.
And now he's made several different versions since his initial one.
So the interesting thing here is
if I'm walking down the street
and I have this mask on that, as we say,
is a hyper-realistic version of that model,
am I going to get tagged as that person
while I'm walking down the street?
Is it realistic enough?
And boy, it's hard to think that
it's not. Yeah. I mean, it's one of those things where you have to see it to believe it. But if
you look at the pictures, I mean, just the finite details in terms of like facial marks, freckles,
like the sculpting and shape of the eyebrows and the nose. Like it's something that is, you know,
to be honest, going to give me nightmares
in terms of how realistic it is.
But you know what?
I mean, you and I have talked about this on Caveat
and maybe here,
and this was certainly in the pre-pandemic days
about whether or not it's legal
to simply walk down the street wearing a mask or not.
And it's not always, pre-COVID,
it was not always legal to walk down the street
wearing a mask to hide your identity. No, it's not. I mean, I don't think this is something where
there's, A, it's not going to be a broad problem because, you know, even in Japan, we're still
talking about a limited number of these masks that are getting sold, although demand is particularly
high. So, but yeah, there are some regulations and laws
about concealing yourself in public.
I'm curious as facial recognition develops
and becomes more accurate,
whether we're going to have laws that prevent
this type of behavior,
where the purpose of a face covering
is to disguise your facial features
to evade detection from a facial recognition system.
So you'd have to add sort of a criminal intent requirement
to that type of statute where you are actually purposefully
changing the contours of your face to avoid detection.
And maybe this is kind of the first salvo in that battle.
Yeah, I don't know.
I mean, talk about your slippery slope here.
Because, you know,
what if I wear loose-fitting clothes
to hide my physique?
Or what if I wear uncomfortable shoes
to hide my gait?
You know, what if I put on a false mustache
or beard or a wig or, you know,
like you can see where you can-
I've got Joe Mark's eyeglasses and mustache.
Yeah, if you start legislating,
yes, I suppose putting a facial covering on that looks like a different person is a little different than those things.
But is it? Is it really?
I guess the root of what we're talking about here is, is it within our right to try to protect our privacy against automated facial recognition scanning?
That's the crux of the question.
It is, and I don't know.
I think the slippery slope is a problem
to the extent that I don't know
that we can properly answer that question at this point.
Because as you say, you know,
these masks are highly accurate, disturbingly accurate.
But if you start to outlaw masks like this,
you know, what happens to less accurate disguises?
Or somebody who likes to put on a lot of makeup that might conceal
some of their facial features.
Or face coverings in a non-COVID era for people who just want to protect
themselves from the cold or something.
I mean, you've been known to do that.
So yeah, I mean, I don't think we're at the point yet where we're going to start to criminalize this type of behavior,
probably because of these exact reasons.
Yeah, yeah.
All right, well, it's an interesting development.
It's one of those fun stories that I think leads
to some more interesting issues and conversations.
So for that, I'm thankful for this coverage.
Absolutely. And make sure you check out these pictures because they are a sight to be seen.
All right. Well, Ben Yelin, thanks for joining us.
Thank you. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
Save you time and keep you informed.
Don't delay and buy today.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Guru Prakash,
Stefan Vaziri, Kelsey Bong,
Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yelin, Nick Volecki,
Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Ivan,
Rick Howard, Peter Kilpie, and I'm
Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.