CyberWire Daily - CISA’s new Joint Cyber Defense Collaborative. C2C market update: Prometheus TDS and Prophet Spider. And naiveté about a gang’s reform, or optimism over signs the gang is worried?

Episode Date: August 5, 2021

CISA announces a new public-private cybersecurity initiative. Prometheus TDS and Prophet Spider take their places in the C2C market. The money points to BlackMatter being a rebranded DarkSide. Andrea Little Limbago from Interos on divergent trends of federal data privacy laws and government surveillance. Tonia Dudley from Cofense checks in from the Black Hat show floor. Our guest is Simon Maple from Snyk with a look at Cloud Native Application Security. And where some see naiveté, others see cautious optimism about putting fear in the hearts of ransomware gangs. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/150

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. CISA announces a new public-private cybersecurity initiative. Prometheus TDS and Prophet Spider take their places in the C2C market. The money points to BlackMatter being a rebranded DarkSide. Andrea Little Limbago from Interos on divergent trends of federal data privacy laws and government surveillance.
Starting point is 00:02:18 Tonia Dudley from Cofense checks in from the Black Hat show floor. Our guest is Simon Maple from Snyk with a look at cloud-native application security. And where some see naiveté, others see cautious optimism about putting fear in the hearts of ransomware gangs. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 6th, 2021. Late this morning, CISA, the U.S. Cybersecurity and Infrastructure Security Agency, issued a media advisory announcing the launch of a new Joint Cyber Defense Collaborative.
Starting point is 00:03:20 The goal of the Joint Cyber Defense Collaborative is to integrate unique cyber capabilities across multiple federal agencies, many state and local governments, and countless private sector entities to achieve shared objectives. Specifically, the new initiative is expected to, first, design and implement comprehensive whole-of-nation cyber defense plans to address risks and facilitate coordinated action. Second, share insight to shape joint understanding of challenges and opportunities for cyber defense. Third, implement coordinated defensive cyber operations to prevent and reduce impacts of cyber intrusions. And fourth, support joint exercises to improve cyber defense operations. The initial private sector partners include Amazon Web Services, AT&T, CrowdStrike, FireEye, Mandiant, Google Cloud, Lumen, Microsoft, Palo Alto Networks, and Verizon. Interagency federal partners include the Department of Justice, U.S. Cyber Command, the National Security Agency, the Department of Justice, the Federal Bureau of Investigation, and the Office of the Director of National Intelligence.
Starting point is 00:04:26 Sector risk management agencies are expected to join as the initiative expands. Group-IB describes a significant entrant into the criminal-to-criminal marketplace, the Prometheus TDS, that's Traffic Direction System, which distributes malicious files and directs victims to malicious sites. Prometheus is widely used by a surprising range of criminals, and one of the prices quoted for a subscription comes in at just $250 a month. Customers aren't just cybercriminals. Conventional fraudsters are in on it too, like the all-too-familiar spammers on behalf of sketchy Canadian pharmacies counting on doing business with Americans too gullible to see emails offering off-brand Viagra for what they are. Scams, Yankee Doodle, scams. Buyer beware. CrowdStrike late yesterday published a description of Prophet Spider, a criminal gang that's been active since 2017 at least. Active against both Windows and Linux systems, the gang
Starting point is 00:05:34 has recently been observed exploiting CVE-2020-14882 and CVE-2020-14750 to gain access to unpatched Oracle WebLogic servers, and thence to victims' environments. CrowdStrike told us through a representative that Prophet Spider is opportunistic in its choice of targets, which have included energy, financial services, manufacturing, retail, and technology companies. The gang has also been selling initial access to a variety of ransomware operators, and it may aspire to be a player in that corner of the criminal-to-criminal market. Chainalysis says that tracing money through the blockchain has enabled it to confirm that BlackMatter is indeed a rebranding of DarkSide, and not merely a newly formed group that's learned from its predecessors' best practices. So this may unravel a whopper someone claiming to represent BlackMatter has
Starting point is 00:06:32 been telling. With this year's Black Hat Conference in full swing, we've been checking in with attendees for their perspectives on the show. Today's contributor is Tonia Dudley, strategic advisor at Cofense, who shares her approach to getting the most from a conference like Black Hat. When I'm here, I really want to be in sessions where I'm going to hear what's going on and what others are observing. So for me, it's really looking at the,
Starting point is 00:07:00 first of all, starting with the keynotes, making sure that I'm there present and listening to what they have to say. And then also for, you know, as I'm going through the session list, just looking for things that are important to the phishing landscape, what could impact Cofense as a whole, and just really kind of observing what's on the horizon or what we really need to pay attention to as we design our products to help defend against the threat. How does this year compare to the last time you were there? Is the feeling similar or do things feel a little different this year?
Starting point is 00:07:32 Probably a little different with so many, you know, starting with SolarWinds and the supply chain attacks, the increase in ransomware that we've been hearing about in the news lately. So just really a little bit different atmosphere, right, as we pay attention to the impacts of what these are going to have. And then along with the executive order and what impacts that's going to drive for policy and changes in the landscape. What about beyond the show itself?
Starting point is 00:07:59 I mean, how much time do you spend at an event like this networking, attending those events that happen before and after the show? in their defenses? What are the things that they might be observing in their organization? Just to really kind of get a gauge for what's the temperature for, you know, how organizations are adapting to the threats that they're currently dealing with. Do people seem to be in good spirits? Are people seeming optimistic and like they're happy to be there? Yeah, it's funny to just watch people recognizing people that they haven't seen, you know, in a few years and being able to just kind of be in their presence. That's Tonia Dudley from Cofense. The Record reports that U.S. Deputy National Security
Starting point is 00:08:56 Advisor Anne Neuberger sees BlackMatter's policy of not hitting critical infrastructure as a hopeful sign that the U.S. message about prohibited targets is getting through. She said, quote, as we looked at that interview, we took it as evidence or perhaps as a sign that the message regarding the disruptive ransomware activity against critical infrastructure is unacceptable and we will address it. We felt that message was reflected in some of that, end quote. Neuberger's remarks have been greeted with some skepticism by NBC's Kevin Collier, for example, who regards them as reposing unwarranted trust in the word of a criminal. Collier tweeted,
Starting point is 00:09:36 A rebranded DarkSide hacker says in a single softball interview that they're avoiding critical infrastructure in their ransomware relaunch, and that's a win? End quote. Any thinking person would indeed agree with Collier that the avowals of a criminal who's already been caught in one lie are worth little. How little? Well, our classics desk says they're worth less than what Catullus thought of his girlfriend's flattery. Ah, write it on the running water, write it on the air, as that raffish Roman poet had it. And it's easy to feel his frustration. But in fairness, Neuberger's comment isn't really that naive. The goons who represented themselves
Starting point is 00:10:23 as dark matter numeros say they were acting out of self-interest, concern over government countermeasures. And Neuberger did say that the proof would be in the pudding. Fear of the long arm of the FBI or the cyber reach of NSA is a good thing. And even if the goons were insincere, well, hypocrisy is, after all, vice's tribute to virtue. So maybe the message is indeed being received by someone. Neuberger added, quote, we're looking to see the changes in addressing disruptive cyber activity over time, end quote, adding, according to The Record, that she realizes it's quite possible their interview wasn't, in fact, with an actual BlackMatter representative. We've heard that people sometimes misrepresent themselves online. Have you heard that? Our classics desk informs us that once, while hanging out in a chat room devoted to
Starting point is 00:11:17 heavyweight boxing, someone falsely claimed to be former champion Larry Holmes, but a lot of the chatters were really excited to be in proximity to the champ. So, naive but cautiously optimistic. Still, soundbite's gonna bite, which is always an issue when you talk to the media, except, of course, with us. And what was the classics desk doing chatting with the bogus Larry Holmes, you ask? Who knows? With those guys, write it on the running water, write it on the air. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:12:08 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires
Starting point is 00:12:40 done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home,
Starting point is 00:13:29 your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Security firm Snyk recently published their Cloud Native Application Security Report, highlighting security concerns from organizations
Starting point is 00:14:00 who have adopted cloud-native computing. Simon Maple is field CTO at Snyk, and he joins us with insights from the report. So beyond the cloud-native adoption being very, very strong, particularly in containers, a couple of things that struck me as very important and interesting is, first of all, the fact that security hygiene misconfigurations and known vulnerabilities were key in terms of the areas in which respondents said that they were most concerned, as well as where they have incidents today. So the survey showed misconfigurations were the biggest area of increased concern. In fact, over half of respondents stated that it's a bigger problem for them since moving from a non-cloud native platform to a cloud
Starting point is 00:14:51 native platform. And I guess that's, you know, using whether it's Docker or your cloud environments or your infrastructure as code, there being so much more configurations. Also, there was a really strong correlation between deployment automation and people being successful with cloud native adoption. So seeing automation really driving where people test, what people are testing, and also the ability to fix much, much quicker and really fix critical issues faster when you have a good automation in place. One of the things that struck me about the report was you all noted that developers are really taking responsibility for security. It's not being handed off to folks down the line. Yeah, absolutely. And it's always an interesting question when we ask, you know, who has responsibility for security? And it's kind of a very loaded question in, you know, whether any one individual role should own security. I think that, you know, there are different areas of
Starting point is 00:15:51 application development or general security that different roles will have more of a leading role in. So for example, when we think about pure application, you know, securely developing code, so secure development, there's a lot that developers need to own, right? They need to be responsible for the code they write. They need to be responsible for when they push code into repositories, whether it's Docker files, whether it's Terraform scripts, whether it's their own Java node code, whatever it is, they need to make sure that they've done the necessary tests, etc. before they're just pushing code into those repositories. So from that angle, you know,
Starting point is 00:16:35 developers should own the responsibility for that. And it's very interesting that when we asked that question, we actually did the split by respondent to see how developers and security team answers differed. And yeah, absolutely. When we asked the question of who should own cloud native app security, less than 10% of respondents in security roles believed that developers were responsible for securing those cloud native environments. And from a developer point of view, over 36% of developers stated that they were responsible. So developers are much more forthright in saying that they should own security than the security team would be at saying developers are. So based on the information that you've gathered here, what are your recommendations? What are the take-homes?
Starting point is 00:17:22 Yeah, great question. I mean, I think a lot of the take-homes are to make sure that when you are, from a security point of view, to make sure that when you look at your cloud-native applications, you're focusing on the right areas. And when we look at where the risk areas are, we need to look at where incidents, people are having incidents. That is largely around the misconfigurations, largely around known vulnerabilities
Starting point is 00:17:45 about API configurations as well. So make sure that our efforts are being put into where actual incidents occur. And of course, that's going to be different based on org to org, but we've seen that big correlation there around that security hygiene. Typically, these are not the complex issues. This is general security hygiene issues. My second area, which is a big recommendation here, is to that automation pipeline. Automation is really important and pushing security into that automation is clear as the value it provides, not just from the visibility point of view and testing regularly, but the impact that then makes on your ability to react to security issues and security incidents. So automation and putting security into that automation is key to being able to fix faster and react to security issues much, much, much, much quicker. That's Simon Maple from Snyk.
Starting point is 00:18:58 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Andrea Little Limbago. She is the Vice President of Research and Analysis at Interos.
Starting point is 00:19:57 Andrea, it's always great to have you back. You know, we've been seeing a lot of federal data privacy laws being passed, but I guess on the other side of that bit of tension, we're also seeing plenty of stories about government surveillance. Can we dig into that some? I mean, what direction are we headed here in your estimation? Yeah, I mean, so we're very much at this inflection point. I feel like I've talked about for a couple of years, but it keeps getting pushed farther and farther. And we're actually starting to see the divide starting to happen. So there are roughly 100 countries that have a data protection law now, a federal data protection law. For those who are in favor of data protection and security, that's great.
Starting point is 00:20:35 There are many other countries as well that have passed laws that just have not enacted them yet, so the number is even higher. But at the same time, some of these same countries that are passing some of these laws also have some competing forces that are also leading toward either censorship or surveillance as well. And so even if you can think about just Brazil in its recent history has passed a pretty large data protection law mirrored on the GDPR. At the same time, in the recent history, they also have censored WhatsApp and done a variety of other temporally quick censorship and surveillance issues linked back. So they don't go together. It's almost like, well, how can you have a data privacy law if there's some surveillance and censorship going on? They're just competing forces. And on the one hand, it's hard, especially when you think about for legitimate national security reasons, there may be reasons for access to certain kinds of data.
Starting point is 00:21:25 The problem is that that argument is being used for almost anything, and certainly politically it can be used for political motivations. And so we do see this push and pull going on where you do have a big push towards data privacy and protection, and that's what a lot more of the people across the globe are demanding, that kind of protection. But at the same time, governments, now that there are these tools that are out there that enable them to have easy access to data, you're trying to circumvent some of that. Even if you just think about some of the NSO tools and Pegasus and the spyware that became so accessible to so many authoritarian governments. And so even in those cases, you have some countries, Africa has over half of the African
Starting point is 00:22:03 countries, I think it's maybe 24, roughly 24-ish, have data privacy laws. But at the same time, we also see a lot of these sort of spyware tools being used across the continent as well. So it's really just competing forces going on. And I'd argue it's unclear which one will prevail. And I'd also say it's going to be a patchwork. Some are doing better than others in
Starting point is 00:22:25 different parts of the globe. What about here in the U.S.? I mean, we've seen reports even recently about, you know, watchdogs saying that our FISA courts are just sort of rubber stamping requests from the FBI, you know, those sorts of things where perhaps there needs to be some more recognition of the privacy laws or people keeping an eye on them. Who's watching the watchman, I guess? Well, that's always the question, right? And that's where the rule of law and transparency just becomes so, so, so important. Because even like Australia passed their basically what they call the anti-encryption law, I think about two years ago now. And there hasn't been a ton of transparency.
Starting point is 00:23:07 So there isn't widespread knowledge as far as how much it is being used or whether it was, you know, almost more formality for the very few cases, like the government said. And so without that transparency, it's hard to know exactly whether there needs to be the watchmen watching them. And so that, I would argue, is also where the freedom of the press becomes so very important. And so any kind of attacks on the press directly go into this. But in the United States, without a federal data privacy law, because we don't have one yet, and it would be great if at some point, with input from the private sector, we had a coherent one. In the absence of that, we're seeing a patchwork across the U.S. Virginia, where I live, just passed a data privacy law,
Starting point is 00:23:51 a fairly comprehensive one, and we're just seeing this popping up across the U.S. And so for both the government, for the federal government, but also for corporations, the United States dealing with 50-plus different data privacy laws, that's sort of the direction that we're going, is not terribly efficient. How do you keep track on any of those? Because also you get to the point where some of them
Starting point is 00:24:11 will contradict each other. Like in the data breach notification laws, some of them contradict each other from state to state. So it becomes really hard. That's where your democratic institutions have become so, so important to ensure that those exceptions are truly exceptions and that there's good accountability going along with it. All right.
Starting point is 00:24:33 Well, Andrea Little-Dumbongo, thanks for joining us. Thank you. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks. proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is
Starting point is 00:25:29 Trey Hester, Elliot Peltzman, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
