CyberWire Daily - Cyberattacks with kinetic consequences. Thunderspy and evil maids. Developing background to the US bulk power security executive order. Conspiracy theories and the culture of social media.
Episode Date: May 11, 2020
A cyberattack with kinetic effect. Shiny Hunters post more stolen wares online. Thunderspy and evil maids. Some developing background to the US bulk power state-of-emergency Executive Order. Contact tracing apps: reliability, privacy, security, familiarity, and rates of adoption all raise questions. The economic consequences of the pandemic emergency. Caleb Barlow from CynergisTek on Alan Brunacini's concept of an Incident Action Plan, our guest is James Yeager from CrowdStrike on their Global Threat Report. And the reappearance of the yellow press in social media. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/May/CyberWire_2020_05_11.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A cyber attack with kinetic effect.
ShinyHunters post more stolen wares online.
Thunderspy and evil maids.
Some developing background to the U.S. bulk power state of emergency executive order.
Contact tracing apps: reliability, privacy, security, familiarity, and rates of adoption all raise questions.
The economic consequences of the pandemic emergency
Caleb Barlow provides historical context for incident action plans
Our guest is James Yeager from CrowdStrike with results on their latest global threat report and the reappearance of the yellow press in social media.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 11th, 2020.
Israeli authorities now see the April incident that affected the country's water system as an Iranian cyberattack, The Washington Post reports,
and various unnamed sources in other nations' intelligence services have reached the same
conclusion. Axios says that an Israeli cabinet meeting last week took the matter
up. A range of defensive and retaliatory operations are under consideration, but these are being
balanced against the risk of escalation. An attack on water distribution systems is especially
troubling since it aims at producing kinetic disruption of a system that broadly supports
ordinary daily civilian life.
The ShinyHunters gang has continued to post stolen data for sale on the dark web,
according to Bleeping Computer. The databases so far on offer contain 73.2 million user records stolen from 11 different companies. More are probably on the way. The companies whose data have so far been exposed
include Tokopedia, HomeChef, Bhinneka, Minted, StyleShare, Ggumim, Mindful, Star Tribune,
Chatbooks, The Chronicle of Higher Education, and Zoosk. The Eindhoven University of Technology
has issued a report on a new vulnerability, Thunderspy. PCs manufactured
before 2019 that use the Thunderbolt connection are affected, The Verge reports. Exploitation
requires physical access to the device and an effectively executed evil maid attack. That is,
someone with unsupervised access to the device could compromise it rapidly. Remote exploitation is not regarded as a realistic
possibility. A U.S. Department of Commerce Section 232 investigation that followed issuance of
Executive Order 13920, securing the United States' bulk power system, suggests that concerns the
executive order addressed may amount to more than a priori possibilities. Commerce is considering
national security grounds for extending tariffs on steel to cover material used in fabricating
transformer cores. Control Global cites sources who say acceptance testing found hardware back
doors in, quote, a very large bulk transmission transformer from China, end quote. Thus, the
Department of Commerce will determine whether national security requires tariffs to support a domestic transformer industry.
The presence of hardware backdoors in imported equipment, if confirmed, would seem to move the executive order away from a play in Sino-American trade competition and clearly into the realm of national security.
An essay in Foreign Policy describes how Germany's push to deploy a contact tracing app has flagged.
A symptom-tracking app produced by the Robert Koch Institute achieved gratifyingly high rates of initial voluntary adoption before falling from favor after researchers belonging
to the Chaos Computer Club, an association of independent researchers,
reported that the app ran large quantities of private data
through centralized servers and data repositories.
The German-led Pan-European Privacy-Preserving Proximity Tracing Initiative
was also initially well-received, but it too fell out of favor
after a mid-April open letter from a group of scientists and researchers
made a general criticism of contact tracing apps and their susceptibility to mission creep
against the background of European privacy rules.
The current position is to default to decentralized exposure notification systems
like those jointly developed by Apple and Google.
So there's a dilemma.
The original domestic systems touched
national sensitivities about surveillance grounded in the experience of both the National Socialist
period and the more recent East German Communist system of social control by the Stasi. And
defaulting to Apple and Google is seen by many as handing tech leadership over to foreign companies.
The security research team at CrowdStrike recently released the latest edition of their global threat report.
James Yeager is vice president, public sector at CrowdStrike, and he joins us with their findings.
Yeah, so there's a number of significant trends that we can highlight from this past year's report.
I think one of the first things to point out is a shifting threat landscape of malware
versus malware-free originated attacks. And the trend towards malware-free tactics has accelerated
over the past year with malware-free attacks finally surpassing the volume of malware attacks
in an exponential way. So in 2019, 51% of the attacks used a malware-free technique compared to 40%
of the attacks being malware-free in 2018. So pretty significant rise there.
And what does that mean, malware-free? What falls into that category?
Right. So the TTP is going to be using lateral movement, living off the land techniques, using known systems, applications, and processes versus having a payload be predominantly delivered by malware only.
What are the takeaways from this year's global threat report?
What are the things you want people to learn from it?
Yeah, so I do think that we should take a step back from a security policy development perspective.
A lot of security, you probably heard the term, a lot of security attention is being shifted towards hygiene, and rightfully so.
So some basics, like making sure that two-factor authentication should be established as a baseline for all users.
Today's attackers have proven to be adept at accessing and using valid credentials,
quickly leading to deeper compromise. And then the other thing to do is really try and figure out
how you can employ speed, right? Because speed is a highly coveted asset in cyber and the adversaries
have it, they harvest it, they gain it, they leverage it. And it's a major disadvantage for our defenders.
Right. So we are encouraging our protectors to find ways that they can be more proactive and hunt to not always be on their heels and playing that game of whack-a-mole.
And one of the concepts that we're urging organizations to pursue and a model that we want them to develop is the 1-10-60 rule. If you're
unfamiliar, it's a model that effectively allows cyber defenders to combat the most sophisticated
cyber threats. And the construct is built this way. So the one stands for one minute to detect
intrusions. The 10 stands for 10 minutes or less to investigate and fully
understand the full depth and breadth of the threat. And the 60 stands for contain and eliminate
the adversary from the environment with confidence. And so it's a high benchmark, right? But in today's
day and age for cyber, we should be ambitious, right? Our standards of excellence and performance
for defending our nation's most precious assets should be very high.
And so we're asking all of our customers to try and develop their security program around that model.
That's James Yeager from CrowdStrike.
In the U.S., state and federal public health agencies have been reluctant to adopt too many technological adjuncts to the traditional contact tracing practiced during epidemics.
The states, Wired reports, have shown divergent willingness to automate contact tracing,
with Utah being most interested in doing so,
but with New York, California, and Massachusetts having turned down offers of automated tools.
These decisions seem to be based more on varying judgments of effectiveness
than on concerns about privacy or security.
Manual analog approaches are familiar and proven.
Automated contact tracing is not.
The British government is considering requiring people to install two contact tracing apps
before they're permitted to cross the border between Northern Ireland and the Republic of Ireland, the Telegraph reports.
One is the app developed by the UK's NHSX, the other an app under development in the Republic.
And finally, for all their efforts at deplatforming conspiracy theorists,
the ability of social media accounts to monetize their content by maximizing clicks, views, and other engagement
has outrun the ability of the social media to moderate content and exclude fringe theories
from their services. MIT Technology Review sees conspiracy theories as being especially
deeply rooted in YouTube culture, and that culture is above all one of speed. One video
that pushed an anti-vaccine line was posted on a Tuesday afternoon
and was taken down Thursday morning for violating the platform's policy against medical misinformation.
But in less than two days, it accumulated more than a million views.
So various social media seem to be repeating the successful history of yellow journalism.
A 19th-century publisher might quickly come to feel at home on YouTube.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals
to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive
protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Caleb Barlow. He is the CEO at CynergisTek. Caleb, it's always great
to have you back. We wanted to talk today about incident action plans. You have some specific things you want to cover there.
What do you have to share with us today?
Well, so first of all, Dave, this really serves as an introduction to one of my heroes,
who I think most people in the security industry have probably never heard of,
but probably want to learn a lot about, a guy named Alan Brunacini.
So Alan Brunacini was the chief of the Phoenix
Fire Department. And he's, if you ever spend any time in fire or EMS, and I actually grew up in
that world, this guy is a god. And he is the original father of the incident command system.
And interestingly enough, I'm guessing, and I never met the man,
but I'm guessing he probably didn't know a whole lot about cybersecurity.
But some of the things he thought about and taught have directly parlayed
into a lot of the things we're trying to do in responding to cybersecurity incidents.
Well, fill us in on some of the details here.
Okay, so he founded
this concept called the Incident Command System, and we're not going to go into a lot of detail
on that in today's podcast. Maybe we'll pick up that at another date. I want to talk specifically
about one of his things called an Incident Action Plan. But before we do that, we've got to at least
give you a little bit of a broad brush of why the incident command system is so unique and why it really matters with cybersecurity.
So the incident command system is all about putting together an organized system of roles, responsibilities, and operating procedures used to manage an emergency incident.
And it's tactical by definition.
In other words, it's an org structure when you're in a crisis.
And Alan Brunacini came up with this idea when he was dealing with these large wildfires
that were spreading across Arizona and California,
and he needed to coordinate a response
between lots of different cities, towns, and across
two states. And who's in charge? Who's going to make decisions? And how are you going to process
through it? Now, why this is so important in today's world is think about what we're all
dealing with as we deal with coronavirus, right? Where, hey, we may need to respond to a cybersecurity
incident. Who's going to be in
charge? Who's available? Everybody's at home. Who's not sick and can help? And how does that
command and control roll from one person to the next? So that's what Alan Brunacini pioneered.
And these concepts of the incident command system are used everywhere. They're used in governments,
they're used in the military, and it's all about how you get organized in a crisis.
So what are some of the specific lessons that resonate with you?
Well, one of the things he came up with is this concept called an incident action plan. And
remember, in any time you're responding to a crisis, this is really about management by objectives. He came
up with this concept called an incident action plan or an IAP. And what it does is it lays out
a series of events and phases that a response needs to go through. So if I think about how
would I write an incident action plan for cybersecurity as an example? Well, think
about our response to, you know, kind of your typical malware infestation. You need to prepare
for that ahead of time. You need to identify that, you know, you've got a problem that you're
infected. You know, your SOC needs to fire on this. You need to contain it, you need to eradicate it, and then you need
to recover and ultimately go through your lessons learned. Laying out, for example, those six steps
would be a very good example of an incident action plan. And what you're going to do in that incident
action plan is you're going to talk about the tactics, you're going to commit the resources,
and you're going to get everybody rallied around executing on it.
So what do some of the elements of an incident action plan look like?
Well, so there are four principal elements of an incident action plan.
What do we want to do?
Who's responsible for doing it?
How do we communicate with each other?
And what is the procedure if someone is no longer available
to execute the plan? You know, in the case of a wildfire, that would be what happens if somebody
gets injured. In the case of a cybersecurity incident in today's world, that might be what
happens if someone comes down with coronavirus. We still need to execute the plan. And these plans,
Dave, they're typically short. They fit on one page, but the brilliancy of
it is, remember, you're working across departments, across agencies, across companies to get this IAP
executed. You know, one of the things that strikes me about the incident that we're in right now with
coronavirus is that I think it has a lot of people taking a closer look at the depth of their bench,
because I think a lot of organizations, it's sort of planned around what happens if one person gets sick?
What happens if a couple people are unavailable?
And this is a situation where it could become more serious than that.
It absolutely could. tell you, the biggest failure most people have in responding to a large-scale cybersecurity incident
is they're looking to their org structure to make decisions. You know, the CEO is not the right
person to decide when and how you need to eradicate malware on your environment, and probably also not
even the right person to decide whether you're going to pay a ransom. You really need those
things thought out ideally ahead of time,
but then you want to bring expertise to the table.
So one of the things, again,
that Alan Brunacini pioneered
is it doesn't matter what your title is.
The person in charge is the person that's most trained
in the type of response that you need,
regardless of who they work for or where they work.
And that command
and control can pass from one person to the next person to the next as more seasoned and skilled
people respond to the incident. All right. Well, some good lessons there. Caleb Barlow, thank you.
worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow. Thank you.
Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.