CyberWire Daily - No major threats showed up in yesterday’s US elections, so now we can start thinking about the risk during the holidays.
Episode Date: November 8, 2023

CISA claims "No credible threats" to yesterday's US elections. Criminals seek to profit from the .ai top level domain. A Singapore resort sustains a cyberattack. A look ahead at holiday cyber threats. A major Chinese cyberespionage effort against Cambodia. The four cyber phases of a hybrid war. Robert M. Lee from Dragos explains how outside forces affect OT and critical infrastructure security. Our guest is Dan Neault of Imperva sharing how organizations are behind the eight-ball when relying upon real-time analytics. Cyber and electronic threats to space systems.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/214

Selected reading.
CISA Sees Smooth Election Day Operations, No 'Credible' Threats (Meritalk)
The rise of .ai: cyber criminals (and Anguilla) look to profit (Netcraft)
Singapore's Marina Bay Sands Says It Was Hit in Data Breach (Bloomberg)
Marina Bay Sands discloses data breach impacting 665,000 customers (BleepingComputer)
Personal data of 665,000 Marina Bay Sands lifestyle rewards members accessed in data security breach (CNA)
Report Examines Cyber Threat Trends Facing Retail and Hospitality This Holiday Season (RH-ISAC)
Chinese APT Targeting Cambodian Government (Unit 42)
Chinese cyberspies have widely penetrated networks of ally Cambodia (Washington Post)
Cyber Escalation in Modern Conflict: Exploring Four Possible Phases of the Digital Battlefield (Flashpoint)
Cyber Security of Space Systems 'Crucial,' As US Space Force Official Notes Recent Attacks (Via Satellite)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.
CISA claims no credible threats to yesterday's U.S. elections.
Criminals seek to profit from the .ai top-level domain.
A Singapore resort sustains a cyber attack.
A look ahead at holiday cyber threats.
A major Chinese cyber espionage effort against Cambodia.
The four cyber phases of a hybrid war.
Robert M. Lee from Dragos explains how outside forces affect OT and critical infrastructure security.
Our guest is Dan Neault from Imperva, sharing how organizations may be behind the eight ball when relying on real-time analytics. And cyber and electronic threats to space systems.
I'm Dave Bittner with your CyberWire intel briefing.
U.S. off-year elections.
CISA said yesterday that we continue to see no specific or credible threats to election infrastructure.
So the cyber threats against which election authorities prepared the voting seem to have, for the most part, been no-shows.
Cybercriminals are increasingly registering .ai domains for use in phishing attacks, researchers at Netcraft warn.
.ai is the country code top-level domain for the British Overseas Territory of Anguilla and is used by many legitimate companies associated with AI technology. Malicious use of the domain has spiked following the release of ChatGPT and other AI tools over the past year.
The researchers say it's worth noting that .ai domains are much more expensive than other domains: a .ai domain costs around $60, compared to $10 for a .zip domain or a .com.
We suspect that criminals believe that the implied legitimacy of .ai domains is worth the extra cost, as there is a notable proportion of purpose-registered .ai sites, particularly for cryptocurrency investment scams.
Singapore's Marina Bay Sands Resort has disclosed a data breach that affected the personal information
of 665,000 customers, CNA reports. The breach data belonged to non-casino rewards program members
and included names, email addresses, mobile phone numbers,
phone numbers, countries of residence, and membership numbers and tiers. The incident
occurred on October 19th and 20th of 2023. The company said in a statement,
we will be reaching out to Sands Lifestyle Loyalty Program members and sincerely apologize for the
inconvenience caused by this incident.
We have reported it to the relevant authorities in Singapore and other countries
where applicable and are working with them in their inquiries into the issue.
The incident has attracted notice because of the obvious comparison it bears to October's breaches
at MGM Resorts and Caesars Entertainment. The obvious dissimilarity is that the attack on Marina Bay Sands
apparently affected the non-casino side of the business.
We don't want to contribute to holiday creep, but it's actually probably worth thinking in advance about the risks that Thanksgiving, Hanukkah, Christmas, and the New Year will present those who do business online.
Yesterday, the RH-ISAC issued its 2023 Holiday Season Cyber Threat Trends Report.
The report outlines the threat landscape for the retail and hospitality sectors during the holiday season, which is typically the busiest time of the year for consumer-facing industries.
Credential harvesting, phishing, and imposter domains are expected to be the most common criminal tactics in cyberspace.
RH-ISAC members report increased attention to the details of specific threats, closer engagement with customer service, and increased cooperation with other organizations in the sector as they prepare for the holiday season.
They're seeing an increase in imposter websites, and they see smaller, scrappier criminal attempts as threat actors cope with defenses that have grown more alert and resourceful.
We'll be hearing more from our colleagues at RH-ISAC in future podcasts.
Palo Alto Networks' Unit 42 has found two major Chinese APTs engaged in cyber espionage against Cambodia.
They've hit at least 20 government and industry organizations in that country in what appears to be a long-term collection effort.
Cambodia and China enjoy generally good diplomatic and economic relations, but that's irrelevant to China's choice of targets.
Beijing's long-range goal is an enhanced naval presence in the waters off Southeast Asia,
and the intelligence being gathered is designed to support that end.
Friendly or not, Beijing wants those Cambodian port facilities.
Analysts at Flashpoint, looking at both Russia's war against Ukraine and the war unleashed by Hamas's assault on Israel, concluded that cyber operations in any hybrid war are likely to fall into four conceptually distinct, albeit temporally overlapping, phases.
They describe Phase 1 as an increase in scale and impact of attacks. In this initial phase, attacks increase in scope, evolving from hashtags to defacements to DDoS attacks.
Phase 2 is expanded targeting and more sophisticated attacks, including the emergence of state-linked proxy cyber threat actors who typically bring about more sophisticated targeting strategies, including cyberterrorism.
Phase 3 includes ransomware operations and false flags, where ransomware groups and deceptive tactics become part of the cyber landscape, impacting virtual and physical infrastructures as well as public perception.
Phase 4 includes coordination with kinetic operations, impacting not only virtual but also physical aspects of the armed conflict.
Of these four phases, the fourth has been least in evidence in both of the present wars. Wiper attacks have represented the closest approach to effective targeting coordinated with operations on the ground. Among these, only the Russian attacks on Viasat networks in the opening hours of the invasion have had tactical effect, and even that effect was short-lived.
Far more prominent have been the other three phases, and it's noteworthy that all of these involve deniable auxiliaries, false flag operations, privateering, and co-opted criminal activity. None of these lend themselves to the sort of combined arms coordination historically seen with traditional electronic warfare.
The U.S. Space Force sees the cybersecurity of space systems as crucial to mission capability.
Via Satellite quotes Colonel Richard Neisley, senior materiel leader of the Space Force's Commercial Space Office,
as saying,
The U.S. and our allied forces must now contend with growing threats from satellite
link interceptions. It's interesting that he sees the threat as representing a convergence of both
electronic and cyber attacks. He states, this results from advanced jamming techniques and
illegal satellite uplinks. Our operations are hindered by compromised communication integrity
and potential data breaches.
So, that convergence of electronic and cyber attack can be expected to continue.
Coming up after the break, Robert M. Lee from Dragos explains how outside forces affect OT and critical infrastructure security.
Our guest is Dan Neault from Imperva, sharing how organizations are behind the eight ball when relying on real-time analytics.
Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous
visibility into their controls with Vanta. Here's the gist. Vanta brings automation to
evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home
networks, and connected lives. Because when executives are compromised at home, your company
is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Dan Neault is Senior Vice President and General Manager of Data Security at Imperva.
I spoke with him about the challenges facing organizations when it comes to real-time analytics
and the potential advantages of predictive analytics.
In today's threat environment, a real-time alert to something that seems to be malicious,
well, that isn't enough, and real-time isn't even fast enough.
And the trick here is that by the time
something that is seemingly malicious is detected
and a real-time alert is triggered,
the attack is likely happening.
The barn door is open.
And that puts security teams in a reactive position,
scrambling to validate it
and then scrambling to contain the attack.
So while having real-time information is important, I guess I'm going to say necessary, it's probably not sufficient.
You can't rely on reactive technology when you want to stop these advanced attackers.
Instead, teams need to focus on predictive analytics that can ID the attackers before they get to the data and stop the incident before it even happens.
Well, help me understand here. When you say predictive, are we searching for potential
vulnerabilities here? What exactly is going on?
Well, these activities that will happen,
they're not mysterious in the sense that cyber criminals today will come in,
they'll disguise their signatures,
they'll make it harder to identify what's happening,
and then you have very limited time to react.
And in the past, you might have had days or weeks. Now you might have minutes.
The time to respond to one of these attacks is measured now maybe in minutes. And in the past,
it might have been days or weeks. And you have limited time before it's just really too late
to do anything, and then it's all mopping up. And there might even be a real-time alert, but somebody's looking at it.
But what's possible now, using modern technology, is to be proactive and predictive. And, you know, in the olden days, like 10 years ago, you might have just used algorithms to take a look at things.
But the modern way to do it is machine learning, the part of artificial intelligence that's machine learning.
So from a practical point of view, what does this mean to an organization?
You know, for the folks who are responsible for security, how does this change their day-to-day?
Let me give an example in the form of a metaphor, and then I'll come back to how it can change their day-to-day.
Visualize this like you would physical security. Let's pretend you're a bank, and let's say you have cameras in the back focused on the safe for the back office.
Well, they might catch an intruder. If you only have cameras there, that's a problem. But if you have cameras elsewhere, you'd see them sooner.
If you had cameras, you could see them wandering around saying, hey, that person is doing a behavior that looks a little different.
I haven't seen that behavior before, or I have seen that kind of behavior, and I know what it means.
You might be able to look at them before they even enter the building and say, you know, something doesn't look right there.
Now, stepping away from the metaphor, in today's world, data is king. And especially as
the cost of storage goes way down, businesses are keeping more and more around. So using the
physical security metaphor, you can't put cameras everywhere that you should.
With all of this data being generated, it's impractical to do the discovery and classification on a subset of it instead of looking at all of the data. And what I mean by that is,
if you consider protecting your valuable data from your invention, from your planning, your execution,
you can monitor all of that data using machine learning that looks at the monitors of all that data
and then say, huh, I've never seen anything like that before.
I've never seen that kind of an activity on the data.
And the sheer fact that it's different enough allows you, first of all,
to baseline against a trained model
that's established in other companies.
But you can also just look at your own trained data.
You can say,
I've never had someone in that department
do that kind of a search.
I've never seen a search like that.
And all of this happens
well before any action would happen.
So think of it as the camera outside the building or the camera in the lobby, not the camera on the safe.
So what are your recommendations then?
I mean, for organizations who are intrigued by this and want to see if it's a good match for them, what's the best pathway?
Well, what I would encourage organizations to do is to change the way they think about data protection.
Rather than just look at the small subset of high-value known business-critical data, use AI and specifically machine learning tools to monitor user and app activity across the entire data environment.
ML is ideal, so we're fortunate to have it, because it's all but limitless in scale.
It doesn't get fatigued or distracted, and it always gets smarter.
Because then it can establish a baseline
of normal activity
and at the same time
highlight anything that goes outside that
for high judgment people to take a look at.
Because in this way, we can have people do what people do best, design these systems,
and then be high judgment looking at the alerts, and then have the computers take a look
statistically about, huh, this is different. Not quite sure why this is different, but it's
different. Human, go take a look at it and tell me if there's something going on before the breach ever happens or before the access even
happens.
That's Dan Neault from Imperva.
And it is always my pleasure to welcome back to the show Robert M. Lee. He is the CEO at Dragos.
Rob, I have been seeing a lot of these news stories about record-breaking heat waves,
and that brought to mind the question of how that affects folks in the critical infrastructure world when you have these
outside forces and perhaps to a degree that they have not seen these sorts of outside forces.
How does that affect an approach to security? To a massive level, it impacts the facilities
and those companies. I'll kind of weave it into security. But even before we talk about security,
when you have extreme weather events, extreme cold or extreme hot, especially if it's continual for any amount of time,
your operating parameters change.
And those operating parameters can mean everything from
I can no longer operate.
Like maybe I've got, you know, what we saw in Texas
where there's certain facilities that were so cold
that they basically froze portions of their generating capability
or couldn't do like wind and solar
to be able to generate the electricity
that they needed for the grid there. Or I might have such high heat that technically I could
operate the gas turbine as an example, but the heat exchange is going to be so insane that the
price to actually operate it is just cost prohibitive of I'm no longer efficiently
generating electricity there. Then you take it
into other sectors. If it is so hot that the trucks can't get into the manufacturing bay
or sit there on the tarmac of sorts, the pavement very long because then the tires start melting
against it. It's just anything you can think of from logistics to generating electricity to
the change of the physical
environment has on the physics for how we're doing wastewater treatment facilities or the rate that
a product will move through a pipeline. All of these things can have huge impacts. And our asset
owners and operators are very good about operating through weather events that they've been able to
plan for, but ones that they're either not able to plan for or not allowed to resource against
because it's such a far-off issue,
then we shouldn't be surprised
when our infrastructure sort of hits challenges.
I think that's some of the irony about the Texas incident
and the cold weather event they had
and ERCOT and all that.
There was some of those utilities
that went to the Public Utilities Commission
years before that and said,
hey, we really need to winterize our generation
equipment. And the Public Utility Commission
was like, what are you talking about? It's Texas.
It's warm, baby. Woo!
The utilities were like, dude, look at the NERC
weather forecasting guidance.
Look at what the DOE is saying.
We can start having any of these extreme weather events, and we need
to take care of this. And they looked at it like,
that's too expensive. It'll raise the rates
of the utilities bill, and people generally don't like to do that. So they said that you're being silly,
let's not worry about it. And then it happens. And they were like, electric utilities, how could
you let us down? And it's like, they literally are publicly regulated, man. Like they can't do
what they're... Yeah. So anyways, it's just a complex. I'm not saying everybody was like that,
but there's definitely examples of it. So long story short,
weather events can impact more often anyways, our electric system and manufacturing environments and everything than anything else. And these extreme weather events are hard to plan for.
I mean, it will ultimately mean making things much more costly. I mean, even just weather events in
terms of having more fires. Now you're talking about fires in California and elsewhere where
that impacts the transmission lines.
Or maybe you can't run that transmission line now
because it's right in the middle of a forest fire.
So huge impacts.
Now the security tie-in,
I mean, anytime you've got an operating window
or anytime you've got an already overtaxed system,
any additional complexities, downtime, et cetera,
just exacerbates the issues.
And in some cases, may not even be recoverable
in the ways that we want to.
So I don't think that there's a
bad guys strike more when there's heat.
I don't think there's a direct security tie-in of sorts.
But I think it just elevates the necessity of security
on these operational environments,
especially that if we're already constrained,
the last thing we need is additional disruption.
How do we encourage a culture of being proactive rather than reactive?
Resourcing and requirements. Outside of my role at Dragos, not affiliated, whatever else,
not a paid position, all sorts of legal language. I sit as the vice chair of Grid and Resilience
National Security Committee on the Electricity Advisory Committee. So technically I'm a DOE government employee,
kind of in an advisory position.
And what's been interesting to me,
and not speaking on behalf of the DOE at all here,
but what's been interesting to me,
and it makes sense,
but in all these meetings,
there'll be, we need this and we need that
and we need to modernize the grid
and we want green energy everywhere
and we want this and that and weather events
and resilience against this and resilience against that.
And if you go and bring in
the utilities, they'll all go,
yeah, we agree. We've been saying
the same thing. But the question is,
who's paying for it? And
what are your priorities? What are the
requirements you want? Okay, well, we want more
green energy. Cool. We're also going to need transmission
right-of-ways then to actually be able to connect
all this stuff up. Ooh, yeah, no.
That's a messy business building new transmission lines
and we need 20 or 30 years to do that.
But you need to be mostly transferred over to green energy next year.
It's like, I just told you I'd be willing to do it,
but I need this to make it happen.
And I think people misunderstand how often that happens.
And I like our policymakers and government officials
and many of them doing a phenomenal job,
but it's so easy to throw the asset owners
and operators on the bus when most of the time
it's government's just got to set requirements
and talk about where it's getting resourced.
I think Mark Gabriel came to the SANS ICS Summit
and gave a keynote.
He's the CEO of United Power.
He was the CEO of WAPA before that,
a huge transmission government-owned company.
One of the more experienced electric utility guys
in that leadership level.
And his quote, I just,
oh, God, it was phenomenal.
And he's like, look, the power,
like electric power is governed
by the laws of man,
but electrons are governed by the laws
of physics. And those two things
don't often meet. And I think
that's where people are
really, really confused. Why can't we be more
proactive? We want to be. The industry would love to be proactive on these topics. That industry
executive at that electric company is going to be there longer than the politician talking about it,
promise you. They want to do it. They live and work in the communities they serve.
But who is paying for it? Who's allowing it? Because a lot of times, especially in industrial
projects, it's heavily regulated.
And what are your actual requirements and priorities so we can focus on the ones that you actually really want?
And I find that that is, yeah, constantly headbanging against the desk kind of conversations.
All right.
Well, interesting insights.
Robert M. Lee is CEO at Dragos.
Rob, thanks so much for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, ... data and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
... anywhere, anytime. Police have warned the protesters repeatedly, get back.
CBC News brings the story to you live.
Hundreds of wildfires are burning.
Be the first to know what's going on
and what that means for you and for Canada.
This situation has changed very quickly.
Helping make sense of the world when it matters most.
Stay in the know.
Download the free CBC News app
or visit cbcnews.ca.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and
insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence
routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Trey Hester with original music by Elliott Peltzman. The show was written by
our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.