CyberWire Daily - Notes and lessons on the hybrid war. Update on Zimbra exploitation. Microsoft fixes misconfigured storage. The state of the cyber workforce. Trends in phishing and ransomware.

Episode Date: October 20, 2022

DDoS as misdirection. NSA shares lessons learned from cyber operations observed in Russia's war against Ukraine. Advice from CISA on Zimbra. A misconfigured Microsoft storage endpoint has been secured. Notes from a study on the Cybersecurity Workforce. The cost to businesses of phishing. Betsy Carmelite from Booz Allen Hamilton on managing mental health in the cyber workforce. Our guest is Ismael Valenzuela of Blackberry with insights on "The Cyber Insurance Gap". And updates to the ransomware leaderboard.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/202

Selected reading.
Bulgarian cyberattack: Sabotage as a cover for spying? (Deutsche Welle)
Bulgarian websites impacted by Killnet DDoS attack (SC Media)
Lessons From Ukraine: NSA Cyber Chief Lauds Industry Intel (Meritalk)
NSA Cybersecurity Director's Six Takeaways From the War in Ukraine (Infosecurity Magazine)
NSA cyber chief says Ukraine war is compelling more intelligence sharing with industry (CyberScoop)
Investigation Regarding Misconfigured Microsoft Storage Location (Microsoft Security Response Center)
2019 Cybersecurity Workforce Study ((ISC)²)
The Business Cost of Phishing (Ironscales)
Leading Ransomware Variants Q3 2022 (Intel471)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. DDoS as misdirection. NSA shares lessons learned from cyber operations observed in Russia's war against Ukraine. Advice from CISA on Zimbra. A misconfigured Microsoft storage endpoint has been secured. Notes from a study on the cybersecurity workforce. The cost to businesses of phishing.
Starting point is 00:02:19 Betsy Carmelite from Booz Allen Hamilton on managing mental health in the cyber workforce. Our guest is Ismael Valenzuela from BlackBerry with insights on the cyber insurance gap and updates to the ransomware leaderboard. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 20th, 2022. Deutsche Welle reports informed speculation that Killnet's recent DDoS attacks against Bulgarian government targets may have been misdirection designed to draw attention from the real Russian goal, which may have been espionage. If that's the case, the ultimate goal is probably not simply Bulgaria, but rather NATO. Compromise of Bulgarian systems could enable Russian cyber operators to pivot into the broader NATO networks to which Bulgaria
Starting point is 00:03:33 is connected. Some Russian official and semi-official discussion held that the cyber attacks against Bulgarian government sites were retaliation for Bulgarian cooperation with and participation in Ukraine's strike against the Kerch Bridge. Deutsche Welle dismisses this as easily debunked nonsense. The attackers had other fish to fry. Rob Joyce, head of the U.S. National Security Agency Cybersecurity Directorate, spoke Tuesday at the Mandiant Worldwide Information Security Exchange in Washington, D.C. He drew particular importance to information sharing by and with the private sector, CyberScoop reports. He also drew six early lessons that may be learned from the conflict so far. Meritalk summarized those lessons as follows. First, both espionage and
Starting point is 00:04:27 destructive attacks will occur in conflict. Next, industry has unique insights into these conflicts. Sensitive intelligence can make a decisive difference. You can work and develop resiliency skills. Don't try to go it alone. And you have not planned enough for the contingencies. The advice he offered the private sector came from NSA's playbook. First, harden. Invest in the basics and hardening your systems and networks. Actively defend. Take an active stance against adversaries, not a passive one.
Starting point is 00:05:01 Contest. Impose costs on malicious actors. And scale. Collaborate with industry. More lessons will emerge as the war is studied. In the meantime, Director Joyce has offered a first draft of its history. CISA has updated its advisory concerning the exploitation of several vulnerabilities in Zimbra. The update includes not only additional technical details on the malicious files being used in exploitation, but also a summary of best practices to mitigate the risk. See cisa.gov for the details. Microsoft has released the results of its investigation into a misconfigured Microsoft storage endpoint, which exposed
Starting point is 00:05:45 some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services. Microsoft has since secured the server. Microsoft, which we note in disclosure is a CyberWire partner, explained the implications of the data exposure, stating, "The business transaction data included names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner. The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability. We are working to improve our processes to further prevent this type of misconfiguration and performing additional due diligence to investigate and ensure the security
Starting point is 00:06:46 of all Microsoft endpoints." (ISC)² has released its 2022 Cybersecurity Workforce Study. The study shows that the cybersecurity workforce globally is at an all-time high, with an estimated 4.7 million professionals in the field, but data show that 3.4 million more workers are needed in the field to be effective. Three-quarters of respondents reported strong job satisfaction and feeling passionate about their work, but 70% of respondents report feeling overworked. 68% of employees that had low experience ratings have said that culture
Starting point is 00:07:26 affects their effectiveness in security incident response. Over half of workers also reported that they would switch jobs if remote no longer is an option. 64% of respondents seek out new certifications in order to grow their skills and stay current with trends in cybersecurity. 20% say that they believe that their company would raise the security budget following a breach, but only 16% say that the funding would go to more staffing. 61% of cyber professionals surveyed are concerned primarily with risks in newer technologies. Ironscales published a report this week conducted by Osterman Research that details the cost of phishing to business. The purpose of the study is said to be to investigate
Starting point is 00:08:13 direct costs borne by organizations in mitigating the phishing threat and to explore expectations about how phishing will change over the next 12 months. It's noteworthy how much of the cost of a phishing attack is imposed in terms of simple time and labor. Phishing costs to businesses are not just financial in nature, but many security and IT teams have to dedicate time to resolving phishing attempts and attacks. 70% of organizations report spending 16 to 60 minutes on each phishing email, from discovery of the email to removal. A composite IT and security professional was found by the research to cost $136,000 in salary and benefits, and the cost of a single phishing email averaged out to be just over $31, as the average time spent on a phishing
Starting point is 00:09:07 email is 27 and a half minutes. The research also found that IT and security professionals reported that phishing-related activities took up about one-third of their work time, which would equate to about $46,000 per year for the calculated composite security professional. Phishing, of course, is not going away. Most organizations expect it to increase over the coming year. Phishing has also expanded beyond email, as at least half of respondents report seeing phishing attacks in messaging apps, cloud-based file-sharing platforms, and text messaging services.
Starting point is 00:09:46 So, stay alert, stay skeptical, and stay safe. Finally, a look at the ransomware leaderboard as it shaped up during the third quarter. Intel 471 released a report today highlighting ransomware activity in the third quarter of 2022. 455 ransomware attacks were observed in this quarter, which represents a decrease of 72 over the last quarter. Ransomware continues to have a global impact. Here, in order, are the ransomware strains with the biggest criminal market share. LockBit 3.0 was found to be the most prominent ransomware variant, coming in at 192 detected breaches. Professional services, consulting, and manufacturing were found to be the most impacted industries by LockBit. LockBit's builder was leaked on Twitter in September of this year,
Starting point is 00:10:38 and it's possible that a decrease will be observed in LockBit use in the fourth quarter. The BlackBasta ransomware placed second. It was used against 50 organizations this past quarter. Consumer and industrial products were the most targeted industry by the ransomware, and the U.S. accounted for 62% of all attacks. This ransomware took Conti's spot as the second most observed ransomware following its dissolution. 42 attacks were seen by the Hive ransomware group in the third quarter, and they most impacted the U.S. and U.K.
Starting point is 00:11:14 Consumer and industrial products were the most affected sector by this ransomware. In August of this year, an alleged Hive threat actor revealed phishing emails are the initial attack vector. ALPHV ransomware was observed in use in 30 incidents this quarter. Real estate and professional services and consulting were the most impacted sectors. In September, the supposed leader of the ALPHV ransomware as a service affiliate program claimed the group targeted many systems of critical infrastructure. Coming up after the break, Betsy Carmelite from Booz Allen Hamilton
Starting point is 00:11:57 on managing mental health in the cyber workforce. Our guest is Ismael Valenzuela of BlackBerry with insights on the cybersecurity insurance gap. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:12:35 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:13:04 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:13:52 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. BlackBerry recently published a report titled, The Cyber Insurance Gap, What Is It and How Can We Close It? For insights on the report, I spoke with Ismael Valenzuela, VP of Threat Research and Intelligence at BlackBerry. The reality is that this is not very different from what we have seen for many years in the world of compliance, right? When you approach cybersecurity as compliance, it's just one more thing you're doing to just like feel peace or, let's say, to ignore things that you should not be ignoring
Starting point is 00:14:48 because you have a piece of paper that gives you some peace of mind. And the reality is that cybersecurity is not about just going through controls and just saying, okay, check, check, check, you have that. This is a very dynamic world. It's always been. And as the business increases for cyber criminals, there's more people into the business, right? This is the reality with any economy where there's money, like there's more people jumping into it.
Starting point is 00:15:15 And unfortunately, there's a lot more bad people jumping into these that probably like defenders that are able to counteract. So is part of the issue here the expense of these policies? It's probably lack of knowledge that this is something available. In some cases, probably smaller organizations, right? Obviously, bigger organizations are aware of this. One of the things we mentioned in the report is that it's typically the same broker
Starting point is 00:15:44 that offers this catalog of services. Bigger organizations would definitely know that this exists, but it could be definitely the cost. One of the things that we highlight in the survey is that the cost of cyber insurance is increasing as there's more and more attacks, especially the ransomware attacks. It could be maybe the inability to get coverage
Starting point is 00:16:07 because the organizations, not all organizations, have or meet the basic criteria, the minimum number of controls that they need to obtain one. Yeah, that's a really interesting point. I mean, I suppose in some ways, cyber insurance is driving organizations to up their game when it comes to a lot of these basic cyber hygiene issues. You would think so.
Starting point is 00:16:32 And that's ideally what we want to see, right? We want to see this as a good compliance. That's the good thing about compliance too. I keep comparing those two things, but to me, it's kind of the same thing, right? Somebody's pushing you to do something that you should be doing regardless, and that's good. So for example, you don't have EDR,
Starting point is 00:16:51 you need to have EDR, endpoint detection response, to be able to monitor your endpoints. In some cases, it could even lead up to you don't have enough resources to monitor these solutions on a real-time basis, because that's what they require. Well, if you don't have your own SOC, because you're a smaller organization, you need to have a managed detection response type of service.
Starting point is 00:17:15 You have to augment your capabilities. All of these things are good. There's also the other side of the coin, which is some organizations could use this as an excuse to not invest on things that they should be investing based on their threat model. I think that's the main gap here, that in many cases, these insurance companies
Starting point is 00:17:36 are going to come and require a number of controls that you could have in place. But just as with PCI or HIPAA regulation or all the type of control-based frameworks, the fact that you have that doesn't talk about efficacy. It doesn't talk about how well prepared you are to anticipate, to withstand, to resist, and to recover. What are your recommendations then?
Starting point is 00:18:01 I mean, if I'm the person in my organization who's responsible for finding the right cyber insurance for us, any words of wisdom there? First of all, if I would be the person doing that internally, and that typically comes because of a need, a business need, hey, we need to have insurance because of this, right? In order to continue conducting business, or in order to have access to this partnership
Starting point is 00:18:25 or this contract. Once again, it's like compliance. Use it to go beyond what just the controls, the framework is requiring you, what the insurance company is requiring you to do. That would be one recommendation. Use this to do the right thing, but not necessarily just to do the minimum to comply with that and just leave it. Because that's usually not enough, right? That
Starting point is 00:18:51 minimum is typically not enough. The second thing would be to make sure that you read the fine print and clarify what coverage for a loss means. What we have found with this survey, is that in many cases, organizations thought that certain costs would be covered. And there's a case that happened recently in Australia that illustrates this, where a company that was victim of a ransomware attack, they found out that the cyber insurer, they were not covering the cost of doing incident response. As we know, typically you would have an organization coming and trying to find out where the attacker is, what's the scope of the attack, trying to contain the bleeding and then helping you to recover. They would not be covering that.
Starting point is 00:19:41 They would not be covering the cost of forensics. And as we know it, forensics is what uncovers the evidence or unearths the evidence that will tell you what's the root cause, right? Why did this happen? And that's what you need in order to learn, in order to improve, right? So all of these things are necessary. In some cases, cyber insurance is not covering that. We don't want to have these type of surprises after the fact. So it's good to
Starting point is 00:20:14 do that digging before jumping into this. That's Ismael Valenzuela, VP of Threat Research and Intelligence at BlackBerry. And I'm pleased to be joined once again by Betsy Carmelite. She is a principal at Booz Allen Hamilton and also their Federal Attack Surface Reduction lead. Betsy, it's always great to welcome you back to the show. I want to touch base today on the issue of mental health in the cyber workforce, something that I know is important to you from a manager's point of view. What can you share with us today?
Starting point is 00:21:03 So, Dave, the always-on cybersecurity environment, and that's whether it's closing tickets, tracking open tickets, analyzing data, writing reports, answering Slack messages, all of that leads to burnout among cybersecurity analysts. And there's one major contributor. It's cognitive overload. And we've seen reports that nearly half of senior cyber professionals in the last year have considered quitting the industry altogether because of that stress, according to a recent survey. And a similar percentage of those professionals in the industry knows someone who has quit. So what is leading to this? I mean, are we understaffed?
Starting point is 00:21:47 From a manager's point of view, where are we coming up short? Yeah, so my Booz Allen colleague, Mike Saxton, and I, we both have been in the trenches of managed cyber defensive operations teams. And we've seen a lot of what works and doesn't work. So this will come at an angle of what's causing this, but also how we can better support cybersecurity teams and reduce the most common sources of that cognitive overload. So first, it's really important to establish a clear strategy and team structure. Companies can combat cognitive overload by setting
Starting point is 00:22:25 a clear cybersecurity strategy for the team, and workers should have a strong understanding of their role, their responsibilities, what their goals are, and where they fit into that larger strategy. And so, for example, assign areas of specific infrastructure or threat groups for certain people to focus on. And this way, instead of feeling like a few dozen workers are in charge of defending an entire organization, they view themselves as a structured force multiplier. This also shows that the organization recognizes that focus and a training process will pay off in the long run. So that's one way. Secondly, we look at really the need to understand the limits of technology.
Starting point is 00:23:14 There's really long been a misconception that one singular tool or product can get the job done, but analysts are the ones responsible for interpreting the data, coming out of those tools and making the decisions. I heard the other day that a human makes about 35,000 decisions a day. And I can't imagine what that number is for a cybersecurity analyst. Right. They probably say, oh, that's adorable. Yeah, exactly.
Starting point is 00:23:43 And so we really need to listen to our team's feedback to cut out the extraneous security tools or use them better to solve the challenges. More technology won't solve the issue unless we listen to what the analysts have to say. The last thing that I think is really critical is recognizing cybersecurity's human side. And leaders should really engage with their cybersecurity teams, encourage them to take a breather, understand
Starting point is 00:24:13 when their needs require them to help lessen the load. And if they can't take care of their needs, they're certainly going to lack motivation to be on that team. It's as simple as that. When you have time spent away, and I want to talk about that in a couple of ways, that can make their daily tasks more fulfilling. So first, there's true time off. Unplug, walk away to get the real break that your brain needs. And then secondly, find or offer creative and different ways to be in the workspace. For example, I'm going to use this time with you on this podcast. This is something I love. It keeps my mind fresh. It allows me to think in different ways. There's an excellent book by Daniel Kahneman called Thinking Fast and Slow that comes to mind here in my daily delivery. I am just making decisions right
Starting point is 00:25:06 and left for client missions, for my team members. But when I come here, I can focus on a thought piece that I want to share with you. My other colleagues volunteer with cyber nonprofits or at cyber conferences. It redirects the mind and really generates productivity in a less stressful or more fulfilling way. And then lastly, from the management side, when the manager models and offers the opportunity to have balance, that signals that the company has made the staff's mental health a priority and helps them recognize when they're fast approaching burnout. So being attuned to your team. And it's as simple as asking, how are you managing? And often it needs to be that deliberate to find out. What about setting boundaries?
Starting point is 00:25:55 You know, I hear folks talk about protecting their weekends, turning off the phone or saying, you know, I am not available during these hours. I know that's always not realistic for all positions in cyber, but it strikes me that as a cultural thing, it's something that we should probably strive for. I would agree with that. I know with my own teams, and again, this goes back to what I model, unless there is a real need for me to be emailing them about a crisis or an important client decision that has to be made after six o'clock or on the weekends, I'm going to maintain those boundaries as a matter of practice. When I do need to discuss with them, hey, I'm going to need you to put in just a couple hours this weekend. I'm very deliberate about what we need to have them do. We have a huddle and we're very intentional about what that time is going to be spent doing.
Starting point is 00:26:59 And that way we can, you know, while it's not ideal to be working on a weekend and being protective of those boundaries is absolutely critical, at least we're very focused and we know what we need to accomplish. Yeah. So, I mean, communication is really key here. Yes, absolutely. And it's two ways. It's communicating that to your team, and you have to listen to what your teams are up against. You have to listen to what's working and not working. And then work within that environment and help them out. Well, Betsy Carmelite, thanks for joining us.
Starting point is 00:27:33 Thanks, Steve. Thank you. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White,
Starting point is 00:29:20 Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Maria Varmatsis, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Catherine Murphy, Janine Daly, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
