CyberWire Daily - Pemex ransomware update. Spearphishing with spoofed government phishbait. Trojan two-fer. AntiFrigus ransomware avoids C-drive files. BLE bug. DataTribe’s annual Challenge.

Episode Date: November 15, 2019

Pemex has recovered from the ransomware attack it sustained...or has it? TA2101 is spoofing German, Italian, and US government agencies in its phishing emails. A dropper in the wild is delivering a Trojan two-fer. AntiFrigus ransomware is avoiding C-drives for some reason. Ohio State researchers find a Bluetooth vulnerability. And the results of the annual DataTribe Challenge are in--we heard the three finalists pitch yesterday, and the judges have a winner. Robert M. Lee from Dragos on purple-teaming ICS networks. Guest is David Spark from the CISO/Security Vendor Relationship Podcast on marketing to CISOs. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/November/CyberWire_2019_11_15.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Pemex has recovered from the ransomware attack it sustained. Or has it? TA2101 is spoofing German, Italian, and U.S. government agencies in its phishing emails. A dropper in the wild is delivering a Trojan twofer.
Starting point is 00:02:10 AntiFrigus ransomware is avoiding C drives for some reason. Ohio State researchers find a Bluetooth vulnerability. Want to get that marketing message in front of a friendly CISO? David Spark joins us to tell you how. And the results of the annual DataTribe Challenge are in. We heard the three finalists pitch yesterday, and the judges have a winner. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Starting point is 00:02:40 Friday, November 15th, 2019. The Pemex hack was either a relatively minor matter quickly resolved, that's if you follow Mexican Security Minister Alfonso Durazo and Finance Minister Arturo Herrera, or it was a big problem that's still not resolved, that's if you believe what Pemex personnel are telling Reuters on condition of anonymity. Researchers at Proofpoint describe the work of TA2101, a relatively new actor that's spoofing official communications from German, Italian, and U.S. agencies as phishbait.
Starting point is 00:03:17 The campaign is interesting as an instance of what some observers are calling a trend, crooks who are going for approaches that are more closely tailored to their targets than the familiar spray-and-pray campaign that goes for volume. Security firm Fortinet has discovered a dropper active in the wild that's delivering two Trojans to its targets, RevengeRAT and WSH RAT. That's two, two, two RATs in one. Both of these RATs have a history of being used in attacks related to financial institutions.
Starting point is 00:03:48 RevengeRAT collects system information. WSH RAT is a data stealer, often seen in phishing campaigns. An odd ransomware campaign is underway, odd in the way it rules out certain files from receiving its ministrations. According to Bleeping Computer, which has been in touch with the independent researchers who've been tracking the infestation, the particular ransomware strain involved, AntiFrigus, avoids files on the usual C drive, reserving its hostile encryption for data on mapped network drives or removable devices. It's being distributed by malvertising that redirects victims to the RIG exploit kit.
Starting point is 00:04:29 Researchers at The Ohio State University have found a vulnerability in Bluetooth low-energy devices that exposes them to fingerprinting attacks. And if the devices and the mobile apps that connect to them use weak encryption, attackers could intercept data being passed between them. We were at the second annual DataTribe Challenge in Baltimore yesterday, held in the very hipsterish repurposed city garage down Port Covington Way. And full disclosure, DataTribe is an investor in the CyberWire. The challenge is open to young startups.
Starting point is 00:05:04 They're young, that is, they must be pre-A-series companies whose total funding to date can't exceed $1.2 million. They must offer an enterprise, big data, or cybersecurity product that's in the beta, minimal viable product or concept stage. Practical experience in the Five Eyes security, defense, or R&D systems is preferred but not required. The ideas the startups propose should be suitable for funding that would advance the product. And of course, to the best of their knowledge, those ideas shouldn't violate any intellectual property rights.
Starting point is 00:05:37 The judges this year were executives from AppGate, CrowdStrike, Apple, Allegis Cyber, Cisco, and Shopify. Last year's winners were Prevailion and Inertial Sense, each of whom received seed funding. This year, three finalists were selected from more than 300 applicants. The applicant pool was very heavily involved in machine learning and artificial intelligence, DataTribe co-founder Mike Janke observed in his introductory remarks. The finalists were CodeDX from North Point, New York, which automates application vulnerability management in a way that enables various testing tools to cooperate in developing a single, easily read set of correlated results.
Starting point is 00:06:17 Bloomfield Robotics, based in Pittsburgh, Pennsylvania, a Carnegie Mellon University spin-out that specializes in agricultural robotics and machine learning, and Security Advisor, based in Sunnyvale, California, which applies an artificially intelligent behavior management platform to assist users in becoming an integral part of their organization's cyber defenses. All three companies offered interesting insights. Bloomfield Robotics applies machine learning and artificial intelligence to a very old problem, crop scouting, an activity that hasn't changed much since the earliest hydraulic societies of the ancient world began to send people into the
Starting point is 00:06:55 fields to judge the right time to harvest. Visual inspection by human experts remains essential, but it's difficult and expensive, especially given the worldwide shortage in crop scouting expertise. Bloomfield's CEO, Mark DeSanti, pointed out that losses from crop failures, which in many, perhaps most instances, come down to failures in crop scouting, cause about $4 billion in losses annually in U.S. commodity crops alone. And mistimed harvests, which crop scouting affects directly, results in about 5% plant loss each year. So what's all this got to do with cybersecurity,
Starting point is 00:07:32 you, the skeptical listener, will ask. And quite rightly, because the answer is nothing, not directly. But it's an interesting application of deep learning to a very labor-intensive human task, and an application in which the hype doesn't seem to have outrun the reality. And of course, cybersecurity also requires the sort of labor-intensive intervention of human experts, whose skills are also in short supply. DeSanti offered a prediction that he acknowledged would be controversial, but which his audience didn't regard as crazy either.
Starting point is 00:08:03 In five years, he said, deep learning would enable automation of all the image inspection tasks that now require scarce human expertise. Feel free to draw the analogies to scarce human watchstanding expertise in cybersecurity. The second company, Security Advisor, is very much a cybersecurity outfit. Security Advisor's solution focuses on creating what the company's CEO, Saiv Venkatraman, called personalized teachable moments as a way of delivering security training that can create a culture of cyberimmunity in an organization. They focus on outcomes and on adding value to other products their customers have already bought and deployed.
Starting point is 00:08:43 Security Advisor applies artificial intelligence and machine learning to such inputs as user activity logs to tailor the training to the users and the organization's actual security needs. They seek to do this in a non-intrusive but relevant way. Security Advisor thinks a lot of training can become annoying. Venkatraman said, once you become a nuisance, people ignore you. The third company, and this was the winner of the competition, was CodeDX, also a security shop. Dr. Anita D'Amico, CodeDX's CEO, called her company a player in the newly recognized subsector of application security orchestration and correlation. That category is newly recognized by industry evaluator Gartner. D'Amico explained that software vulnerabilities are the major gateway to
Starting point is 00:09:37 breaches. Most breaches are caused by exploiting a web application, but application security, she said, continues to be very hard to get right. There are more than 150 point solution tools on the market, and they can be difficult and time-consuming to configure. It can take weeks to correlate their siloed results, and they tend to deliver many false positives. The problem is that AppSec analysts must assess vulnerabilities at all the layers an application touches, from custom code to component to network. CodeDX aims to orchestrate tools and results and to prioritize vulnerabilities. It offers centralized risk assessment with one risk score
Starting point is 00:10:15 for each of the three levels that must be addressed. They make it easier and cheaper to assess and reduce the risk of insecure software, D'Amico said. The Department of Homeland Security is using CodeDX to help secure the software supply chain now. And one of the advantages of CodeDX's solution, D'Amico pointed out, is that it's a system of record that can be used to demonstrate due diligence and isolate responsibility for risk. The three companies split a $20,000 prize and CodeDX won $2 million in seed funding.
Starting point is 00:10:47 Security Advisor and Bloomfield Robotics were far from left out. Both have received serious interest from venture capitalists in the course of the competition. Congratulations to all three finalists and especially, of course, to CodeDX. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges
Starting point is 00:11:18 faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our
Starting point is 00:11:46 GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist, Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:12:42 And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Starting point is 00:13:17 Learn more at blackcloak.io. And joining me once again is Robert M. Lee. He's the CEO at Dragos. Rob, it's always great to have you back. Your team at Dragos recently published a series of white papers, and they were about purple teaming ICS networks. I thought this is an interesting topic for us to cover here together. Take us through, what are you sharing here? Yeah, I mean, that was definitely a collection of work by a lot of folks in Dernal Company,
Starting point is 00:13:53 but I'll pay special attention to Austin Scott. He was the one that really sort of spearheaded a lot of that. And really, I think when we have customers and community members come to us, they always ask about getting into their environments and doing some level of service and assessment first. Usually you do that just to get a lay of the land, what's going on. And you usually get requests like, I want a pen test, or I want a threat hunt, or I want this, or I want a red team. And you try to ask them, what do you actually want? They might know the words, but sometimes the value propositions are not aligned with what they're asking for. And so you're like, like, what do you actually want? They might know the words, but sometimes the value propositions are not aligned with what they're asking for.
Starting point is 00:14:27 And so you're like, well, what do you actually want? And it's like, well, I want to take like an adversarial mindset to my defense, but I don't really just want to like exploit vulnerabilities or emulate a threat. I really want to like see my gaps and also improve my security explicitly against kind of that adversarial mindset. And so it's kind of a mixture of the blue team ops and the red team, thus the completely unimaginative name, purple teaming. But we're seeing this larger security community now really take hold. And I like the little movement. It's not anything different than what a lot of
Starting point is 00:15:05 practitioners have been doing over the year, but you're identifying it, calling it something and drawing attention to it. And again, the mindset is I'm going to treat this like the adversary. I'm not going to go down the list and just focus on compliance or checklist or quote unquote best practices or frameworks. But what are the adversaries really doing? Almost taking that Intel-driven approach, but also let's put a real hyper blue team spin on this of instead of going and having to do the red team engagement to get to the answer, why don't we almost come up with hypotheses and work through them and put the security around it as we go? And so it's this beautiful mixture of like hunting with red teaming with like actionable
Starting point is 00:15:44 security controls while you roll it out. And I think that's really critical in industrial environments. A lot of the things that you might want to do from a red teaming or pen testing perspective, you might not want to do on your gas turbine. Right. And so it's it's it's kind of getting to the point of being adversarial without introducing the same risks in those sensitive environments with still getting to the end result and a big focus on defense. Do you lose anything by not having those guardrails between red and blue? I think there's definitely pros and cons on each and every one of them. One of the things that can be done really well with a red team, and there's a lot
Starting point is 00:16:25 of value in doing, is when you're really emulating the threat. You're not just running like Nessus and looking for vulnerabilities, but you're red teaming. You're emulating the threat. You're not just testing your security controls. You're testing your defense. And what I mean by that is your people. A good red team is testing the defense personnel and their training in in my opinion it's not can i get past the firewall and the edr it's is the sock gonna see me is the instant response gonna actually work are they gonna be ready for me and and i'm emulating the adversary like there's there's a lot of value in that and that testing of the defensive people in like real time is not what you get in purple team. You do get that in red teaming, but because you're moving it a little further over to the right and purple teaming, you're getting much more collaboration and kind of education throughout the process versus what sometimes come off as a test, even though that's not always fair.
Starting point is 00:17:25 There's a lot of red teams that do educate along the way. But hopefully that's kind of clear on the difference of, I'm going to emulate the threat, be adversarial, and we're going to test you, and you're going to learn from that, versus I'm going to think adversarially, show you what we could do, but we're going to handhold each other throughout this process and put a hyper focus on the defense throughout it. All right. Well, Robert M. Lee, thanks for joining us.
Starting point is 00:17:59 Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. My guest today is David Spark. He's the co-host of the CISO Security Vendor Relationship Podcast and owner of Spark Media Solutions, which does content marketing for the tech industry.
Starting point is 00:18:52 He joins us to share some of the insights he's gained in the conversations he's had with CISOs, specifically when it comes to getting their attention and earning their trust. When you get right down to it, they just want to be considered. So when someone is looking for a firewall solution, they want their product to be considered. When they're looking for any kind of solution, just when they're looking at all, everything, they want to be considered. The problem is if you're not considered, you are literally invisible and there's no way to succeed if you're invisible. You are the host of the CISO Security Vendor Relationship Podcast. What are you hearing from CISOs in terms of what they want, what works with them in terms of connecting with them to get your message to them?
Starting point is 00:19:36 So this is pretty much a big overarching theme on our show. We talk about this a lot. And that's why actually a lot of vendors listen to our show because they want to know. I will say this. There is no combination of words that one can put in an email that will automatically cause a CISO to open that email. I believe a lot of vendors believe that that's the case. It doesn't exist. They have seen every bogus email under the sun. They don't need yet another one. What they need now to speak positive to your question is they just want to know what does your product do? How do you differentiate where your
Starting point is 00:20:13 product exists on a security plans roadmap or maturity roadmap? That's it. If you just communicate that information and that alone, if they are interested or they will be interested in soon, then they will reach out to you. But they don't want to talk to you about their security program, you know, a CISO. Someone who sends a blind email saying, can we talk about your concerns or your current security program? That is an extraordinarily private matter to a CISO and they do not want to talk about it with you. Once they trust you, they will. What about the message, can I just have 10 minutes of your time? So yes, we've talked about this one a lot.
Starting point is 00:20:54 So that doesn't work for this reason. What you are preying on when you make that request or a salesperson makes that request is you're preying on that person just being nice to you. What you need to more do is give them a reason to want to speak with you for 10 minutes. Honestly, if you give them a reason to want to talk with you, they're going to want to talk with you for a lot more than 10 minutes. And the problem is if you make the request of, may I have 10 minutes of your time, you're not giving them a reason to talk with you. You're asking them, would you just be nice to me? And the problem is when you get hundreds of these, they simply just can't be nice to random strangers. Well, let's look at it from the other direction. I mean, what are the things that you would tell people absolutely to not do?
Starting point is 00:21:36 That list is unfortunately long. And I'd say the most popular article that I ever wrote on my site is entitled 30 Things That Vendors Say That Set Off a CISO's BS Detector. That article blew up just because it hit so many nerves and all the CISOs were like, oh my God, I can't stand it when they make claims of absolutes like we protect everything. We have no competition in the market. We are the market leader. Just don't talk in absolutes. It sets off the BS detector. And if you are setting off the BS
Starting point is 00:22:13 detector in any manner, they don't trust you and trust is critical in this industry. So I would say to any marketer out there, what can you do to build the community's trust? And I'll tell you, one of the things that does very, very well are companies that release research, unique research that is of value to CISOs. That is one of the best ways to build trust. That's interesting because, you know, I get sent a lot of research. I get sent a lot of research, and I would say the ones that are truly interesting and what I would say truly valuable are few and far between. Do you have any tips on what sets a particular set of research apart from the pack? Well, you know there's the kind of research out there that is so blatantly self-serving because they're trying to prove the value of their own product. That's the kind of research that doesn't do well. But one of the most popular research reports is the VBIR, the Verizon Breach Incident Report,
Starting point is 00:23:17 I believe that's what it stands for. That is beloved in the cybersecurity community, and they work on it all year. And it's actually, they're always looking for volunteers to contribute information for this breach report. But it's extremely dense, valuable information. And many CISOs that I've spoken to use that report as a means to build out their security program, to determine where they need to make sort of their next levels of investment. program to determine where they need to make sort of their next levels of investment. So if you're not making a research report self-serving and it's very unique and nobody else is providing this information, that will be of great value to CISO. But I will tell you, it doesn't come cheap. The cost of making the VBIR, I'm sure, is not a cheap endeavor. What about FUD, fear, uncertainty, and doubt?
Starting point is 00:24:06 There's no shortage of people out there who are trying to drum up business by scaring people. Does that work in this market? Definitely not. We've talked about this at actually a great length of the show, and it is honestly the reason the CISO series and the original podcast, the CISO Security Vendor Relationship Podcast launched, is because back in late 2017 and before, the amount of anger that CISOs were showing towards vendors for trying to sell their products through FUD was extreme. So with the introduction of our CISO series, we were trying to combat that like, all right, there is an alternative to FUD. Let's find a new way to communicate, there is an alternative to FUD. Let's find a new way to
Starting point is 00:24:45 communicate together that is not based on FUD. And I'm just going to say this purely anecdotally. I am noticing a lot, while it's far from eradicated, I am noticing a lot less FUD in the market. I would like if we took credit for that, because I think since we started our effort, I mean, I've just noticed it anecdotally, but I'd be interested to know if the listeners feel the same way that, you know, since the middle of 2018, have they seen a little less FUD? I don't know, but I've noticed it anecdotally and it's been our charge to try to get that communication to sort of tamper down. What about the importance of one-on-one
Starting point is 00:25:25 communications, of being face-to-face with people, getting involved with your local groups, rather than sending out email blasts or placing ads and things? What's your perspective on the value of those sorts of efforts? So obviously, any salesperson knows that anytime you can get one-on-one time in front of a practitioner or security leader, that's of extreme value. And they will pay dearly for that. I mean, there are these exclusive events that many firms put on that they charge a pretty penny to let vendors have access to that kind of information. But there are other organizations like you referenced, local meetup groups, I'll mention ISSA, ISACA.
Starting point is 00:26:12 These are security groups for which CISOs have repeatedly said, if you bring your smartest people, vendors, speaking of vendors, if you bring your smartest people to volunteer, contribute, provide valuable information, we will deeply remember that, and that is of great value to us. I will say the problem is a lot of these security vendor organizations, they start with some very low-level people who don't have the security chops that a more advanced engineer, subject matter expert may have. Those are the kind of people who are being put on the front line, the pawns, if you will, to reach out to CISOs. And CISOs get a little frustrated with that. And they try to be polite, but when someone is obviously being paid to just
Starting point is 00:26:52 secure meetings with CISOs, and they're going through every effort to make that happen, and that person who's contacting them is not the person who's actually going to have the meeting, nor has the savviness, It can grate on their nerves. And I've seen that happen. That's David Spark from Spark Media Solutions. He is also the producer and co-host of the CISO Security Vendor Relationship Podcast. Do check it out. And that's the Cyber Wire.
Starting point is 00:27:34 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Starting point is 00:27:59 Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening. We'll see you back here tomorrow. Thank you. you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:29:03 That's ai.domo.com.
