CyberWire Daily - RASPITE noses around the US power grid. Cisco will buy Duo Security. Sandworm afflicts lab investigating Novichok attack. Influence ops can be no-lose proposition. Cryptojacking and malspam.
Episode Date: August 2, 2018
In today's podcast, we hear that Cisco plans to buy Duo Security. Dragos warns of the RASPITE adversary actor. Russia's Sandworm group is phishing people connected with a Swiss chemical forensics lab. How influence operations can be a no-lose proposition. A cryptojacking campaign is discovered and stopped. Malspam is using gifs to carry a keylogger payload. And Facebook CSO Alex Stamos has fixed a date for his departure for Stanford. Robert M. Lee from Dragos with thoughts on categorizing threat actors. Guest is Wendi Whitmore from IBM with their 2018 Cost of a Data Breach study. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_02.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Cisco plans to buy Duo Security.
Dragos warns of the Raspite adversary actor.
Russia's Sandworm Group is phishing people connected with a Swiss chemical forensics lab.
How influence operations can be a no-lose proposition.
A cryptojacking campaign is discovered and stopped.
Malspam is using GIFs to carry a keylogger payload.
And Facebook CSO Alex Stamos has fixed a date for his departure for Stanford.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 2, 2018.
Some major industry news broke overnight. Cisco has announced its intention to acquire Duo Security for $2.35 billion in cash.
Cisco believes that Duo's adaptive authentication will be a good fit.
Dragos this morning reported that threat actor Raspite, which Symantec has tracked as Leafminer in the Middle East, is operating against targets in Europe, East Asia, and North America. Operations against electrical utilities seem focused on the U.S. For now, it seems that Raspite, in Dragos' estimation, is capable of probes only and not of disruptive or destructive attacks on industrial control systems. As usual, Dragos won't go farther in attribution to a nation-state, but Symantec, in its account of Leafminer, noted circumstantial evidence pointing to Iran.
The Sandworm Group, a less famous but still familiar relative of Cozy Bear and Fancy Bear, is working against the Spiez laboratory in Switzerland. Spiez is the chemical agent analysis facility that's performing forensic work on the Novichok attack against a former GRU officer who'd spied for the British, Sergei Skripal, and his daughter in the UK. A few first responders were also infected in that initial attack. The attack has since claimed two additional victims, including one who lost her life, through what appear to be residual samples of Novichok agent staged in England and probably simply abandoned.
The incident has prompted considerable international dispute.
Russia has denied involvement in the chemical attack, but few believe this.
Moscow's claims have been fairly opportunistic and far-ranging, but the basic line from the Kremlin is that the attacks were a put-up job by British and American intelligence services, probably abetted by someone like Czech intelligence. It's all aimed at framing Russia and sullying her good name, says they. As we've noted, few are convinced by this, but such is the information ops narrative being peddled.
The forensic investigation at Spiez is in service of an international inquiry into the incident.
Sandworm used phishing emails, spoofed to appear to come from Spiez Laboratory accounts.
The emails carried maliciously crafted Word documents.
Swiss authorities are investigating.
Many of the bogus emails went to people who planned to attend an international conference on chemical and biological weapons
near Bern this autumn.
The lab itself seems to have deflected the attack
and warned the conference attendees.
Sandworm is the same outfit believed to have used phishing against the Ukrainian power grid.
IBM recently published the results of their 2018 Cost of a Data Breach study. Wendi Whitmore is the director of IBM's X-Force threat intelligence team. She shares the results. First and foremost
is the average cost of the data breach, which this year averaged at 3.86 million, that's a global cost.
So when we look at that, that's a wide variety of countries throughout the world that are included in that.
That is a slight change over the numbers from last year.
One of the things I think we also see that's interesting is that different regions throughout the world continue to have much higher costs.
So in places like the United States, the average cost is over
7.8 million. So it's nearly double the cost of the global average. And then in the Middle East,
we see costs averaging about 5.3 million. So again, much more significant than the global cost.
Also, one of the new things that we did this year, which was very interesting and hasn't been done
before, not only in this study, but in others, was the focus on analysis of mega breaches.
So in particular with that, we're focused on breaches that are an exposure of over 1 million records.
And the cost of those and the difference between those and a smaller scale breach would be, say, for example, under 100,000 records is staggering, where the average on the mega breaches is between $40 million and $350 million in cost to respond.
So it's not necessarily a linear scale there. As the size of the breach goes up, the costs go up quite a bit.
That's correct. Yeah, it's a bit more on the exponential scale, I would say. You know,
I think one of the biggest factors we see there is when you have these mega breaches, you also have typically a much longer time exposure where an attacker and for a mega breach,
we're typically talking about, you know, a determined attacker who's got a strategic
objective to either obtain, you know obtain data and records from an environment
or to at least obtain intellectual property. And when we see that, that time then increases. And so
on average, we see almost one year, so nearly 365 days that it takes an organization to detect a
mega breach and to respond to it, which includes getting the attackers out of their environment.
And that's nearly 100 days longer than it takes for some of these smaller scale breaches.
So pretty fascinating statistics, I think, there in terms of just the length of time
that a determined attacker can be within an environment.
Now, you all discovered also some interesting impacts that affect the average cost of a data breach.
Can you take us through some of those?
Absolutely.
So there's a number of direct costs, which I think organizations think of, which are things like how much is it going to cost you to hire a response firm, for example, or to conduct the investigation.
But there's a tremendous amount of indirect costs, which I think get a little bit less airtime.
You know, the kind of public sector
and the discussion around breaches. And so those are things like how much are we spending to notify
either customers or clients or work with regulators? How much is the cost of lost business
for, you know, reputational loss as an outcome of the breach? How much are we spending for our
employees who during the response, you know, that are focused on responding and not actually doing their day job? So there's a tremendous
amount of costs there. We continue to see though, year over year, that the number one factor in
cost reduction is having access to an incident response team. And, you know, what that means is
that it could be an internal team. It could also be an external team that an organization works with.
But ideally, if that organization and that team has visibility into the environment,
they can do things like detect an attack faster, limit the impact.
And when we get into a win of breach response, it really is about limiting the impact, right?
It's about limiting the amount of time an attacker is in because that has a direct correlation to the cost of the organization. And it's really not about preventing the breach from ever occurring. That's generally an unrealistic goal, but it's more focused on how do we detect quickly an attacker's actions and how do we limit the impact of that within our environment.
That's Wendi Whitmore from IBM.
As analysts continue to work through the implications of Facebook's recent takedown of inauthentic accounts, one thing seems clear. For the attackers, it's a no-can-lose proposition.
If they go undetected and succeed in inciting direct animosity, confrontation, and even violence,
that's a win. If they're discovered and
exposed, that's a win too, because they've undermined people's trust in online conversations,
news, institutions, and so on. Graham Brookie, director and managing editor at the Atlantic
Council's Digital Forensics Research Lab, put it this way to Motherboard, quote,
if they're not caught,
it leads to action in the real world. In this case, a counter-protest that might lead to violence based on what we saw last year in Charlottesville. If they're exposed, they've already undermined
trust in the conversation we're having right now. So in both those scenarios, they win, end quote.
A recent crypto-jacking campaign swirled around GitHub. Researchers
at security firm Sucuri say that the criminals aren't abusing GitHub itself, but rather the
unofficial related service RawGit, which caches GitHub files indefinitely. Sucuri also notes that
the problem is solved. RawGit's security team, they say, was very quick to respond and fix the problem.
The SANS Institute has a description of a DHL-themed malspam campaign
that's using malicious GIFs to spread the Agent Tesla keylogger.
Beware of emails bearing GIFs.
Facebook's CSO Alex Stamos has set a date for his departure from the company in a move planned for several months.
Facebook has no plans to replace him.
Stamos' last day at Facebook will be August 17.
He has accepted a teaching and research position at Stanford University.
Stamos and Facebook part with mutual expressions of esteem, goodwill, and expressions of intentions to continue to work together.
And joining me once again is Robert M. Lee. He's the CEO at Dragos. Robert, welcome back.
You wanted to touch today on how people categorize threat actors versus APTs,
things like that. You had some good points you wanted to make.
Yeah, absolutely.
And so when we as a community want to analyze our intrusions of adversaries and collect it into some sort of clustering of data, we try to assign a value to it.
And historically, a lot of the way that's been done is on threat actors.
We come up with various names.
We have FireEye has done good in this field with like APT28 and APT29, CrowdStrike with their CozyBear and FancyBear.
And name your vendor.
They've been tracking threat actors for a very long time.
And it's an interesting concept. And I think one that we have to question sometimes, too, on what are we trying to get out of these groups and are our naming conventions and our clustering of intrusion data
useful to the challenge that we have? And what I mean by that is
if we're trying to track this group, if we're trying to track that team
and see all the different operations they do and have sort of the strategic insight into the
who, then threat actors are perfect. It's a great
collection of data to say, you know what, over the last 10 years, their tools,
their tradecraft, everything else changed, but we've still been tracking that team.
And that team has been active the last 10 years doing these things.
But the challenge in that is one of defense. It's a great
thing for attribution, but it's very challenging actually for defense.
Because if I told a defender, I want you to defend against
Fancy Bear, you would have to ask me a lot of follow-on questions.
Because Fancy Bear has been tracked very well for
five years at least. So you would have to ask, well, what do you mean
by Fancy Bear? Do I mean Fancy Bear of 2013?
Do I mean 2015, when their tools changed? Hey,
their tradecraft and their infrastructure and their capabilities changed against
banking victims. It was different than it was against political victims.
What do you want me to focus on to defend? And so it's not necessarily the best. I mean,
it's a good tool to have, but it's not necessarily the best for actually doing defense.
And instead, it would offer up, there's an alternative way.
It's called activity groups.
For those of you, anybody that sort of,
remember the diamond model paper, it's highlighted in there.
And one of my analysts, Joe Slowik,
did a really, really good couple of presentations on it recently
and talked about clustering data based off of how the activity was done.
So here's the victimology of it.
This is relevant to banks.
Here's the infrastructure choices they have.
And here's the capability or tradecraft choices they have.
And I think the natural question is, well, what if it changes?
How do we track it?
And that's actually great.
When it changes, it's no longer that activity group, because that activity group
is bound to that victimology, that infrastructure, that capability
and tradecraft aspect. But that's exactly what makes it useful for defenders
is when I tell you defend against, you know, Dymalloy
as the activity group, you know exactly what that means at any point in time.
I suppose it could be a communications issue, because I think there's a natural human tendency
to want to know, who did this to me? And I could see that coming down from the boardroom in
particular. I could see it being a hard case to make that who did it doesn't matter. It's what
they did. Absolutely. I think there are people out there and there are organizations out there
that have intelligence requirements for who, and they really need to get that solution. And that's fine. I mean, I think, again, if we look at specifically the weird period we have with the election sort of discussion of the different adversaries trying to influence the election, the who was pretty important. And being able to track those groups over those almost decades of time was extremely important to that national understanding.
But, yeah, I think we overvalue attribution for sure.
While there are some intelligence requirements to be able to support it, there are far fewer than folks try to position.
And your defender who's going in the network and trying to actually defend against an adversary, it doesn't really matter the who, it matters the how. And you're right, we as people,
we as humans, we have this desire to know who and to think that that's going to be useful for us.
And it is most certainly one of the first questions that executives ask.
But I think we can train them and influence them to be a little bit better and ask a
little bit better questions. Robert M. Lee, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.