CyberWire Daily - Shields Ready for attacks against critical infrastructure. These may be indiscriminate, and they may be opportunistic.
Episode Date: November 9, 2023

CISA, FEMA, and Shields Ready. Ransomware operators exploit 3rd-party tools. A Bittrex bankruptcy phishing campaign. Spammers abuse Google Forms quizzes. Imperial Kitten in action against Israeli targets. Iranian cyberattacks against Israel are called "reactive and opportunistic." In our sponsored Industry Voices segment, Adam Bateman from Push Security outlines how attackers are targeting cloud identities. Luke Vander Linden from RH-ISAC speaks with Target's Ryan Miller and Leah Schwartzman about the evolving fraud landscape retailers are facing with the holidays approaching. And Sandworm and Ukraine's power grid: 2022 attacks may foreshadow the winter of 2023 and 2024.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/215

Selected reading.
Shields Ready | CISA (Cybersecurity and Infrastructure Security Agency CISA)
DHS Unveils New Shields Ready Campaign to Promote Critical Infrastructure Security and Resilience (FEMA)
US Urges Critical Infrastructure Firms to Get “Shields Ready” (Infosecurity Magazine)
US launches “Shields Ready” campaign to secure critical infrastructure (CSO Online)
DHS Launches New Critical Infrastructure Security and Resilience Campaign (SecurityWeek)
Ransomware Actors Continue to Gain Access through Third Parties and Legitimate System Tools (FBI)
Phishing Attack Driven by Bittrex Bankruptcy (Abnormal)
Spammers abuse Google Forms’ quiz to deliver scams (Cisco Talos Blog)
IMPERIAL KITTEN Deploys Novel Malware Families in Middle East-Focused Operations (CrowdStrike)
Microsoft shares threat intelligence at CYBERWARCON 2023 (Microsoft Security)
Iran and Hamas showed no signs of cyber coordination in run-up to war, researchers say (Washington Post)
Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology (Mandiant)
Russian spies behind cyber attack on Ukraine power grid in 2022 - researchers (Reuters)
Hackers Linked To Russian Intelligence Blamed For 2022 Ukraine Grid Disruption (RadioFreeEurope/RadioLiberty)
Ukraine updates: Russia hacked Kyiv's power grid — report – DW – 11/09/2023 (Deutsche Welle)
Russian Hackers Used OT Attack to Disrupt Power in Ukraine Amid Mass Missile Strikes (SecurityWeek)
Energy security at forefront of NATO-Ukraine Council meeting (NATO)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
CISA, FEMA, and Shields Ready.
Ransomware operators exploit third-party tools.
A Bittrex bankruptcy phishing campaign.
Spammers abuse Google Forms quizzes.
Imperial Kitten in action against Israeli targets.
Iranian cyber attacks against Israel are called reactive and opportunistic.
In our sponsored Industry Voices segment, Adam Bateman from Push Security outlines how attackers are
targeting cloud identities. Luke Vander Linden from the RH-ISAC speaks with Target's Ryan Miller and
Leah Schwartzman about the evolving fraud landscape retailers are facing with the holidays approaching.
And Sandworm and Ukraine's power grid. 2022 attacks may foreshadow the winter of 23 and 24.

I'm Dave Bittner with your CyberWire Intel briefing for Thursday, November 9th, 2023.

This week, the U.S. Cybersecurity and Infrastructure Security Agency
and the Federal Emergency Management Agency launched Shields Ready,
a sustained national campaign to increase the security and resilience
of America's critical infrastructure. Shields Ready complements CISA's Shields Up campaign.
According to FEMA, Shields Ready focuses more broadly and strategically on how to prepare
critical infrastructure for a potential disruption and how to build more resilience into systems,
facilities, and processes by taking action before a crisis or incident even occurs.
The approach encourages critical infrastructure operators to focus on things they can do to drive down risk.
First, identify critical assets and map deficiencies.
Next, assess risks.
Third, plan and exercise. And finally,
adapt and improve. Threats to critical infrastructure aren't purely theoretical risks.
A bit later, we'll see how they've played out in one of the hybrid wars currently troubling
an unhappy world.

The FBI has issued a private industry notification outlining recent trends in ransomware attacks,
specifically ransomware actors exploiting vulnerabilities in vendor-controlled remote
access to casino servers and companies victimized through legitimate system management tools
to elevate network permissions. The Bureau says the FBI continues to track reporting of third-party vendors and
services as an attack vector for ransomware incidents. Between 2022 and 2023, the FBI noted
ransomware attacks compromising casinos through third-party gaming vendors. The attacks frequently
targeted small and tribal casinos, encrypting servers and the personally identifying information of
employees and patrons.

Scammers are using the bankruptcy of the crypto trading platform
Bittrex as phish bait, Abnormal Security warns. The phishing emails targeted former customers
of Bittrex, informing them that they still have more than $1,000 stored on the platform that they'll need to withdraw before Bittrex shuts down.
The researchers think the timing of the phishing campaign was no accident.
The bankruptcy court approved Bittrex's requests to shut down its U.S. operations on Monday, October 30th.
That action and the date were foreseeable and probably appeared in the court docket.
Crooks can read dockets as well as anyone, and they probably used that information to determine that October 23rd was the best day to begin their criminal campaign.
As always, fear, uncertainty, dread, and urgency make the best chum for phishing.
In another case of phishing, Cisco Talos researchers report a spike in the abuse of the release results feature of Google Forms quizzes.
It's a way of getting spam sent from trusted Google servers,
and so increasing the likelihood that the spam message will find its way through many screens and filters that would have otherwise flagged it as
suspect.

Turning to the hybrid war in Israel and Gaza, CrowdStrike describes a series of cyber
attacks that targeted Israeli organizations in the transportation, logistics, and technology
sectors last month. CrowdStrike's researchers attribute the campaign to the Iran-aligned
threat actor Imperial Kitten.
Imperial Kitten is believed to be associated with Iran's Islamic Revolutionary Guard Corps
and likely fulfills Iranian strategic intelligence requirements associated with IRGC operations.
In this case, Imperial Kitten used spear phishing emails to deliver several strains of malware via malicious Excel documents, including IMAPLoader and StandardKeyboard.
It's beyond dispute that Tehran supports Hamas and that Iran acts against Israel in cyberspace.
But support, a coincidence of interests and even sponsorship doesn't guarantee or amount to coordination
in cyberspace. A study by Microsoft finds that Iranian cyber attacks against Israeli targets
have been reactive and opportunistic, not forming part of an integrated campaign developed in
cooperation with Hamas. There have been many suggestions in the media and elsewhere that
Iran's government was involved with the planning and even execution of Hamas's attacks on October 7th.
At least insofar as cyber support for the operation is concerned, that seems not to have been the case.
Microsoft says,
We do not see any evidence suggesting Iranian groups had coordinated pre-planned cyber attacks aligned to Hamas's plans on the start of the Israel-Hamas war on October 7th.
In fact, Iranian operations took a week and a half before they began cyber attacks that can be construed as support for Hamas.
Microsoft says,
Observations from Microsoft Telemetry suggest that, at least in the cyber domain,
Iranian operators have largely
been reactive since the war began, exploiting opportunities to try and take advantage of events
on the ground as they unfold. It took 11 days from the start of the ground conflict before Microsoft
saw Iran enter the war in the cyber domain. Redmond also notes that Iran has remained true
to its familiar playbook,
which always includes influence in its calculus of effects, stating,
Microsoft observes Iranian operators continuing to employ their tried-and-true tactics,
notably exaggerating the success of their computer network attacks and amplifying those claims and
activities via a well-integrated deployment of information
operations. This is essentially creating online propaganda seeking to inflate the notoriety and
impact of opportunistic attacks in an effort to increase their effects. Mandiant has released a
study of Sandworm's cyber attacks against Ukraine's electrical power grid last year.
Sandworm, also known as Voodoo Bear, is a threat actor operated by the GRU's Unit 74455.
Mandiant wrote,
While we were unable to identify the initial access vector into the IT environment,
Sandworm gained access to the OT environment through a hypervisor that hosted a supervisory control and data acquisition management instance for the victim's substation environment.
Based on evidence of lateral movement, the attacker potentially had access to the SCADA system for up to three months.
culminated in the exploitation on October 10, 2022, of end-of-life Hitachi Energy MicroSCADA control systems that brought the affected systems under Sandworm control, and which enabled the
attackers to issue commands that tripped breakers in electrical power distribution substations.
Two days later, Sandworm deployed a new variant of CaddyWiper, discovered in Ukraine the previous March by ESET,
which served both to damage the associated IT networks and to obscure its own operations.
The attack was marked by living off the land techniques,
significant because they decreased the time and resources required to conduct a cyber-physical attack,
and because they reduced the likelihood of detection.
The Russian campaign stands out for several reasons.
First, it was a successful attack against a widely deployed OT system.
Such attacks have been rare and have proven difficult to execute.
Second, the cyber attacks coincided with a kinetic Russian missile campaign
designed to cripple Ukrainian infrastructure
as winter approached. Such coordination of cyber attack into a combined arms operation has also
been rare and difficult for Russian forces to achieve. Third, the attack showed both careful
preparation and an ability to develop offensive tools quickly. Finally, the attacks showed what Russia is likely to attempt
in its infrastructure disruption campaign during the winter of 2023 and 2024.
And of course, there's no reason to think any campaign against infrastructure
will be entirely confined to Ukraine.
Russia's cyber auxiliaries have shown a willingness to pester any country
they perceive as sympathetic to Ukraine,
and there's no reason to assume that the GRU's regulars will constrain their operations to the combat zone proper.
No reason to panic, but as CISA would say, shields up and shields ready.

Coming up after the break, Adam Bateman from Push Security outlines how attackers are targeting cloud identities. Luke Vander Linden from the RH-ISAC speaks with Target's Ryan Miller
and Leah Schwartzman about the evolving fraud landscape retailers are facing with the holidays approaching. Stay with us.

We've seen an uptick in attacks against organizations in the cloud with notable targets like MGM, 23andMe, and even Okta themselves. Adam Bateman is co-founder
and CEO at Push Security. And in this sponsored
industry insight segment, he explains how attackers are targeting cloud identities
and what it means for the industry. We talk a lot about the identity perimeter,
which has become a very, very hot topic, which is really any identities, really online accounts,
but anywhere that's internet facing. And that's now the new company attack surface. And attacks here,
they've really been happening for quite a long time. But because of the fact that
awareness of these types of attacks and detection capability for these types of attacks
have not been as strong
as they are in other places.
It's been happening a little bit more under the radar.
And I think much more recently,
and even in the last three months,
we've seen a real spike in much more publicly facing
kind of attacks, things that have happened.
So we saw obviously MGM Resorts,
recently saw Retool, the automation application,
even Okta themselves,
and there's not as much detail around that, but
it looks like it was a targeted
attack against a support system
which could well be SaaS.
Yeah, and different things like that.
So we've noticed attackers
really trending in this direction
and targeting not just
SaaS applications and using the information
inside those SaaS applications to gain deeper access into company networks, but also targeting
just directly the SSO logins themselves, which once you gain access to, then gives you downstream
access to all of the company's most sensitive applications behind that.
Can you walk us through how these attacks are typically carried out?
Yeah, sure.
I mean, for the most part,
it's not to do with vulnerabilities in the platforms themselves.
So it's not an exploit against a patchable bug
that's happening in a SaaS application or in an SSO provider.
Even though those things do happen,
the ones that have been more grabbing the headlines
have just been attacks that result in the attacker logging in.
So social engineering, phishing, the classic things you've seen,
but also password-based attacks like credential stuffing
or brute force attacks and password spraying
and those sorts of things.
And I think in the last part, we recently saw the breach against 23andMe, which obviously
had sensitive information on lots of individuals.
And the attack there, the attacker took a leaked password from a prior breach and just
sprayed that across all the different accounts against
23andMe and managed to gain access to those attacks over time. And that was against a B2C
app. So it hit the headlines because of personal data and because of massive account compromise.
But exactly the same is possible for any B2B app. Arguably, it's kind of more high impact against a B2B app
because with a B2C app,
you're in a position where the vendor hosts that,
but each person or each individual
has their own account with their own data in it.
And so in order for you to get access to lots of data,
you need to compromise lots of accounts.
But with a B2B app, generally speaking,
the company has a tenant. And so for the attacker doing that kind of password-based attack,
you only actually often need one valid account and you gain access to the entire tenant.
Sure, there are different access levels in it. You could be admin or not. But generally speaking,
if your goal is to get access to sensitive data, you can stop once you get access to one credential, and then you can use that from there. So those sorts of attacks
are super easy to conduct.

What are your recommendations then? I mean, how can defenders
best protect themselves against this?

For the industry in general, I think it's important to
recognize that this is kind of an era change. I talk about this quite a lot. I think the first era change was when people said
the perimeter is dead. And really what they meant was it was marking the change between
attackers targeting your traditional infrastructure perimeter through to then instead targeting
endpoints. And we're now in a position where people have the new phrases, identities are the new perimeter, and that's marking the shift from attackers shifting from endpoint to attacking the cloud.
And so at the moment, all of the effort has gone into network and endpoint monitoring.
And defensive controls for this particular area is just much thinner, which is why we're seeing attackers go there.
And the attacks are much less understood.
So I think as an industry, we really need to start paying attention to this.
Like we are doing a lot of research and pushing out all the novel ways that we're seeing these
attacks can happen to help open and shine a light on this so that people can be prepared.
But I think the other thing is that actually it lowers the barrier to entry for these adversaries.
Now, I'm not saying by any means that these attackers aren't skilled.
They are very, very skilled.
But what I mean is if I was going to go and attack in a company
like I did in my red team days,
you used to have to go to a lot of effort
to set up custom command and control server
and then set up clever malware that you could use,
which would evade EDR,
and clever ways to tunnel traffic
back out of the network. You need to understand a lot. And if you're really getting advanced,
you need to write custom exploits and understand about Windows internals and those sorts of things.
And the thing is about these SaaS-based attacks is really what you need is very,
very good sysadmin skills and the ability to think outside the box. I mean, the attacks are novel,
but you're not sort of
going deep into the Windows kernel to make them happen, right? It's phishing, social engineering,
password attacks, and then knowing how to configure and leverage the functionality of
those applications you go in. So I think really the lack of understanding of the industry,
plus the lowering of the barrier to entry is a recipe, is something that we need to pay attention to.
I think, finally, the attacks can become more opportunistic. If you think about things like credential stuffing
against 23andMe, you'll find that more companies
were just caught in the crossfire.
They became, rather than being targeted,
you can just sort of spray across lots of people's
SSO login pages or lots of people's SaaS applications
to see what you find.
And then once you've gained access, you can go deeper into the network there.
So as an industry, I think it's just an area that we need to continue to focus on
and help develop our understanding of this area.
In terms of technical controls, I mean, all these novel attacks are interesting,
but most of our customers are finding the most value from our platform, at least, and the data
that we're seeing because of the fact that they know how to configure their identities
so they're secure with unphishable MFA and with strong passwords and everything else.
But they sort of think they're in a secure state, but they're not.
So often they'll deploy the platform and we'll just suddenly go, oh, wow, because of this
configuration error or because someone had just disabled a control temporarily for testing
or for compatibility, that actually there's an exposure.
And so I think one thing is just really understand the state of your current identities,
make sure they are at the right level of control.
And really what you want to be aiming for is MFA, but phishing-resistant MFA.
So hardware-based if you can, and if you
can afford it, both in terms of the cost required to actually implement that, but also the time,
and making sure that people are continually trained around social engineering attacks.
And finally, I would say in terms of technical controls to extend detection and response
that we do on the network world into this
SaaS world and make sure that we're actually able to discover and get visibility into some
of the attacks that are happening there.
That's Adam Bateman, co-founder and CEO at Push Security.

Luke Vander Linden is host of the RH-ISAC podcast.
And in his most recent episode, he spoke with Target's Ryan Miller and Leah Schwartzman
about the evolving fraud landscape retailers are facing with the holidays approaching.

We are joined by two members of Target's cybersecurity team, Ryan Miller and Leah
Schwartzman. Can you talk to us a little bit about the evolving fraud landscape that retailers are
facing these days?

Yeah, so I'm sure a lot of people have heard on news ORC, we're seeing,
you know, stores getting hit with these organized attacks across the country at this point.
And so that's not a victimless crime in that sense.
Us, we want to protect our guests.
And that goes beyond just the in-store fraud that we're seeing.
Threat actors are evolving.
These rings are organized.
And so there's a cyber approach to investigating and mitigating this type of fraud.
And so threat actors, they are organizing across mainstream social media.
A lot of people might come across on TikTok or Instagram or Facebook, these groups that look
suspicious that are advertising, recruiting, or selling different fraud methods. And that's really
escalating these threat actors in communicating with one another. Similar to how we are communicating
via social media with our friends and family, threat actors are doing the same. And that's
taking what used to be a very central organized group where they may have to go to their
local pawn shop to sell the merchandise to this global economy that they can buy and sell
merchandise online. And with sites like eBay, Facebook Marketplace, Craigslist, the ability
to monetize stolen goods in a very quick way, very anonymously, has led to this increase in crime
opportunities for these threat actors. We just took a holistic approach to fraud within our
organization. And, you know, the decision was made to bring fraud under our security umbrella. And so
with that was the evolution of threat intelligence and specialization to focus on fraud intelligence.
You know, and really it became a need for us to understand that threat landscape, right? We need to understand what the threat
actors are doing so we can defend against what those threats are doing. With the same concepts
of how we track phishing and malware and, you know, APT groups, we need to apply that to fraud.
So if you don't have dedication there, right, it becomes this secondhand approach, which a lot of, you know, Intel teams, I think, are initially set up like that.
So as the landscape evolved, as fraud became more prominent, as we decided to take a stronger look into that from a security perspective, we had to dedicate fraud analysts to Intel analysts to really look at that Intel and pull it into the organization.
Yeah, we really aren't reinventing the wheel here.
We are using that standardized collection methodology that traditional CTI teams are focusing on and just mapping that to fraud.
And that's going to look very different dependent on your organization, what experience that you have for your guests.
Nowadays, with all these omni-channel experiences, guests pick up, drive up, same-day delivery. Although that's great for our guests, it's also exposing us to opportunity for
threat actors to abuse those systems. And so leveraging what you know about your own internal
environment, we know our environment better than anyone else. So leveraging those business partners
outside of security to really understand how their systems flow, what point are our guests
seeing this, how are guests impacted
by different decisions that we make, and then taking that externally to say, okay, are we seeing
any discussion of threat actors talking about these bypasses, these abilities to commit fraud
against us in these variety of different ways? And that really is standard intelligence collection
that can be applied to fraud. And once you gain that initial collection, it'll start flowing in.
There's an endless pool of chatter out there of methods being sold, guides, threat actors talking about it.
So once you establish that initial collection from a fraud perspective, you're going to start to get that actual intelligence to share with your business teams.
And I'll just chime in that, you know, within the threat landscape, we're seeing the lines being blurred, right?
Like cybercrime is crossing over into fraud, vice versa, right?
Like the handoff is not, you know, it's not separate anymore.
share the same platforms, the same tools, the same services,
and we're ingesting all that data.
The correlation of that data from what we might say is only fraud is not turning out to be only fraud, right?
You have broader visibility.
And so you might see some of the tools that are used for DDoS,
a botnet or something, right?
That might also be leveraged to launch ATO attacks, right?
And so if you have these indicators from that,
you can see that if they were completely separate,
you know, you're going to miss some of that visibility.
Same concept as like when fraud sits
in some other corner of the organization
than security does,
you're not going to have that collaboration
that you need to combat the threat.
You know, like again,
you mentioned all the different ways now
that retailers serve their customers
and even smaller organizations, smaller retailers also have to do those things, but they might not have the resources as a Target.
Do you have any advice for a smaller company that wants to get involved in this?

Yeah, start with that first area of focus.
And, you know, a lot of the help of the RH-ISAC, you know, people share information.
People are sharing trends that could be out there in regards to how threat actors are operating. So take that information back to your organization
and build out what we call a kill chain. And so that's, once again, applying your traditional
cybercrime to fraud and map out, okay, if I was a threat actor hitting my organization or a specific
process within my guest flow, how would they be able to bypass the controls that we might have
in place? And really visualizing in that kill chain flow is going to help you as a one analyst
to say, okay, who are the business partners within the organization that I need to basically
make friends with to say, hey, your system is allowing threat actors to abuse X, Y, and
Z.
Maybe we need to have discussion around changing that process or flow without impacting the
guests.
And so all it takes is one analyst to begin to dive into that data.
And once you have that key fraud focus area, it's really going out and getting that collection. So scraping those Telegram, the Discord, the social media channels, where these threat actors are living in that ecosystem that they're communicating within, leveraging that, pulling that pre-established collection and visibility, it'll start to flow and it'll become very clear where you need to prioritize your
efforts within your own organization as well.

So all this being said, we are about to enter
the busiest season of the year for retailers. How is Target preparing for the holiday season?

I love this question. We get asked this every year, but we don't do a lot different, right?
We take the approach of like, let's just see as much as we can all year long, right?
Because the way that the fraud landscape has shifted, really the cybercrime landscape has shifted, is they don't stop, right?
So, yes, they ramp up a little bit, but really for us, it's just really scrutinizing data a little bit more, right? So things that might have been a lower threshold in March and April
are now going to be, hey, let's scrutinize this a little bit. What activity is really going on
here, right? So, you know, take ATO, for example. We're probably going to start to see an increase
in that. Actors are preparing for the holiday season, but that doesn't happen in December
when, you know, you would think it would happen.
That happens in September and October.
They're trying to compromise those accounts ahead of time.
So when they start to see people add credit cards or add gift cards that they get for the holiday, they already have access and can leverage that.
They need to prepare, too.
Yeah.
So for us, it's just it's, you know, it's kind of status quo.
But like being more vigilant, being more aggressive in the approach we take at our collection efforts and the analysis that we do on the alerting that we get.
And just looking for these anomalies or, you know, in the fraud case, right?
Like what are the threat actors interested in?
And that can change on a weekly basis, but during the holidays, right, it's going to be gift cards.
It's going to be washing gift cards or leveraging gift cards to purchasing. What are
the hot items, right, that sell really great around the holiday? And how are they trying to
hide in the mix of the heavy volume of traffic, right, that comes to our organization during the
holiday season? And they're trying to kind of fly below the radar. So those are really the things
that we're focusing on to get ahead of the holiday. And part of Intel Collection on that is knowing what items are being launched across the industry.
So whether it be like the hot commodity items for the resale value, so getting ahead of what
those trends could look like to pre-establish that visibility internally can help mitigate
it before it becomes a fire drill during the busiest season.

Excellent. Leah, Ryan,
thank you very much, both of you from Target's terrific
CTI team. Amazing. Thank you very much for joining us on the RH-ISAC podcast.

Luke Vander Linden is host of the RH-ISAC podcast, which you can hear
right here on the Cyber Wire podcast network. Do check it out. It is a show worth your time.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine of many of the most influential leaders
and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many
of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce
Intelligence optimizes the value of your biggest investment, your people. We make you smarter about
your team while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester with original music by Elliott Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilpe and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.