CyberWire Daily - The current state of Cyber Threat Intelligence.
Episode Date: July 22, 2024

Rick Howard, the CSO, Chief Analyst, and Senior Fellow at N2K Cyber, discusses the current state of Cyber Threat Intelligence with CyberWire Hash Table guest John Hultquist, Mandiant's Chief Analyst.

References:
Andy Greenberg, 2022. Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency [Book]. Goodreads.
Josephine Wolff, October 2023. How Hackers Swindled Vegas [Explainer]. Slate.
Rick Howard, 2023. Cybersecurity First Principles Book Appendix [Book Support Page]. N2K CyberWire.
Staff, September 2023. mWISE Conference 2023 [Conference Website]. Mandiant.
Staff, n.d. VirusTotal Submissions Page [Landing Zone]. VirusTotal.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey, everybody. Rick here.
So far this season, we've done a gut check on the current state of XDR,
Extended Detection and Response, IAM, Identity and Access Management, and the MITRE
ATT&CK framework.
Since we did ATT&CK last week, I thought it was only appropriate that for this week, we
take a look at CTI, Cyber Threat Intelligence.
If you're following along with our first principles book, you know that CTI is a key and essential
tactic to the intrusion kill chain prevention strategy.
And in order to deploy and maintain prevention controls for known adversary campaigns across the kill chain,
your CTI team will likely be using the MITRE ATT&CK wiki for a good portion of its inbound intelligence.
See what I did there?
You see how everything is connected?
We don't do random stuff here.
We got a plan.
So hold on to your butts.
We're going to take a deep dive in the world of cyber threat intelligence.
My name is Rick Howard, and I'm broadcasting from N2K Cyber's secret Sanctum Sanctorum studios
located underwater somewhere along the Patapsco River near Baltimore Harbor,
Maryland in the good old U.S. of A. And you're listening to CSO Perspectives,
my podcast about the ideas, strategies, and technologies
that senior security executives wrestle with on a daily basis.
John Hultquist is the chief analyst at Mandiant, an XDR, training, and incident response company,
now part of the Google Cloud organization after the acquisition in 2022.
But he's been doing intelligence work for going on two decades now,
first with the U.S. government, then with a commercial cyber intelligence company called iSight Partners, and then with Mandiant, where he has been working for over seven years.
So, John and I are both cyber intel guys from way back,
and when I ran into him at the mWISE conference in D.C. last October,
he and I got to talking about the old days and how far CTI has come.
So we have a history, right, John?
Yeah.
I ran a cyber intelligence shop many years ago called iDefense.
That's right.
Founded by John Waters.
That's right.
That was owned by VeriSign.
Yeah.
And then when he left the company, he started another commercial intelligence company called iSight.
iSight.
Right.
Stole half my paper.
Loved the i.
Kept the i.
Kept the i, yeah.
And then you joined them.
That's right.
So explain what happened after that.
So I joined out of, I guess I was working at DIA at the time.
I mostly spent most of my time at State Department
and then melted Army way back in the day.
And they were focused on cybercrime at the time,
and it was just like,
can we find anything besides cybercrime out there in the ether?
And at first, we could not.
For a long time, we could not. And then, you know, slowly we figured out how to track certain actors, you know, certain espionage actors.
It took us a while, and I mean it was a very, you know, slow process, but over time we built out the ability to hunt for cyber espionage outside of the government,
which is something, frankly, if you told me it was possible and I was in the government, I would say that's ridiculous.
Yeah, that's exactly right.
Yeah.
So you've been involved in all the changes of hands of the iSight stuff, right?
Yeah.
It went from where to where to where.
So we were at iSight, and then we got acquired by FireEye,
which had previously acquired Mandiant, and then FireEye sort of became Mandiant.
Yeah.
Which nobody could figure out.
Yeah, it was a strange sort of thing.
And then we became Mandiant Intelligence within Mandiant,
and then Mandiant was acquired by Google Cloud, and that's where we are now.
I've been through all of it.
And you know where all the skeletons are.
Yeah, yeah.
But we're talking today because we're at the mWISE conference here in Washington, D.C., right?
I don't know. What would you say the theme of the conference is this year overall? What were you trying to get across?
You know, I've spent a lot of time with customers, and that's honestly super enlightening, because I have my thoughts on what I think matters.
And then you go into the room and they're like, this is what actually matters to me.
And it's always great to sort of find where those two parts kind of connect.
And, you know, I think obviously the situation with the casinos in Las Vegas is like the talk of the town or whatever you want to call it right now.
Which is crazy, right?
I mean, okay, it's a big deal for them,
but why is that more important than, I don't know?
I think those actors are sort of challenging
a lot of the ways that we do security, right?
What John and I are talking about
are the ransomware attacks against two Las Vegas hotel chains in September of 2023, just prior to this conversation, by the hacking group Scattered Spider.
The group compromised Caesars and MGM Resorts, including the Bellagio and the Cosmopolitan, and sent them back to the Stone Age.
MGM had to stop using their computers for 10 days entirely and instead checked in hotel guests manually
and provided customers with cash payouts from the casino.
Caesars reportedly paid Scattered Spider a $15 million ransom,
and MGM estimated that the total recovery cost for them was about $100 million.
According to Josephine Wolff at Slate Magazine,
casinos have a reputation for excellent security,
but it seems that security may be more focused on physical vulnerabilities than online ones.
And I will tell you that casinos, I've spent a lot of time working with casinos over the years,
and they are mature players, right?
I know what they're doing.
They have been doing security since day one at casinos, right?
It's not an afterthought.
It never was.
And so, you know, it's really interesting to see, you know, an actor, you know, hit more than one of them.
And, you know, we've been essentially trying to distill some of the lessons learned from that actor.
Is there something we can just point to here?
Like, you know,
we've been doing cybersecurity for 30 years.
They took advantage of something
that we have not been paying attention to?
Well, you know, it's funny.
It's like everything old is new again, right?
There are things that I think we thought about a long time ago that maybe we didn't keep
watching because adversaries change and we may not have kept our eye on the ball on
certain things.
Just like, by the way, there was a talk about USB malware, right?
Which was like the bane of my existence when I was in the government with the agent.btz
situation.
So everything old is new again.
I think these are things that we've thought of before,
but they've sort of refreshed our memory on a lot of these problems,
and it's good because we're going to start attacking some of these problems.
So the biggest one is their ability to social engineer.
It's exceptional.
They're English speakers. I keep talking about, it's not just that they're English speakers, they're native
English speakers. They're able to sort of develop a real familiarity with the people they talk to
and sort of emote in the language, right? There are differences between how people in Western Europe
discuss things, right?
You know, like there are very,
and how they emote on the phone, right?
And these guys are locked in
and able to really convince somebody to help them.
And what that means is that your help desk
will not only sort of, you know,
allow them to get through these gateways that we've
set up, but they'll almost pull them through because I think they like them.
You know, they want to help them.
So kind of we've gone back to more social engineering as a skill set, right?
It's a huge skill set.
And I think that it exposes the vulnerability in just, you know, the way that we set up
these help desks.
Probably how we incentivize them, right?
They're incentivized to be helpful.
That's how they're reviewed, I'm sure.
Yeah, that's right.
Telling somebody no may not actually be in their interest, you know, economically, you know, if you work on the floor.
And we've got to make sure that's not the case.
I heard a story about Mitnick.
You're talking about help desk, right? The Mitnick I'm referring to here is the late, great Kevin Mitnick,
the infamous world-class social engineer,
author of two wildly popular books on this subject,
The Art of Deception and Ghost in the Wires,
and who you could reasonably say put the skill set of social engineering on the cybersecurity roadmap when he went to prison for five years
back in the mid-1990s for, quote,
various computer and communications-related crimes,
unquote. When he got out of prison, he went straight, set up a consulting business, and
became a beloved character in the InfoSec community. Sadly, in 2023, when he was just 59,
we lost him to pancreatic cancer. He was saying that the way he would social engineer a target
was that he would call in and help the
help desk solve a problem, like a contractor, like you fake to be a contractor. He'd solve the
problem. And then a week later, he would call the help desk again and say, hey, I need you to fill
out this paper. Remember me? Oh, wow. Yeah. And it's like, yeah, so maybe we're coming back to
those kinds of things. Yeah. I mean, the long play, by the way, is something we've actually
seen from the other players, more in the text, email, message situation.
Like the Iranians and the South Koreans.
You'll see them social with somebody for like a month now
before they ever bother to send that link or that attachment.
But they're pulling people through.
They're hitting these business process outsourcers
that are like third parties that
manage a lot of our data and sort of going after third parties to get into their targets.
And the other thing that's really important that they're doing is there's a focus on telecoms
and SMS and particularly the ability to overcome the second factor, two-factor, right?
Or the ability to get somebody to send a reset code or something directly to a phone that they control.
And it really proves that we have to really rethink, you know,
how much we rely on phone numbers as a reliable way to sort of authenticate somebody.
Because we're still trying to get people to use two-factor on phones, right?
We're still on this journey.
And I will say that I still, you know, I still think it's a speed bump, right?
Yeah, yeah.
But it's just not an enterprise, like, a speed bump is not like a doorway, right?
Like, it's not enough for an enterprise. Maybe for certain, for certain things it's enough.
But, if, you know, if you are trying to protect an enterprise, it probably won't do it.
So you're on this panel at the mWISE conference.
It's called Cyber Intelligence in a Rapidly Changing World.
And some big-time luminaries on that panel. I'm not saying you are, but, you know, other people there are, other people there, right?
Yeah.
Did this kind of stuff come up on the panel, or what was the, what were you talking about in all of that?
Well, you know, we had some really interesting people on the panel who had spent a lot of time looking at crime from various aspects.
Jackie from Chainalysis, I thought, had a really, really interesting sort of view into the problem.
She looks at the blockchain
and she watches a lot of this movement.
For those of you not familiar with the company Chainalysis,
it figures prominently in the Cybersecurity Canon
Hall of Fame book, Tracers in the Dark
by Wired journalist Andy Greenberg.
In my opinion, the best cybercrime book in the
last decade. If you had any lingering doubts about whether Bitcoin's blockchain technology
would protect your identity, Greenberg completely blows that out of the water. And Chainalysis,
along with a feisty IRS agent and a university grad student, are the ones that figured out how
to do it. The Jackie that John just mentioned is Jacqueline Koven,
the head of cyber threat intelligence at Chainalysis.
And one of the things she said is she's seen sort of a drop-off
in some of the many criminal actors,
and she attributes this to maybe some success.
And, you know, we're seeing zero days in the crime space now,
and there's a thought that maybe some of the,
there is actually an increasing barrier to entry.
So some of our defenses may actually be working.
That's why we're talking about innovations here, right? Or like...
And that's our show.
Well, part of it.
There's actually a whole lot more,
and I have to say, it's pretty great.
So here's the deal.
We need your help so we can keep producing the insights that make you smarter and keep you a step ahead in the rapidly changing world of cybersecurity.
If you want the full show, head on over to thecyberwire.com slash pro and sign up for an account.
That's thecyberwire.com.
For less than a dollar a day, you can help us keep the lights and the mics on and the insights flowing.
Plus, you get a whole bunch of other great stuff like ad-free podcasts, exclusive content, newsletters, and personal level-up resources like practice tests.
With N2K Pro, you get to help me and our team put food on the table for our families,
and you also get to be smarter and more informed than any of your friends.
I'd say that's a win-win.
So head on over to thecyberwire.com slash pro and sign up today for less than a dollar a day.
Now, if that's more than you can muster, that's totally fine. Shoot an email to
pro at n2k.com and we'll figure something out. I'd love to see you over here at N2K Pro.
One last thing. Here at N2K, we have a wonderful team of talented people doing
insanely great things to make me and the show sound good. And I think it's only appropriate you know who they are.
I'm Liz Stokes. I'm N2K CyberWire's Associate Producer.
I'm Trey Hester, Audio Editor and Sound Engineer.
I'm Elliot Peltzman, Executive Director of Sound and Vision.
I'm Jennifer Iben, Executive Producer.
I'm Brandon Karpf, Executive Editor.
I'm Simone Petrella, the president of N2K.
I'm Peter Kilpe, the CEO and publisher at N2K.
And I'm Rick Howard.
Thanks for your support, everybody.
And thanks for listening.