CyberWire Daily - The US Executive Order on cybersecurity is out. Colonial Pipeline, its security and response under scrutiny, resumes deliveries. Verizon’s DBIR is out.

Episode Date: May 13, 2021

The US Executive Order on Improving the Nation’s Cybersecurity is out. Colonial Pipeline partially resumed delivery of fuel yesterday evening, as its preparation for and response to the cyberattack it sustained receive scrutiny. The DarkSide’s extortion of the US pipeline company seems likely to prompt regulatory revision. DarkSide operators say they’ve gotten busy against other targets. Our own Rick Howard speaks with Aaron Sant-Miller, Chief Scientist at BAH, on developments in artificial intelligence. And Verizon’s Database Investigations Report is out. I check in with Verizon’s Chris Novak for highlights from the DBIR. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/92

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The U.S. executive order on improving the nation's cybersecurity is out. Colonial Pipeline partially resumed delivery of fuel yesterday evening as its preparation for and response to the cyber attack it sustained receives scrutiny. The DarkSide's extortion of the U.S. Pipeline Company seems likely to prompt regulatory revision.
Starting point is 00:02:21 DarkSide operators say they've gotten busy against other targets. Our own Rick Howard speaks with Aaron Sant-Miller, chief scientist at Booz Allen Hamilton, on developments in artificial intelligence. And Verizon's database investigations report is out. I check in with Verizon's Chris... From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 13th, 2021. U.S. President Biden yesterday evening signed his administration's long-anticipated executive order on improving the nation's cybersecurity. Quote, it is the policy of my administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security. End quote. The president says he expects the federal government to lead by example. The order calls for bold changes and significant investments to protect and security must include systems that process data, information technology, and those that run the vital machinery that ensures our safety, operational technology. The executive order formalizes and enhances the Cybersecurity and Infrastructure Security Agency's responsibilities
Starting point is 00:03:58 for functional oversight of the federal civilian executive branch agencies, but it also prescribes important roles for the National Institute of Standards and Technology, the FBI, and defense agencies, notably the National Security Agency. The measures prescribed are complex and organized along an ambitious timeline, but in general the government will start with its own security and move from there to address industry, eventually reaching as far as consumer software. Some of the commentary on the executive order has framed it as a response to the Colonial Pipeline ransomware attack. While that incident may well have affected its final content, the order itself has long been under preparation.
Starting point is 00:04:41 Should you wish to point to any single incident as the one that prompted the order, look to the SolarWinds supply chain compromise. But speaking of Colonial Pipeline, the energy company continues its recovery from the ransomware attack it sustained last week. Colonial Pipeline restarted its pipeline operations yesterday evening at about 5 o'clock p.m. EDT; full service will be restored, the company expects, within several days. The AP reports that a six-month technical audit delivered to Colonial Pipeline in January 2018 found significant issues with the company's networks. Robert F. Smallwood, a principal at the consultancy iMerge, told the AP
Starting point is 00:05:26 he prepared the report and he characterizes Colonial Pipeline's then practices as atrocious. The AP quotes Smallwood as saying, we found glaring deficiencies and big problems. I mean, an eighth grader could have hacked into that system, end quote. The report is described as having focused on data loss prevention and smooth operations. The AP writes, Colonial's statements Wednesday suggest it may have heeded a number of Smallwood's recommendations. In addition, it says it has active monitoring and overlapping threat detection systems on its network and identified the ransomware attack as soon as they learned of it.
Starting point is 00:06:10 Colonial said its IT network is strictly segregated from pipeline control systems, which were not affected by the ransomware. It's still too early to reach firm conclusions about how Colonial Pipeline was hacked or how well or poorly prepared it was to defend itself. The company itself remains tight-lipped on the topic, but doubtless more will emerge as investigation and remediation improve. Bloomberg reports that Colonial paid dark side operators nearly $5 million in cryptocurrency within hours of the attack's discovery. Their sources are two anonymous persons familiar with the transaction.
Starting point is 00:06:44 A third source, also unnamed, says the U.S. government is aware of the payment. So, did paying up pay off? Yes and no. The DarkSide operators did deliver a decryptor to Colonial Pipeline, but sources say that the tool was so slow that the company continued using its own backups to help restore the system. So they got the decryptor, but may not have found it particularly useful. Other outlets reported earlier that Colonial Pipeline had decided not to pay the ransom demanded, and today's Bloomberg story is the first we've seen that offers the contrary.
Starting point is 00:07:21 If Bloomberg's account proves true, the payment of ransom is likely to lend further impetus to developing effective laws and regulations governing response to ransomware attacks. There's a growing movement among insurers announcing their decision not to cover ransom payments, and governments are likely to make it more difficult for victims to pay up. Doing so fuels a bandit economy, and there's a growing consensus among legislators and regulators, and in industry as well, that only disrupting ransomware's business model will clap a stopper over this corner of the criminal market. That the ransom is said to have been paid in cryptocurrency will also lend momentum to government attempts to regulate altcoin generally.
Starting point is 00:08:04 The ransomware attack has, the Wall Street Journal notes, drawn scrutiny by Congress and others of how well the Transportation Security Agency, the TSA, familiar to anyone who's transited a U.S. airport over the last decade and a half or so, is actually overseeing pipeline security. Many have fastened on TSA's voluntary assessment program as particularly worthy of review. Officials at the Federal Energy Regulatory Commission, that is, FERC, think there are security lessons the electrical power grid could teach the pipeline industry. FERC Chair Richard Glick said this week, quote, For over a decade, the Federal Energy Regulatory Commission, in coordination with the North American Electric Reliability Corporation,
Starting point is 00:08:50 has established and enforced mandatory cybersecurity standards for the bulk electric system. However, there are no comparable mandatory standards for the nearly 3 million miles of natural gas, oil, and hazardous liquid pipelines that traverse the United States. It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector. Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors. Mandatory pipeline security standards are necessary to protect... DarkSide, the Russia-based criminal group that's by consensus responsible for hacking Colonial Pipeline, hasn't pulled in its horns.
Starting point is 00:09:41 Reuters reports that the gang has claimed three more targets, a Brazilian battery firm, a Chicago-based tech company, and a British engineering firm. Reuters says it hasn't been able to verify that the attacks actually succeeded, but DarkSide has threatened to dox its targets by publishing stolen sensitive information if they're not paid. Verizon's annual data breach investigations report is out. In brief, ransomware is up, as are social engineering in general and misrepresentation in particular. Verizon found 85% of breaches involved the human element.
Starting point is 00:10:18 Phishing was present in 36% of breaches, up from 25% last year. Business email compromise was the second most common form of social engineering. And there's a good news, bad news story here too. The report says, the good news, 14 percent of simulated breaches had no impact, but don't count on that for your organization's security plan. The median for incidents with an impact was $21,659, with 95% of incidents falling between $826 and $653,587. As they say, read the whole thing. It's only 19 pages long, and there's not a dull one among them. And stay tuned for my conversation with Chris Novak from Verizon. We'll be discussing the DBIR.
Starting point is 00:11:14 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:11:33 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:12:04 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:13:12 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. The Cyber Wire's Chief Security Officer, Rick Howard, recently checked in with Aaron Sant-Miller from Booz Allen Hamilton on the latest developments in artificial intelligence. Here's Rick.
Starting point is 00:13:48 If you've been listening to the Cyber Wire for any length of time, you know that many practitioners have been trying to build machine learning systems using artificial intelligence concepts in order to automatically discover and prevent the success of cyber adversaries. I thought it was time to level set on just where we are in that regard. I asked Aaron Sant-Miller, the chief data scientist at Booz Allen Hamilton, to tell us just exactly what he is trying to accomplish with his machine learning research efforts. How do we detect attacks and detect adversaries in an intelligent way that fuses tradecraft with AI and analytics? That's always going to be the place where we're investing a lot of our energy. Machine learning thinking has been around for a while now, but many of us practitioners have yet to deploy anything meaningful. There hasn't been a lot of progress. Aaron thinks that some
Starting point is 00:14:42 of this friction is caused by the same issue that is preventing the community from more speedily adopting the DevOps model. Namely, the security people and the developer people are staying in their silos and not working as a combined task force team. According to Aaron, that's exactly what's going on
Starting point is 00:15:00 between the security people and the data scientists too. It has to start with the domain expert and the person who knows cyber well saying this is what we need to detect and here's how I think we detect it. They need to then sit in a room with the data scientist or AI developer who can say, all right, here's where I can help you
Starting point is 00:15:17 and here's where I can't and here's what I need to help you the right way. And what are the things that you want me to find for you? That conversation needs to happen. And I think that's sometimes where it breaks down because the data scientist thinks about data and the cyber analyst or cyber expert thinks about threats and tactics. They need to find a common ground to talk about those things. One popular myth in the security community today is that somehow somebody is going to build a giant monolithic AI system
Starting point is 00:15:45 that will magically sift through the mountains of telemetry that we are all collecting and storing in the cloud somewhere and miraculously prevent the next SolarWinds attack. Kind of like the architect AI in the Matrix movies trying to fend off Neo and his gang of red-pill followers. But I'm pretty sure that's not how it's going to work. More likely, the AI system we will get in the future will be a collection of very small and independent machine learning algorithms forecasting answers to tiny problems and delivering the result to larger machine learning systems who will try to make sense of it all in a meta kind of way. For the nerds out there, a better example from pop culture than the Matrix movies
Starting point is 00:16:26 is the sub-program AI called Wintermute that is part of a larger AI called Neuromancer in the sci-fi classic of the same name. There's a growing area of work around tiny AI, which is packaging models into their smallest form factor to get them closer to the sensor. There's that trade-off of, do we make the AI super small and specific,
Starting point is 00:16:47 or do we keep it a little bit more broad and probably more robust? But then there's the engineering question, where does this live in our overall data pipeline when we're pulling data feeds from the endpoints, from the network level, bringing them together? And then it all needs to end up in a tool that an analyst likes and is comfortable using. You might deploy the smaller AI model or packages as small as you can to analyze files on endpoints to detect whether or not there's malware on a specific endpoint. And then that risk score of, hey, there is a malicious file gets fed up through a data pipeline to a larger model of doing some contextual learning around, hey, was there a network intrusion or was there some type of spear phishing attempt that caused this particular endpoint to go out and get malware?
Starting point is 00:17:31 It's not like we just saw a file that we think is bad. It's like we saw a file that we think is bad. And we also, based on a larger contextual analysis, think this is how the adversary got in, got that file onto the host and caused this action. For the past year or so, the big buzzword in artificial intelligence circles is adversarial AI. In other words, once you have a Neuromancer AI running in your SOC, how can you protect it from adversaries who attack its blind spots?
Starting point is 00:17:59 And then the final piece that we're looking at is obviously a hot button topic that's talked about a lot now, which is adversarial AI, which is in the cases that somebody is attempting to poison or disrupt your AI model, how do you harden your capabilities against those types of attacks? the right way in the right pipeline to the analyst in the right way that you're robust against the more advanced activists. It's not necessarily trying to hack your system, but maybe trying to disrupt your model from detecting it based on something the adversary knows about the model you're using. Make no mistake, we will be using machine learning algorithms even more than we already are in the very near future. We have some hurdles to get over for sure,
Starting point is 00:18:50 but however this goes, it's definitely going to be interesting. That's our own Rick Howard. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your... And I'm pleased to be joined once again by Chris Novak.
Starting point is 00:19:52 He is the Global Director of Verizon's Threat Research Advisory Center. Chris, it's always great to have you back. It is that time of year, what I think is a lot of people's favorite time of year. It's time for the annual Verizon DBIR report. Let's touch base. What are we in for this year? Yeah, so always great to be on the show, Dave. Thanks. So yeah, you're absolutely right. It's that time. We've got some new exciting elements to share about the report. Kind of fresh, hot off the press. One,
Starting point is 00:20:24 I'll say that the data continues to be extraordinarily strong. Every year we're looking to see how we can add more partners, add more geographic coverage. And I'm happy to say that we're seeing exactly that same kind of contributor success again this year.
Starting point is 00:20:39 So we have more countries covered than I think ever before. I think we're up to 88 countries covered. And I guess you can look at that as a positive or negative. We're seeing breaches in more parts of the world. But I think the reality of it is they were happening there already. It's just a question of whether or not we were investigating them. And so now I think we've got a good kind of, you know, the way I put it is a broader aperture on it.
Starting point is 00:21:00 And increased breaches being analyzed. We've seen roughly a 2x increase in the amount of breaches in the data set. And one of the things I always kind of caveat that with is that's not to indicate that breaches have doubled year over year. It's just a matter of the sample size of what we're looking at has doubled. And so generally my takeaway from that is it generally means we can produce better and more detailed findings because we have more that we can really kind of churn through. I think it's fair to say that last year was atypical dealing with the global pandemic and all of that. I mean, how much did that play into the approach to this year's report? Yeah, actually, that's a great point. It did actually
Starting point is 00:21:44 quite a bit. In fact, you know, last year when we were looking at the report, one of the challenges we had was, you know, you know that these typically come out kind of a bit in arrears. So we take the data from the prior year, analyze it, produce a report. So it's kind of a bit of a retrospective a little bit. And the last report came out right as kind of we were walking into kind of the heavy peak of COVID around the world. And so it was kind of interesting because we looked at it at the time and there was not a lot of COVID data in it because COVID was just starting at the time the report was being released. Now we kind of have an entire year of COVID kind of in the report. And, you know, as you probably
Starting point is 00:22:19 would imagine, we're seeing a lot of the things that we were starting to see back then. But, you know, now we actually have metrics on them in terms of the amount of social engineering campaigns that are happening around everything from testing to vaccines to distribution of PPE to return to office scenarios. We're seeing that pretty much wherever there is chaos in the world, that is typically where the hackers like to plant themselves. And they have not disappointed with this as well. They're trying to land themselves right in the middle of a lot of what's going on in COVID as well. Yeah. What were some of the highlights for you? I mean, what are some of the things that stand out in this year's report? Yeah. So I'd say there's some, I always like to kind of give a little bit of a balanced view as much as I can in terms of some positives and some negatives or maybe some areas where things have improved and areas where we could improve more. But when we look at that, we see, you know, some small decreases or improvements, I guess, in things like misconfigurations.
Starting point is 00:23:16 That's gone down a couple of percentage points. And a lot of that, honestly, previously revolved around organizations migrating from, you know, on-prem to cloud-based environments. Historically, they'd have misconfigurations on the way, and things would fall apart after they've landed in some cloud-based environment. Not because cloud is in any way specifically insecure, but that their migration was maybe not necessarily well planned out or thought out. And I think we saw some improvements in that over the course of the last year. We've also seen a decrease in things like misdelivery of information. We've just seen some tighter controls get wrapped around a lot of those things. But areas where I'd say we've seen
Starting point is 00:23:54 kind of an uptick or areas where we probably need to crack down a little bit more still is in the areas of social engineering. We've seen phishing increase yet again by 11 percent, ransomware increased by 6 percent. The variants of ransomware are also continuing to evolve. You know, we're seeing a growth in ransomware variants that also have data exfiltration components to them. So, you know, like we're seeing kind of in a lot of places, it's not now just about can you pay the ransom to get your data back? It's, you know, you pay the ransom and maybe get your data back. If you don't pay the ransom, we publish the data. And that's obviously a whole new other kind of, you know, concern. And we're seeing that continuing to be absolutely on the rise.
Starting point is 00:24:37 Yeah. All right. Well, plenty to see as always every year, as I say, it's one of the reports that everybody in the biz looks forward to checking out. It's the Verizon 2021 DBIR report. Chris Novak, thanks for joining us. Thanks, Dave. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:25:15 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
Starting point is 00:26:06 That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
