CyberWire Daily - Vault 8 and false-flag allegations. Mole hunting. Equifax breach costs. ISIS returns to WordPress defacements. RoK domestic political influence scandal.
Episode Date: November 13, 2017

In today's podcast, we hear how Vault 8 has succeeded Vault 7 among WikiLeaks dumps (but it's still all CIA all the time from Mr. Assange and company). GCHQ expresses concerns about Kaspersky anti-virus products. Media reports suggest that NSA is in the middle of a big mole hunt. Equifax begins to tally up the costs of its breach. The US Intelligence Community reiterates its conclusion that dog bites man, or rather, that Russia wants to work mischief with the United States. ISIS defaces school websites. Bin Laden fils takes up his late father's mantle online. Some notes on South Korea's domestic influence investigations. A look back at the SINET showcase. Rick Howard from Palo Alto Networks discusses "vendor in depth" and "best of breed" strategies. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. We read Recorded Future's free intel daily; you might find it valuable, too. Cylance is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect, the execution of advanced persistent threats and malware. Learn more at cylance.com. Dragos is leading a webinar on November 21st that will help enable industrial control system (#ICS) security teams to defend their environments appropriately. Check it out at thecyberwire.com/dragos. Podcast sponsor 1 - Recorded Future: http://goo.gl/wphZ1z Podcast sponsor 2 - Cylance: https://goo.gl/fHR65L Friday sponsor - Dragos: https://goo.gl/nqR2yq
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Vault 8 succeeds Vault 7 among WikiLeaks dumps,
but it's still all CIA all the time from Mr. Assange and company.
GCHQ expresses concern about Kaspersky antivirus products.
Media reports suggest that NSA is in the middle of a big mole hunt.
Equifax begins to tally up the costs of its breach.
The U.S. intelligence community reiterates its conclusion that dog bites man,
or rather that Russia wants to work mischief with the United States.
ISIS defaces school websites,
some notes on South Korea's domestic influence investigations,
and a look back at the SINET showcase.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, November 13, 2017.
Last week's WikiLeaks dumps from Vault 8 are drawing attention.
They are the successor to the Vault 7 leaks,
on which WikiLeaks has dined out for much of 2017.
Vault 8 is, like Vault 7, concerned with alleged CIA cyber operations,
but with a difference.
The contents of Vault 7 were ancillary materials,
like manuals and
presentations that purported to deal with offensive cyber operations, implants, and so on.
Vault 8 includes the source code associated with the alleged operations.
This represents an escalation of sorts because leaked code can of course be repurposed,
as the exploits released by the Shadow Brokers were.
The Hive code, as it's called, isn't thought to pose an immediate threat to most internet users.
It's thought to be most likely useful as a way of staging infrastructure that could be used in
further attacks. Of greatest interest is the appearance among the leaks of material that
suggests the CIA allegedly used a false flag operation
to disguise its own activities as operations conducted by Kaspersky Lab.
This hasn't served to remove the cloud of suspicion under which Kaspersky finds itself,
certainly not in the US, where there's no sign at all that the government is retreating
from its determination to remove the Moscow-based company's security software from its systems.
And in the UK, GCHQ adds its voice to the other Kaspersky skeptics. The intelligence agency over the weekend deplored Barclays Bank's deployment of Kaspersky antivirus to help secure its customers.
Their reasons are essentially the same as those advanced by the US Departments of Defense and
Homeland Security. Kaspersky's intrusive inspection of files can reveal too much about the systems it's installed to protect.
Barclays says it's decided to remove the Kaspersky offering from its services for commercial reasons
and that it's neither discussed the matter with nor been influenced by GCHQ.
NSA and its partners in counterintelligence continue to struggle through their investigation
of leaks that wound up in the Shadow Brokers' hands. Three people have been taken up by the
investigation, two of whom, Hal Martin and Reality Winner, are awaiting trial. The third individual
was the first one fingered back in 2015 and shortly before the Shadow Brokers began their
damaging publication of alleged NSA documents.
That person has yet to be publicly identified,
but the New York Times at least regards NSA as being in the throes of a full-blown mole hunt.
Those interested in the costs a breach can exact from a company
may wish to take a look at what Equifax reported to its investors late last week.
Third-quarter expenses related to the breach the credit bureau sustained
included $55.5 million in product costs,
$17.1 million incident response and other professional fees,
and $14.9 million in customer support.
The company's managers also reported that they expect additional costs
to reach somewhere between $56 and $110 million in the coming months.
These don't include estimates of losses from class action lawsuits, many of which are pending in several U.S. states.
The U.S. intelligence community reiterates its conclusion, despite denials by President Putin, that Russian agencies indeed
sought to influence U.S. elections. That influence seems largely to have been designed to reduce
trust in American institutions. ISIS shows itself capable of defacing poorly defended school
websites with slogans, but little more. About 800 schools in the U.S., all of whose sites were operated by the SchoolDesk
service, were affected. The defacement included audio in the Arabic language, the
displayed text "I love Islamic State," and, oddly, pictures of the late Iraqi dictator Saddam Hussein.
The skids behind the hack are thought to be a bunch of ISIS-sympathizing hacktivists known as
Team System DZ.
They've been on security researchers' radar since they cut their teeth on defacing poorly protected websites
with pro-Palestinian messages in 2013.
This activity, it's worth noting, predates the formation of ISIS.
The Cryptosphere notes that Team System DZ is basically a one-trick pony.
They hit vulnerable
WordPress sites. Such puerile vandalism has had little evident effect in the past, but it has
come to define the style of jihadist hacking. Atlanta-based SchoolDesk has turned its servers
over to the FBI for inspection and has retained the assistance of security firms in responding
to the incident. A more serious campaign of inspiration appears to be in progress from ISIS rival al-Qaeda,
where Hamza bin Laden takes up his late father Osama's cause,
posting audio files that urge the Ummah's faithful to rebel against tyrants.
Hamza's rhetoric tends toward unlikely insistence.
He credits his father, for example, with bringing
down the Soviet Union, but implausible inspiration has found its audience before.
Last week's SINET showcase in Washington, D.C. brought together its customary array of experts
from government and industry. It also placed the SINET 16 on display, 16 companies selected for
their success not only at innovation, but
at successfully bringing that innovation to market.
Those attending the conference heard a great deal about resilience, by consensus a possible
goal in a way that complete security is not, the central role artificial intelligence plays
in cyber R&D, identity management, policy enforcement, and browser isolation, and the
dangers of regulatory overreach.
They also received some realistic perspective on threat intelligence,
and a warning against taking too seriously the would-be cyber-privateers out there,
those eager to hack back and board the enemy in their own digital smoke.
We have extended coverage of the SINET showcase on our website, thecyberwire.com.
South Korean investigation of alleged political meddling by intelligence services takes a sharper turn,
as a former defense minister is arrested on charges related to domestic cyber operations
alleged to have been undertaken by that country's intelligence services.
And finally, thanks to Top10VPN's Privacy Central, which has named the CyberWire
one of the top 50 best InfoSec blogs. Right back at you.
And joining me once again is Rick Howard.
He's the Chief Security Officer at Palo Alto Networks,
and he also heads up Unit 42, which is their threat intel team.
Rick, welcome back.
Today, you wanted to take aim at a couple of network defender best practices,
vendor in-depth and best of breed.
Why don't we start off by talking about
what are these things? Yeah, these things have been around since I started doing this back in
the early 90s, right? And they kind of emerged as best practice for all network defenders. And
let me just explain what they are. Vendor in-depth is the best practice of, we would never choose a
single vendor to do all of our security technology, because we
don't trust those guys, you know. So if one failed, I would still have my other vendors that were
doing other things. So we would always, our philosophy was to buy as many vendors as we
possibly could.
Don't put all your eggs in one basket.
Exactly. And it made sense back in the 90s,
right? Back then we didn't have that many tools, right? We only had three or four tools. But today, okay, we have, you know, even small organizations have 20 security tools deployed.
Medium-sized have around 60. Big organizations like big banks, they have over 150. And I was
talking to a big bank CISO a couple months ago. He claimed to have 300 security tools deployed in his network.
It's not a contest, right?
Yeah, exactly.
And his big task of the year was to reduce that by half just to get it down to 150.
And we call these things point products for a reason, because they don't talk to each other.
Every new tool that you bring on the network, you have to manage yourself, okay?
And it is my experience
that you pay for a point product four times.
You know, you got to buy the box.
You got to buy someone who can maintain it,
you know, keep the blinky lights going.
You got to have someone who can understand
the data coming off the box.
And then you need a team of people back in the SOC
who can put all the data from all the tools
that you have into
some coherent threat picture. And that gets really expensive really fast with the more tools you have.
So that's vendor in depth. Best of breed is this idea that popped up in the early days that said,
when we buy a single vendor, we're going to find the very best one. And the way that most people
do this is they bring all the vendor tools in for whatever capability you are trying to buy this year.
Let's say you're buying a new intrusion detection system.
So you're going to bring all the vendors' intrusion detection systems into your lab,
hit them over the head with a hammer for six months to find the best thing.
And it's usually based on performance and whatever the latest shiny object is in the security community,
right?
And then if you pick a tool and replace the vendor that you currently have, you're going
to spend the next six months to a year forklifting the old technology out of your network and
forklifting the new technology in, all to get to almost exactly the same spot you were
when you started the project two years ago, right?
This does not improve the situation, and it doesn't help you manage that vendor in-depth
problem we were just talking about. It's just churn. It makes us look like we're busy,
but we're really not getting any better. All right. I'm making the case right now that we
should jettison those two best practices, vendor in-depth and best of breed, and seek a new best
practice. And here's
the one I think we should pursue. Seek vendors who integrate. You need to find a partner, a security,
a vendor that you like that is already integrated with the tools you already have deployed,
okay? Therefore, you don't have to do the work when you actually put them in place.
You're going to have to decide to trust a vendor, okay, that they're going to keep up with
the latest technology. And so choose wisely, but choose ones that already integrate with what you
have in place. I think that's the secret to success as we go forward. So you're saying,
find yourself a platform that can kind of reach out across the various products and have them
talk to each other? Yeah, and that's the key. And this is
really hard for people like me, all right, because we've been trained for 25 years that that's a bad
idea, right? But I'm telling you, I can make the case that a platform that does most of the work
for you and integrates with the tools that it doesn't do, and it does all that automatically,
okay, that's going to be way more secure than you trying to manage, you know, 300 tools in your
network.
But what about the notion of redundancy? I mean, everybody wants to have a backup plan. How
does that fit into this notion?
I think, uh, I don't think we can afford backup plans. If you have 60
tools in your network, all right, that are all doing specific things, are you going to buy another 60
tools to have backups for all those? I just don't think it's possible to do that anymore.
I think the key for securing our enterprise in order for us to prevent material impact to our
organization is to make sure that whatever we deploy is almost automatically running,
right? That in order to do that, it has to integrate seamlessly with all the tools that
are in your environment. All right. That's an interesting point of view, Rick. I have to wrap my head around that one,
but as always... Yeah, I'm not the only one.
Well, thanks for sharing it. We'll talk again soon.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.