CyberWire Daily - Warnings of DNSMessenger. Cyber deterrence, and cyber offensive operations. Notes on DDoS. Election surveillance allegations.  

Episode Date: March 6, 2017

In today's podcast, we hear about warnings from Cisco's Talos unit and others concerning DNSMessenger, a dangerous and evasive RAT. DDoS hits Luxembourg government sites and remains a threat to businesses. The US is said to be running a cyber campaign against North Korea's ballistic missile program. The US Defense Science Board releases its report on cyber-deterrence. Rick Howard from Palo Alto Networks explores the history of security orchestration. Mutual recriminations over allegations of election-season campaign surveillance swirl in the US.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Talos and others warn of DNSMessenger, a dangerous and evasive RAT. DDoS hits Luxembourg government sites and remains a threat to businesses. The U.S. is said to be running a cyber campaign against North Korea's ballistic missile program. The U.S. Defense Science Board releases its report on cyber deterrence. Mutual recriminations over allegations of election season campaign surveillance are
Starting point is 00:02:19 swirling in the U.S. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, March 6, 2017. Cisco's Talos Research Unit describes DNSMessenger, an evasive remote-access trojan that avoids detection by pulling malicious PowerShell commands stored in DNS text records. As so often happens, victims were infected by enabling macros in a bad Word document. Such in-memory malware can be difficult to detect and counter once it establishes itself. Enterprises are being urged to look to their DNS defenses.
Starting point is 00:03:00 The Asia-Pacific Network Information Center's chief scientist calls failure to secure DNS pathetic and savage ignorance. Government services in Luxembourg sustained a protracted distributed denial-of-service attack last week. The actors and any motives remain unknown. Before this incident, DDoS attacks against the country have largely affected financial trading platforms. Luxembourg is a more significant economic player than its 999 square miles might lead one to imagine, if one tended to overvalue physical size, an error that can be too easy to fall for in other cases as well. Consider Singapore, for example, which comes in at just shy of 278 square miles, but also disposes of considerable technical sophistication. The city-state is upgrading
Starting point is 00:03:52 its already capable cyber defenses as it becomes a target in regional cyber espionage campaigns. DDoS has become effectively a commodity form of attack, as resistant to suppression as any other endemic form of crime. The stresser services, for example, taken down with Hack Forums late last year, are back and being actively traded on the black market. Many businesses are convinced that their rivals are behind denial of service attacks on their networks, according to a survey published by Kaspersky Labs. Business rivalry, indeed, in the surprisingly cutthroat world of Minecraft services may have been the motive behind the earlier forms of the Mirai IoT botnet. In the U.S., an ongoing cyber offensive designed to impede North Korean missile development is revealed.
Starting point is 00:04:40 Ordered by President Obama, it seems likely to continue under President Trump. The campaign aimed at what the New York Times described as cyber and electronic strikes against North Korea's missile program in hopes of sabotaging test launches in their opening seconds. There have certainly been test failures as well as successes in North Korea's recent program. How many of the failures can be attributed to American interference is unclear. The Defense Science Board's Task Force on Cyber Deterrence has publicly released its final report. The report offers a standard definition of deterrence and notes the hesitant and incremental way in which U.S. deterrence has so far evolved. Part of the difficulty in developing
Starting point is 00:05:23 an effective deterrent lies in different adversaries' very different sensibilities and susceptibilities. Major powers, minor powers, and non-state actors make distinctive risk calculations, so no single form of retaliation is likely to dissuade all possible threat actors. The principles the task force argues should inform cyber policy are familiar from other earlier forms of deterrence, a mix of denial, that is, defenses that would reduce vulnerabilities and dissuade attacks by convincing adversaries of their futility, and cost imposition, the credible, assured prospect of retaliation that would impose unacceptable costs on an attacker. The task force discounts cyber arms control as not viable in the real world, although
Starting point is 00:06:08 it does see some utility in what it characterizes as rules of the road in cyberspace. In this respect, cyber weapons are more difficult to contain than nuclear weapons. They're relatively easy to acquire, they don't take a large industrial plant to develop or produce, and they are also easy to deliver. Among the more interesting recommendations in the report are its fairly hawkish calls for more work on credible cyber offensive capabilities, with the clear understanding that such capabilities should be pushed into U.S. combatant commands and not necessarily held at a national level. The task force recommends that priority be given to hardening strategic strike capabilities. The report envisions an extensive technology scouting program
Starting point is 00:06:52 to find new, more capable ways of achieving cyber resilience, and it also advocates establishing technology accelerators to prompt development among such lines. Another key recommendation is easy to state but hard to implement. Develop effective, reliable means of attribution. The task force sees three areas in which work could improve attribution. First, improving identification and authentication of the users of our systems. Next, sharing situational awareness between adjacent systems. And finally, conducting behavioral analysis, tying actions to actors,
Starting point is 00:07:28 rather than just depending upon transaction analysis, looking principally at tripwire events. These, at least, suggest the lines along which future development might proceed. A great deal of that work remains to be done. Over the weekend, U.S. President Trump said that his predecessor engaged in surveillance of the Trump presidential campaign. The former president's spokespeople retort that any surveillance would have been pursuant to FISA warrants. So there's a great deal of mutual hollering about a second Watergate, with the two sides disagreeing over who exactly was the Nixon figure this time around. The president's partisans
Starting point is 00:08:05 argue that the surveillance was either entirely illegal or, at best, an illegitimate exploitation of the FISA process for a political end. The former president's partisans retort, essentially, that no one could actually abuse FISA, and that if there was surveillance, then there was lots of smoke that convinced the judges that there was probable cause of some espionage fire. Despite the predictable degree to which minds appear to be made up, this story is, as they say, developing. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:08:57 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
Starting point is 00:09:34 automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. We'll be right back. January 24, only on Disney+. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Rick Howard. He's the Chief Security Officer at Palo Alto Networks, where he also heads up Unit 42. That's their threat intelligence team. Rick, you and I have talked about orchestration before, security orchestration,
Starting point is 00:11:40 but you wanted to take a little time today to give us a little background, a little idea of how we got to where we are today. Sure, I'd love to do that. As you know, automatic orchestration is this idea with all the security tools that we have deployed in our environments. How can we automate the process of converting newly discovered indicators of compromise into new prevention and detection controls across all the tools? Especially since most of us use a different vendor for each of those tools. And you know what? Security vendors don't like to talk to each other. So in order to understand how we got to this problem, it's useful to go back in history a little bit.
Starting point is 00:12:16 And when I started doing this back in the 1990s, the prevailing security philosophy was something called defense in depth. You've heard of this. Deploying multiple defensive controls in front of the adversary in an effort to stop the adversary's advance. Now, the military has been using this idea forever, and some say since the time of the Romans. The nuclear facility architects have been using that same idea to build their structure since the 1960s. I was curious about who came up with the term for using it in cybersecurity space. So I looked around, looked around, couldn't find the
Starting point is 00:12:52 source. So I put the question out on social media and said, anybody know who came up with the idea of defense in depth for network defenders? All the military people came out of the woodworks and said they had captured that phrase in their doctrine in the early 2000s. But I knew that was too late. So I kept looking. I finally found a paper written in 1991 by a malware researcher named Fred Cohen. Now, in this paper, he didn't say that he invented the idea. He just said that network defenders should be using the concept. So it didn't really prove that he was the originator, but I couldn't find anything else. So I got fed up and I called him.
Starting point is 00:13:29 I said, hey, Fred, are you the guy that invented, you know, network defense or defense in depth for us? And he said, no, no, no. He said, who is this and how did you get my number? Have a stalker. He said, no, he wasn't the guy that invented it, but he was probably the guy that first wrote it down in a paper. So there you go. I'm giving him credit. Fred Cohen is the guy that invented defense in depth. All right, so, um, I'm sure he'll be amazed that I've done that for him. So defense in depth was great in the 1990s, but, you know, as the adversary matured, it started
Starting point is 00:14:03 to not work so well. The bad guys regularly found ways to sneak through the seams. And so, but it was the only philosophy we all had. So we all still used it. That changed back in 2010. You know, Lockheed Martin published their now famous kill chain paper. And that really disrupted the entire industry. And I always assumed that kill chain came from the Lockheed Martin guys, but I found out that that is not true. They are not the ones that originated the phrase. It comes from a guy, Air Force General by the name of John Jumper.
Starting point is 00:14:36 And the reason he came up with the phrase was, do you remember back in the Gulf War what we were all worried about? The first Gulf War now. It was the Iraqi Scud missiles. Right. Right? Saddam Hussein was launching these things into civilian populations. And the Air Force, the U.S. Air Force and the U.S. Navy had a really difficult time finding them and destroying them before Saddam Hussein could launch them.
Starting point is 00:14:58 So after the war, General Jumper was given the task to fix this problem. So he told his staff on the Air Force that we need to be much quicker at finding targets on the battlefield and destroying them. He told his staff that he needed to, get this, reduce the kill chain from weeks down to minutes. All right. So he's the guy. So when Lockheed Martin wrote their paper, they took the idea from the Air Force and tried to apply it to cyberspace. So, like I said, the paper revolutionized the industry. In the old defense in depth days, people like me, network defenders, you know, we managed, you know, three to four tools. But in the post-Kill Chain Paper days, small organizations, I mean small businesses, right, typically have 10 to 15 tools deployed. Medium-sized organizations have 50 to 60 tools.
Starting point is 00:15:48 And large organizations, you know, like the Goldman Sachs of the world, they have over 150. And, oh, by the way, nobody's InfoSec staffs increased. The staffs are the same size. So the result is that most organizations do not have time to correctly manage all the tools that they have. And the network defenders have started to demand from their vendors that we manage the orchestration for them. So the whole point of this is the reason we need orchestration is because we're trying to fix the problem we caused ourselves when we all said that the kill chain was the right philosophy to adopt. All right. All that and a little history professor thrown in there,
Starting point is 00:16:25 huh, Rick? Thank you, sir. All right. Thanks for joining us as always. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And that's the Cyber Wire.
Starting point is 00:17:21 We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
