RASPITE noses around the US power grid. Cisco will buy Duo Security. Sandworm afflicts lab investigating Novichok attack. Influence ops can be no-lose proposition.Crytpojacking and malspam.

Dave Bittner: [00:00:03] Cisco plans to buy Duo Security. Dragos warns of the RASPITE adversary actor. Russia's Sandworm group is phishing people connected with a Swiss chemical forensics lab. How influence operations can be a no-lose proposition. A cryptojacking campaign is discovered and stopped. Malspam is using GIFs to carry a keylogger payload. And Facebook CSO Alex Stamos has fixed a date for his departure for Stanford.

Dave Bittner: [00:00:37] Now I'd like to share some words about our sponsor, Cylance. AI stands for artificial intelligence, of course. But nowadays, it also means all image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms. And, like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out their report "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at The CyberWire, and we thank Cylance for sponsoring our show. Major funding for The CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:38] From The CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 2, 2018.

Dave Bittner: [00:01:47] Some major industry news broke overnight. Cisco has announced its intention to acquire Duo Security for $2.35 billion in cash. Cisco believes that Duo's adaptive authentication will be a good fit.

Dave Bittner: [00:02:03] Dragos this morning reported that threat actor RASPITE, which Symantec has tracked as Leafminer in the Middle East, is operating against targets in Europe, East Asia and North America. Operations against electrical utilities seem focused on the U.S. For now, it seems that RASPITE, in Dragos' estimation, is capable of probes only and not of disruptive or destructive attacks on industrial control systems. As usual, Dragos won't go farther in attribution to a nation-state, but Symantec, in its account of Leafminer, noted circumstantial evidence pointing to Iran.

Dave Bittner: [00:02:41] The Sandworm group, a less famous but still familiar relative of Cozy Bear and Fancy Bear, is working against the Spiez Laboratory in Switzerland. Spiez is the chemical agent analysis facility that's performing forensic work on the Novichok attack against a former GRU officer who'd spied for the British, Sergei Skripal, and his daughter in the U.K. A few first responders were also infected in that initial attack. The attack has since claimed two additional victims, including one who lost her life through what appear to be residual samples of Novichok agent staged in England and probably simply abandoned.

Dave Bittner: [00:03:20] The incident has prompted considerable international dispute. Russia has denied involvement in the chemical attack, but few believe this. Moscow's claims have been fairly opportunistic and far-ranging, but the basic line from the Kremlin is that the attacks were a put-up job by British and American intelligence services, probably abetted by someone like Czech intelligence. It's all aimed at framing Russia and sullying her good name, says they. As we've noted, few are convinced by this, but such is the information ops narrative being peddled.

Dave Bittner: [00:03:55] The forensic investigation at Spiez is in service of an international inquiry into the incident. Sandworm used phishing emails spoofed to appear to come from Spiez laboratory accounts. The emails carried maliciously crafted Word documents. Swiss authorities are investigating. Many of the bogus emails went to people who plan to attend an international conference on chemical and biological weapons near Bern this autumn. The lab itself seems to have deflected the attack and warned the conference attendees. Sandworm is the same outfit believed to have used phishing against the Ukrainian power grid.

Dave Bittner: [00:04:33] IBM recently published the results of their 2018 Cost of a Data Breach Study. Wendi Whitmore is the director of IBM's X-Force threat intelligence team. She shares the results.

Wendi Whitmore: [00:04:44] First and foremost is the average cost of the data breach, which this year averaged at 3.86 million. That's a global cost. So when we look at that, that's a wide variety of countries throughout the world that are included in that. That is a slight change over the numbers from last year.

Wendi Whitmore: [00:05:02] One of the things I think we also see that's interesting is that different regions throughout the world continue to have much higher costs. So in places like the United States, the average cost is over 7.8 million, so it's nearly double, you know, the cost of the global average. And then in the Middle East, we see costs averaging about 5.3 million - so again, much more significant than the global cost. Also, one of the new things that we did this year, which was very interesting and hasn't been done before, not only in this study, but in others, was the focus on analysis of megabreaches. So in particular, with that, we're focused on breaches that are an exposure of over 1 million records. And the cost of those and the difference between those and a smaller-scale breach would be - say, for example, under 100,000 records - is staggering, where the average on the megabreaches is between 40 million and 350 million in cost to respond.

Dave Bittner: [00:06:00] So it's not necessarily a linear scale there. As the size of the breach goes up, the costs go up quite a bit.

Wendi Whitmore: [00:06:08] That's correct, yeah. It's a bit more on the exponential scale, I would say. You know, I think one of the biggest factors we see there is when you have these megabreaches, you also have, typically, a much longer time exposure where an attacker - and, for a megabreach, we're typically talking about, you know, a determined attacker who's got a strategic objective to either obtain, you know, data and records from an environment, or to at least obtain intellectual property. And when we see that, that time then increases.

Wendi Whitmore: [00:06:40] And so, on average, we see almost one year - so nearly 365 days - that it takes an organization to detect a megabreach and to respond to it, which includes getting the attackers out of their environment. And that's nearly a hundred days longer than it takes for some of these smaller-scale breaches - so pretty fascinating statistics, I think, there in terms of just the length of time that a determined attacker can be within an environment.

Dave Bittner: [00:07:07] Now, you all discovered also some interesting impacts that affect the average cost of a data breach. Can you take us through some of those?

Wendi Whitmore: [00:07:15] Absolutely. So there's a number of direct costs, which I think organizations think of, which are things like, how much is it going to cost to hire a response firm, for example, or to conduct the investigation? But there's a tremendous amount of indirect costs, which I think get a little bit less airtime - you know, the kind of public sector and the discussion around breaches. And so those are things like, how much are we spending to notify either customers or clients or work with regulators? How much is the cost of lost business for, you know, reputational loss as an outcome of the breach? How much are we spending for our employees who, during the response - you know, that are focused on responding and not actually doing their day job? So there's a tremendous amount of cost there.

Wendi Whitmore: [00:07:58] We continue to see, though, year over year, that the No. 1 factor in cost reduction is having access to an incident response team. And, you know, what that means is it could be an internal team. It could also be an external team that an organization works with. But, ideally, if that organization and that team has visibility into the environment, they can do things like detect an attack faster, limit the impact. And when we get into a win of breach response, it really is about limiting the impact, right? It's about limiting the amount of time an attacker's in because that has a direct correlation to the cost to the organization. And it's really not about preventing the breach from ever occurring. That's generally an unrealistic goal. But it's more focused on, how do we detect quickly an attacker's actions, and how do we limit the impact of that within our environment?

Dave Bittner: [00:08:50] That's Wendi Whitmore from IBM.

Dave Bittner: [00:08:54] As analysts continue to work through the implications of Facebook's recent takedown of inauthentic accounts, one thing seems clear - for the attackers, it's no-can-lose proposition. If they go undetected and succeed in inciting direct animosity, confrontation and even violence, that's a win. If they're discovered and exposed, that's a win, too, because they've undermined people's trust in online conversations, news, institutions and so on.

Dave Bittner: [00:09:22] Graham Brookie, director and managing editor at the Atlantic Council's digital forensics research lab, put it this way to Motherboard. Quote, "if they're not caught, it leads to action in the real world - in this case, a counterprotest that might lead to violence, based on what we saw last year in Charlottesville. If they're exposed, they've already undermined trust in the conversation we're having right now. So in both those scenarios, they win," end quote.

Dave Bittner: [00:09:51] A recent cryptojacking campaign swirled around GitHub. Researchers at security firm Sucuri say that the criminals aren't abusing GitHub itself, but rather the unofficial related service RawGit, which caches GitHub files indefinitely. Sucuri also notes that the problem is solved. RawGit's security team, they say, was very quick to respond and fix the problem.

Dave Bittner: [00:10:16] The SANS Institute has a description of a DHL-themed malspam campaign that's using malicious GIFs to spread the Agent Tesla keylogger. Beware of emails bearing GIFs.

Dave Bittner: [00:10:30] Facebook's CSO, Alex Stamos, has set a date for his departure from the company in a move planned for several months. Facebook has no plans to replace him. Stamos' last day at Facebook will be August 17. He has accepted a teaching and research position at Stanford University. Stamos and Facebook part with mutual expressions of esteem, goodwill and expressions of intentions to continue to work together.

Dave Bittner: [00:11:02] And now a word from our sponsor, ObserveIT. What in the world could old '80s technology have in common with insider threat management? Well, visit the ObserveIT booth at Black Hat in Vegas to find out. They're going back to the '80s to reminisce about throwback technology and show you how to take a 21st-century approach to your insider threat management strategy. Your Nintendo, floppy disks and OG Macintosh computer will all be there next to your dusty DLP solution to remind you why #ThrowbackThursday technology should stay in the past. It's time to go back to the future with ObserveIT for a more complete and modern approach to data loss prevention. Gain visibility and insights into user and file activity instead of simply locking data down with cumbersome tags, limitations and rules. And before you head out, take ObserveIT's quiz on which '80s pop culture icon best represents your insider threat management strategy. Whether you're Han Solo, "Tron" or Egon from "Ghostbusters," you're a pretty righteous dude. Visit observeit.com/cyberwire and take that quiz today. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:12:23] And joining me once again is Robert M. Lee. He's the CEO at Dragos. Robert, welcome back. You wanted to touch today on how people categorize threat actors versus APTs, things like that. You had some good points you wanted to make.

Robert M Lee: [00:12:38] Yeah, absolutely. And so when we as a community want to analyze out intrusions of adversaries and collect it into some sort of clustering of data, we try to assign a value to it. And historically, a lot of the way that's been done is on threat actors. You know, we come up with various names. We have - FireEye's done good in this field with like, APT28, APT29, CrowdStrike with their Cozy Bear and Fancy Bear and - you know, name your vendor; they've been tracking threat actors for a very long time.

Robert M Lee: [00:13:07] And it's an interesting concept and I think one that we have to question sometimes, too, on what are we trying to get out of these groups? And are our naming conventions and our clustering of intrusion data useful to the challenge that we have? And what I mean by that is, if we're trying to track this group, if we're trying to track that team and see all the different operations they do and have sort of this strategic insight into who, then threat actors are perfect. It's a great collection of data to say, you know what? Over the last 10 years, their tools, their tradecraft, everything has changed; we've still been tracking that team, and that team has been active the last 10 years doing these things.

Robert M Lee: [00:13:47] But the challenge in that is one of defense. It's a great thing for attribution, but it's very challenging, actually, for defense because if I told a defender, I want you to defend against, you know, Fancy Bear, you would have to ask me a lot of follow-on questions because Fancy Bear has been tracked very well for, you know, five years at least. So you would have to ask, well, what do you mean by Fancy Bear? Do I mean Fancy Bear of 2013? Do I mean 2015, when their tools changed? Their tradecraft and their infrastructure and their capabilities changed against banking victims. It was different than it was against political victims. What do you want me to focus on to defend?

Robert M Lee: [00:14:30] And so it's not necessarily the best. I mean, it's a good tool to have, but it's not necessarily the best for actually doing defense. And instead, it would offer up - there's an alternative way. It's called activity groups. For those of - anybody that sort of remembers the "Diamond Model" paper, it's highlighted in there. And one of my analysts, Joe Slowik, did a really good couple of presentations on it recently and talked about clustering data based off of how the activity was done. So here is the victimology of it. This is relevant to banks. Here's the infrastructure choices they have, and here's the capability or tradecraft choices they have. And I think the natural question is, well, what if it changes? You know, how do we track it? And that's actually great. When it changes, it's no longer that activity group because that activity group is bound to that victimology, that infrastructure or to that capability and tradecraft aspect. But that's exactly what makes it useful for the vendors - is when I tell you, defend against, you know, DYMALLOY as the activity group, you know exactly what that means at any point in time.

Dave Bittner: [00:15:35] I suppose it could be a communications issue because I think there's a natural human tendency to want to know, who did this to me? And I could see that coming down from the boardroom in particular. I could see it being a hard case to make that who did it doesn't matter, it's what they did.

Robert M Lee: [00:15:51] Absolutely. I think there are people out there and there are organizations out there that have intelligence requirements for who. And they really need to get that attribution, and that's fine. And, I mean, I think, again, if we look at specifically the, you know, weird period we had with the election - sort of discussion of the different adversaries trying to influence the election, the who was pretty important. And being able to track those groups over those - almost decade of time was extremely important to that national understanding.

Robert M Lee: [00:16:20] But yeah, I think it's - I think we overvalue attribution, for sure. While there are some intelligence requirements to be able to support it, there are far fewer than folks try to position. And your defender, who's going in the network and trying to actually defend against an adversary, it doesn't really matter the who. It matters the how.

Robert M Lee: [00:16:38] And you're right. We as people, we as humans, we have this desire to know who and to think that that's going to be useful for us. And it is most certainly one of the first questions that executives ask. But I think we can train them and influence them to be a little bit better and ask a little bit better questions.

Dave Bittner: [00:16:55] Robert M. Lee, thanks for joining us.

Dave Bittner: [00:17:01] And that's The CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.

Dave Bittner: [00:17:09] Thanks to all of our sponsors for making The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at The CyberWire.

Dave Bittner: [00:17:27] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:17:36] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.