Sri Lanka bombing investigation update. Christchurch call. ShadowHammer moves upstream. Carbanak in VirusTotal after all. Spoofing banks. Bots vs. Mueller Report. ASD’s best practices.

Dave Bittner: [00:00:03] Sri Lanka investigates a homegrown jihadist group with possible international connections for the Easter massacres. New Zealand is preparing the Christchurch Call to exclude violent terrorist content from the internet. ShadowHammer moves its supply chain attacks upstream. Carbanak source code seems to have been in VirusTotal for two years. Someone's spoofing financial institutions. Bots surged upon the release of the Mueller report. And ASD offers a counsel of perfection.

Dave Bittner: [00:00:39] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily. And if it helps us, we're confident it will help you, too. Subscribe today, and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:35] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 24, 2019.

Dave Bittner: [00:01:43] The death toll in Sri Lanka's Easter massacres has now risen above 350. The country's intelligence services have identified Moulvi Zahran Hashim as the leader of the coordinated attacks against Christians at worship and foreigners in tourist hotels. Hashim is generally being described as a radical Islamic cleric known for his online sermons calling for the extermination of unbelievers. He's been delivering this message over several years, often using imagery of the burning Twin Towers as a backdrop for his homilies.

Dave Bittner: [00:02:17] ISIS has, of course, claimed responsibility for the murders. And Hashim has over the years spoken with approval of the caliphate and its commitment to jihad. As ISIS enters its diaspora phase, without control of any territory worth mentioning, observers think the jihadist group will increase its online presence. The bombings in Sri Lanka weren't instances of the now sadly familiar pattern of lone wolves being inspired to kill by example and exhortation. Those, indeed, remain a threat. But the Sri Lanka attacks were organized, coordinated and centrally directed. The operational style is closer to that which al-Qaida demonstrated during the 9/11 attacks.

Dave Bittner: [00:02:57] The suspects in the bombing, including all of those arrested, are Sri Lankan citizens, not foreigners. It's believed that some of those involved had returned from abroad, where they had fought for ISIS. That's a relatively small group. Sri Lanka's Muslim minority population hasn't contributed a large contingent to ISIS jihad. Unfortunately, a small contingent is all that's necessary.

Dave Bittner: [00:03:22] Security organizations responded quickly to the attacks, rounding up bomb-making material and taking a large number of people in for questioning. But poor interagency coordination seems to have led them to miss warnings of coming attacks, even when such warnings were issued by national authorities and even went so far as to name the group thought likely to conduct attacks and its probable ringleader. There's always a lot of signal lost in the noise, even when intelligence services have a good idea that something's up. But in this case, the failure to heed the warning seems to have been a more serious matter of poor coordination, and even alleged political infighting, of the bureaucratic, as opposed to the ideological variety. Sri Lanka's president seems to think so. President Sirisena has asked for the resignation of both the defense secretary and national police chief.

Dave Bittner: [00:04:13] Some 60 arrests have been made so far. The attackers have been characterized as well-off and well-educated, with some of them having been educated in the U.K. and Australia. This would fit a long-standing pattern of an educated and relatively prosperous class seeking transcendence through a leadership role in revolutionary violence. But the investigation is still young. And the state of emergency remains in effect.

Dave Bittner: [00:04:39] New Zealand's prime minister, Jacinda Ardern, has issued a Christchurch Call inviting other countries to join in restricting the distribution of extremist content through social media. The text of the Christchurch Call is still being finalized, but in outline, its goal is to eliminate terrorist and violent extremist content online. She acknowledges the difficulty of doing so but thinks the killer who murdered Muslims in their mosque on March 15 did one thing that was unprecedented - he livestreamed the massacre as he was committing it. This is the model of violent extremist content she has in mind. She's enlisted the support of France initially and hopes other countries will join once the Christchurch Call is complete. It will be, the prime minister says, actionable and not aspirational.

Dave Bittner: [00:05:28] Kaspersky Lab has linked the ShadowHammer supply chain attack to the ShadowPad threat actor. The attackers successfully backdoored widely used developer tools. Among the products affected were online games. These are thought to be the same actors who earlier this year targeted Asus and its software update process. But this time, they seem to have moved farther upstream. They are now believed to have meddled with versions of the Microsoft Visual Studio development tool used by various video game companies in developing their wares. The attackers used the corrupted development tool to insert malware into the finished games, backdooring the gamers who purchase and play them.

Dave Bittner: [00:06:06] You'd think if it was up on VirusTotal, someone would notice, right? Well, not so fast. The Carbanak source code has apparently been there for about two years, and everybody overlooked it until FireEye researchers found it. We thought this must mean that VirusTotal is like that big government warehouse at the end of "Raiders of the Lost Ark," where FDR's administration sends the ark to reside in perpetual obscurity with an unimaginable quantity of other precious, dangerous, embarrassing or curious things. But one of our team pointed out that, no, that warehouse was designed to conceal things quietly, not make them available to those who wanted them. He's probably right. So maybe VirusTotal is more like a teenager's bedroom.

Dave Bittner: [00:06:50] There's a popular notion that more and more, we are heading toward a gig economy, with workers moving from job to job rather than taking on a full-time position with a single organization. There are opportunities and challenges associated with this sort of approach for both those doing the work and those doing the hiring. Topcoder is a company that set out to make it easier and more secure for both sides of that equation, offering a platform that connects and manages gig coders and the people who need them. Michael Morris is CEO at Topcoder.

Michael Morris: [00:07:21] You can still go down and do background checks and do contracts and NDAs in the same type of - call it paper-based security models that companies use today. That can still be done. But frankly, it's really kind of as worth as much as the paper that it's written on in many cases because you're subject to whatever the human behavior is of the person on the other side of that. But we still can enforce all of those types of requirements, like the person has to be a resident of this country. They have to have the past work experience that is X or not Y. They have to agree to certain terms and conditions and sign documents. So all of those things can be tracked.

Michael Morris: [00:08:06] But the things that we feel are more important is really getting down to a granular level of tracking security. You know, when I say security, I'm kind of right now combining together not only the security of the code or the deliverables that come back, but also the security of the IP that goes out and the IP that comes in. So you can track security on an extremely granular level.

Michael Morris: [00:08:33] We require that every time an interaction happens, we are tracing back who has access to that data, where is the data being put, how do I ensure that nobody else can download that data, you know, who can see it. When anything comes back into us, we do the same type of transactional-based security checks. So whether it's virus scanning, code reviews, we have a minimum of two people look at each piece of code that comes in manually. So these are actually paid reviewers that will look through code. And, to me, it creates a much more secure and robust way of working versus the traditional model of just assembling teams together and having that ad hoc requirement for security. This is just built into the process.

Michael Morris: [00:09:24] Topcoder uses a rating system as well. So a lot of people will think about the gig economy models as this unknown group of people. And in the Topcoder world, that almost couldn't be farther from the truth. So a lot of what we do is in the form of we run a lot of competitions. So if we're trying to solve something complicated, we have multiple people try to solve it. And we pay the ones that do the best job. You know, not only the best one, but we will also pay different places. We do that on the algorithm side. We do that in the coding side. We do that in the creative design side. So it's a way of working in our environment where you can create this competitive but still collaborative environment for people to work within. So we track everything from somebody's reliability to their performance. We graph it against their peers. We have rating systems. So if you think of, like, what Major League Baseball does for their players, we do that same type of thing for our community. But we track them on their accomplishments. You know, when they compete in something or produce something, all of those scores, all of those reviews, all of that data gets inputted into our platform, and it shows up in their profile.

Michael Morris: [00:10:46] So these are very much known entities that are in this community. And in my opinion, it's - that's the type of thing - again, we kind of think that the paradigm shift, moving to the gig economy, it's a misconception to think that these are unknown entities. Yeah, they may be remote and virtual, but they're very well-known. They're very well represented in terms of what they've done in the past, right? These are known entities. These are people that have a background and have a track record that you can look at and see. You can see the people that are working on your projects.

Dave Bittner: [00:11:25] That's Michael Morris. He is the CEO at Topcoder.

Dave Bittner: [00:11:28] GreyNoise Intelligence, a network traffic mapping shop, has seen an unusual surge in traffic that spoofs major financial institutions. Sure, there's spoofing that goes on all the time, but GreyNoise told CyberScoop that this is really a concentrated wave of spoofing. Why it's being done is unclear, but there's some speculation that an attempt to embarrass security vendors may be in the works.

Dave Bittner: [00:11:55] The U.S. House of Representatives would like Google to explain its Sensorvault location database. Specifically, they'd like Mountain View to tell them why they collect it and what they do with it, who has access to it and why they seem to hang on to it for, essentially, forever.

Dave Bittner: [00:12:11] The bosses behind the hands behind the keyboards behind the bots didn't much like the Mueller report. Bots took to the internet in large numbers after the report was released last Thursday. Security firm SafeGuard Cyber told us in an emailed comment that this is a pattern. The bots and the trolls who go with them tend to remain, as SafeGuard put it, dormant until a particular topic or event aligns with their disinformation campaign. A lot of the bot chatter was Russian, but not all of it. There are, if NBC News is to be believed, also indications that some of the bot masters are in Saudi Arabia. Why their chatter should align with what St. Petersburg is woofing isn't immediately obvious.

Dave Bittner: [00:12:53] And finally, the Australian Signals Directorate says that government agencies don't really have to follow its recommended security controls because those controls, best practices though they may be, might just be too hard to follow. ZDNet sniffs that ASD is showing a can't-do attitude, but it also raises a question worth considering. If a practice is realistically too difficult to be followed, can it be a best practice? Perhaps we need a new category of control - not best practice, but counsel of perfection.

Dave Bittner: [00:13:30] I'd like to take a moment to thank our sponsor, Georgetown University. Georgetown offers a part-time master's in cybersecurity risk management that prepares you to navigate today's complex cyberthreats. Ideal for working professionals, the program features flexible options to earn your degree without interrupting your career. Take classes online, on campus or through a combination of both. You decide. Not ready to commit to a full master's program? Explore accelerated options through Georgetown's cybersecurity certificates, which you can complete in as little as six months. To learn more about these programs, visit scs.georgetown.edu/cyberwire. That's scs.georgetown.edu/cyberwire. And we thank Georgetown University for sponsoring our show.

Dave Bittner: [00:14:29] And I'm pleased to be joined once again by Professor Awais Rashid. He's a professor of cybersecurity at University of Bristol. Awais, it's great to have you back. We wanted to talk today about risk assessments, and specifically evidence-based risk assessments. What do you have to share with us today?

Awais Rashid: [00:14:44] I think the key word here is data, data and data. The challenge usually is that we have a number of risk assessment frameworks that are out there - lots of best practices and guidelines - but we often do not have very good data sources and information sources on which these risk assessments are based. They are, at times, derived from low-level technical measures that don't necessarily relate to the higher-level business objectives of organizations. Or vice versa, they are based on estimates because they're based on expert judgment. And I think the key challenge here is, how do we actually ensure that we are getting the right type of data to inform risk decision-making within organizations, and that there is full traceability of those risk decisions all the way from the data points that we get and their impact on the overall business and effectiveness of the organization?

Dave Bittner: [00:15:38] What about situations where a type of business, for example, could be growing very quickly, changing very quickly and be new? And obviously, this applies to cybersecurity. There may not be that historical data that you can use to make your risk assessment with.

Awais Rashid: [00:15:55] Yes. Historical data is just one type of data. The question is, you know, what is it that you need in terms of your organization at a particular point in time in making decisions? And your example is actually excellent in the sense that you are in a business that are growing. And as you are growing and new people are joining the business, are you simply considering access control mechanisms for those people? But are you also considering that perhaps your HR department is now getting overloaded and they are not able to actually notify in time when people are leaving your organization so that their credentials can be revoked in time, and so on and so forth?

Awais Rashid: [00:16:32] So the key is understanding where an organization is at a particular point in time, understanding what the goals are, what are the challenges that it is facing at a particular point in time, and then seeing what data is relevant in terms of making risk decisions. At the moment, a lot of the risk decisions are made on the basis of estimates and probabilities. And that's a good way of doing things. But we can't keep doing it just simply based on estimates and probabilities. We need to better instrument our systems and organizations to get actual data so that we can make decisions that are based on actual evidence of what's happening within an organization and what kind of risks are actually posed.

Awais Rashid: [00:17:13] This also takes me on to an example that in some of the studies that we have done, we often see that organizations worry about the risks that don't necessarily immediately impact them. And the focus always tends to be on very high-level risks, on very sophisticated attackers who may want to compromise the organization, when, actually, the biggest risk might come from the low-skilled, you know, opportunistic attacker who may just exploit a very simple vulnerability because you're not really considering that those things need to be taken care of.

Awais Rashid: [00:17:44] And I think this is really what I mean - that we need to really understand as to where the risks come from and collect much, much better data. That - in general, there aren't really very good ways, A, to instrument systems at the moment, but also, B, actually then taking that into risk decision-making in an effective way that informs the more senior members of an organization.

Dave Bittner: [00:18:05] Now, how much should you suppose it helps to bring someone in from the outside, someone who has no emotional attachment to any of the internal goings-on within the organization?

Awais Rashid: [00:18:16] Oh, that's a - that's a tricky question.

Dave Bittner: [00:18:18] (Laughter).

Awais Rashid: [00:18:19] It is a tricky question. But if I say, no, it's not a good idea, then, you know, I'm basically telling that nobody should invite any consultant ever into an organization.

Dave Bittner: [00:18:28] Yeah.

Awais Rashid: [00:18:29] Anyways, it is a good idea, then, you know, everybody will invite consultants.

Awais Rashid: [00:18:32] I think that the fact of the matter is that there is a balance. People coming from outside can often see things that you can't internally see within an organization because let's just say you're too close to the situation. And what may seem day-to-day practice or what may be data that you don't think is relevant may be more or less relevant to what you want to do. But that shouldn't be at the expense of what is embedded test knowledge within the organization.

Awais Rashid: [00:18:58] And a lot of work, actually, that we have ourselves and others have done shows that, in fact, so-called day users within an organization, nonsecurity users, often tend to have a lot of contextual knowledge. And if you actually speak to them, they can understand us. They can explain as to where potential risks are arising, but also why do they arise in that particular way because it could be that the way the security systems are designed are not designed to fit in with what they need to do to get their job done, for instance. And that's why they end up, for example, sometimes being bypassed or slightly molded to get what needs to be done.

Awais Rashid: [00:19:34] It has to be a balance as to, you know, bringing an external perspective versus actually leveraging what is perhaps a major source of information - the employees of an organization because they often understand the context really, really well. And they can actually articulate things that an external person may not know.

Dave Bittner: [00:19:52] Professor Awais Rashid, thanks for joining us.

Dave Bittner: [00:19:59] And that's the CyberWire. For links to all of today's stories, check out our CyberWire Daily News Brief at thecyberwire.com.

Dave Bittner: [00:20:06] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:20:17] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.