The CyberWire Daily Podcast 9.6.19
Ep 922 | 9.6.19

China hacks to track. Turning the enemy’s weapons against them? Notes from the Billington CyberSecurity Summit. Anti-trust investigations for Facebook and, probably, Google.

Transcript

Dave Bittner: [00:00:03] Chinese intelligence and security services have been busy in cyberspace. A third-party customer leaks data it received from Monster.com. There's a Joker in the Play Store. Some notes from the Billington CyberSecurity Summit - a military look at cyber ops, what CISA's up to, and some advice from the NCSC. Can CISOs learn a thing or two from VCs? Anti-trust investigations are on the way for Facebook, and it seems likely that Google could be next. 

Dave Bittner: [00:00:36]  And now a word from our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial and observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. 

Dave Bittner: [00:01:26]  Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com. 

Dave Bittner: [00:01:53]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 6, 2019. 

Dave Bittner: [00:02:02]  More reports have emerged on China's extensive work to track and monitor its predominantly Muslim Uyghur minority. State security services, Reuters says, have compromised telecommunications networks in several Asian countries with a view to keeping track of the activities of Uyghur travelers. The affected networks have been found in, at least, Turkey, Kazakhstan, India, Thailand and Malaysia. 

Dave Bittner: [00:02:26]  Other notes on Chinese activity focus on what appears to be a systematic effort to turn leaked Equation Group tools to Beijing's operational advantage. A CheckPoint study of China's Buckeye group, also known as APT3 or UPS team, has followed up earlier work by Symantec and taken a look at Buckeye's Bemstour tool. CheckPoint concludes, with appropriate reservations about the inevitable uncertainty of such assessments, that Bemstour has adapted the Equation Group's EternalRomance exploit to its own purposes. As the researchers put it in their conclusion, quote, "attack artifacts of a rival - i.e. Equation Group - were used as the basis and inspiration for establishing in-house offensive capabilities." 

Dave Bittner: [00:03:13]  The job search service Monster.com has been affected by a data breach at an unnamed third-party, a recruiting firm that's a Monster customer. TechCrunch notes that Monster did not notify affected individuals of the breach because, in their view, the data, once sold, becomes the responsibility of that third-party, and Monster says it did notify the errant customer that they had a problem. TechCrunch also observed that there is no particular unanimity on the topic of whom to notify. Other companies faced with similar third-party data exposure have taken it upon themselves to notify affected individuals. Others, like Monster, see a line to be drawn here and argue that at some point, the data you buy becomes your responsibility. 

Dave Bittner: [00:04:00]  A researcher with CSIS Security Group describes Joker Android spyware. Computing reports that Joker has been found in 24 Play Store apps. 

Dave Bittner: [00:04:11]  The 10th annual Billington CyberSecurity summit concluded yesterday in Washington, D.C. We've got some notes on three of Thursday's keynotes. Major General Dennis Crall, U.S. Marine Corps, presently serving as deputy principal cyber advisor and senior military advisor for cyber policy in the Department of Defense, framed military cyber policy thusly - this is all about outcomes. 

Dave Bittner: [00:04:35]  He offered three salient considerations for U.S. military cyber policy. First, lethality. This has three aspects - getting the right authorities, and these need to be not only the right ones to authorize sound operations, but they also need to be deep enough to enable forethought and anticipation. Processes, which need to be repeatable and to enable operators to use the authorities they've been given. In the context of process, General Crall quoted fellow Marine and former Secretary of Defense General Mattis who said, quote, "when good people meet bad process, bad process wins," end quote. And finally, of course, capabilities - a trained force with tools necessary to accomplish a mission. 

Dave Bittner: [00:05:20]  We should note that General Crall didn't discuss actual lethality. His usage seemed more metaphorical than literal. It would, our reporters thought, be a mistake to have heard him advocating a general shift of cyber activity toward killing. Effectiveness might be a useful gloss on what he called lethality. Second, partnerships. Such partnerships, General Crall said, are both domestic, where partners often have authorities the military lacks, and international, where allies cooperate to share information within a framework that affords a common level of protection. Finally, reform. At bottom, General Crall saw this as a commitment to keeping faith and trust by applying scarce resources in the most effective and affordable ways possible. 

Dave Bittner: [00:06:07]  The conference also heard from Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency in the U.S. Department of Homeland Security. He discussed the vision of his agency, which is familiarly known by its acronym CISA. Krebs said CISA is best thought of as the nation's risk advisor. 

Dave Bittner: [00:06:25]  He explained the agency has five principles of execution. First, operate with the statutory authority to lead critical infrastructure protection in a collaborative fashion. Second and third, CISA is committed to remaining results-driven and risk-focused. Fourth, the agency is determined to work consistently within the framework of constitutional rights and national values. And finally, CISA intends to execute and engage as one agency in one fight as one team. What this means in the short-term is that the youngest agency in DHS will face its defining challenge next year during the 2020 election season. Krebs concluded, quote, "in 2020, we're going to lead. We're not going to let the Russians or the Chinese in," end quote. 

Dave Bittner: [00:07:13]  And the final keynote speaker was Ciaran Martin, CEO of the U.K.'s National Cybersecurity Centre. He began with a description of the realities of the environment in which we live. We find ourselves, Martin argued, defending open digital societies. Prosperity is a social concern, and critical infrastructure presents a serious national risk. Cybersecurity is, at its core, about defending a way of life. We face a formidable set of adversaries. Russia is a determined aggressive disruptive opponent. Our commercial environment today is one in which our businesses are under routine, continuous Chinese assault. North Korea and Iran are active and hostile. Transnational cybercrime has become, cumulatively, a grave threat to the digital economy. And state actions have come to have serious collateral effects quite apart from the effects they're designed to have on their intended targets. Both WannaCry and NotPetya illustrate this. And it's worth noting that none of the four state bad actors or the many criminal gangs have any particular stake in an open, reliably useful internet. 

Dave Bittner: [00:08:19]  Operating in this world has led Martin to three conclusions. First, government matters. The internet is a public good, but well-intentioned calls for a public-private partnership have proven, he argued, a recipe for inaction. Instead, governments should take responsibility for detection, resilience and making technology safer. That third responsibility he emphasized. It's too easy, Martin said, to succumb to what he called producer capture, the sort of Hobson's choice of security design big companies, in his view, too often offer their customers. Second, we must, quote, "think carefully about our own footprints," end quote. Cyberspace may be an operational domain, but fundamentally, it's a peaceful domain. And we must act in cyberspace with this in mind. Finally, governments need to look to the future, and that means looking for effective deterrence. 

Dave Bittner: [00:09:13]  And finally, it seems that antitrust investigators are circling closer to big tech. The Wall Street Journal reported this morning that state attorneys general are opening anti-trust investigations of Facebook. New York's attorney general is leading the effort, to be joined by Colorado, Florida, Iowa, Nebraska, North Carolina, Ohio, Tennessee and the District of Columbia. On Monday, it's expected, the Journal says, that Texas will announce that it and some three dozen other states are opening an investigation of Google. The inquiries seem to be about as bipartisan as such things can be nowadays. As an indication of public sentiment, they suggest that big tech is about where big steel and big oil were about 100 years ago. 

Dave Bittner: [00:10:01]  And now a word from our sponsor, KnowBe4. Today's phishing attacks have evolved way beyond spray-and-pray emails that mass target victims. Instead, the bad guys have carefully researched your organization in order to set the perfect trap, and pretexting is the key. Whether it's a phone call from an attacker impersonating your IT department or what seems like an innocuous email that ends up harvesting important credentials, the perfect pretext can lead to the bad guys owning your network before you know it. Join KnowBe4 for an exclusive webinar where Kevin Mitnick, the world's most famous hacker and KnowBe4's chief hacking officer, will show you how the bad guys craft such cunning attacks. He'll dig into tactics for reconnaissance, target selection, creating a pretext and launching an attack. And more importantly, he'll tell you what you need to know to protect your organization. Kevin will also share new demonstrations that will blow your mind. Go to knowbe4.com/pretext to register for this exclusive webinar. That's knowbe4.com/pretext. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:11:21]  And I'm pleased to be joined once again by Malek Ben Salem. She's the senior R&D manager for security at Accenture Labs. It's always great to have you back. You and I have been talking about the trip you recently made to RightsCon, and one of the topics of discussion there was how to deal with disinformation campaigns online. What can you share with us? 

Malek Ben: [00:11:41]  Yeah, so one of the interesting conversations in that conference was about, you know, freedom of expression on the internet versus censorship. The voices that are asking now for more control and more moderation of what gets published on the internet, in particular after all the disinformation campaigns that we've seen throughout election cycles - for instance, that video of Nancy Pelosi a few months ago. So the question is, how can we fight disinformation, whether there are any viable approaches, techniques, and can we do it without censorship - right? - without turning into - while keeping the internet the way we know it as a platform for free expression. 

Dave Bittner: [00:12:26]  So what were some of the ideas tossed around? 

Malek Ben: [00:12:29]  It seems that there is a consensus that we definitely need to develop standards of internet transparency and integrity. We also need to limit space for impersonators. Existing platforms, anybody can create an unlimited number of accounts in an anonymous manner. The question is, do we need to have more checks to check that the people creating accounts are really, you know, physical people as opposed to bots - right? - that can start building or propagating information without them representing people in the real world. So they don't reflect the public opinion in the real world. 

Dave Bittner: [00:13:14]  Right, but then I suppose there's a - there are legitimate needs for anonymity online as well. 

Malek Ben: [00:13:19]  Absolutely, yeah, and that's really one of the advantages of the internet that gets also, I guess, reflected by the development of platforms like blockchain and Ethereum where you see platforms being created that are decentralized, distributed and people can join anonymously. That reflects the need for anonymity. It's still a tradeoff. I don't think anybody would say that we need to completely remove the ability for people to interact in an anonymous manner but limiting the space for impersonators is what's needed - limiting that space meaning checking for bots that really have more harmful impact. 

Dave Bittner: [00:14:03]  Yeah. I mean, what a challenge to try to have, you know, community standards when you have truly a global community. 

Malek Ben: [00:14:10]  Especially as we see also that the impersonation techniques are changing and are evolving, right? Now you see these bots infiltrating authentic social groups, right? So it's not like, you know, one bot that's broadcasting the wrong information on their own, but they're really infiltrating the more closed groups and domestic social media dialogue. How do you detect that? It's not straightforward, but I think we need to do more research and come up with some ways of, again, not completely limiting this but perhaps limiting the space for these impersonators. 

Dave Bittner: [00:14:48]  You know, it strikes me, too, that there's - one of the things that, by automating - the ability to automate these things - that that enables an asymmetry that I don't know that we had to deal with before, that the scale and velocity at which folks who are out there to spread misinformation and so forth can do so. It's a different ballgame than it used to be. 

Malek Ben: [00:15:09]  Absolutely. The automation of the fast propagation of this misinformation is at an unprecedented scale, but also, the automation of generating misinformation - automatically generating deepfakes, right? We've never seen that before - automatically generating videos that mimic a real person but look really like a real person and that are hard to detect in real time. That's an absolutely new challenge, and it will continue to grow as we make use of, you know, GANs, general adversarial networks, to perform - or to build these deepfakes. So it's a challenge that will continue to grow, and we need to work with the social media companies to come up with some common standards where we can identify these deepfakes and synthetic data. 

Dave Bittner: [00:16:03]  Interesting stuff for sure - Malek Ben Salem, thanks for joining us. 

Malek Ben: [00:16:07]  Thank you, Dave 

Dave Bittner: [00:16:12]  And now a few words from our sponsor, Dragos, the leaders in industrial cybersecurity technology. Threats to industrial organizations are proliferating as Dragos recently identified the most dangerous threat to ICS. Xenotime, the activity group behind TRISIS, has expanded its targeting beyond oil and gas, illustrating a trend that will likely continue for other ICS-targeting adversaries. Learn more about the eight public threat activity groups Dragos tracks at dragos.com/adversaries and how taking an intelligence-driven approach to ICS security is the most comprehensive defensive strategy to combat industrial adversaries. To register for a free 30-day trial of Dragos' ICS threat intelligence, visit dragos.com/worldview. And we thank Dragos for sponsoring our show. 

Dave Bittner: [00:17:11]  My guest today is Doug Grindstaff. He's the senior vice president of cybersecurity solutions for the CMMI Institute, an organization that was originally established by the Department of Defense to assess organizational capability around software development. My conversation with Doug Grindstaff centers on his notion that CISOs would do well to adopt some of the techniques commonly associated with VCs. He thinks they've got a lot in common. 

Doug Grindstaff: [00:17:39]  It is very similar to what VCs face in that it is a very fast-paced and dynamic environment. It is an environment in which there are multiple threats and the risks are very high, and so being able to understand those risks, develop a methodology to de-risk those threats and to focus the organization on very specific outcomes, I think, is really critical to the success of AVC, and in this case, also a CISO. 

Dave Bittner: [00:18:07]  And so what are some of the unique things that VCs face that you think could be brought over to the world of CISOs? 

Doug Grindstaff: [00:18:13]  From a VC perspective, I think understanding - what are the steps that are necessary to start to de-risk an investment? In the case of a CISO, how do we understand the risks facing my business? Maybe it's a function of my business model. Maybe it's a function of my threat environment, my competitors. How do I understand those threats and then develop a very precise way of prioritizing those risks and then start to mitigate those risks? I think from a VC perspective, one of the issues that is critical is to understand - what are the steps to de-risk my investment? As I start to de-risk my investment, I start to increase the value of that investment and increase the further likelihood of future investment. 

Doug Grindstaff: [00:18:53]  From a CISO perspective, being able to understand - what are the most significant inherent risks to my business? What are those things that could be terminal, have a terminal impact on my business? And then start defining - what are the necessary steps to mitigate those risks? It could be building new capabilities. It could be focusing on developing people, acquiring new technologies. But that sense of prioritization, both from a VC perspective and from a CISO perspective is, I think, really job one and mission-critical. 

Doug Grindstaff: [00:19:21]  The second after that starts to become alignment, and if you're successful as a VC, you have clear organizational alignment from the stakeholders and maybe the other stakeholders that are in the investment with you all the way through the organization. What is the next crucial step, next crucial milestone we need to achieve in order to continue to build this business and generate the returns we expect? From a CISO perspective, it's very much an analog. They also need to understand - how do I create organizational alignment so my board understands and has defined our risk tolerances and the team that's supporting the security program understands exactly what are the most important security controls? What are the most important processes and technologies that are going to be part of mitigating those critical, those terminal risks? 

Doug Grindstaff: [00:20:06]  And then I think finally - and this one is what I often talk about as a Copernican shift for the CISO. From a VC perspective, I think it's very easy to think about focusing on outcomes, right? There are very basic metrics that determine whether or not you're generating the kind of return. Am I elevating my revenues to levels that are sufficient? Am I able to demonstrate growth in EBITDA that allows me to demonstrate increases in value? From a CISO perspective, it's a little bit different, and the reason I refer this as a Copernican shift is that I think it's important to focus not so much on process, not so much on - do I have sufficient control systems? Am I using the right standards? But am I focused on the outcomes? How do I know? How am I measuring whether or not the level of activity, the level of capability I have is sufficient to mitigate those key risks? 

Doug Grindstaff: [00:20:56]  We often think of sufficient capability as maturity. Do you have sufficient maturity in those critical capabilities that will start to mitigate the risks that your organization is facing? And obviously, those risks are informed by all those things we mentioned earlier - the threat landscape, the competitive landscape - you know, that broad array of risks facing your business. And understanding that, putting it in the context and operationalizing it such that now I know - what are those key steps and key investments I need to make to start to address those terminal risks? I think it's just as important, and I think it's a valuable analog because the VC works in a very dynamic, constantly shifting threat environment where the likelihood of success is not high, and the downside risk is actually quite significant. It could result in loss of investment, loss of business. 

Dave Bittner: [00:21:44]  Yeah, it's really interesting to me. As you point out, the CISOs - in my mind, they sort of sit between two groups. They quite often have the board above them, and then they have their team and the rest of the organization below them. So there's - they sort of sit in the middle of - I don't know if tension is the right word - between those two groups. I wonder, is the VC sitting in a similar position? Is there someone above them? What are the different sides they're aiming to please? 

Doug Grindstaff: [00:22:13]  Yes. They're trying to please their shareholders. They have stakeholders, right? They have individuals who have pooled money to potentially create a fund where they're expecting certain returns, and so the threshold returns are quite high and the timeframe quite narrow for the VC. That generates a significant amount of tension as they start to try and support organizations to achieve, you know, the de-risking process, generate increases in value and hopefully future investment. 

Doug Grindstaff: [00:22:39]  And what you described with the CISO, I think, is spot-on, and I think it is an enormous challenge. VCs are used to working with the financial stakeholders. They're used to building funds and generating specific targeted returns, but, you know, you look at a lot of the folks that move into these roles of CISO and CSO. There is not a lot of training, whether it's how to put cybersecurity into a business context and think of it as a kind of key strategic plank for the business, whether it's defining the risk not as an IT risk but as an enterprise risk. You know, those kinds of strategic skills and that kind of board interaction are not commonplace in terms of their career path development, so gaining those skills and building that capability, I think, is one of the really significant challenges facing most CISOs. 

Dave Bittner: [00:23:23]  I can't help noticing, I mean, the emphasis that you're putting on this whole notion of framing everything in terms of risk, and I really - I think we've tracked that trend over the past year or more that that's really a direction folks are headed. 

Doug Grindstaff: [00:23:37]  I would say that's true intellectually. We engage a lot of organizations across sectors, and I think there is a desire to understand risk, although unfortunately, a lot of organizations think of risk as the threat landscape. And when we think of risk, we think it as enterprise-inherent risk, so we look across all elements of a security program, from the physical security to risks of natural disaster to, of course, network and data integrity issues. 

Doug Grindstaff: [00:24:03]  So when we think of risk, we think of it holistically and use that. Understanding the holistic risk, put into the context that the company uses to find their risk tolerances, is important. And so once I can get a sense of what are the inherent risks, I make sure they're in the same context that the organization thinks of all other risks on the business and then create an operational plan that seeks to mitigate those risks. 

Doug Grindstaff: [00:24:25]  I think that is still evolving. It's not an easy process to work with the - let's say an ERM and try to operationalize an ERM, an enterprise risk management tool that organizations use. Operationalizing that is quite challenging, and in fact, for the CMMI Institute, we actually developed a methodology that creates a relational database that connects risk to capability to understand which capabilities matter most given, you know, your organization's unique risk tolerances and risk profile. 

Dave Bittner: [00:24:56]  That's Doug Grindstaff staff from the CMMI Institute. 

Dave Bittner: [00:25:05]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:25:17]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.