Cyber Threat Analysis 26 May 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

U.S. Can’t Detect When Cyber Attacks Are Under Way, Survey Finds

A majority of senior federal officials responding to a survey said they don’t think the U.S. government can detect cyber attacks while they’re under way. 65% of cyber security officials from the DOD, intelligence agencies and federal civilian agencies said they disagreed with the idea that the federal government as a whole can detect cyber attacks while they’re happening. 59% said their “agency struggles to understand how cyber attackers could potentially breach their systems.” 25% said their agency made no changes in response to last year’s breach at OPM. 40% reported their agencies don’t know where their key cyber assets are located. (Bloomberg)

Federal systems face a double-whammy in that they are both aggressively targeted and the least likely to be able to respond – strategically or tactically – in kind. Attacks move “at the speed of cyber” while their targets move at the speed of government, which is to say “glacially.” As with the private sector, security is a secondary aspect to the mission of government agencies, so we should not expect them to be any better or worse than anyone else. It is easy to conflate the capabilities of a rare bird like the NSA, forgetting that the vast majority of government is downright pedestrian, and so too goes their response to cyber threats.

The Cyber Security Industry’s Big Blind Spot

Today’s threat actors are more focused, funded and disruptive than ever, but the cyber security defense industry is not built to respond appropriately, says thought leader Tom Kellermann. What are security leaders overlooking? In his new role as CEO of Strategic Cyber Ventures, a cyber security technologies investment firm, Kellermann sees lots of new ideas. But too many of them are variations on the same theme: they are focused on developing specific tactical solutions that address only temporary problems that ultimately will morph. There is a systemic, industry-wide lack of long-term vision. (Bank Info Security)

There is nothing new under the sun when it comes to computer security. The functional aspects of information technology march apace with inventor imagination and user demand, but security technology is fundamentally stuck in the early ’90s. Are there relatively novel ideas on how to address long-standing problems? Sure. Would bringing them to market negatively impact the cash cow that is the heart of any large cyber security business? Absolutely. This is not to say that the field will never see innovation, merely that – barring a sufficiently enlightened investment community and corporate buyers willing to eschew ‘how things are done’ thinking – it will emerge at a pace that does not disrupt revenue milch cows.

DOD cyber officials: Pace of threats calls for faster acquisition

A panel of top naval military officials outlined the need for faster fielding of technological tools to fight at so-called cyber speed as one of the many challenges within information warfare. Leaders discussed how rapidly technology has changed and how adversaries have adapted, creating faster and more complex threats. To help combat these emerging threat vectors, new tools and capabilities must be brought into the fold. “You can’t fight in the cyber domain with old acquisition processes…it doesn’t work,” said Brig. Gen. Loretta Reynolds, commander of Marine Forces Cyber Command. “The cyber threat is an all-day, everyday thing. We have got to have the ability to put tools on a network that get after the threats as they arrive.” (Defense Systems)

In a world where prevailing offensive tactics can change several times in a year, the multi-year acquisition process means defenses tomorrow that are cutting edge for yesterday. Efforts like 18F and other ‘fast track’ approaches are of limited utility in the security space because of requirements that anything new go through an expensive and time-consuming vetting process that is trivial for industry giants but onerous for small businesses who are actually innovating. It also does not help that decision-makers in this space tend to have acquired their expertise via PowerPoint, leading to buying decisions that are reminiscent of “buy IBM” thinking. Of course none of this explains why the military cannot successfully execute the fundamentals (see first story).

Time To Treat Sponsors Of Ransomware Campaigns As Terrorists, Lawmaker Says

A senior lawmaker hinted that nations not doing enough to stop ransomware groups from operating within their countries should be treated in the same way that the US treats countries that sponsor terror groups. In opening comments at a Senate Judiciary subcommittee hearing, Senator Lindsey Graham described ransomware attacks as a “terrible crime” affecting the lives of thousands. The goal should be to identify nations that are doing a good job in trying to deal with the problem and to help them in that effort while weeding out the ones that are not doing enough or are actively sponsoring such attacks. (Dark Reading)

Legacy-future thinking has yet to solve a single cyber security-related problem. Looking to the world of arms control and non-proliferation is a crutch that ignores the exponentially more difficult nature of the problem. The idea that the nation-states from which bad actors originate would attempt to curb their activities displays a shocking level of ignorance about how intertwined these entities are. All of this ignores the fact that paying ransoms is actually cheaper and faster than calling for help. The simple economics of ransomware make it an ideal model to refine and expand, since the solution has nothing to do with “security” and everything to do with un-glamorous, sound IT practices. (see below)

Ransomware and DDoS combine to form a dangerous new two-pronged cyber attack

Criminal developers have created a new evil way to monetise their operations by adding a DDoS component to ransomware payloads. Instead of ‘just’ encrypting data files and locking the machine, a new variant of the Cerber ransomware is now adding a DDoS bot that can quietly blast spoofed network traffic at various IPs. It means that while the victim is unable to access their endpoint, that same endpoint is being used to deny service to another victim: two attacks for the price of one (and two ways cybercriminals can make money off victims). (Information Age)

If you were ever confused about the level of ingenuity and professionalism of your adversaries, labor under such delusions no longer. Ransomware, and any of the myriad variations evil-doers can come up with, has the potential to be far more pervasive than other threats. Done well, and with professionalism (as the vast majority of such cases are), it is a ‘perfect storm’ of conditions: effective, efficient, and lucrative. As long as paying a ransom is cheaper than calling for help (to the extent DFIR can help at or below the right price point), the best defense against ransomware has nothing to do with security.

Should Companies Be Required to Share Information About Cyberattacks?

Damage from cyberattacks comes in layers. Direct harm, in the form of theft and other losses. Damage to the reputation of the companies affected when news gets out. And the slow erosion of confidence in overall online security. How do we limit the damage and, more important, restore confidence in online security? Requiring companies to report when they’ve been attacked and to share details about how it was done might help strengthen cyber defenses for everyone. But it can also complicate the process of trying to keep systems secure, and injure the companies’ reputations in the meantime. Conversely, allowing breached companies to work on solutions in secret may fix problems quickly and prevent reputational harm. But keeping attacks secret may also increase the danger for others. (WSJ)

It is a mistake to consider sharing an either-or option. Sharing information about tactics, techniques and procedures is undeniably a useful endeavor. Done well it can support a herd-like immunity that has the potential to negatively impact attackers at scale. Negative reputation or financial impacts associated with disclosure exist, but are temporary. True: too public a disclosure too early could lead to attackers changing tactics, but by the same token too much secrecy defeats the entire purpose of sharing. Participating in a good private sharing forum that strikes a balance between both sets of equities and has a diverse membership base is one of the more useful things you can do to defend yourself and contribute to the security of others.

When Executives Ignore Security Policies

A new study finds that 45% of IT executives knowingly circumvent organizational security policies, and many have even successfully hacked their own or another organization. IT decision-makers between the ages of 18 and 44 demonstrate a “much more cavalier” attitude toward IT security than those over age 45. “Even if these actions are being performed to validate existing infrastructure, senior leadership should be aware that this activity is occurring. It may also be worthwhile to consider third-party audits to ensure adherence with corporate security policies.” (CIO Insight)

The notion of employees as the security “weakest link” applies to every employee. The idea that as an ‘expert’ you know more and so can take on additional risk is a common sentiment in every discipline. Yet cases like HBGary and Hacking Team tell us that such actions are a slippery slope, because expertise in one area does not make one an expert in all things. Standards and policies have to apply to everyone, and especially those at the top, or they will never be taken seriously by those below.