Cyber Threat Analysis for 11 Aug 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

Is Cyberwar Turning Out to Be Very Different From What We Thought?

In a 2012 speech, then-Secretary of Defense Leon Panetta warned Americans they could face a “cyber Pearl Harbor” someday. But for the most part, cyberwar hasn’t yet turned out that way. Instead what is emerging is the sort of attack that happened at the Democratic National Committee, where embarrassing files and emails were posted on WikiLeaks. Indeed with rare exceptions like Stuxnet, what we have seen from nation-states is more the sort of behavior one would expect from spies than soldiers, establishing cyberspace as a clear realm for espionage and less so for war. (Politico)

Despite what generals – armchair or otherwise – would have us believe, no one gains from ‘destruction’ in cyberspace. Whether the threat is from criminals, terrorists or rival nation-states, there is far more to be gained by exploiting systems than by shutting them down. You can’t steal money if you shut down connectivity; you cannot communicate your message if your audience gets a 404; if your goal is domination you don’t want to waste blood and treasure blowing things up only to have to rebuild them again. The loudest voices in cyberspace speak of things-martial because that’s a language they understand and know how to do; it is not necessarily the right language or analog, it is merely convenient in the absence of more serious consideration.

Hacked companies still prioritize innovation over cybersecurity

Eight out of 10 executives surveyed acknowledge that their companies had been compromised by cyber attacks in the past two years, yet less than half of the CIOs, CISOs and CTOs surveyed said that they had invested in information security in the past year. The notion that hacked companies are underinvesting in cybersecurity defies logic until you understand that most CIOs are told to prioritize innovation over risk mitigation. Companies are racing to find their own Pokemon Go. CEOs laser focused on growing the business are loath to slow down to reduce risk. (CIO)

Security is not the issue we think it is. Companies are in business, period. They are not in the security business. The idea that any enterprise outside of the military or intelligence community would place security anywhere near the top of the priority list is a delusion. Even the biggest hacks have no long-term impact on a commercial concern’s well-being, which is all shareholders care about. Innovative security mechanisms and methodologies that can add value to the overall business/business process are one way for security practitioners to elevate themselves and their practice, but all too often innovation runs smack up against regulation, bringing attempts at true security (vice compliance) to an abrupt halt.

Democratic congressional group confirms it was target of cybersecurity attack

The Democratic Congressional Campaign Committee confirmed that it had been the target of a cybersecurity incident similar to other recent attacks, including the theft of documents from the Democratic National Committee. The DCCC said in a statement that it took immediate action. (Union Leader)

Salvador Allende is rolling over in his grave. Much has been made about the implications of a potential foreign entity attempting to impact the upcoming presidential election. While certainly valid, it is hardly a new issue, from the perspective of either side. That there is a “cyber” component doesn’t change this, though it is certainly fodder for attribution fetishists. Hospitals aside, nowhere is the conflict between efficiency, effectiveness, and security more pronounced than in a political organization. You are dealing with sensitive information, your people are dispersed, the business cycle is 24/7, time is of the essence, and failure has serious repercussions for years to come. Still, money is spent on “business,” not security. This is part of a trend, not an anomaly.

Attack attribution does little to improve enterprise security

After every major data breach, the security community engages in a game of whodunit and attempts to figure out what entity or nation state carried out the attack. While people want some sort of closure after a crime has been committed and to see the perpetrators brought to justice, it’s time to reconsider the benefits of attributing cyber attacks. Having a corporate security team attempt to figure out who is behind a hack is complicated, is time consuming and does very little to improve an enterprise’s defenses, which should be a company’s priority after an attack. (Network World)

Attribution can be useful, depending on who you are and what your goals are. The vast majority of victims, especially in the commercial space, derive no benefit from attribution. The importance of attribution to a governmental victim is obvious, but commercial victims are in business, and the cost of investigating whodunit isn’t good business. The sooner attribution is placed into context, the faster we can start to get victims learning from what happened and using those lessons to improve their capabilities. “Who” is of little use if you’re not going to exercise an equivalent level of effort to combat “what,” because if one entity can find a way in, another can too. Defenders love martial analogies, but ‘know your enemy’ is of little utility if only one side is fighting.

Senators Call on FCC to Bolster Vehicle Cybersecurity

Senators Blumenthal (Conn.) and Markey (Mass.) urged Federal Communications Commission Chairman Tom Wheeler to ensure “robust cybersecurity and privacy provisions” for the airwaves that will make up vehicle-to-vehicle connectivity. The two added that it’s essential that the vehicles have “robust safety, cybersecurity, and privacy protections in place before automakers deploy vehicle-2-vehicle and vehicle-2-infrastructure communication technologies.” (Morning Consult)

Wish in one hand … It should be considered progress that politicians are asking for protections before widespread deployment, until you remember that automation and computer controls in cars are already decades old, and, like so many things in IT, functionality trumps security. Always. While there is a certain amount of hype surrounding what cars may be able to do in the future, if history rhymes like it so often does, this particular horse(power) has left the barn. Serious security mechanisms will follow a sufficient number of casualties, or when we have our modern Unsafe at Any Speed moment.

Strider cyber attack group deploying malware for espionage

Strider, a previously unknown group of cyber attackers, is using stealthware for cyber espionage campaigns. Strider is using an advanced piece of malware called Backdoor.Remsec to spy on targets in Russia, China, Sweden and Belgium. According to Symantec researchers, Remsec appears to be designed for spying, is capable of creating custom malware tools, and has operated below the radar for at least five years. (ComputerWeekly)

Slow and steady wins the race. Compare the duration of the Strider campaign with your average corporate budget cycle and/or the life-span of a CISO. While most chase the problem of the month or the headline of the week, the other side bides their time and has far more success (illicit though it may be). To reinforce an earlier point: the value in offensive action is exploitation, not destruction. Martial analogs are only useful if you’re fighting: they are a poor way to grok the problem – and develop effective solutions – if the problem is espionage.

5 Takeaways From Cisco’s Big Cybersecurity Report

Companies are still using outdated technology leaving them prone to cyber attacks, security researchers are losing their confidence, and hackers are making millions of dollars through so-called ransomware attacks. These are some of the findings detailed in Cisco’s annual report on the state of cybersecurity based on research the company obtained from customers, outside security analysts, and its networking devices connected to the Internet. (Fortune)

Your weekly reminder on the importance of blocking and tackling.