Spike in Hacking of US Networks is said to be Tied to China and Iran
US businesses and government agencies have been targeted in aggressive attacks by Iranian and Chinese hackers who security experts believe have been energized by President Trump’s withdrawal from the Iran nuclear deal last year and his trade conflicts with China. Recent Iranian attacks on banks, businesses, and government agencies have been more extensive than previously reported. The attacks prompted an emergency order by the Department of Homeland Security during the government shutdown last month.
The utility of offensive online activity is a strategic resource no nation will willingly cede. Old hands will recognize this for what it is: business as usual. No agreement or diplomatic effort will have a meaningful impact on what is arguably the most valuable and effective tool available to nation-states (and non-state actors operating on their behalf). We should be neither surprised nor angered at such news, merely cognizant of the shortcomings in our ability to deal with such issues in the usual intellectual fashion. We are nowhere near reaching ‘the end of history,’ but it is clear that the theories and tactics that got us to this point are not serving us as well as we would like.
Is the City of Ottawa Prepared for a Cyber Attack?
In the fourth quarter of 2018 alone, more than 4,000 attempts to compromise City of Ottawa workstations and laptops were prevented, according to city data. “Like any major municipality, we’re a target,” said Chris Fulton, city manager of technology security. Fulton was asked after the meeting how prepared the city is for a cyber attack. “We feel that we’re as protected as we can be.”
You cannot guarantee that you’ll be able to detect or prevent attacks, but you can control how quickly and cheaply you recover from one. From the point of view of those who attacked the city of Atlanta with ransomware, the exercise was a failure (no ransom paid). Yet one need only look at the potential $17M price-tag associated with the event to recognize that the very noble ‘we don’t negotiate…’ tack isn’t in the best interests of taxpayers. An increase in data points isn’t a trend, but organizations of all types – private and public – would be doing themselves and their constituents right by investing in a sound, verifiable, and secure backup scheme (and a couple of bitcoin just in case).
Cybersecurity: Damage Controller or a Business Priority?
Cyber threat has turned out to be a menace for global industries in the past few years. The C-suite executives worldwide are fretting over hazards of cyber attacks and their repercussions. According to the PwC study of 2018, cyber threat is among the top worries of the CEOs. In other words, a sum of 62 percent of CEOs worry about cyber attacks, which can create hindrance in their company’s growth.
The idea that any commercial concern will elevate cybersecurity to a peer position to other business units is wishful thinking. On top of that, it is also wrongheaded. No one is in the cybersecurity business (even cybersecurity companies); they’re just in business. Security does not generate revenue and in some cases impedes operational effectiveness. The idea may be anathema to many security practitioners, but the goal is ‘secure enough,’ commensurate with any associated risk. Cybersecurity failings have no long-term impact on any measure by which corporate leadership are evaluated. Not share price, not reputation, not market share.
Small Businesses ‘Underestimate Cyber Threat’
SMEs do not fully understand the threat of cyber attacks and the potential damage inflicted, a survey by Chubb reveals. The survey of 1000 SMEs across the Asia-Pacific region, including 400 in Australia, shows 60% believe they are less vulnerable to cyber incidents than their larger competitors.
Example #947 of how bad humans are at assessing risk. “I am too small to be a target” is exactly backwards; your size and corresponding lack of attention to the threat make you a much more attractive target. Large enterprises are already aware of the threat and taking steps to address it. The bad guys do ROI calculations too, and in an age of ransomware and cryptocurrency mining, where literally any computing resource is a virtual gold mine, it is SMBs that are the best bang for the buck. Hardening yourself against threats and reducing risk need not be complicated or expensive.
UK Could ‘Manage’ Huawei 5G Cybersecurity Risk
A UK government agency has said it can manage any cybersecurity risk posed by the use of Huawei products within 5G technology. Reported by the Financial Times, the as yet unpublished announcement by the National Cyber Security Centre (NCSC) suggested it was too complex to simply ban the firm from the UK. The statement, regarded as a “sensible approach” by cybersecurity experts, follows ongoing concerns in the US and Europe that use of the Chinese firm’s hardware could provide a gateway for Beijing’s tampering in foreign telecommunications networks.
You have no control over the hardware, firmware, and software you use: act accordingly. Even infrastructure providers are users of such technology, albeit more sophisticated ones than you or I. While they can closely monitor any given box, they don’t control it, which means there is always some level of risk, whether that box is made by Huawei or Cisco (which doesn’t make all its boxes under secure, 5-eyes-friendly conditions either). The issue is not that any given box is more or less secure than any other, it’s that one box is made by a front/proxy for a hostile foreign government. No nation would stand for this if the matter were jet fighters or warships, but the technology that designs and helps operate such items, meh.
Staffing Shortage Makes Vulnerabilities Worse
For enterprise IT groups, responding to the volume of new vulnerabilities is growing more difficult – compounded by a chronic lack of skilled cybersecurity professionals to deal with the issues. That is one of the major conclusions reached in a new Ponemon Institute report. When asked about the difficulties of maintaining an adequate security posture, 68% of the more than 600 cybersecurity professionals surveyed listed “staffing” as a primary issue. These staffing shortages don’t exist exclusively at small organizations, either, with 72% of those surveyed from organizations with more than 1,000 employees.
Another argument for the importance of building security solutions that work at scale. The talent issue (shortage or mismanagement, you pick) is not going away. The rate at which we’re going to deploy vulnerable hardware and software is only going to expand and accelerate given the rate of adoption of ‘smart’ devices. No one bakes in security at the start, so we’re always going to be called in after the fact to clean up one mess or another. Our failure to throw away assumptions and look at issues with fresh eyes, or adopt novel approaches, has us stuck in a time warp.
Where’s the Equifax Data? Does It Matter?
It’s been 17 months since the infamous 2017 Equifax data breach was revealed to have compromised the data of about 147.9 million people. But an investigative report from CNBC found that, curiously, the data hasn’t yet turned up on the Dark Web. According to the outlet’s threat-hunter sources, it’s increasingly looking like it was a spy job, carried out by a nation-state; not criminals bent on ID theft or financial gain.
The mosaic theory of intelligence blooms in the information age. For those who have never been exposed to the practice, it’s how you assemble a comprehensive picture of an adversary’s capabilities or plans through small pieces of data that – in and of themselves – are not sensitive or revealing, but when assembled paint a disturbingly clear picture. Standing alone, the theory that the Equifax breach was for illicit commercial gain makes sense, but the value of this data, combined with that of dozens of other data breaches (OPM in particular), makes for an intelligence treasure trove.
2.7M Recorded Medical Calls, Audio Files, Left Unprotected on the Web
“Your call is very important to us,” you often hear while being put on hold. But calls were clearly not important to the Swedish Healthcare Guide service – at least not important enough to protect the personal privacy or safety of Swedish patients. IDG’s Computer Sweden revealed that 2.7 million recorded calls made to the 1177 national health service were left completely unprotected on a server that had no encryption or authentication protection.
In an age of persistent data collection and surveillance, the importance of security cannot be overstated. Like the recent leak of facial recognition data from China, the carelessness shown to intensely personal data is fairly shocking. The potential for misuse or abuse of such data is significant in both common ways (e.g. public exposure, shaming, etc.) as well as new ones like the generation of ‘deep fakes.’ The rate of big data abuses is likely to outpace the value generated by big data if mechanisms are not put in place to, if not entirely thwart misuse and abuse, make it easier to detect.
Russian State-Sponsored Hackers Are Fastest: CrowdStrike
It takes Russian state-sponsored hackers less than 20 minutes to start moving laterally within a targeted organization’s network after the initial breach, according to CrowdStrike’s 2019 Global Threat Report. For this year’s report, which is based on data from over 30,000 intrusion attempts, the company has measured the average speed of nation state actors believed to be operating on behalf of Russia, China, North Korea and Iran. The breakout time of profit-driven cybercriminals has also been analyzed for comparison.
There are many metrics you can use to assess the effectiveness of your defensive capabilities, but the only one that really matters is time. Being able to detect and respond at combat speed is the difference between a busy day at the office, and a headline-grabbing breach. This is not to say that every enterprise needs to be able to perform at this level, but if you’ve done some threat modeling and these are the classes of actors you’re concerned about, it’s time to up your game. Building your defensive scheme and implementing corresponding technologies with an eye towards what will slow an attacker’s advance or spread will serve you better now and in the long run than whatever strategic fad or blinky box-of-the-month ever will.
New Vulnerabilities Found in Top Password Managers
Top password manager products have fundamental flaws that expose the data they are designed to protect, rendering them no more secure than saving passwords in a text file, according to a new study by researchers at Independent Security Evaluators (ISE). “100 percent of the products that ISE analyzed failed to provide the security to safeguard a user’s passwords as advertised. Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”
Why don’t they let cybersecurity nerds have children? Because they’re always throwing the baby out with the bathwater. A password manager is still, and will continue to be, a very useful tool that helps reduce security issues related to password strength and re-use. Expect any actual flaws identified in the aforementioned report to be fixed within days, if not sooner. That a given tool can be exploited doesn’t mean it will, that you will be targeted, and that all the other security mechanisms and practices you have in place will also fail at the same time. Considering edge-cases and extreme scenarios can be helpful, but it has to be tempered with a sense of the ordinary and mundane, because that’s what most of life is like.
The Cybersecurity Legislation Agenda: 5 Areas to Watch
New digital threats that could topple business, government, military and political institutions are moving cybersecurity to the top of the congressional agenda. The newly seated 116th Congress has so far seen 30 bills introduced in the House of Representatives and seven bills introduced in the Senate that directly deal with cybersecurity issues. That does not include other pieces of legislation that have at least some provisions that deal with information and digital security.
Don’t hold your breath. Having tracked cybersecurity legislation for close to 20 years, it’s pretty clear that most of these efforts have a near-zero chance of becoming law. It’s not that no one cares, but there is still a shooting war going on, along with a trade war. Fears about “hacked” elections notwithstanding, the political environment is simply not one where issues of this nature are going to have traction (though given the makeup of Congress and who sits in the White House, that could be said for any proposed legislation). Everyone acknowledges the importance of better cybersecurity laws, but there are far too few Will Hurds and Jim Langevins who can craft good ones and push them through to signing ceremonies.
How Much Does it Cost to Launch a Cyberattack?
Companies spend big to defend their networks and assets from cyber threats. Kaspersky Labs has found security budgets within enterprises average around $9 million per year. On top of that, data breaches cost companies millions of dollars. Yet, cheap, relatively easy-to-use off-the-shelf hacking tools make the barrier to entry for cybercriminals incredibly low. Top10VPN’s Hacking Tools Price Index found malware available for as little as $45, while tutorials on how to construct attacks are available for just $5. The rare times criminals will be required to pay more than $1,000 for any single component would be for a zero-day exploit (as little as $3,000).
Cash Rules Everything Around Us. A SANS class costs north of $5,000. Other sources of high quality training are not much cheaper. Maintaining security certifications costs hundreds of dollars a year. If this were any other endeavor, we’d say we were on the wrong end of the deal. This is why threat modeling and good risk assessments are so important. JPMC spends half-a-billion dollars on security, but do you need to? What’s reasonable and prudent? Can you get there without going broke (yes)? Lay the groundwork for a solid cybersecurity posture now, so that you’re not flailing about and overspending later.
Researcher: Not Hard for a Hacker to Capsize a Ship at Sea
“If one was suitably motivated, perhaps by a nation-state or a crime syndicate, one could bring about the sinking of a ship,” said Pen Test Partners researcher Ken Munro, in a stark assessment of maritime cyber-danger this week. At issue is the fact that critical ship control systems, including IP-to-serial converters, GPS receivers or the Voyage Data Recorder (VDR), tend to be easily compromised. “It’s a low-skill attack,” Munro told Threatpost.
It’s probably not EASY, but it’s probably easier than ship owner/operators think. Hacker claims of being able to do amazing things à la how hacking is portrayed in most movies are usually more about promotion than precision. But the fact does remain that seaborne cybersecurity is pretty sad. Like every other market: customers want things that work, they don’t demand that they work AND be hacker proof. One need only look at the impact of the attack against Maersk to realize how brittle things are in this industry.