The ForeScout Cyber Roundup is a weekly blog series dedicated to deciphering some of the previous week’s cyber headlines. Each article includes a condensed summary of the news and a ‘why it matters’ section—a closer look at the potential implications of the event, predictions about what might happen next and suggestions for all readers, from the C-suite to end users. The goal of this roundup is to offer insight and perspective and positively contribute to information sharing that can inform and enhance the cyber posture of our readers. Articles are ordered by date, not necessarily priority.
- Federal Researchers Simulate Power Grid Cyberattack, Find Holes in Response Plan (November 9, 2018)
Summary: Starting on Halloween, hundreds of government and industry researchers gathered to test various theories on the damage and repercussions of an attack on U.S. critical infrastructure, specifically the power grid.
Why it matters: According to a recent report from Black Hat, 69% of respondents believe that such an attack will occur in the next two years. While many experts believe an attack on U.S. critical infrastructure is imminent, that doesn’t necessarily mean that it will be successful. An attack would likely come from a nation-state, but the motivation behind the attack may vary by actor—common motivators include hacktivism, cyber terrorism, nation-state APT testing, economic disruption, political influence and military dominance. Success, then, is the actor’s ability to satisfy that motivation, and in this case the duration of the power disruption is often the measure of the malicious actor’s success. NIST defines that disruption in terms of ‘smart grid impact levels’ in its Guidelines for Smart Grid Security. As an example, sporadic, temporary outages would have less of a negative impact than an enduring, targeted, regional attack. There are multiple degrees of success for the actor—and of consequence for the victims—dependent on numerous factors: duration, region, population density and resiliency, to name a few. Of those factors, resiliency is one of the few within the control of the defender. Resilience isn’t encompassed only in the ability of the victim to recover from the attack and resume normal operations; resilience also includes learning from attacks and taking a predictive cyber stance. What we can expect is that simulations such as this one in New York will continue and increase in complexity. What we can hope is that security teams across all domains—not just critical infrastructure—will also focus on resilience when designing their networks and defending their data.
- How the U.S. might respond if China launched a full-scale cyberattack (November 13, 2018)
Summary: The Foundation for Defense of Democracies (FDD) hosted a tabletop exercise last week to better understand how the U.S. might respond to a cyberattack from China.
Why it matters: There are fundamental differences between China and the U.S. when it comes to ownership of critical infrastructure. For many Chinese companies, the state is the sole or majority owner, making those companies state-controlled. Conversely, more than 85% of U.S. critical infrastructure is owned or operated by the private sector, not the government. These different ownership models add a layer of complexity to the already challenging issue of attribution—the correct identification of a cyber perpetrator. Extensive government ownership of critical infrastructure is simply not the U.S. model, and this is not likely to change in the future. It is therefore critical that the government and private sector collaborate for mutually beneficial security improvements and for the overall security of the nation. The Department of Homeland Security (DHS) established the National Protection and Programs Directorate’s (NPPD) Office of Infrastructure Protection (IP) to foster interaction and an integrated approach between the public and private sectors. NPPD has been gaining momentum, and just this week a bill that would solidify DHS’s role as the main federal agency overseeing civilian cybersecurity headed to President Trump’s desk—establishing the Cybersecurity and Infrastructure Security Agency (CISA) and also rebranding the NPPD as the Cybersecurity and Infrastructure Protection Agency (CIPA). Earlier this year, DHS also established the National Risk Management Center (NRMC), which is designed specifically to enhance coordination between DHS and the private sector to better protect national critical functions. One of the biggest ways the private sector can help is by simply making defense easier—offering federated solutions that can bridge the gap between traditional IT and OT cyber needs.
- Lazarus Group Attacks ATMs, Tens of Millions Stolen in Recent Heist (November 10, 2018)
Summary: The Lazarus Group has made headlines on several occasions over the last few years—from the 2014 attack on Sony to the well-known WannaCry ransomware. An alert regarding new activity was first issued by US-CERT on October 2, stating that the Lazarus Group had been targeting ATMs in Africa and Asia since 2016.
Why it matters: As is often the case when it comes to the point of entry, these actors capitalized on the fact that some of the payment systems were running outdated software, and they infiltrated the network via spear phishing. The systems weren’t being patched because they were no longer supported. This incident should serve as a reminder—not just for banks and FinTech but for everyone—that it is critical to patch your systems routinely, and even more important to develop a strategy to get off old, unsupported systems and software before they reach end of life. An effective cyber strategy must coincide with the business strategy as well. Businesses can no longer afford to simply provide their customers and users with functional tools; security must be just as much a priority as functionality. In cases where organizations simply cannot sunset outdated systems, they must make security a priority and assess and invest in rigorous monitoring and microsegmentation. For businesses with modernized networks and a routine patching process in place, it’s important to realize the need for enhanced visibility to detect and manage devices that you might not know are on your network. Protections are available to remedy the issue, but it will be interesting to see whether other malicious actors leverage (or alter) the original malware for their own financial gain or to evade detection. It’s not uncommon for bad actors to reuse code and TTPs from other actors, further complicating the attribution challenge, as recently evidenced in an attack on a UK-based engineering company. There are often headlines about the devastation wrought by malware, but it’s important to note in this instance that although the Lazarus Group is still active, it has changed its targets and modified its approach.
Some might argue that this is simply because they are covering their tracks and taking precautions to remain elusive, while others might think this foray into ATM attacks is designed as a distraction for cyber analysts and researchers. But perhaps our defenses are improving; perhaps the protocols and tools now in place have reduced the attack surface and forced bad actors such as the Lazarus Group to adjust their tactics.
- Russia and Spain strike agreement for joint cybersecurity group: report (November 7, 2018)
Summary: The U.S. accused Russia of election meddling and disinformation campaigns during the 2016 election and the Department of Homeland Security (DHS) suspected more disinformation activities from Russia during the recent midterm elections. Now, it appears Russia’s disinformation efforts have spread to Spain.
Why it matters: Disinformation isn’t a new concept; however, how it’s deployed has evolved with technology. Advances in artificial intelligence (AI) and machine learning (ML) have greatly benefited society in many regards, but they have also introduced the possibility of a pliable reality. Because so many people worldwide receive their news digitally, Russia and others seeking to spread disinformation for political or socioeconomic advantage have leveraged social media platforms, creating fake accounts to influence real users. But the problem extends beyond the bots—recent advances in technology now make it possible to alter videos and audio files and create a clip that looks like a real recording. These changes, combined with other factors, have fundamentally changed the landscape of war. During the Cold War era, the U.S. was able to rely on the threat of nuclear attack to offset any threat of war from other nations. Today, however, the U.S. must expand its repertoire of deterrence methods to overcome the challenges introduced by modern technology. Most recently, the U.S. has relied on the threat of sanctions and indictments to deter malicious actors, but to counter disinformation it’s likely that we’ll see increased efforts that combine automation with human input. In other words, just as our adversaries are leveraging technology to spread disinformation, the U.S. can leverage those same technologies to debunk it—discerning ‘fake news’ on a massive scale.
- Here’s why it is unsurprising that China, the US, and Russia didn’t sign the global cyber security pact (November 13, 2018)
Summary: The Paris Call for Trust and Security in Cyberspace, as the pact has been called, is a coordinated effort to get countries to agree on a set of international rules for cyberspace.
Why it matters: Analogous to the famous Geneva Convention, the introduction of the Paris Call for Trust and Security in Cyberspace has received substantial support across the globe. Yet the major players in cyber, including the U.S., refused to sign. That news isn’t entirely shocking. After all, signing such an agreement would limit that nation’s options in cyberspace. The countries that refused to sign have all engaged in some form of cyber activity against one another at some point: the U.S. allegedly launched an attack on Iran that disrupted its nuclear centrifuges, China has stolen numerous blueprints from the U.S., and Russia has historically launched campaigns to interfere with foreign politics. The struggle for dominance has evolved over the years, and what we’re seeing in the cyber arena now is simply the next phase in that evolution. To stay ahead and to stay secure, there are a couple of things that the U.S. is going to have to figure out sooner rather than later. First, the threshold of war—defining specific parameters that, if crossed, will result in a measured response. In other words, establishing boundaries that make it clear to other countries how far they can go before the U.S. will act against them. Second, because so much of U.S. critical infrastructure is maintained by the private sector, and because more attacks against the U.S. are targeting critical infrastructure, it’s critical that the government and private sector continue to collaborate. Many companies in the private sector have taken a strong stance against any government cyber initiatives that fall outside the scope of cyber defense; this summer, Google announced that it will not extend its Project Maven contract, largely because of internal controversy around how the project could aid in warfighting. It’s not going to be an easy problem to solve; the government must protect the nation and its citizens, but it needs the help of the private sector to do so.
- Report: NIST to use IBM’s Watson AI system to score vulnerabilities (November 12, 2018)
Summary: After making its debut on Jeopardy in 2011, IBM’s Watson has proven its value as a culinary chef, a museum guide and a veterinary helper. Now, the AI system is tackling some of the challenges that cyber analysts face at NIST.
Why it matters: There’s no shortage of AI applications and use cases—and that’s part of the challenge many organizations face when it comes to investing in AI. Those anxious to leverage the technology must first identify and prioritize their problems: AI is incredibly powerful, but if it is assigned the wrong problem it can be ineffective or even disrupt an organization’s mission and overall business. In this case, NIST seems to have thoroughly evaluated where AI could bring the most benefit: ingesting and processing large volumes of data and producing actionable results for human decision-making. This is yet another example of how AI can be powerful and effective in isolation, but even more successful when coupled with human intelligence. AI will radically change the way analysts think about cybersecurity, and will shape the objectives and functions of Security Operations Centers (SOCs). Instead of waiting for something bad to happen, SOCs can shift away from passive security and use AI to detect not just vulnerabilities, but patterns and anomalies as well. As a result, we can also expect that the demand for cyber talent won’t fade, but the type of talent needed may evolve.