Articles

How shape-shifting threat actors complicate attack attribution

Researchers explain how they identified—or failed to identify—the threat actors behind three high-profile incidents and why attribution is so difficult.

The already difficult task of attributing a cybersecurity attack to a particular threat actor is made harder by the shape-shifting nature of threat groups. Despite the best efforts of researchers, some attackers may never be identified.

At last week’s VB2021 conference, cybersecurity analysts and researchers walked through the breadcrumbs they followed to identify the malicious actors behind the Colonial Pipeline, Sony Pictures, and Iran railway system attacks. These examples show why attribution is complicated and sometimes impossible.

From Carbanak to BlackMatter

CrowdStrike researchers quickly attributed the Colonial Pipeline attack this past May to a group known as Carbon Spider, likely an Eastern European or Russia-based threat group. But as Josh Reynolds, a senior security researcher at CrowdStrike, and Eric Lou, a senior intelligence analyst at CrowdStrike, spelled out at VB2021, the group wasn’t always a “big game” ransomware threat.

Carbon Spider started in 2013 using Carbanak malware to target financial institutions before moving on in 2015 to target restaurants and the hospitality industry with point-of-sale (POS) malware to collect payment card data. In 2016, Cobalt Spider broke off from Carbon Spider to handle the card data thefts while Carbon Spider continued to target financial entities.

This article appeared in CSO Online. To read the rest of the article please visit here.


TSA to issue cybersecurity requirements for US rail, aviation…

New rules include reporting incidents to CISA and naming cybersecurity leads, but experts and industry representatives cite lack of input.

After issuing cybersecurity requirements for pipeline companies via two directives earlier this year, the Transportation Security Administration (TSA) will now also issue cybersecurity requirements for rail systems and airport operators. The two pipeline directives followed the high-profile ransomware attack on Colonial Pipeline in May, which halted the flow of refined fuel to the East Coast and sparked gas shortages and panic buying.

“TSA’s broad responsibilities cover security at our airports, highways, and traffic management systems, pipelines, mass transit terminals and hubs, and subways and metros that carry billions of passengers every year,” Department of Homeland Security (DHS) Secretary Alejandro Mayorkas said in announcing the new regulations yesterday. “Whether by air, land, or sea, our transportation systems are of utmost strategic importance to our national and economic security.”

This article appeared in CSO Online. To read the rest of the article please visit here.


FCC asks carriers to step up to stop SIM…

The US federal agency puts pressure on telecom carriers to put better authentication, account protection safeguards in place.

Last week the Federal Communications Commission (FCC) put out for comment its first set of consumer cybersecurity protection rules under the Biden administration. These proposed rules address the growing scourge of so-called SIM swapping and port-out fraud.

These scams exploit the fact that many businesses and organizations use a customer's mobile phone number as an authentication factor for accounts that have nothing to do with mobile phone service, typically by sending one-time codes or password-reset links over SMS. E-mail, social media, banking, cryptocurrency exchange, and online retail accounts are among the many kinds of accounts that criminal actors can take over once they control the victim's number.

A SIM (subscriber identity module) card identifies a subscriber to the carrier once it is inserted in a device, and mobile phone owners can typically switch carriers and keep their own devices by simply swapping out SIM cards. In a SIM swap, the fraudster persuades (or bribes) a carrier employee to move the victim's number to a SIM the fraudster controls; in port-out fraud, the number is ported to an account at a different carrier. Either way, the victim's calls and text messages, including authentication codes, are delivered to the attacker.

In issuing its Notice of Proposed Rulemaking (NPRM), the FCC said it “has received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM swapping and port-out fraud.” As Senator Ron Wyden said in a letter he and his colleagues sent to the FCC last year urging the agency to address SIM swapping, fraudsters use SIM swapping to “get wireless carriers to transfer the cell phone accounts of victims to them, steal their login credentials and then empty their victims’ bank accounts.”

This article appeared in CSO Online. To read the rest of the article please visit here.


MITRE ATT&CK, VERIS frameworks integrate for better incident insights

The MITRE ATT&CK/VERIS collaboration aims to create a common dictionary for communicating information about security incidents.

Incident responders work much like police detectives or journalists, in search of the who, what, when, why and how of incidents before they can take steps to address problems. One tool that helps responders address incidents after they occur and position organizations for better defense in the future is the widely used MITRE ATT&CK framework (ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge). Responders use ATT&CK as a threat intelligence tool during or after an incident to map observed behavior to known techniques, compare those techniques with the tradecraft of known adversary groups, and identify the mitigations and detections associated with each technique. One recent example comes from McAfee, which used ATT&CK in a case that started as an investigation into a suspected malware infection but ended up as a surprise discovery of a long-running cyberattack by two Chinese threat groups, APT27 and APT4.

MITRE ATT&CK relies on a detailed knowledge base of adversary tactics and techniques drawn from real-world observations. In essence, ATT&CK deals in a granular way with the how of an attack: the techniques an adversary used and the groups known to use them.

This article appeared in CSO Online. To read the rest of the article please visit here.


US cryptocurrency exchange sanctions over ransomware likely not the…

The sanctions against Suex, aimed to cut ransomware gangs off from their revenue, sends a signal to other exchanges that support criminal activity.

Days after the Russia-linked BlackMatter ransomware gang hit an Iowa grain cooperative with a ransomware attack, the Biden administration unveiled its latest effort to address the ongoing ransomware crisis. In a move designed to cut ransomware gangs off from their financial rewards, the Treasury Department announced that its Office of Foreign Assets Control (OFAC) had placed Suex, a cryptocurrency exchange registered in the Czech Republic but owned and operated by Russian nationals, on its sanctioned entity list, formally called the Specially Designated Nationals and Blocked Persons (SDN) List.

Suex facilitates “financial transactions for ransomware actors, involving illicit proceeds from at least eight ransomware variants,” according to the announcement. Treasury says that over 40% of Suex’s known transaction history is associated with illicit actors, representing $370 million in illicit trading.

OFAC included on the SDN list a total of 25 bitcoin, ethereum, and tether addresses known to be controlled by Suex. These addresses received more than $934 million in various crypto assets overall. In addition, blockchain analytics company Chainalysis said that the Suex addresses have received more than $160 million in bitcoin alone from “ransomware actors, scammers, and dark net market operators” since the exchange was founded in 2018.

This article appeared in CSO Online. To read the rest of the article please visit here.


Software cybersecurity labels face practical, cost challenges

The federal government wants consumer software to have cybersecurity labels; experts question the feasibility of the mandate.

As part of his extensive cybersecurity executive order issued in May, President Biden directed the National Institute of Standards and Technology (NIST) to develop two pilot labeling programs covering the cybersecurity capabilities of consumer internet-of-things (IoT) devices and the development practices behind consumer software. Although these pilot programs won’t be mandatory for device or software sellers, they could raise market expectations. In addition, whatever labels come out of these programs would carry with them some sense of government authority and might ultimately become part of the government contracting process.

Last week NIST held a two-day workshop on these topics. Of the two pilot programs, the consumer software labeling initiative is the trickier one given the ever-changing nature of software and the absence of any similar existing consumer software labeling initiative.

To help it grasp the more complex task of developing labels for software, NIST solicited one- to two-page labeling position papers from interested parties. In calling for these papers, NIST cited “the challenges and practical approaches to consumer software labeling,” asking for feedback on the “technical criteria needed to support validation of consumer software security assertions that reflect a baseline level of secure practices.”

This article appeared in CSO Online. To read the rest of the article please visit here.


Federal agencies face new zero-trust cybersecurity requirements

The OMB and CISA issue guidance to move all federal agencies to a shared zero-trust maturity model for FY22-24. The catch: No new funding.

As part of the Biden administration’s wide-ranging cybersecurity executive order (EO) issued in May, the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) issued three documents on zero trust last week. Zero trust is a security concept that “eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses,” according to the EO.

From a cybersecurity practitioner’s perspective, zero trust is a security approach that, among other things, relies on stringent authentication and authorization processes to give users the access they need to digital assets, but in constrained ways that limit damage when a breach or compromise occurs. The EO repeatedly references zero trust and directs CISA and OMB to develop initiatives to incorporate zero-trust security models throughout the federal government.

The documents released last week offer draft versions of these models. CISA and OMB call them “strategic and technical guidance documents meant to move the US government towards a zero-trust architecture.”

This article appeared in CSO Online. To read the rest of the article please visit here.

China’s PIPL privacy law imposes new data handling requirements

The Personal Information Protection Law will force global companies doing business in China to be more careful with cross-border flow of personal information.

As part of the country’s growing scrutiny over the tech sector, China enacted on August 20 a sprawling and comprehensive data privacy law, the Personal Information Protection Law (PIPL), which goes into effect on November 1, 2021. In combination with China’s newly enacted and still little-understood Data Security Law, which goes into effect on September 1, 2021, this law promises to impose a host of new data privacy, security, and protective obligations on all US and global companies doing business in China.

These significant laws fit into China’s broad “informatization policy,” which Chinese President Xi Jinping has described as the modern equivalent of industrialization. The Data Security Law, however, is closer to a cybersecurity law than the PIPL is. In his efforts to boost China to “cyber superpower” status, President Xi has famously said that “cybersecurity and informatization are two wings of one body, and two wheels of one engine.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Tech giants pledge at least $30 billion to improve…

Technology, financial, and education leaders commit to a wide range of initiatives to enhance the nation’s cybersecurity posture in collaboration with the Biden Administration.

Industry leaders from the technology, financial, and education sectors have pledged a wide range of private-sector initiatives to tackle the nation’s cybersecurity problems. Those efforts include increasing the cybersecurity talent pool, boosting security awareness, and better securing the software supply chain. Microsoft pledged $20 billion and Google pledged $10 billion to develop more advanced security solutions in areas such as security by design, zero trust, the software supply chain, and open-source software.

That announcement came at a meeting hosted by the Biden Administration yesterday, where private sector leaders met with national security and cabinet team members to tackle the nation’s cybersecurity problems. Among the attendees from the government were:

Commerce Secretary Gina Raimondo
Energy Secretary Jennifer Granholm
Homeland Security Secretary Alejandro Mayorkas
SBA Administrator Isabel Guzman
National Security Advisor Jake Sullivan
Director of the National Economic Council Brian Deese
Senior Advisor and Director of the Office of Public Engagement Cedric Richmond
Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger
National Cyber Director Chris Inglis
Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly

This article appeared in CSO Online. To read the rest of the article please visit here.