
A
From the CISO Series, it's Cybersecurity Headlines. ShinyHunters and Scattered Spider merge. DARPA awards big prize for AI code hunting. And our water system needs help from volunteers. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. All of our producers on Cybersecurity Headlines, as always, bringing you the best stories. And now we're looking forward to some insight, opinion and expertise from our returning guest, Steve Zalewski, co-host of Defense in Depth, making his triumphant sixth appearance on the show. We have only one way we could possibly celebrate this. He's getting a complimentary trip on the CISO Series corporate jet. That is, in fact, the big boss man, David Spark, giving a big thumbs up. And Steve, thank you so much for being here, as always being game to lend your expertise to these news stories. I've got to ask, though, how was your week in cybersecurity?
B
Well, the first thing I'm going to say is thank you for the jet. And I go, I hope David's been working out because he's going to be pedaling awful hard from what I can see in there to keep us in the air. So. But I have confidence.
A
Yeah, the aerodynamics of that do not check out at all.
B
I'm just saying, you can't even see his feet. You know, it's kind of like a duck underwater. So thank you for that. And then two, what's kept me up this week? I would say with Black Hat being a week ago, okay, the ability to analyze everything you took in. What are the themes that's happening in the industry? How are people feeling? So for this week, it's been a little overwhelming for me to be able to just absorb everything that I saw and heard and try to be able to establish the themes, like, you know, AI is everywhere. What happened to IAM? Where did we go with the whole quantum computing key management thing? So those are examples of what I was observing, either as being in front of our faces, or what happened to them last year when they were big and now they've gone away.
A
I can think of no finer voice to sort out the narratives within the industry and kind of navigate those trade winds than Steve Zalewski. Before we jump into the news of the week, I thank our sponsor, Vanta, a new way to GRC. Now, if you're listening to the show as a podcast, one, you didn't see the jet because it's audio only, so you have to join us live. To do so, you can go to cisoseries.com and look for the events page. We have all the information for the Week in Review. It's every single week at 3:30. It's also on YouTube, YouTube Live. You can go to the CISO Series YouTube page and find us there as well. We would love for you to join us and see all of the wonderful graphics for our returning guests. And for those of you who are with us right now, be sure to contribute your comments in the chat. We'll do our best to address them during the show. See, TJ Williams was the first one to get in with some comments, so we'd love to see some of our other regulars and some new faces in there as well. And if none of that is your bag, feedback@cisoseries.com is the way to let us know what you think of the show, what you think about the news, and we'd love to share those on the air as well. Before we jump into the news, just a quick reminder that Steve's opinions are in fact his own, not necessarily those of any other party that he may be affiliated with. We've got about 20 minutes though, so let's get going. First up here, consolidations just everywhere. ShinyHunters and Scattered Spider merge. The two gangs are working together in a coordinated campaign targeting Salesforce users. According to researchers at ReliaQuest, the activity combines phishing, voice phishing and malicious app-based attacks. Techniques include impersonating IT support in phone calls, creating fake Okta-branded login pages, and setting up spoofed connected apps that look like legitimate tools to collect credentials and data. A lot of classics kind of all coming together under this campaign.
Many of the malicious domains use ticket-related themes and target industries including luxury retail, aviation, insurance, technology overall, and financial services. So Steve, both of these groups have gained notoriety recently for the success of their attacks. Definitely both of them making a name for themselves. But perhaps the real story here is the constant theme of phishing and social engineering as being this weak point. We just keep seeing it over and over again; we cannot beat that drum enough. Some may say it's unfair to blame employees, but these sophisticated groups are telling us through their actions that that's where they're finding success. I'm curious, what's your take on it?
B
You've heard me say this before, right? A brutal truth, which is the human is the weakest link. Okay. And it goes to the nature of being humans, right? We are lazy to a certain extent, we are forgetful, we don't get enough sleep. And so this opportunity to take advantage of human nature, I often say I could fix the problem if everybody would just do what I say. And every child that we've all had, and how many times have we said this? And I say treating the business like you treat a child oftentimes goes a long way to understanding what you can do. So now I've got to say, if I can't prevent the attack by telling you to do it, how do I know? Minimize the damage when you touch the hot stove, okay? And what I won't say aggravates me, but the appreciation here is deep fakes. What we're doing in social engineering, attacks that we spent a lot of time, 20 years, bending that curve to get it to an acceptable level. And now with the deep fakes and the ability to take that digital persona, okay, of you, for example, and making it almost perfect. So now when I'm coming at you, right, it's much harder for you to know that it's fake. It's much harder for my tools to know that it's fake. That's one. But the other one is the fact that you have two professional organizations that are now working together. And what that means is kind of like Ukraine and Russia groups, right before the war, when they were working together, were accounting for 50% of all of the ransomware attacks. And it was a profession, it was a business. They were professional about it. You paid them the money, they gave it back. Same thing here. What you're seeing now is it's not script kiddies. It's not, I'm here because I want to take you down because you have leather on your jeans.
These folks have realized this is a way to monetize and it's a career, and they've professionalized it, and now they're working together to both increase the velocity of attack and increase the sophistication of the success of the attack. That's what has me nervous when I read this article.
A
And the chat has voted. Shiny Spiders is now the name of the combined group. We've gone with that. But what's interesting with that, what I think of is when I think of two companies merging, I think of, like, the classic big giant mergers, your Time Warner AOL. There's always the chance that when you have a big merger of two otherwise presumably competent organizations, there is some inefficiency, right? There's politics that will come in there, that actually the sum is less than the value of its parts. I messed up that analogy. But you know what I mean? So the more I think of these as businesses effectively just outside the bounds of law, I wonder what those knock-on effects were. Certainly the optics of it would not initially seem to be great for us ordinary folk.
B
And to your point, when you get nation states or organized crime that represent a revenue stream for a country, like it was for Russia, like it was for Ukraine, North Korea, which was, I hate to say things like nation state or the fact that a country is sponsoring these because it's a revenue generating opportunity for their treasury, but when you see this kind of thing and the professionalism, you can't help but say, right, who are the larger sponsors and what is it that we're trying to do now in coordinating these attacks? I don't have good answers. I'm not going there. But to your point of when two companies merge, what was the board of directors thinking to facilitate this merger versus what are the executive teams doing to simply managerialize the execution of the merger?
A
All right, well, next up here, maybe it's some good news here. It seems like DARPA awards $4 million prize for AI code review at DEFCON. The winner of a two-year competition to create the best artificial intelligence systems that can find and fix vulnerabilities was announced at DEFCON by the competition sponsor, the United States, you may know them, the US Defense Department. Team Atlanta is composed of tech experts from Georgia Tech, Samsung Research, the Korea Advanced Institute of Science and Technology and the Pohang University of Science and Technology. Teams were judged on the ability of their systems to create patches for bugs that were found. Obviously, Steve, there's no area of life or business, it seems, that AI has not touched, and hopefully it has shown potential for improvement here. I'm curious, what are your thoughts about AI as a tool for, I don't know, defense in depth?
B
Check you out. Wow. You know, be careful. You may be on that airplane with me as my sixth one. Right? So we'll all be pedaling together.
A
I wish you had a slide whistle for that.
B
Yeah, there you go. So folks may or may not remember, but I think it was about 10 years ago DARPA, right, did an equivalent exercise here for capture the flag. Can I get AI to be able to be better than humans at capture the flag exercises and the different modalities or methodologies for the MITRE ATT&CK framework as to how to do that? And they made great progress and considered that. What I thought was really interesting about this one, and I was heartened by this, I really appreciate DARPA doing this, is there are a lot of startups out there that are going after vulnerability management, which we've been doing for 20 years, which is patching. And we haven't been very successful at it because the number of assets we have to patch has far surpassed our ability to patch it because of patch windows or any number of things. What I thought was really interesting here is what does it mean to put AI at the problem? Okay. And what I'm hoping for and what I was seeing here is it's not just the velocity to ingest 54 million lines of code, it's the ability to generate the insights of which of those lines of code were the problem in a dynamic fashion and then the speed of execution. So that what we're doing now is looking at exploitability and then material exploitability. And then how do I thwart the attack by potentially finding out what is the combination of defense in depth, zero trust, patching, role based access controls to be able to manage the attack envelope and not just try to prevent it at all cost. And this is where I really appreciated it when I read this. And what I'm seeing with a lot of startups now is they are leveraging AI and that ability for speed of ingestion, speed of insight and speed of action to be able to not replace humans, but take what humans do and just ramp it up times a thousand in order to be able to provide a polymorphic machine driven defense against the polymorphic machine driven offense that they're using to do this against me.
A
Yeah, I mean, it certainly is turning into a game of cat and mouse, but I like seeing that the cat is getting sharper claws, like that we're making the investments that we need to make to stay apace with this kind of stuff and that is proving effective, and that we're seeing multiple parties, whether it's Google's, was it Project Zero, that they're working on something along similar lines, we have DARPA, you know, multiple avenues. Obviously a lot, I'm sure Microsoft and every other, a lot of the large players are doing similar things. It would be incumbent on them to do so, that, you know, this is not being taken for granted. Right. We're seeing investment in the space as something valuable. Whether it's, you know, mean time to context, mean time to build a remediation strategy that isn't patch all the things, which we know is completely broken. You know, kind of alluding to what you were saying. So yes, seeing a little bit more symmetry, right, in capabilities is always a good thing from a defender standpoint.
B
Let me add one more piece here and we can go, which was: are we trying to be more efficient in the use of human resources to stop attacks? Are we trying to be more effective at leveraging AI to remove the drudgery from many of our runbooks and the processes that humans execute to be able to stop attacks? And I would say this is the conversation we're actually having, is that AI as a force multiplier to remove a lot of the drudgery that humans have to do with eyes on glass, to be able to let the humans be more effective at figuring out what the right defense in depth compensating controls are for actionability, and let the machines go ahead and do a lot of the drudgery.
A
All right, next up here, Franklin volunteer hackers defend our water system. Former White House official and executive director at the University of Chicago's Cyber Policy Initiative, Jake Braun, says his Franklin Project continues to grow with more volunteers than they can handle. The Franklin Project provides free cybersecurity services to critical infrastructure, particularly water systems, in addition to an excess of need. Braun told the Register during this year's DEFCON that one of the volunteers' first challenges was convincing the water utilities themselves that, despite being located in small towns, they were still a target for state-based cyber actors. So Steve, two issues here. The first being volunteers are needed to support a key part of our infrastructure. But also I think this attitude that's common with many businesses, certainly not picking on utility providers or anything like that, but that we're too small, we're too remote to be attractive to sophisticated actors. I'm curious, where would you like to go with this?
B
So the first thing is, I think most of our audiences here understand cybersecurity is a family. Okay, it is an extended family, but we, like firefighters, like policemen are there for each other. Okay. Why is everybody reaching out? Because it's the right thing to do. And no company, no matter how big or how much money. Right. Can effectively go it alone. You can try, but you really have to rely on mutual aid, mutual defense, mutual support to be able to position that we have a larger shadow to be able to stop the bad guys. Okay. What you're seeing here is the security industry doing what it does best, which was there are no walls between us to do the right thing. And so you're seeing all the volunteers saying, we've got to do this. Absolutely, everybody's in. Okay. But here's the other part, and it's what you were talking about is the small, you know, water districts or everything else. Nation state attack, okay. Is not about the individual company. It's not about an individual monetization. Right. They're trying to change the balance of power politically at a national level. They are trying to disrupt our social fabric for how we do business. Okay. But for many of these small regional environments, they don't think that way. They're looking at I need to make sure I'm supplying water with four nines of availability because I got to make sure for health and safety I keep the water flowing and that it's chlorinated. Okay. For them to appreciate nation states wanting to come in and take them and others out. Okay. They're very operationally oriented. They're not necessarily looking at the larger efforts. This is why we have to rely on our community to be able to come in and say, we're not going to try to make it a problem for you for nation state, but let's help you improve the hygiene of the basic cybersecurity because that's good for you because it hardens the larger national infrastructure. And there we go. The security family is doing the right thing.
A
All right, well, before we move on to our next story, I want to spend a few moments and thank our sponsor for today, Vanta. Do you know the status of your compliance controls right now? Like right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get started at vanta.com/headlines. That's V A N T A dot com slash headlines. All right, next up here, Microsoft rolls out PC backup during attack. Microsoft just opened a limited public preview for Windows 365 Reserve, which is not a 15-year-aged Scotch, but in fact a new service that gives employees temporary access to cloud PCs when their devices fail or get hit by cyber attacks. You get up to 10 days per year of access with preconfigured desktops that come ready with your company's apps and security policies already spun up. The preview is invite-only for now, but once you're in, users can log in from any device through a browser or a Windows app, keeping work flowing while IT sorts out the problem. Now Steve, if you recall, Microsoft is being very proactive in designing ways that people can get access to their data if their main systems seem to have been compromised in some way. I'm curious, does the idea of preconfigured desktops that come ready with your company's apps and security policies give you a warm and fuzzy feeling?
B
Well, there's warm and there's fuzzy.
A
Okay. Okay.
B
I get warm because I start to sweat thinking about giving Microsoft access to all that material or committing myself to one egg, one basket. That's why I say warm fuzzy is there's what I want and what I need. Big companies, Microsoft has not done a good job being what I would call a good partner. What they are is a great company that wants to extract revenue. Okay. And you see a lot of people that are very dissatisfied with some of the tactics that they use. But when I get to small to medium enterprise, when I get to. Well, there's what I want and there's what I need. What I need is to withstand the attack. What I want is to be able to do it without Microsoft's help. And I wish I had the maturity and the money to be able to build a completely transparent or a completely secondary way of withstanding the attack. I can't. So I really appreciate what Microsoft is doing, because I can see over time, if you use Chromebooks for your company and you're a SaaS consumer, the ability to identify the key business data or consumer data and put it in a good place so that I can then just drop in an alternative application platform. I think that is an obligation to offer it out there. You're going to see a lot of people adopt it. Not because they're saying I like Microsoft, but what they're saying is for the cost, for what I have and what I need, this is good enough.
A
Yeah. That is what struck me about this. I mean, again, turns out Microsoft knows how to craft services and sell, like, who knew, right? But this seems so tailored to, exactly to your point, right, to apply to that need in a very specific way. Oh, and by the way, keep you in the warm and fuzzy Microsoft family. Hand over, you know, all the subscriptions and stuff like that. But, you know, again, for a less than mature organization, this to me seems like an invaluable stopgap during an incident. Right.
B
Or think of it this way, right. You're an MSP. Okay. And you run it for a company that manufactures something. Let's just say bathtubs. Okay. They just need to manufacture the bathtubs to keep going. Okay. Cybersecurity for them is a cost of doing business. They're not going to be targeted. Odds are they're going to be a byproduct of a larger attack. Okay. And so what they need to do is, I need to spend some money on cybersecurity so I can keep making bathtubs. This is a very nice way for an IT and an MSP to work with them to say, I can offer you, right, the ability to do a business impact in a BCP, business continuity plan, to withstand a cyber attack. You're not going to be specifically targeted, but the script kiddies may just hit you, and now you have a way to proceed forward.
A
All right, well, our last story for today, booking.com faces another sneaky phishing trick. Back in June, we covered a story about booking.com dealing with the ClickFix CAPTCHA scam. And now the travel organization is dealing with a new challenge: a variation on an old school homograph scam, in which a letter in a URL is replaced by a similar looking character. This time it is a Japanese hiragana character that looks like a forward slash and a tilde together. And apologies to the Japanese language in this particular case. The phishing email containing the bogus link purports to be a follow-up to a service complaint. This is probably one of the oldest cybercrime techniques out there. Steve, I see you nodding your head, a tale as old as time here, but it does highlight a serious issue which kind of bookends our first story here. Homographs and typosquatting are easy ways of fooling a user into clicking what looks like a legitimate link. But what chance? This is what always comes to my mind when I see these stories. What chance does anyone have in terms of keeping their guard up against every single letter in a URL? Like, that's just a. It's a matter of time before this works. Right.
B
It's not a matter of time before it works. This is why it always works.
A
Okay. Yes.
B
Okay.
A
It's not. Yeah, it's not. It's not. Yeah. It's a certainty. After a long enough timeline, it's a certainty.
B
They know that 1% of the time you're going to do it. They know that if they hit you up enough times, right, in a moment of not paying attention or whatever, you're going to click. This is part of that deep fake analysis. And what I say is we're getting smarter too, because they're doing an analysis on you. Have you just had a child? Are you likely sleep deprived? Will you be likely to miss? Right. So they're getting very sophisticated, and this is why, for all the folks that are concerned about AI and Skynet and it's taking my jobs away, okay, this is a case where we have to put AI in, because all of my current controls, which, is this a legitimate site? It may be legitimate. Right. I can't tell by the IP, and I've trained you and I've done everything I can, but you're going to make mistakes. I need that additional ability for AI to be watching and streaming through this and being able to give me that authorization, last mile check, to go, hey, Steve, this one doesn't look right, or when you do it, that I can within seconds cauterize the wound of the fact that you did. So it's cost of doing business.
A
Yeah, I mean, if you want to go on the Skynet route, it's like the Terminator in that it doesn't get tired. It doesn't have a bad day. You know, none of these systems are perfect, but that idea of kind of always having, again, a speed bump, or not even a speed bump at that point, another set of eyes for when you have that moment of weakness. Yeah, pretty much mandatory kind of going forward. By the way, a big shout out to our chat today. CCL coming in late here, kind of following up on the Microsoft Windows 365 Reserve here, and CCL thrown in for Cloud PC saying it's amazing, all you need is a browser to access your VM, Apache Guacamole on steroids. I don't know about you, but I am hungry. Thanks to Schmooze and TJ Williams and everyone in our chat, helping make it just absolutely great and fun. Really appreciate every single person in there every single week. And if you haven't joined us yet for the live stream, get in there. It is a ton of fun. Thanks to everybody that shows up every week. Steve, before we get out of here, any story that was a thumbs up or a facepalm for you this week?
B
Here's what I'm going to say. The facepalm for me is the fact that two of these stories are all about social engineering attacks. The bad guys know that the weakest link is not the individual source code vulnerabilities. Okay. It's not a network gap in a firewall. It's the fact that most attacks succeed because at some point a human has been compromised. And so I would go both the facepalm for it's all about the human, but also the frustration, which was, like I said, all you have to do is do what I say, but it's not going to happen. And that's why AI in its various flavors continues to have to be able to augment for us, because AI on attack has to be AI on defense. And so I would go both a facepalm, and what I wanted for the audience is the theme here is an appreciation for what do we want? Here's what I want, but here's what I need. Here's what I'm going to have to do, because wanting isn't enough.
A
Well, thank you so much. Words to contemplate is what I always love from Steve Zalewski, the co-host of Defense in Depth. Thank you so much for being on the show. And you should check out Defense in Depth if you haven't listened to it before. It's one of the podcasts from the CISO Series. Be sure to check that out. Steve is a frequent co-host over there, lending his superior wit and wisdom. Thank you so much, Steve. People can find you on the cyberspace, LinkedIn I believe. Is that correct, Steve?
B
Yep, LinkedIn. I'm there for everybody if there's something I can do. If there's a problem I can own, that's my obligation.
A
And you quite frequently will look for, ask questions that may be featured on an episode of Defense in Depth as well, which is always exciting to see those responses as well. So make sure, we'll have that link in the show notes. Thank you so much once again, Steve. Also, thanks to our sponsor for today, Vanta, a new way to GRC. A huge thank you once again to our audience. We can't always get every comment up on screen, but we deeply appreciate you being here, participating, making me smirk while I'm trying to look very serious reading the news. Don't worry, you can still send us feedback through email, feedback@cisoseries.com, get your thoughts to us and we would love to share those on the show as well. Please join us next week. First up, we have Super Cyber Friday, where our topic will be Hacking Tabletop Exercises. An hour of critical thinking about how to get better value out of running disaster scenarios. That starts at 1pm Eastern, and then come on back for a very special episode of the Week in Review starting at 3:30pm Eastern. We'll be celebrating the five year anniversary of Cybersecurity Headlines as a podcast. That's our daily news show, and we're going to have some of our producers, like our glorious producer Steve Prentice. We're going to have Hadaska Sorla on there, our newest producer, and myself. We'll be discussing some of our favorite stories from the past couple of years, just some of our favorite experiences, and talking about the news of the week as well. It'll be a fun time. To register, to join us, head on over to the events page at cisoseries.com, follow us on YouTube, the CISO Series account there, and you will be informed about when all of this is happening. In the meantime, you still get your daily news fix through Cybersecurity Headlines, celebrating that five year anniversary. Give us about six minutes, we'll get you all caught up. Until the next time we meet.
For myself, for our glorious producer, Steve Prentice, for Steve Zalewski, for the big boss man David Spark, and all of us in the CISO Series conglomerate organization, here's wishing you and yours a super sparkly day. Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Podcast: Cyber Security Headlines
Host: CISO Series
Guest: Steve Zalewski, Co-host of Defense in Depth
Date: August 15, 2025
This week’s “Cyber Security Headlines – Week in Review” unpacks critical cybersecurity stories, including the ShinyHunters-Scattered Spider merger and its implications for phishing attacks, DARPA’s $4M AI prize at DEFCON for automated code review, and the Franklin Project’s surge of volunteer cyber defenders for water infrastructure. Host and guest Steve Zalewski explore ongoing pain points like social engineering, the evolving use of AI in both offense and defense, and the unique challenges facing smaller organizations and critical infrastructure.
Steve Zalewski summed up the week’s cybersecurity narrative as largely driven by increasingly sophisticated social engineering attacks and the corresponding obligation to inject AI throughout the defensive stack—not to supplant humans, but to cover ever-growing gaps. The episode closes with an encouragement for listeners to recognize the difference between what they “want” in security and what they “need,” emphasizing that practical, layered solutions are necessary in a threat landscape that targets both humans and tech.
Listenership Note: Steve welcomes messages and contacts via LinkedIn and continues to accept community questions for the “Defense in Depth” podcast.
For full stories and more cybersecurity news, visit CISOseries.com.