US-Iranian tensions find expression in cyberspace as Refined Kitten returns. Facebook tries friction against abuse. Cryptominers in the wild. Lead generation for cyber criminals.

Automatic TRANSCRIPT

Tensions between the US in Iran over tanker attacks nuclear ambitions, and the downing of Global Hawk drone seemed to be finding expression in cyberspace refined kittens seems to be pointing for some American fish Facebook. Tries friction as an alternative to content moderation in damping. It's abuse in inciting, South Asian violence, crypto mining campaigns are showing some renewed vigor. My guest, Michael coats offers advice on selling to CISCO's and a look at lead generation for Nigerian prince scams. Now a word from our sponsor extra hop. The enterprise cyber analytics company, delivering security from the inside out prevention, based tools, leave you blind to any threats inside your network by adding behavioral base network. Traffic analysis to your sock. You can find and stop attackers before they make their move extra hop illuminates, the dark space, with complete visibility at enterprise scale detects threats up to ninety five percent faster with machine learning and guided investigations that helped tier one analysts perform like seasoned threat hunters visit extra hop dot com slash cyber to learn why the sans institute calls extra hop fast and amazingly thorough a product with which many sock teams could hit the ground running. That's extra. Hop dot com slash cyber. And we thank extra hop for sponsoring our show. From the cyber wire studios at data tribe. I'm Dave bittner with your cyber wire summary for Friday, June twenty-first 2019 tensions between the US and Iran. Already high over attacks on tankers in the Arabian Gulf, and ongoing disputes over Iran's nuclear ambitions have risen significantly in the wake of Iran's shootdown of a US air force. Our cue for a Global Hawk reconnaissance, and surveillance drone on Wednesday. The US says the drone was in international airspace. Over the straits of Hormuz Tehran says the arc you for a was flying over southern Iran either might be right in the fog of war, but we're strongly inclined to go with the US air force on this one. The Global Hawk is a big capable and expensive platform, costing one hundred thirty one point four million dollars a copy leaving research, and development costs out of the reckoning it's forty seven and a half feet long has a wingspan just. Shy of one hundred thirty one feet and it weighs more than eight tonnes when it's loaded for emission. It's got a fourteen thousand mile range, cruises at about three hundred fifty miles an hour and has a sixty thousand foot service ceiling. It doesn't of course, have a pilot or crew on board. So no lives were lost when in Iran, Ian surface to air missile, probably a Siad SD to see knocked it down still Theron says it sent a message and Washington is unhappy with the shootdown those drones aren't cheap. And there are only so many of them to go around besides their US government property. And so the US government is understandably steamed, what's this got to do with cybersecurity? You may. Well, ask well, it's this as is so often, the case, Connecticut action is accompanied by cyber action, especially when there appears to be the danger of esscalation and cyber battlespace preparation appears to be underway. Wired says that the security firms Drago's and crowd strike have report. Added a surge in phishing emails, deployed against a range of American targets. The actor is said to be a PT thirty three also known as magnesium or refined kitten fire I without naming the threat. Actor says it seeing much the same at least some of the phishing attempts were baited with what appeared to be an announcement of a job opening at the White House's council of economic advisers the militias link opened an HTML application which in turn started visual basic script on the targeted machine that installed the payload the power ten remote access Trojan. All of these security firm say are consistent with how refined kitten has done business in the past. It's not known if any of the attempts have been successful, nor is it clear, whether their goal is reconnaissance of potential targets or the staging of malware against the possibility of future. Use crowd strikes at a Myers speculated to wired that the choice of fish, bait suggest that the campaign might be principally interested in gathering. Intelligence about US policy with respect to economic sanctions, but he points out that this is exactly that speculation the point of the campaign isn't known espionage is possible. But so are reconnaissance. And staging Dragos is Joe slowec told wired that, quote, you can't turn on a dime and save I need cyber now. And quote, that's what battlespace preparation involves getting the intelligence, getting the reconnaissance and staging capabilities, where you may need them. Under pressure to do something about abusive its platform to inspire violence in Sri Lanka and me on mar Facebook is trying something other than content moderation. Introducing friction Facebook will limit the number of times users around the region can share a message for now. The limit is five the hope is that this will help keep things from going viral that ought not to go viral, it will be interesting to see if it has the desired effect. Security companies are tracking crypto minors in the wild e set and malware, bytes are tracking similar cross platform. Crypto minors, respectively loud, minor, and bird, minor. They share some infection. Vectors Trend, Micro also has its Iona crypto minor. This one is satori like dot net that arrives via the Android debugged bridge, and finally, it's long been a truism that criminal markets behave in many ways, like legitimate markets, and that criminal enterprises, Abe some of the practices of legitimate biz. Mrs researchers at security company Gari have been looking at some of the west African cyber gangs, the people who gave the world, the now familiar, but still sometimes affective Nigerian prince scam a Gari tells axios that Email scammers run their operations like a business complete with consultants and lead generation systems, the gangs use regular lead generation services of the kinds that many legitimate businesses employ as the story in axios, puts it a Gari has seen the criminal groups use several lead generation firms, the lead generation sites offer, customizable searches, you want CFO's of companies in a given sector of a given size and a particular geographical region. You got him a Gari found that the crooks generally signed up for free trials using the g mail dot trick that lets them create accounts easily some of them are even more brazen. The London blue crew just went ahead and bought a fifteen hundred dollar annual subscription to a lead generation service last year. Was it worth it currently at least London blue seems to have thought so they downloaded fifty thousand leads in six months? And now a word from our sponsor observe. It according to Cisco over the course of one and a half months. The typical suspicious insider can download fifty two hundred documents unfortunately many ad hoc insider threat investigations can drag on for weeks or even months since it's tough to know. Exactly. Who did what when and why security analysts have to Wade through a sea of event logs many of which are completely irrelevant who eventually discover the root cause of an incident. What are we told you that there's a way to investigate insider threat incidents faster with observe? It's dedicated insider threat management platform security teams can quickly find out the context into both the user and data activity behind an alert detailed user activity timelines and easily. Searchable meta data help, you know the whole story on insider threats. Visit observant dot com slash cyber wire to try. Out observed sandbox environment for yourself, no downloads, or configuration required. That's observant dot com slash cyber wire, and we thank observe it for sponsoring our show. And I'm pleased to be joined once again by Mike Benjamin. He's the senior director of threat research at century links black Lotus labs, a Mike. It's great to have you back. You all been tracking a large RTP scanning campaign, and it's been getting some attention lately. What do we need to know here? RTP, of course, a lot of folks are using to administrate remote computers and often is using single factor username and password. And with that sort of structure, on the internet actors want to take advantage of for variety of reasons and periodically will see someone come out on the internet, and scan RTP across the internet. They'll look for some pretty simple default username passwords. And they'll move on with their day. They'll grab a handful of hosts and, and that's about the extent of what they'll -ccomplish we are constantly monitoring for internet wide anomalies in port utilization. So those things tend to stand out like a sore thumb when somebody issues. Such a scam. They also tend to do them from a small subset of hosts so you'll see a number of other public resources talk about. Hey, I'm seeing a scan from IP address, x y and z in this particular campaign what we were seeing was. They were dropping a persistence, payload on the host, and then in some cases, even using that to scan for more hosts, and so while, not a warm in the true nature of the word. They were using that scale to find more hosts, and we saw a lot of folks reporting on the fact that there were one point five million open RDP hosts on the internet, and that sounds like a horribly scary number, right? Anything that can talk to one point five million hosts, however, the actual infection pool that we were able to see where they successfully brute forced. And the we saw command and control callback was more in the tens of thousands still, not a small number in regards to success, but nowhere near that one point five million number. Now, this is the campaign that folks referring to his goal. Absolutely. The command controls been publicly listed, and as was the port number for the callback. So of course folks can review their logs to look to see if they were one of those infected two what are the ways to for folks to prevent this first and foremost? Don't turn on RTP on the internet. Vnc even SSH try to restrict it to the places where we actually need to be accessing it from, that's pretty basic security, control. The most folks can use, and in this case, they were using dictionary attacks, so basic password, hygiene could also prevent such an attack. So what are the take here? What did we learn from this one? Well, anytime an actor decides that they want to automate, the scale of what they're doing it gets us all in a bit of an uproar. But in most cases, will find that what they're attacking really isn't that complex a number of years ago, we saw embedded IOT devices attacked with some extremely simple user names and passwords that then evolved to a whole plethora. Exploits that we see embedded into those things. But I'll tell you about ninety nine percent of the time. They're no necsports with existing patches and known dictionary method attacks. So the good news is we can manage these things, and as we see them as an internet community as a security community, we should make sure that we're openly sharing what's going on. And make sure the were patching those, you know, simple simple to do tasks, you know, never underestimate. How many folks out there just trying to be opportunists? Absolutely. And in many of these cases we're seeing the sophistication that occurs afterwards not be particularly high with some of these really loud actors, but keep in mind, those vulnerable hosts those default credentials sit out there for more sophisticated actors to us as well the things that we need to be concerned about even if the, the very loud ones aren't actually causing much impact at the end of the day. All right. We'll might Benjamin. Thanks for joining us. And now a word from our sponsor extra hop. The enterprise cyber analytics company, delivering security from the inside out prevention, based tools, leave you blind to any threats inside your network by adding behavioral base network. Traffic analysis to your saw you can find and stop attackers before they make their move extra hop illuminates the dark space with complete visibility at enterprise scale detects threats up to ninety five percent faster with machine learning and guided investigations that helped tier one analysts perform like seasoned threat hunters visit extra hop dot com slash cyber to learn why the sans institute calls extra hop fast and amazingly thorough a product with which many suck teams could hit the ground running. That's extra. Hop dot com slash cyber. And we thank extra for sponsoring our show. My guest today is Michael coats. He's CEO and co founder at altitude networks. And he's also former CEO at Twitter and former head of security at Mozilla our conversation focuses on how he as someone with purchasing authority prefers to have products pitched by cyber security, vendors, I had some pretty exciting years leading security programs. I was head of security at Mazzola for many years. I was also the see so at Twitter for a number of years, and what I noticed was that there was clearly a lot of activity in the vendor space for security solutions, which is great. We need an invasion, but the way in which they reached out to potential buyers like myself as a C. So left me, certainly wanting more. I would receive largely a ton of unsolicited inbound emails with really. Hughley. Message formats, I applaud the efforts to try and catch are I, but they end up having an unintended consequence emails. Like, do you care about security or, or did you know you're vulnerable to this? Let's talk more all things. I get it. They're trying to be catching clever. But it's actually kind of kind of off putting. Yeah. The thing that hit me initially was that massive amount of cold, call Email that I would get, and that really just didn't work. Well, as, as I know we'll dive into here. Well, let's come at it from the other direction, the folks who were successful who got your ear. What techniques today us as a result of the large amount of movement. There's obviously tons of investments in security right now, tons of innovation, lots of new companies because of their fact, there's so much noise many buyers like myself would actually rotate hard, the other way. Instead, we would rely very heavily on referrals from a personal networks. And I realized that, that is something that would happen in any space, you always want rough, you know, think about a referral, but insecurity, in particular, DC, so's form together in these see-saw networks, and we have one in the bay area, and I know other. Industries in other locations have them, too, and in some regards a bit of a support network, because let's face it the security role is hard. It's hard at every. But, but we would definitely use that, that referral, like, hey, have you guys heard of this, or I'm looking for solution in this space and see who had pipe in. And that, that is great. It's really good to have a referral. But at the same time that could leave us a little bit blinded to really great new innovation that we should be should be thinking about, do you think there's a risk of becoming insular? I think we're gonna challenging spot because we definitely need to branch out and look at new ideas. Look, a new solutions and, and yes, if we're not careful, we could be a little bit insular right now in terms of the solutions and products we use. But I think the trick we need to do is actually shift the way we look at selling security software security solutions on also the method we have for discovery because we've kind of taken to extremes here, we're talking about on one hand. You have cold inbound versus referral. What's that middle ground? Where can we have a? Trusted review of options out there. And in some regard, trusted advocates kind of fill that void if you have a V C relationship someone that you trust the kind of vetting mechanism like, hey these these solutions. Look, pretty interesting insure their in their portfolio, but they've done some vetting to get them their spits kind of nice that works really. Well, of course in Silicon Valley but not scalable to the rest of the country or world. And so can we have some sort of consumer reports style, trusted review or display of vendor information? The thing that's important about that. And why really key in is as a security buyer, you want the security information what the technical chops of what you're looking at? You really don't wanna see a marketing slick sheet that says, machine learning internet of things. How do you measure success, which are false positives? How do you look at those types of things that actually matter to us? So I think we can find that middle ground. If this security vendors realize, hey. Stop trying to push buzzwords stop with the cold calls. How do you show your product and what it actually does hopefully in a neutral space, if we can create such a such a beast, and if not, how do we lead in more of a, a demo I style sales approach like your product speak for itself? Let me come to your website, and like actually see how it works. And for some reason, I think we're really far away from that, that reality right now what do you suppose that is? There's no doubt that there is a lot of noise out there. I mean you walk around on, on any of the trade show floors, and it's hard to focus on any one thing, everyone's fighting for your attention. So I guess on one hand, I have a certain amount of sympathy for the folks out there who trying to sell in that environment. And I have to eat my own words here because I'm now on the other side of the fence. Yeah. I think one we have a macro challenge and security, which is there's far too much headline chasing. You know, Hollywood style products that are solving things that don't matter. And because they're so much investment money out there right now. The bar to get funded the bar to start a new idea is, is lower, perhaps than it should be as a result. You see just crazy off the wall ideas that may catch fire because of their buzzword Innis may get a set of buyers that aren't as technically, adept, that need it like what is your solution right now to quantum encryption, and things like that, like, well, it's a cool buzzword, but is it really the most important thing solve in your program? So we have that big mismatch between flashy headline grabbing things people trying to solve AP really. They don't even have good inventory management or how do you even think about automation, real time alerting? Something like the target breach in. So I think that's one problem. There's just so much stuff out there and then the second part really is, we don't have a channel that can give people that neutral way of learning about companies. So it really is the biggest shouting match. How can I shout more over Email? How can I shout with catchy phrases that a expo floor and that's an unfortunate reality of where we are right now. I think as we mature as buyers, become more sophisticated more where but they need to focus on. We'll get better and going back to that point again like I would really love for that neutral evaluation. Like give me the maybe not a hard copy. But that magazine of what are the different security products in different spaces. And how do we have a neutral body to give some information about them? Now if someone's reaching out to you, you get that Email in your inbox, what would the ideal approach be how could someone get your attention and get you to spend a little more time with their? Yeah. I think that actually is a really good question. Because sure I'm harping on Email is really hard. It ended is because there's so many inbounds but there's a lot. We can do in the messaging it self because there is some amount of hit rate there, some opportunities where people do sit downs. Let me let me see what's going on. What kind of inbounds I have the thing that can help a lot for vendor selling to see? So is to basically do the three second test. Let's assume you're going to get three seconds as they scroll through, if they open it so make your subject line helpful. But if they scroll through that Email, you're gonna get three seconds, don't have a long narrative, don't have tons of words. Do not ask me things that make me kind of recoil in bit of frustration. Like, yes, I do care about security. I love cute. Puppies. I know you don't have a silver bullet and all these things I just cut through all that. Just tell me one. What do you do like we solve this problem? Don't tell me about flashy features because we don't need to sell on features. When you saw on what problem get solved. If you tell me number one, what problem you solve? I will then self select I have that problem. Right. Don't and either answer is good for you because we don't need to talk about that problem. But if I do read the next time, tell me how you solve that problem do it. Maybe this is my Twitter. My Twitter day's coming back. Do it in, like one sentence, or to able to should be compelling in two sentences and three tell me how you integrate because that's actually really important for security person to wrap their head around, like, am I looking at a network device on my looking at an agent on my workstations help me wrap my head around it real quick. And then after those three things what I would ideally like as a buyer, let me go view your product without talking to sales. I know it's horrible. I know you want me to talk to sales, but let me just see it because if I can do. Those things there's a better chance. I will learn about your product, and when it's the time is right? I will engage. But if you don't do those things because you really want me to engage with sales. I you really want me to read this long narrative. Well happens, I will do none of those, and you have no reaction from me. And I think that's a worse worse outcome. Because when you look at security and why particular things happen, like if you think about phishing attacks, we're always, like, how does anyone fall for those and most almost no one does. But if point one percent to you descend more emails. So, right. So maybe we're at a spot where the smarter companies are figuring it out, and they're being more successful or maybe were all incredibly biased. And we're in this small segment of the market, but I don't think that's the case. Because as much as we say, there's more technical or less technical cease os, or the west coast, east coast, how they're different from each other, or even the middle America. I think really people want that cornfield. I don't think there's anybody. Out there saying, yeah, I really wanna read through this long narrative to decide if I care about security. Thank you for asking. So I don't know. I don't know or missing. I think we have a fair point, as, as the buyers to say, please just give it to me this way. That's what I want. That's Michael coats from altitude networks. And that's the cyber wire funding for this cyber wire podcast is made possible in part by extra hop, providing cyber analytics for the hybrid enterprise. Learn more about how extra reveal X enables network threat detection, and response at extra hop dot com. Thanks to all of our sponsors for making the cyber wire possible, especially are supporting sponsor observe it the leaving insider threat management platform. Learn more at observe it dot com. The cyber wire podcast is proudly produced in Maryland out of the startup studios of data tribe, with their co building the next generation of cyber security, teams and technology are amazing cyber wire team is Stefan vizier to make a Smith Kelsey bond, Tim. No, Dr Joe Kerrigan, Nick. Vicki Bennett mo-? John, Patrick Jennifer, Ivan heater Kilby. And I'm Dave bittner? Thanks for listening.

Coming up next