You're listening to the Cyberwire Network, powered by N2K. When it comes to music, everyone has a totally unique taste. So when a song comes on to perfectly fit your mood, it kind of feels like magic. And at Credit Karma, we do the same thing, but for your finances. We got tired of the financial system, giving broad, impersonal, and a relevant advice to everybody. So we created a way for you to cut through the noise and find offers and recommendations that make sense for your specific money goals. So you know the guidance you're getting is truly custom to you. Download into at Credit Karma today and get everything you need to outsmart the system. When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's v-a-n-t-a.com/cyber for $1,000 off Vanta. A crowd strike update takes down IT systems worldwide, a U.S. District Court judge dismissed most of the charges against solar winds. Sophos examines the ransomware threat to the energy sector, European web hosting companies suspend doppelganger propaganda, an Australian digital prescription services provider confirms a ransomware attack affecting nearly $13 million, a pair of lock-bit operators plead guilty, educate CSO Rick Howard speaks with AWS's CISO Chris Betts about strong security cultures and AI, and a look inside the world's largest live-fire cyber defense exercise. It's Friday, July 19, 2024, I'm Dave Bittner, and this is your Cyberwire Intel Briefing. Happy Friday, and thank you for joining us here. It is always great to have you with us. A widespread IT outage has impacted businesses globally, causing significant disruptions in banking, aviation, healthcare, media, and more. Early Friday, companies in Australia using Microsoft's Windows began reporting blue screens of death, followed by similar reports from the UK, India, Germany, the Netherlands, and the U.S. This led to sky news going offline and major U.S. airlines grounding flights. The issues have been traced to a misconfigured update from cybersecurity firm CrowdStrike, connecting only Windows devices. CrowdStrike engineers acknowledged the problem on their Reddit forum, offering a workaround and guidance for affected customers. The update involved CrowdStrike's Falcon Sensor product, which is part of their security suite. CrowdStrike CEO George Kurtz confirmed the update defect, emphasizing it wasn't a cyber attack. He stated that a fix had been deployed and reassured that Mac and Linux systems weren't affected. Microsoft also acknowledged the problem, noting that a resolution was in progress. The financial impact of halted operations and business disruptions could reach millions. Airports face delays and long queues with flights canceled worldwide. Passengers in India received handwritten boarding passes. TV networks like TF1, CanalPlus, and Sky News experienced broadcasting issues. The outage has been a stark reminder of the global economy's dependence on a handful of major tech companies. CrowdStrike's stock dropped nearly 12 percent in pre-market trading, while Microsoft's fell about 1.4 percent. The incident has prompted financial regulators in the U.K. to investigate the impact on banks and payment systems. For additional insights on this story, I am pleased to welcome to the show Andy Ellis. Andy is an operating partner at YL Ventures, and previously was CSO at Akamai. Andy, great to have you back. Great to be here, Dave. So as you saw this story developing, I would love to get your insights as to how you reacted to this. Well, yeah, it really was a flashback for me. When you develop planetary scale systems, any system that is deployed so widely that you really can't find somewhere where it isn't, safety becomes a bigger issue than security most of the time. And when I was at Akamai, we had several issues like this, and we designed a lot of safety systems just to prevent a mass outage of exactly this kind. So you have a certain amount of empathy for the folks at CrowdStrike for the very bad day they're having? I have a ton of empathy. This is, I suspect when they finish with the incident post-mortem and try to figure out what happened, there's going to be a lot of places where they're going to say, if only we had done something. And that's what usually happens when you build a safe system, is that when you have a bad day, about 17 different things went wrong. And if any one of those had gone right, you wouldn't have had the bad day. And from an outsider's perspective, you're like, wow, how incompetent are you that 17 things went wrong? And the real answer is, well, if only 16 went wrong, like that's a normal day. We catch those bad things don't actually happen because that's the whole point of safety systems is to make sure that you have redundant safety checks. And for some reason, and we'll learn what those are a little bit later, CrowdStrike safety systems didn't stop this. I've seen folks speculating that perhaps there could be some aftermath of this if CrowdStrike users decide that they're going to disable CrowdStrike for a little while things settle down. Yeah. So that is certainly a possibility. It's entirely possible that folks will say, well, we're just going to turn off CrowdStrike. The challenge is, it's also a critical security system. So if you turn it off, that's basically taking the walls off of your house and saying, well, I had a leak in one wall. So let's just remove all of the walls because I'll be safe for that way. What do you suppose we go from here? I mean, CrowdStrike certainly taking it on the chin today, but they'll be back to fight another day. Oh, absolutely. When you look at people who are this large having a bad day like this, it's not a business ending event. It is business impacting the CrowdStrike that we will know in two years will not actually look like the CrowdStrike of today. I suspect there'll be a huge internal focus on whatever they're going to call their initiative. We called it bulletproofing. Really, we were proofing ourselves against the bullets we were shooting into our own foot. How do you make your system more redundant, more safe? Because where this will really show up is in the sales cycle. Every CrowdStrike sales rep is about to have a really tough six to 12 months because they're going to have to explain what CrowdStrike is doing better to every single one of their customers, every single one of their renewals. Every CISO and CIO is foaming at the mouth saying, "Well, I can't wait to hold this over them in negotiations next year because I'm going to demand a discount because I had a really bad day and the limitation of liability and the contract meant they couldn't make me whole, so they're going to make me whole by giving me cheaper products going forward." Yeah. All right. Andy Ellis is operating partner at YL Ventures, and previous to that, he was chief security officer at Akamai. Andy, thank you so much for taking the time for us today. Thanks for having me, Dave. In an event unrelated to the CrowdStrike issue, a major Microsoft 365 outage on Thursday caused by an Azure configuration change impacted users across the central US region. Starting around 6 p.m. Eastern Standard Time, the outage affected services like Microsoft Defender, Intune, Teams, OneDrive, and Xbox Live, preventing access and login, Microsoft worked to reroute traffic to restore service, noting a positive trend in availability after a few hours. Down Detector received tens of thousands of issue reports, particularly from Xbox users experiencing server connection problems. A US District Court judge dismissed most of the charges in a landmark case against solar winds, following the Sunburst Hacking campaign linked to Russia. Judge Paul Engelmer ruled that many of the charges impermissibly rely on hindsight and speculation, though some claims about misleading cybersecurity statements were upheld. The SEC had charged solar winds and its CISO, Timothy Brown, with fraud for overstating cybersecurity practices and failing to disclose known risks. Solar winds must respond to remaining charges within 14 days. The court noted solar winds inadequate cybersecurity measures, including weak passwords and excessive administrative access, but dismissed other claims as "non-actionable corporate puffery." The decision underscores challenges in holding companies accountable for cybersecurity in public and regulatory statements amidst criticism from the cybersecurity community. Ransomware is a significant threat to the energy, oil and gas, and utilities sectors globally. A report from Sophos titled "The State of Ransomware in Critical Infrastructure 2024" highlights that median recovery costs for energy and water sectors soared to $3 million in the past year, four times the global median. Vulnerability exploitation initiated 49% of attacks in these sectors. Data from 275 respondents in energy, oil, gas and utilities shows that 67% of these organizations faced ransomware attacks in 2024, higher than the 59% global average. Median ransom payments rose to over $2.5 million. Recovery times have worsened with only 20% recovering within a week, down from 41% in 2023. High rates of backup compromise and encryption were also reported. Proactive monitoring and response plans are essential to mitigate these threats. Two European web hosting companies, Hentzner from Germany and Hostinger from Lithuania, have suspended accounts linked to the Russian propaganda campaign Doppelganger. This network used legitimate European infrastructure to spread disinformation. Hostinger's servers in Singapore hosted several propaganda websites mimicking legitimate media, including Israeli and German sites. Hentzner's Finnish subsidiary hosted four such websites, blocking the affected server after German nonprofit journalism group Correctives Investigation. Researchers at Kuriam and EU Disinfo Lab discovered Doppelganger's operations across at least 10 European countries, highlighting the inadvertent use of European services for disinformation. Doppelganger has been active since May 2022, spreading fake articles designed to resemble real media outlets like Germany's Der Spiegel and Britain's The Guardian. Australian digital prescription services provider Metasecure confirmed that a ransomware attack in April 2024 led to the theft of personal and health information of 12.9 million individuals. The compromised data from services provided between March 2019 and November 2023 included names, dates of birth, addresses, phone numbers, health care identifiers, Medicare and concession card numbers and prescription details. Metasecure stated that due to the complexity of the data set, identifying specific impacted individuals was not feasible without incurring substantial costs. The stolen data totaling 6.5 terabytes was taken before the deployment of file encrypting ransomware, but the company restored its systems using a clean backup, despite the data breach prescription delivery services in Australia remain unaffected. Two Russian individuals, Ruslan Magamitovich Astamirov and Mikhail Vasiliv, admitted to participating in multiple lock-bit ransomware attacks, targeting victims globally and in the US. According to the Justice Department, these affiliates breached vulnerable systems, sold sensitive data and deployed ransomware, demanding ransoms for decryption and data deletion. Astamirov, active between 2020 and 2023 and Vasiliv, active between 2021 and 2023, caused significant financial losses. Astamirov, arrested in June 2023, faces up to 25 years in prison, while Vasiliv, extradited and already sentenced in Ontario, put face up to 45 years. Coming up after the break, Rick Howard speaks with AWS' CISO Chris Betts about strong security cultures and AI. Stay with us. And now, a word from our sponsor, know before. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons know before developed Security Coach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. Security Coach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with Security Coach. Learn more at knowbefore.com/securitycoach. That's knowbefore.com/securitycoach. And we thank know before for sponsoring our show. The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now, employees, apps and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why CloudFlare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business. >> N2K's Chief Security Officer, Rick Howard, recently caught up with AWS's CISO, Chris Betts at the AWS Reinforced 2024 event. They discuss strong security cultures and AI. >> AWS is a media partner here at N2K CyberWire. In June of 2024, Brandon Karp, our VP of programming, Ben Ivan, our Executive Producer, and I traveled to the great city of Philadelphia to attend the 2024 AWS Reinforced Security Conference. And I got to sit down with an old friend of mine from way back, Chris Betts, the relatively new CISO for AWS. Chris has been in the saddle for just shy of a year now, and we got to talking about the idea of establishing a strong security culture as the new CISO coming on board. And I asked Chris after I had talked to a bunch of AWS security leaders that week that it appears that not just the security team is working on this, but the entire AWS leadership team is in the house for this. >> Yes, it's spot on. One of the things I've come to realize more about culture over the last few years is that culture is something that doesn't just happen and is not fire and forget. Culture takes constant reinforcement and reinvestment. It's something that you have to continue to deliberately, deliberately spend energy on. >> And yet it's, it's amorphous, right? We say culture like we all know what that means, and we can point to it when we see it, but it's hard to pin it down. Am I right about that? >> Yes, though I think there's some really good signs that you can pull. One of the examples that I think about often is how people make decisions. And so what's the language that you use? You're in a room, you're having a conversation about how to solve a problem. What's the language that you use? What's the ultimate good that everybody just automatically agrees with is the right thing? And there's lots of different languages we use in many companies. When I'm at AWS, I can tell you almost every conversation that I'm in involves a set of two things. One, what is best for the customer? Not what will the customer like? What is best for the customer? And since I'm in security, my conversations are most often about security. And there's never a question. The minute somebody goes and anchors back to, oh, security is our top priority, bang. Everybody agrees. So then the question is about what do we do that's best for the customer? And how does that align with security being our top priority? Because security is what's best for the customer. And so that's the way you have a conversation. That's one sign. The other sign that I think about off a lot is where do people spend their time? I mean, you know, you've been a CISO as a leader, there is almost nothing more important than where you spend your time. You can talk about a lot of things, but where you spend your time really says what's important to you. That's a great point. I was asking Steve Smith earlier today. He's the CSO of Amazon, right? I asked him, you know, because we do, we interview a lot of CISOs in this program, right? And the question for a company like yours, the size that it is, Amazon is a fortune in company. If AWS was its own company, what do you guys would be fortune 35 or something like that? So that would be, that's a giant big organization. So how do you, what's your typical day that if it matters what you're spending your time on, what is the typical day for somebody like you? Well, actually, this ties back to our culture. I spend a bunch of time either talking about strategy, where we want to go, how we want to drive something that really makes a customer's experience better, either because of the security of the cloud, the security for the cloud we build has to be right. But I spend almost as much time focused on how do we make sure security in the cloud, that the time that the customer spend building, that it's seamless for them to be secure. Because it wouldn't be a security podcast, unless we talked about generative AI. I think we get fined if we don't actually mention it. So we talk a lot of Amazon and AWS people this week about their takes on it. So what's your high level take on good, bad for the industry? What are you looking forward to anything like that? Generative AI is an amazing tool. It is really cool. I'm excited about what it can do for the industry. I'm excited about what it can do for security practitioners. I'm excited about what it can do for developers. I think we're in very early days of seeing how people take advantage of this. But I see it being used in some really, really innovative ways. And so there are also things we need to do really thoughtfully and carefully to make sure that we're providing secure solutions with generative AI. And we need to be aware that there are going to be people like any tool who abuse it and make sure that we're designing our defenses against that. So, but I'm genuinely excited about it as a tool, recognizing that it's one of many tools, but it's a tool that I think helps solve some problems that we'd struggle with solving in the past. So is there anything on the 25 meter target list that you're looking at? I'm going to start thinking about that one for generative AI like right now. Is there something like that you're worried about as the AWS CISO? Here's this new technology. Gardener has all the AI stuff just barely going up the peak of inflated expectations. It hasn't even reached the top yet to go down into the trough of disillusionment. So we are still very much hyped up about this. Is there, as we think about that problem space, as we start to figure out what it can do and what it can't do? Is there something right now that you're thinking about as the AWS CISO that, oh, let me start working on that one right now. The other ones will come later, but this is the one I'm going to work on first. Is there something like that? There's a few that I'm really excited about right now. One, we know that people spend a ton of time. I think I saw a stat somewhere about 46 or 48 percent of their time of security practitioners building queries to look for data. And the learning curve there can be really, really steep knowing which data elements from what place to bring together. Some of the capabilities of generative AI to develop, to take natural language input and come out with technical code that can be reviewed and then executed. I think it's going to help speed up incredibly our ability to rapidly analyze triage take actions. So those queries, yeah, because we don't need to generate code, you're taking it to the next level to generate queries so we can find the right stuff. So we can find the right data. So in fact, yeah, I'll talk a little bit more about that the keynote today, but there's some amazing capabilities coming down the road. I've talked to a lot of CISOs who are using CodeWhisper and Amazon Q developer to enable their security operations team to write code faster. I mean, look, we've all led security operation teams where there's a ton of really nuanced manual effort to go build spreadsheets, run a whole bunch of Linux commands. You know, we have all seen security teams where they spend a ton of time on very manual work, you know, building spreadsheets, running a set of shell commands in 2024. We're still building spreadsheets. Yes. In order to go do analysis and it's, and when I talk with those teams, and this is the manual work, this is not the nuanced work that the security operations folks really want to do. This is the toil. This is the work you do before you do the work, right? Yeah. And so when they start using some of these code development tools, and the reason they do that is because it's just faster to go build it than to go write some code. But what if instead of taking several hours to go write that Python script to go do the analysis instead that can happen in minutes? All of a sudden that work, that manual work where they're trying to make that trade off in their head between building a tool that's repeatable, evaluatable, you can help understand how it happened. It's repeat all those capabilities that you want is not subject to the human error, the way that spreadsheet plan is. They can do that in minutes. It's been life-changing for some of these CISOs for their operation staff and allows them to go handle problems bigger, better, and start asking new and different questions of their data. That's just an amazing experience. It is. And I acknowledge all that. But I think the problem I was trying to get you to say earlier is what are you worried about is the hallucination problem, right? When you're doing a natural language query of completely new data set, how do you know you're getting the right answer, right? And how do you make the analysts comfortable that they're getting the right answer and not going off in some wild goose chase somewhere? When I think about how about generative AI, I think about how it answers problems and for what. You'll notice both of the examples I gave you involve human judgment in the loop to understand, "Hey, does this query make sense?" We're talking about acceleration of human capability. There are some areas and there'll be places where even with hallucinations, that's right enough for people to get the right thing. I think, for example, of of justing of any incident. How do you take this complex set of things, boil it down so when you're doing 24-hour SOC operation, you can hand off to the next person. You know what? You can afford a little hallucination there because this just gives them the start, so they have the context and then they're going to go in and continue that and they're going to go go check the data. There are other places where you need to have a human in the loop. Make sure that that codes right before you go and do it. But still, this is a massive acceleration and yes, we need to make sure that in the right places, we're making the right decisions as we go. So yeah, massive capability, not a panacea. It's a tool. We have to use it for what it's useful for. That was my friend Chris Betts, the AWS CSO. That's our own Rick Howard speaking to AWS's Chris Betts. And now a message from Black Cloak. What's the easiest way for threat actors to bypass your company's cyber defenses targeting your executives at home? That's because 87 percent of executives use personal devices to conduct business, often with zero security measures in place. Once execs leave your organization's secure network, they become easy targets for hijacking credential theft and reputational harm. Close the at-home security gap with Black Cloak concierge cybersecurity and privacy. Award-winning 24/7 365 protection for executives and their families. Learn more at blackcloak.io. And finally, at the Retomare's military base in Madrid, CSO Spain got a first-hand look at the Spanish team's headquarters for Locked Shields 2024, the world's largest live-fire cyber defense exercise. The fictional island nation of Barilia faces relentless cyber attacks over 48 hours, simulating a high-stakes scenario where essential services are targeted amidst a territorial dispute with crimsonia. Enrique Perez de Tenia, head of international relations for the Spanish Joint Cyber Space Command, guided reporters through this complex exercise. Locked shields organized by NATO's cooperative cyber defense center of excellence involves nearly 4,000 participants worldwide. The Spanish team, comprising military personnel and civilians, collaborates with international allies to defend Barilia's critical infrastructures, such as nuclear power plants and banking systems from simulated cyber threats. Throughout the tour, observers witnessed the intense yet composed atmosphere as teams manage communications, legal issues, and technical defenses. Perez de Tenia explained the importance of real-time crisis management and legal compliance, likening the exercise to real government operations during cyber crises. Despite the fictional setup, the exercise underscores the ever-present nature of a cyber warfare with no borders or safe zones. Locked shields not only test defensive capabilities, but also fosters collaboration and learning among participants, while Spain ranks mid-pack, the exercise emphasizes improvement over competition. Perez de Tenia highlights the significance of building relationships and sharing expertise to strengthen cyber security. In the end, the exercise reveals the stark reality of our digital age. Constant vigilance and cooperation are crucial, as cyberspace remains an unpredictable battlefield. As Perez de Tenia aptly puts it, "We are not aware of how cheap it is to protect ourselves and how expensive it can be if we do not. But 100% cybersecurity does not exist." And that's the CyberWire. For links to all of today's stories, check out our daily briefing at TheCyberWire.com. Be sure to check out this weekend's research Saturday, and my conversation with Selena Larsen from Proofpoint. We're discussing Scammers Create fraudulent Olympics ticketing websites. That's research Saturday, check it out. We'd love to know if you think of this podcast, your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes, or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. This episode was produced by Liz Stokes, our mixer is Trey Hester, with original music and sound design by Elliot Councilman. Our executive producer is Jennifer Ivan, our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kilti is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at M-Wise, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, M-Wise features one-to-one access with industry experts, and fresh insights into the topics that matter most, right now to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire. (upbeat music) [MUSIC PLAYING]
