The FBI is the repossessor of Dispossessor. The NCA collars and extradites a notorious cybercriminal. A German company loses sixty million dollars to business email compromise. DeathGrip is a new Ransomware-as-a-Service (RaaS) platform. Russia blocks access to Signal. NIST publishes post-quantum cryptography standards. DARPA awards $14 million to teams competing in the AI Cyber Challenge. On our Solution Spotlight, N2K President Simone Petrella talks with Lee Parrish, CISO of Newell Brands, about his book "The Shortest Hour: An Applied Approach to Boardroom Governance of Cyber Security". AI generates impossible code - for knitters and crocheters.
Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
On our Solution Spotlight, N2K President Simone Petrella talks with Lee Parrish, CISO of Newell Brands, about his book "The Shortest Hour: An Applied Approach to Boardroom Governance of Cyber Security" and security relationship management. Coming tomorrow, stay tuned for a special edition with Simone and Lee’s full conversation.
Selected Reading
FBI strikes down rumored LockBit reboot (CSO Online)
Suspected head of prolific cybercrime groups arrested and extradited (National Crime Agency)
Orion SA says scammers conned company out of $60 million (The Register)
DeathGrip Ransomware Expanding Services Using RaaS Service (GB Hackers)
Swiss manufacturer investigating ransomware attack that shut down IT network (The Record)
Russia Blocks Signal Messaging App as Authorities Tighten Control Over Information (SecurityWeek)
Post-Quantum Cryptography Standards Officially Announced by NIST – a History and Explanation (SecurityWeek)
Need to know: NIST finalizes post-quantum encryption standards essential for cybersecurity (N2K CyberWire)
NIST Releases First 3 Finalized Post-Quantum Encryption Standards (NIST)
DARPA Awards $14m to Seven Teams in AI Cyber Challenge (Infosecurity Magazine)
The AI scams infiltrating the knitting and crochet world - and why it matters for everyone (ZDNET)
Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show?
You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
[Music] You're listening to the Cyberwire Network, powered by N2K. [Sound of seagulls] This episode is brought to you by Shopify. Forget the frustration of picking commerce platforms when you switch your business to Shopify. The global commerce platform that supercharges you're selling, wherever you sell. With Shopify, you'll harness the same intuitive features, trusted apps, and powerful analytics used by the world's leading brands. Sign up today for your $1 per month trial period at Shopify.com/tech, all lowercase. That's Shopify.com/tech. [Music] The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now, employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why CloudFlare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business. [Music] [Music] The FBI is the repossessor of this possessor. The NCA collars and extradites a notorious cyber criminal. A German company loses $60 million to business email compromise. Deathgrip is a new ransomware-as-a-service platform. Russia blocks access to signal. NIST publishes post-quantum cryptography standards. DARPA awards $14 million to teams competing in the AI cyber challenge. On our solution spotlight, NGA President Simone Petrela talks with Lee Parrish, CISO of Newell Brands, about his book, "The Shortest Hour," and applied approach to boardroom governance of cybersecurity. And AI generates impossible code for knitters and crocheters. [Music] It's Tuesday, August 13th, 2024. I'm Dave Bittner, and this is your Cyberwire Intel Briefing. [Music] Thank you once again for joining us. It is great to have you with us. In a major international crackdown, the FBI and partners have dismantled the criminal ransomware group Dispossessor, suspected to be a rebranded version of Lockbit. The operation involving the FBI, UK's National Crime Agency and German authorities led to the seizure of over 30 servers and domains across the US, UK, and Germany. Dispossessor, which emerged in August 2023, quickly gained notoriety for its ransomware-as-a-service model, allowing affiliates to launch attacks globally. The group was linked to attacks on 43 companies in various countries. Speculations surrounds Dispossessor's connection to Lockbit with evidence suggesting a possible rebranding effort. SockRadar noted that Dispossessor's website closely resembled Lockbits, reinforcing these suspicions. The takedown is a significant blow to the group, but with its decentralized structure, law enforcement may still face challenges in fully eradicating their operations. The investigation continues as authorities scrutinize the seized servers. In another coordinated international operation, the National Crime Agency has arrested and extradited Maxim Silnical, a prominent Russian-speaking cyber criminal linked to the notorious cybercrime network that borrowed the name "JP Morgan" for its branding. Silnical, operating under various aliases, was apprehended in Spain and extradited to the US to face charges. His network, active since 2011, pioneered ransomware-as-a-service and exploit kits, including the infamous Reviton and Angler exploit kit, which extorted millions from victims worldwide. The NCA, working with global partners, traced and dismantled this group's activities, leading to significant disruptions in their operations. Their malvertizing campaigns affect over half a billion victims globally. The investigation continues as authorities review evidence and pursue additional suspects connected to this cybercrime ring. Luxembourg-based chemicals and manufacturing giant Orion SA disclosed a $60 million loss due to a criminal wire fraud scheme, likely a business email compromise attack. The fraud involved a company employee being tricked into authorizing multiple fraudulent wire transfers to unknown accounts. Despite the significant financial hit, Orion's operations and data remain unaffected with no system breaches reported. The company has informed law enforcement and is exploring all options, including insurance to recover the funds. Orion's overall financial outlook remains strong despite the incident. Meanwhile, Swiss manufacturing giant Schlatter Group is investigating a ransomware attack that disrupted its IT network and led to a blackmail attempt. The company, specializing in plant engineering and welding, detected the attack on Friday, initiating security measures and involving law enforcement. Currently, Schlatter has no access to its email system and is assessing potential data theft. While no ransomware group has claimed responsibility, Schlatter's ICT experts are working to restore systems. The company reported nearly $150 million in sales last year. A new ransomware as a service platform, Death Grip has emerged, making sophisticated ransomware tools accessible to cyber criminals with limited technical expertise. Promoted on Telegram and underground forums, Death Grip offers advanced tools like Lockbit 3.0 and Chaos Builders, derived from leaked ransomware builders enabling users to launch effective ransomware attacks with ease. This platform underscores the increasing accessibility of cyber crime tools, raising the threat level for businesses and individuals worldwide. Real-world incidents involving Death Grip have already surfaced, demonstrating its potential to cause significant harm. The proliferation of such ransomware as a service platforms highlights the urgent need for enhanced cybersecurity measures, including robust security protocols, regular updates and employee training. Collaborative efforts among governments, private sectors, and cybersecurity experts are crucial in combating this evolving threat and safeguarding sensitive data from ransomware attacks. Russia's state communications watchdog, Razkom Nadzor, has blocked access to the Signal Messaging app, citing violations of Russian legislation aimed at preventing its use for terrorist purposes. This move is part of a broader crackdown on dissent and media freedom following Russia's invasion of Ukraine. The government has previously blocked independent media, ex-Twitter, Facebook and Instagram. Additionally, YouTube has faced mass outages, which experts believe may be part of the Kremlin's efforts to limit access to opposition views. NIST has officially published three post-quantum cryptography standards, Kyber, Dialithium and Sphinx Plus, with a fourth Falcon chosen for future standardization. These standards aim to protect against quantum computing threats, which could potentially decrypt current asymmetric encryption methods. IBM played a significant role in developing these algorithms and worked with NIST in establishing the PQC framework. While quantum computers pose the most immediate threat, other emerging technologies like AI and optical computing could also challenge current encryption. The new PQC standards, combined with crypto-agility, allowing rapid adaptation to new algorithms, offer a stronger, though not absolute, defense against future decryption threats, ensuring data remains adequately secure for the foreseeable future. DARPA has awarded $14 million to seven teams competing in the AI Cyber Challenge, a competition aimed at developing AI systems that can identify and patch vulnerabilities in open-source software. The semi-finalist teams receive $2 million each and will advance to the final competition in August 2025. The AI Cyber Challenge, run in collaboration with the Advanced Research Projects Agency for Health, challenges participants to create cyber-reasoning systems capable of automatically finding and fixing vulnerabilities in critical software like the Linux kernel and Jenkins. The competition highlights the potential of AI to secure critical infrastructure and may lead to commercializing and open-sourcing these technologies to enhance cybersecurity across various sectors. ♪♪♪ Coming up after the break, N2K President Simone Patrellas speaks with Lee Parrish, CISO of Newell Brands, about his book "The Shortest Hour" and applied approach to boardroom governance of cybersecurity. Stay with us. ♪♪♪ ♪♪♪ When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's v-a-n-t-a.com/cyber for $1,000 off Vanta. ♪♪♪ Defense contractors face immense pressure to comply with CMMC 2.0 security standards, needing a secure user-friendly file-sharing solution. KiteWorks, a FedRAP moderate authorized solution, supports nearly 90% of CMMC 2.0 level 3 requirements, reducing compliance effort and cost. KiteWorks leverages a zero-trust framework for swift compliance and offers a secure platform for defense data protection needs with advanced security features and ease of use. It's intuitive UI, mobile apps, and centralized policy management simplify administration. Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with KiteWorks universal secure file-sharing platform made for defense contractors. Visit kiteworks.com to get started. ♪♪♪ On today's solution spotlight, our N2K President Simone Petrella sits down with Lee Parrish, Chief Information Security Officer of Newell Brands, to speak about his book, "The Shortest Hour" and apply to approach to boardroom governance of cybersecurity. Welcome to Solution Spotlights, where we talk about some of the most innovative strategists shaping the future of cybersecurity leadership. And today, I am joined by Lee Parrish, SISO of Newell Brands, and author of a recently published book, "The Shortest Hour." Thanks for joining today, Lee. Well, not at all. It's my pleasure. Thank you for having me. Well, to start us off, I was hoping you could tell us a little bit about your leadership philosophy when it comes to building cybersecurity programs throughout your career and now at Newell Brands. Certainly. I've been doing this for about 23, 24 years now. And I think that there's one consistent theme across all of the companies I've worked for and the strategies that I've built. It's been a focus, a hyper-focus on the people, the people aspect of the cybersecurity program. So one thing I mention a lot to people, and I mention in the book as well, is as SISO's, we all have the same access to technology as every other CISO. The security vendors are not selling to some of us and not others. I mean, we're all on a level playing field. And when it comes to processes and policy and things like that, again, we're all on the same landscape. There's nobody has an edge in that area. We have access to research firms, analysts, frameworks, cybersecurity frameworks, all kinds of things. So again, we're on an equal playing field. The true differentiator and a cybersecurity program then lies in its people. And as a result of that, I spend a lot of time selecting the right people, selecting people who are curious and people who like to dive into unintended use cases for technology and things like that, people who are curious. So that's what I've been doing consistently over my career. And that always resonates with me as a recovering consultant where we focus so much on people processing technology. And I'm a huge advocate that people are kind of truly the long pole in that tent. And the companies that you've worked with or the organizations that you advise, obviously the budget and the sophistication of some of those enterprises can be very different. And so when it comes to selecting people, what's that consistent thread that you have maybe leveraged throughout that journey to focus on the people? Because I'm sure there have been organizations where you have unlimited operating budget to actually spend on salaries and you can kind of build the best or buy the best. But then what happens when you're just looking for that curiosity and fostering them? Or is it a balance between the two and it's been that way no matter what organization you've supported? Yeah, I think there's always a challenge in bringing on new folks, getting the budget and things like that for small to mid-cap companies. So what you want to do is make sure that when you do get the funding for that, you fill that chair with the most optimal resource that you can find. What I've seen in my career recently in the last 10 years is the resumes that come across my desk are usually people who have one to three years of experience. And so if CSO has a strategy to fill, let's say, 15 rules in their cybersecurity program and their strategy is I want to fill these with people who have eight to ten years of experience, that may not be realistic, not in today's environment, unless you're willing to pay over market for those folks and have them work remote 100% of the time, pay them an exorbitant amount of money above comp ranges. You're not going to find those people. So what I've done is I see the team with three, four cybersecurity experts, people who have that level of experience, and then the rest of the team I fill with people who are, maybe they don't have a lot of experience in cybersecurity, but it's all about professionalism. The personality, that curiosity is something that I continually look for in people. So as a result, we have to work with the business. And if we have people who are resistant to building relationships and just want to work off on their own, that typically doesn't work too well. So I look for people who have high personalities, very curious about things. And they inject into the team, the experts will provide them experience and lessons learned from a career of doing this. So that's what I found. Yeah, I think one of the most operative words that I just picked up on that you said is the idea of having a strategy to begin with. And I know from personal experience, I've worked with a number of colleagues and companies where the strategy is more just, you know, we have this many openings and let's fill them as quickly as possible. And there hasn't been that thought put into, is it a team of eight to ten years experience with a high salary cap or is it something that we're going to kind of round out with smaller ones? What do you think, I guess maybe my first question is like, why is it so hard for us as an industry to kind of like wrap our heads around that strategy? If you're like building a team, you have to sort of think about the constraints of the budget you have and then what are you going to build and how do you think about those positions and those players before you actually start putting people in the ground. But why has that been so hard for us? And my second kind of corollary to that is what are some of your recommendations to your peers and those coming up in the field to maybe integrate that into more of their own program development strategies across cybersecurity? You know, it is a challenge. I think that a lot of times I think it's much better now than it was in the past and most of I will say many of the security leadership were comprised of people who were very technical and didn't have a lot of business acumen. You know, they were hands-on keyboard and when the need arose for someone to take a CISO role, the logical selection was somebody who's been involved in it and that usually was a technical person. I think a lot of times, as CI says, we jump into something, we're given budget and we're saying, "Okay, what do we want to do?" And let's go forward and build this. That's not the time to actually think about that. You should be thinking about that before you get the money and before you even start talking to vendors or before you even do an interview. The analogy that I use quite a bit is when you go into a car dealership to purchase a car, you don't walk on the lot and say, "Show me everything." I want to see SUVs, I want to see electric cars, I want to see compact cars, I want to see sports cars, I want to see electric vehicles. No, you already have an understanding of some of the models that you want to see and you probably have an understanding of the price range you're probably going to pay. It's the same thing for cybersecurity. You should already know what it is that you want who you're going to talk to and kind of sort of know how much you're going to pay. As far as the people aspect goes, I would say one of the things that I like to do is to make a quad chart, so that's kind of the way that I've done it. And then I meet with, before I even give the strategy to the CEO, what I'll do is I'll go to each of the individual leaders, and I'll talk about how the security solutions I'm proposing may interoperate with what's already in the environment. You just want to make sure that the whole strategy fits together, and you don't want to have people on the team that have all the same skill sets. Like you don't want a bunch of people who are really good at threat intelligence, and then they don't understand other domains within cybersecurity. So it really is a chess man. Yeah, well, and it really hits on another theme that obviously is part of what you implement in your own leadership roles, but also is in your book that is, I know geared towards independent directors, but probably just as helpful for existing CISOs. And it's that kind of theme concept around security relationship management. And I think there's kind of that executive responsibility for all those other stakeholders in an organization to kind of think about how security impacts what they do as well. And I say that to pivot into what inspired you to write this book, because if I have it correct, really the shortest hour is meant to help inform new directors on boards, to understand how they can actually conduct and not only ask the right questions as they execute cybersecurity oversight, but also understand enough to make some real actionable decisions out of that and evaluate where things are. Can you talk to me a little bit about what inspired you and what are some of the things that you hope directors who have an opportunity to read this take away from it? Yeah, absolutely. I was blessed very early on in my career where I was surrounded by leaders who were very engaging and they wanted me to participate and they gave me invitations to participate. I realized that a lot of listeners who are CISOs may not have that same level of support and they have to fight their way. And so I do realize that I was very blessed early on. And throughout my career, again, I've been extremely blessed and every company I've worked for, there was an opportunity for me to present to senior leaders and to the board of directors and to committees as well. And an unfiltered way to be able to explain risk and not be toned down by leaders and things. Well, don't say that, you know, they were very open. So that's the baseline. I mean, if you don't have that, the game is over. But very early on, I was interacting with some very, very serious people on different boards. And there was a White House Chief of Staff, a U.S. presidential candidate, all of these different folks in my very first time working with the board. So I learned very quickly. And it was really nice to be able to have that experience. And then as I moved throughout my career, I had experiences with working with the board, not just in a presentation format, but actually like one-on-one, to be able to fly to a location and meet with a new director who's coming on board. And so access and then that deep relationship has really helped. So it's been a great journey. I really enjoyed doing it. And hopefully people will enjoy it and provide good feedback. Well, Lee, thank you so much for taking some time to share some of your experiences with us, as well as some of the nuggets out of your newly published book. So congratulations on getting that out there. It's really been an amazing thing to read as I've started to delve into it. And for those who have not had a chance, Lee, I'll let you give one last plug. Where can someone go get a copy, their hands on a copy of "The Shortest Hour"? Yeah, so it's available to all the favorite booksellers, you know, Barnes and Noble Amazon. You can go to Taylor and Francis, Relage, you know, it's all over the place. But thank you for the support. I really, really appreciate it. Great. Thank you. That's our N2K President Simone Petrela speaking with Lee Parrish, SISO of Newell Brands. The book is titled "The Shortest Hour", an applied approach to boardroom governance of cyber security. Look for a special extended edition of this conversation in your Cyberwire podcast feed. ♪♪ ♪♪ Elevate your enterprise identity solutions with Strata. Seamlessly connect legacy apps to any identity provider, apply MFA effortlessly, and maintain identity continuity without disruptions. Strata reduces tech debt, enhances security, and provides a robust, efficient identity management system. Feel secure and efficient managing your identity infrastructure. Strata helps you streamline operations and ensure continuous identity availability. Visit strata.io/cyberwire, share your identity challenge, and receive a free set of AirPods Pro. Take control of your identity management today. Visit strata.io/cyberwire and our thanks to Strata for being a longtime friend and supporter of this podcast. ♪♪ ♪♪ And finally, it's no shock that Scammers would embrace AI. It's a match made in Cyber Heaven for nefarious activities. But here's a twist. They've set their sights on crafters and makers. Yes, the crafty folks on platforms like Etsy are now dealing with AI-generated patterns that can turn your knitting or crochet dreams into a nightmare. Imagine spending weeks on a project only to find out the pattern was flawed from the start, courtesy of AI. From impossibly intricate stitches to bizarre, unusable designs, these fake patterns are causing headaches and wasting time. For more on this story, I'm joined by our Cyber Wire special knitting and crocheting correspondent, Maria Vermasas. Maria, thank you for taking time away from the T-minus space daily to offer your insights on this important story. I mean, this is a real big deal for folks who are both professionals and into this hobby, right? It is, and it's becoming a really annoying problem, and it's been proliferating quite a bit. So, I mean, it is a money maker. Buying patterns online is actually a big source of income for a lot of people who are professional fiber artists. And these fake patterns that are just everywhere on all the hobbyist platforms and pretty much anywhere you can think of, they are causing a lot of people to sink a lot of money into patterns that are just not craftable. And what ends up happening is they're spending a lot of money that gets wasted. They show up at, you know, crafting stores going, "What the heck's wrong with the thing I did or that I bought from you? Why doesn't this work?" So you have all bad vibes all around, but more importantly, people are spending a lot of money on things that basically cannot be made. And that is a really big problem. One of the things that struck me here about this story, something I had not realized having no experience with this, is that essentially these knitting and crocheting patterns are code. They are, yes. They are. And it's really fascinating. There's a couple of different ways that you can write the code. The instructions is what we often call them for the pattern, for whatever you're making. But you can think of them really like an algorithm. They are just basic instructions, sort of like basic. Back in the day where you have go-tos, essentially. But you just read it and it just tells you what you need to be doing. And AI can generate very convincing looking instructions for a pattern. And there's actually some really funny videos out there from professional crafters who try to follow these patterns. And they will point out like in a whole bunch of places, you can't actually do anything here, even though the AI very convincingly tells you that you can. But if you were a beginner crocheter or knitter, you wouldn't know that. So you would just wonder, "What am I doing wrong?" And the answer is it really isn't you. It's the pattern, which is not how it used to be. Are there any particular tells or advice for folks who may be starting out to spot these sorts of impossible patterns? Yeah, for beginners it is tough. The images that often accompany these patterns can be the best way to tell if something's real or not. There are a lot of gorgeous looking AI-generated images of objects that have been supposedly crocheted or knitted. But they're impossible to make. So they look impossibly beautiful, impossibly ornate, the scale is off like it's either massive or super tiny. And these trick a lot of people, so don't feel bad if you can't tell the difference. The patterns themselves, you would have to be a very experienced crafter to be able to tell whether or not it's legitimate. So usually the images are a big giveaway. So be skeptical of things that are looking too bright, too perfect, corners that are too sharp, things like that. And just make sure that the seller that you're buying from is reputable. They've got a lot of other patterns that have been reviewed well and maybe that they show you actually how to make it. Because most fiber artists who do this professionally are very happy to help out. And they'll show you how to, an AI-generated one will just be, here's a pattern. So that's kind of a big tell. All right, Maria Vermasas is host of the T-minus Space Daily Podcast. Maria, thank you for helping us get to the knitting gritty. I'm glad my hobby could be helpful for once. And that's The Cyberwire. For links to all of today's stories, check out our daily briefing at TheCyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Pounceman. Our executive producer is Jennifer Ivan. Our executive editor is Brandon Hart. Simone Petrella is our president, Peter Kilpey is our publisher, and I'm Dave Bitner. Thanks for listening. We'll see you back here tomorrow. [MUSIC] This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at M-Wise, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, M-Wise features one-to-one access with industry experts and fresh insights into the topics that matter most right now to frontline practitioners. Register early and save at M-Wise.io/Cyberwire. That's M-Wise.io/Cyberwire. [MUSIC]
