Educate Management About Risks of Using Telegram and Other Consumer Apps for Sensitive Communications; Use Google YARA Rules to Detect Unauthorized Use of Cobalt Strike; Debate Continues Over Offensive Cybersecurity Operations

This is a complex story with not a lot of verification, but I wanted to highlight one important quote: “The Justice Ministry confirmed the leak but added that some messages were grossly modified or taken out of context.” This is a good one to highlight to CXOs and board members: doing company business over apps that have “zero revenue” models, or only get revenue through sponsored messages and in-app purchases is an enormous risk. The risk is not just eavesdropping, it is fake messages being sent out as coming from your company.

John Pescatore

If you've seen the movie RED with Bruce Willis, you're thinking of the end-quotes pertaining to Moldova. In this case, it's their leadership which finds themselves in an uncomfortable position under "hot pursuit." Essentially their Telegram accounts were compromised. Beyond my usual pitch to implement MFA everywhere, I would also add understanding who and how information you're sending over a service can be accessed. If you have any doubts, implement your own encryption (such as S/MIME for email) rather than relying on service provided encryption, particularly if it's not truly end-to-end. When in doubt, use enterprise vetted services, on their issued devices.

Lee Neely

This debate goes back to 1995 when Dan Farmer and Wietse Venema released the SATAN scanning tool – one of the very first tools network security folks could use to find vulnerabilities and misconfigurations. Overall, we are better off having strong security tools in use by the good side, even if the bad side will get to use them, too.

John Pescatore

You can use these new YARA rules to detect Cobalt Strike variants in your environment. Not a bad idea to go proactively hunting to see what turns up. Beware of security research legitimately using it for exactly that. While tempting to put those workstations on a blanket allow list, you need to not completely ignore them as they too could become a target for compromise.

Lee Neely

Another long running policy debate. When this comes up, my response is always “Did you check that you are not vulnerable to those same offensive tactics before you use them?” I always attribute that philosophy to the first US security analyst, who in 1736 said “Don't throw stones at your neighbors, if your own windows are glass.” Mr. Franklin’s advice pre-dated Stuxnet by 274 years…

John Pescatore

Be really careful conducting offensive operations. To include not only resistant to all the attack techniques you're dying to lose on your target, but also all the basics - hardened/updated entry points, MFA everywhere, responsive monitoring and alerting. Even then, if I can't talk you out of it, I would make sure you have support to the highest levels and experienced guidance.

Lee Neely

The takedown involved taking down 250 domains.Let that sink in for a minute. How's that for scaling virtualization and distributed resources? Note to self - taking down an operation like this is a bigger job than I once thought, requiring international coordination and cooperation. After the takedown, students were distressed as they were using the site to access textbooks and research papers which were otherwise priced out of their reach, contrast that to the Author's guild who herald this as one of the largest takedowns in the fight against criminal e-book piracy to date. The issues behind the library bring to light the need to solve affordability and reachability of this type of resource. Hopefully that will be worked by both universities and the Author's Guild, leveraging lessons from Z-Library.

Lee Neely

Quantum computing still has a way to go to break current ciphers. As a "quick fix", increasing key sizes in existing ciphers may buy additional time. But you need to start these migration initiatives early, long before the actual threat materializes. It is nice to see OMB worry about these issues before they are becoming an emergency.

Johannes Ullrich

A relatively straight-forward directive to take action on. Knowing one’s environment is foundational to essential cyber hygiene. The first 3 CIS critical security controls focus on inventory of hardware, software, and data sensitivity/location.

Curtis Dukes

Moving to post-quantum cryptography (PQC) is going to take deliberate effort over multiple years and will need to be tracked and supported. While this data call starts that process out, it's a bit premature as we don't have finalized standards for Quantum Crypto, let alone products to deploy, meaning the answer to this data call is effectively "everything in scope." The memo is also asking agencies to produce budget estimates to implement PQC, which is again difficult without products to incorporate. The memo attempts to prioritize by focusing on high impact systems, high-value-assets (HVAs), systems which are particularly vulnerable top CRQD-based attacks as well as logical access control systems or those containing mission relevant data, while excluding National Security Systems (NSS).

Lee Neely

Perhaps a little aggressive but doable for most.

William Hugh Murray

BEC is still a concern; with estimates of a 65% increase in identified global exposed losses between July 2019 and December 2021. The increased success is partly attributed to the pandemic where increased telework removed some traditional mitigations, such as shouting or walking down the hall for support. The attackers still largely leverage phishing, social engineering, hacking, in combination or separately. This means we need to stay vigilant and support our users making good choices to avoid BEC, and make sure our training and support mechanisms remain viable in the current work environment. Conduct regular exercises and adjust where you can to make improvements.

Lee Neely

BEC schemes have been around for years. Cybersecurity best practices, such as email authentication using Domain-based Message Authentication Reporting and Conformance (DMARC), ensure that only legitimate senders are using company trusted domains to message customers and employees. Use the DOJ charging documents to frame the discussion between executive leadership and IT staff.

Curtis Dukes

With increased supply chain risk focus and regulatory requirements, you should be incorporating all the guidance you can find into your planning and response. These are intended for customers to leverage as a basis for assessing, describing and measuring security practices relatively to the software lifecycle. The customer slicksheet provides suggestions for requests you can make of suppliers to help reduce your risk. While likely more effective in a paid environment, don't hesitate to leverage these to increase the integrity of open-source software leveraged.

Lee Neely

This is a supplier problem. It will not be fixed by customers. Too many suppliers, too many updates, too obscure.

William Hugh Murray

The good news is that cryptography is hard for the bad guys to do well. The bad news is that cryptography is also hard for the good guys to do well. If you are building or buying apps that use cryptography, make sure the code is tested by skilled personnel. Side note: “Zeppelin Ransomware” would be a good name for a band…

John Pescatore

Encryption is hard, even without quantum computing. In this case the researchers discovered two flawed encryption techniques, then were able to leverage twenty 40-CPU servers to factor a 520-bit RSA key in a few hours, from there they had the two primes (p,q) used to compute the public key (n) which in turn allowed them to compute the private key (d). Yes, this makes my head hurt too - look when implementing cryptography, make sure that it's done properly, ideally let someone else create and certify the implementation before you use it. If you really want to roll your own encryption, read that blog, and if you're still determined to do so, make sure that you have it authoritatively reviewed for deficiencies.

Lee Neely

While finding a vulnerability in the encryption routine worked this time; the best defense is still patching, configuration management, and limiting accounts with elevated privileges.

Curtis Dukes

My regular reminder that the Europol No More Ransom website www.nomoreransom.org has a repository for known decryption keys

Brian Honan

The Crowd attack has to come from an IP address in your allow list, where the attack can bypass an authentication check. Make sure that you're on a fixed/supported version of Crowd, and cross-check your Remote Address configuration. The Bitbucket fix requires applying the update. It is possible to slightly reduce the risk by disabling public signup, but this really only moves the attack from unauthenticated to authenticated users, so if someone has credentials, it's still game-over.

Lee Neely

The trick here is finding a cost-effective way to raise the bar without overly increasing the operational costs. One of the attack vectors which has to be considered is the interface between IT and OT systems, which is an increasingly used as an attack vector. Examine these connections with an eye to preventing the trust relationship being used as a superhighway to your OT systems.

Lee Neely

Establishing a common and prioritized set of safeguards to achieve a baseline cybersecurity posture across all sectors should be a national imperative. The CIS Critical Security Controls, starting with implementation group 1 are measurably effective against the top five attacks being used against every industry sector, why not start there.

Curtis Dukes