There seems to be no end to warrantless surveillance:

According to the letter, a surveillance program now known as Data Analytical Services (DAS) has for more than a decade allowed federal, state, and local law enforcement agencies to mine the details of Americans’ calls, analyzing the phone records of countless people who are not suspected of any crime, including victims. Using a technique known as chain analysis, the program targets not only those in direct phone contact with a criminal suspect but anyone with whom those individuals have been in contact as well.

The DAS program, formerly known as Hemisphere, is run in coordination with the telecom giant AT&T, which captures and conducts analysis of US call records for law enforcement agencies, from local police and sheriffs’ departments to US customs offices and postal inspectors across the country, according to a White House memo reviewed by WIRED. Records show that the White House has, for the past decade, provided more than $6 million to the program, which allows the targeting of the records of any calls that use AT&T’s infrastructure—a maze of routers and switches that crisscross the United States.
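The quoted report describes "chain analysis" in one sentence: start from a suspect, take everyone they called, then everyone those people called. As an added illustration (not code from the report, WIRED, or the program itself), the small script below runs that hop-limited sweep over a set of constructed call records, so the reader can see how fast the population grows past the one suspect. Every phone number is fictitious, and the hop depth is a parameter of the example because the report does not state how far the program reaches.

```python
"""Hop-limited contact sweep over constructed call records (privacy illustration)."""
from collections import deque

# Constructed call detail records: (caller, callee). All numbers are fictitious.
CALL_RECORDS = [
    ("555-0100", "555-0101"), ("555-0100", "555-0102"), ("555-0103", "555-0100"),
    ("555-0101", "555-0110"), ("555-0101", "555-0111"),
    ("555-0102", "555-0112"), ("555-0102", "555-0113"), ("555-0110", "555-0102"),
    ("555-0103", "555-0114"),
    ("555-0110", "555-0120"), ("555-0114", "555-0121"), ("555-0122", "555-0114"),
    ("555-0130", "555-0131"),   # a pair with no link to the seed at all
]

# The single number a request would start from (assumed for the example).
SEED = "555-0100"


def build_contact_graph(records):
    """Undirected contact graph: a call in either direction links both parties."""
    graph = {}
    for caller, callee in records:
        graph.setdefault(caller, set()).add(callee)
        graph.setdefault(callee, set()).add(caller)
    return graph


def chain_analysis(graph, seed, hops):
    """Breadth-first sweep: return {number: hop distance} for everyone within `hops`."""
    distance = {seed: 0}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        if distance[current] == hops:      # do not expand past the hop limit
            continue
        for contact in graph.get(current, ()):
            if contact not in distance:
                distance[contact] = distance[current] + 1
                queue.append(contact)
    return distance


def sweep_size_by_hop(graph, seed, max_hops):
    """How many numbers the sweep pulls in at each hop depth (hop 0 is the seed)."""
    counts = {}
    for hop in chain_analysis(graph, seed, max_hops).values():
        counts[hop] = counts.get(hop, 0) + 1
    return counts


if __name__ == "__main__":
    graph = build_contact_graph(CALL_RECORDS)
    for depth in (1, 2, 3):
        swept = chain_analysis(graph, SEED, depth)
        print(f"{depth} hop(s): {len(swept) - 1} people besides the seed "
              f"{sweep_size_by_hop(graph, SEED, depth)}")
```

On this tiny record set one hop reaches 3 numbers, two hops reach 8 and three hops reach 11, none of whom are the suspect; with real carrier volumes the same traversal is what turns "one suspect" into "countless people who are not suspected of any crime".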

Threat intelligence sharing has come a long way since Valentine’s Day 2015.

I happened to be in the audience at Stanford University when President Obama took to the stage to issue an executive order challenging the corporate sector and federal government to start collaborating as true allies.

Obama’s clarion call led to the passage of the Cybersecurity Information Sharing Act, the creation of Information Sharing and Analysis Organizations (ISAOs) and the jump-starting of several private-sector sharing consortiums.

Material progress in threat intel sharing, indeed, has been made. Yet, there remains much leeway for improvements. I had the chance to discuss this with Christopher Budd, director of Sophos X-Ops, the company’s cross-operational task force of security defenders.

Budd explained how Sophos X-Ops is designed to dismantle security silos internally, while also facilitating external sharing, for the greater good.

For a full drill down, please view the accompanying videocast. Here are my takeaways.

Overcoming inertia

Threat actors haven’t been exactly sitting on their laurels. Case in point: fresh intel just released in Sophos’ Active Adversary Report for Security Practitioners discloses that telemetry measuring network activity has begun turning up missing on a grand scale – it was absent in nearly 42 percent of the incident response cases examined by Sophos’ analysts between January 2022 and June 2023.

These gaps in telemetry illustrate just how deep and dynamic the cat vs. mouse chase has become; in some 82 percent of these cases the attackers purposefully disabled or wiped out the telemetry to hide their tracks.
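The two figures above (telemetry missing in 42 percent of cases, deliberately disabled or wiped in 82 percent of those) are the argument for treating a sensor going quiet as a finding in its own right rather than a gap in the data. As an added example, not code from Sophos or from the report, the script below runs that check over a few constructed endpoint event lines: it flags any host whose stream falls silent for longer than a threshold, including silence that runs up to the present moment, and records whether a log-clearing or agent-stop event immediately preceded the silence. The log format, the field names and the event names are assumptions of the example, not a real product's schema.

```python
"""Flag hosts whose telemetry goes quiet, and note what happened just before it did."""
from datetime import datetime, timedelta

# Constructed sample events (not real product output); lines arrive interleaved.
SAMPLE_LOG = """\
2023-05-01T10:00:00Z host=web01 event=heartbeat
2023-05-01T10:05:00Z host=web01 event=heartbeat
2023-05-01T10:10:00Z host=web01 event=heartbeat
2023-05-01T10:00:00Z host=db02 event=heartbeat
2023-05-01T10:05:00Z host=db02 event=heartbeat
2023-05-01T10:06:30Z host=db02 event=log_cleared channel=Security
2023-05-01T10:07:00Z host=db02 event=agent_stopped
2023-05-01T11:30:00Z host=db02 event=heartbeat
2023-05-01T11:20:00Z host=app03 event=heartbeat
2023-05-01T11:25:00Z host=app03 event=heartbeat
2023-05-01T11:30:00Z host=app03 event=heartbeat
2023-05-01T11:35:00Z host=app03 event=heartbeat
"""

# The moment the check runs (constructed to match the sample above).
NOW = datetime(2023, 5, 1, 11, 40)

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Event names that commonly explain why a sensor went quiet (assumed names).
SUSPICIOUS_EVENTS = {"log_cleared", "agent_stopped"}


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, TS_FORMAT)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def events_by_host(log_text):
    """Group parsed events per host and sort each host's stream by time."""
    hosts = {}
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            hosts.setdefault(event["host"], []).append(event)
    for stream in hosts.values():
        stream.sort(key=lambda e: e["ts"])
    return hosts


def find_telemetry_gaps(log_text, now, max_silence=timedelta(minutes=15),
                        lookback=timedelta(minutes=5)):
    """Return one finding per silence longer than max_silence, per host.

    A finding with gap_end None means the host is still silent at `now`.
    preceded_by lists suspicious events seen within `lookback` of the silence start.
    """
    findings = []
    for host, stream in events_by_host(log_text).items():
        # Pair each event with its successor; the final event is paired with `now`.
        pairs = list(zip(stream, stream[1:])) + [(stream[-1], None)]
        for before, after in pairs:
            silence = (after["ts"] if after else now) - before["ts"]
            if silence <= max_silence:
                continue
            preceded_by = [e["event"] for e in stream
                           if before["ts"] - lookback <= e["ts"] <= before["ts"]
                           and e["event"] in SUSPICIOUS_EVENTS]
            findings.append({
                "host": host,
                "gap_start": before["ts"],
                "gap_end": after["ts"] if after else None,
                "silence_seconds": int(silence.total_seconds()),
                "preceded_by": preceded_by,
            })
    return sorted(findings, key=lambda f: (f["host"], f["gap_start"]))


if __name__ == "__main__":
    for finding in find_telemetry_gaps(SAMPLE_LOG, NOW):
        print(finding)
```

On the sample, db02 produces a gap of 83 minutes that was preceded by a Security log clear and an agent stop, which is the pattern the report's 82 percent figure describes; web01 simply stops reporting at 10:10 with no recorded cause, which is the other kind of gap and deserves a look just the same; app03 is healthy. A real deployment would take the threshold from the sensor's actual heartbeat interval rather than the fixed 15 minutes assumed here.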

“Because of improved network defenses, the attackers are innovating ways to get in and out as fast as they can,” Budd says. “We’ve been dealing with this arms race for decades; at this point, not only is it an arms race, but it is also a highly caffeinated arms race.”

Overcoming inertia remains a big challenge, Budd adds. Historically, network security has been marked by siloed security operations; unilateral teams got stood up to carry out email security, vulnerability patching, incident response, etc. — interoperability really wasn’t on anyone’s radar.

Meanwhile, the network attack surface has inexorably expanded, even more so post-Covid-19, as companies intensified their reliance on cloud-centric IT resources. And today, with the mainstreaming of next-gen AI tools, attackers enjoy an abundance of viable attack vectors, putting security teams that operate unilaterally at a huge disadvantage.

Joint task force approach

Sophos X-Ops launched in July 2022 to apply a joint task force approach to protecting enterprises in this environment. Budd directs a cross-operational unit linking SophosLabs, Sophos SecOps and SophosAI, bringing together three established teams of seasoned experts.

From this command center perspective, real-world strategic analysis happens continuously and in real time. The task force can deploy leading-edge detection and response tools and leverage the timeliest intelligence. It’s much the same approach that has proven effective time and again in military and emergency response scenarios.

“The benefit of a joint task force model is you maintain excellence and expertise in each domain area,” Budd says. “You don’t dilute the expertise in that domain area; you break down the silos by bringing each piece that you need for that unique threat to build a unique solution.”

The incident response team, for instance, might zero in on suspicious activity to gather hard evidence that gets turned over to malware experts for deeper analysis. AI specialists might then jump on board to develop an automated mitigation routine, suitable for scaling. And the entire mitigation effort gets added to the overall knowledge base.

This is how the Sophos X-Ops team helped neutralize a recent spike in ransomware attacks against Microsoft SQL servers. The joint task force unraveled how the attackers were able to leverage a fake downloading site and grey-market remote access tools to distribute multiple ransomware families. The campaign was thwarted by pooling resources and jointly analyzing the attackers’ tactics.

External sharing

It struck me in discussing this with Budd that the joint task force approach directly aligns with Obama’s call for stronger alliances on the part of the good guys. Notably, Sophos X-Ops from day one has actively participated in external sharing, via the Cyber Threat Alliance (CTA) and the Microsoft Active Protections Program (MAPP).

The CTA is a coalition of some two dozen companies and organizations, led by Cisco, Palo Alto Networks, Fortinet and Check Point, committed to sharing actionable threat intel in real time. Members proactively share information on emerging threats, malware samples and attack patterns.

With MAPP, Microsoft aims to share fresh vulnerability patching alerts with security vendors before public disclosure. This gives security vendors a head start in both developing and distributing patches, which strengthens the overall Windows ecosystem, Budd noted.

As cyber threats continue to evolve and scale up, the urgency for companies and government agencies to do much more of this is intensifying. The good news is that the advanced technologies and vetted best practices required to completely dismantle security silos, as well as to extend external sharing far and wide, are readily available.

This all aligns with the notion that deeper levels of sharing must coalesce if we are to have any hope of tempering continually rising cyber threats. I’ll keep watch and keep reporting.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

A woman's attempt to hire an assassin online backfires badly, it's scary just how cheap it is to buy information about US military personnel, and trolls and tattoos don't mix. All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner. Plus don’t miss our featured interview with Jason Meller of Kolide.