Over the past year, “Dwell Time” has become part of the American lexicon. The term, when used in the scope of infectious disease, is the measurement of time a disinfectant needs to remain wet on a surface to properly disinfect. The quicker a disinfectant solution kills pathogens and sanitizes a surface, the better it works. The Covid-19 pandemic has made most of us experts in disinfectants.
The concept of dwell time matters in information and computer network security as well. There, dwell time is the length of time a threat actor is active, while undetected, within a network: the interval from initial compromise (the first evidence of attacker activity) to detection. Obviously, the longer the adversary lives in the environment, the more time they have to steal data and damage systems. The ultimate goal of every security team is to drive adversary dwell time as low as possible. A dwell time of ZERO is the ideal.
Security software and threat-prevention company Sophos released a report titled “The Active Adversary Playbook 2021”. The report is well written and has garnered some attention among cybersecurity media and practitioners. One of the more prominent and celebrated points made by the report is a median adversary dwell time of eleven (11) days. I immediately winced when I read this claim. I'm not an expert by any means, but that number seemed way off. Particularly since FireEye reported a median dwell time of 56 days in their 2020 M-Trends report. Did the security industry get that much better in just a year? One caveat before putting the two numbers side by side: each vendor computes its median from its own incident-response caseload, and a caseload heavy in ransomware, where the attacker deliberately announces itself by encrypting systems within days, will show a far shorter median than one heavy in espionage intrusions that are built to stay quiet.
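To make the metric concrete, here is an added example (not code from the newsletter, Sophos or FireEye) that computes dwell time from a handful of constructed incident records and shows how the headline median moves with the case mix. The incident IDs, categories and timestamps are made up for illustration.

```python
"""Added example: compute adversary dwell time (first evidence of attacker
activity -> detection) over a small constructed incident set and report the
median and mean for the whole set and per category.  All records below are
invented for illustration; nothing here comes from a real engagement."""
from datetime import datetime
from statistics import mean, median

# Constructed incident records (assumption, not real cases):
# (case id, category, first evidence of attacker activity, detection time)
INCIDENTS = [
    ("IR-001", "ransomware", "2021-02-01T08:00:00", "2021-02-04T21:30:00"),
    ("IR-002", "ransomware", "2021-02-10T02:15:00", "2021-02-21T06:00:00"),
    ("IR-003", "ransomware", "2021-03-05T23:40:00", "2021-03-12T04:10:00"),
    ("IR-004", "espionage",  "2020-11-20T10:00:00", "2021-02-15T10:00:00"),
    ("IR-005", "espionage",  "2020-12-01T09:30:00", "2021-03-30T09:30:00"),
]


def dwell_days(first_evidence: str, detected: str) -> float:
    """Dwell time in days between two ISO-8601 timestamps.

    A detection timestamp earlier than the first evidence is a data-entry
    error, not a negative dwell time, so it is rejected rather than averaged.
    """
    start = datetime.fromisoformat(first_evidence)
    end = datetime.fromisoformat(detected)
    if end < start:
        raise ValueError(f"detection {detected} precedes first evidence {first_evidence}")
    return (end - start).total_seconds() / 86400


def dwell_stats(incidents, category=None) -> dict:
    """Count, median and mean dwell (days) for all incidents or one category."""
    days = [
        dwell_days(first, detected)
        for _, cat, first, detected in incidents
        if category is None or cat == category
    ]
    if not days:
        raise ValueError(f"no incidents in category {category!r}")
    return {"count": len(days), "median": median(days), "mean": mean(days)}


if __name__ == "__main__":
    # The overall median is pulled toward whichever category dominates the
    # caseload, which is why two vendors' medians are not directly comparable.
    for label in (None, "ransomware", "espionage"):
        stats = dwell_stats(INCIDENTS, label)
        print(f"{label or 'all':11s} n={stats['count']} "
              f"median={stats['median']:.1f}d mean={stats['mean']:.1f}d")
```

With these constructed records the overall median is about 11 days, but the ransomware-only median is about 6 days and the espionage-only median is 103 days; the mean (about 45 days) tells yet another story. Which of those a report quotes, and what its caseload looked like, matters more than the headline number.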
Yes, but how?
This former federal prosecutor with over 27 years of experience details the disparate criminal prosecutions applied to the have and have-not suspects of financial crime. And this isn’t just occurring at the federal level, it’s all prosecutions. “Practically everyone knows, on some level, that the rich get better treatment than the poor. But I saw it so clearly: The wealthy live in a different legal reality entirely, one in which blatant financial fraud routinely goes unpunished. For the poor, even the merest transgression can lead to ruined lives.” Yes, everyone does know. Now, how do we change it? https://www.theatlantic.com/ideas/archive/2021/05/prosecute-tax-fraud-financial-crimes-garland/618914/
Yay! More SARs.
The Biden administration is pushing to mandate the reporting of any transaction over $10,000 conducted using digital currency. The same reporting rule already exists for cash transactions over $10,000. The move is intended to combat money laundering. Of course, those of us who work in the field are fully aware that only legitimate businesses file SARs; and criminals don’t need to utilize legitimate businesses to move cryptocurrency. https://arstechnica.com/tech-policy/2021/05/crypto-payments-above-10000-would-be-reported-to-irs-under-treasury-plan/
Sweat the small stuff!
No cyber element here, but a very important story line for business and the criminal justice system as a whole. Retail theft has become such a problem in San Francisco that it is literally driving businesses out of the city. Shoplifting losses have forced Walgreens to close 17 stores in the city. This is what happens when prosecutors fail to enforce the laws for “petty” crimes. They grow into bigger issues. One person stealing a $20 item is tolerable for a business. 20 people stealing a $20 item, every day, over the course of a year, will shut a business down. Now consider organized retail theft crews that are hitting stores for hundreds of dollars at a time. From the article, “thieves are obviously choosing locales based on what the consequences are, if there are no consequences for their actions, then you invite the behavior. Over and over.”
https://www.nytimes.com/2021/05/21/us/san-francisco-shoplifting-epidemic.html
https://www.sfchronicle.com/local-politics/article/Out-of-control-Organized-crime-drives-S-F-16175755.php
Phishing and Vishing
Armorblox details a new email attack targeting Amazon customers. The attack starts with an email that urges the recipient to call a phone number for additional information; the phone number is the payload, so there is no link or attachment for a URL-based mail filter to catch, and the fraud happens on the call. The company examines two phishing emails its customers received and shows how to recognize the sender's malicious intent. The practical check is simple: never call a number printed in an unexpected message, and verify any order or charge through the Amazon app or website instead. Of course, if you ever tried to contact the real Amazon you know the last thing they want is someone calling them - so it should be immediately suspicious if they are inviting a call. https://www.armorblox.com/blog/amazon-vishing-voice-phishing-attacks
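As an added example (not Armorblox's code or rule set), the following Python heuristic scores an email for the "callback" pattern described above: brand impersonation from a non-brand sender domain, a phone number in the body, and no link. The two sample messages are constructed for illustration, and the brand-to-domain table and scoring thresholds are assumptions a real mail gateway would tune.

```python
"""Added example: heuristic detector for callback (vishing) emails.
Flags a message when it (1) mentions a watched brand, (2) comes from a
domain that brand does not use, (3) offers a phone number, and (4) carries
no URL at all, which is the tell of a callback lure.  Brand list, sender
domains and the two sample emails are constructed for illustration."""
import email
import re
from email import policy

# Assumption: brands we watch and the sender domains they legitimately use.
BRAND_DOMAINS = {
    "amazon": ("amazon.com", "amazon.co.uk"),
}

# North American phone numbers in the usual written forms, e.g. (888) 555-0142.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def analyse(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return the callback-phishing indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From", "")).lower()
    subject = str(msg.get("Subject", ""))
    # Prefer the address inside <...>; fall back to the bare header value.
    addr_match = re.search(r"<([^>]+)>", sender)
    addr = addr_match.group(1) if addr_match else sender.strip()
    domain = addr.rsplit("@", 1)[-1]

    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = body_part.get_content() if body_part is not None else ""
    haystack = f"{sender}\n{subject}\n{text}".lower()

    brand = next((b for b in BRAND_DOMAINS if b in haystack), None)
    domain_ok = brand is None or any(
        domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand]
    )
    phones = PHONE_RE.findall(f"{subject}\n{text}")
    urls = URL_RE.findall(text)

    if brand and not domain_ok and phones and not urls:
        verdict = "likely callback phishing"
    elif brand and not domain_ok:
        verdict = "brand impersonation"
    else:
        verdict = "no finding"
    return {
        "domain": domain,
        "brand": brand,
        "domain_ok": domain_ok,
        "phones": phones,
        "urls": urls,
        "verdict": verdict,
    }


# Constructed sample messages (not the emails from the Armorblox write-up).
PHISH = b"""From: "Amazon Order Support" <orders-desk@amz-help-center.example>
To: victim@example.org
Subject: Your order #112-4431 has been placed
Content-Type: text/plain; charset="utf-8"

Thank you for your purchase of a 65-inch TV for $1,299.99.
If you did not authorize this order, call us immediately at (888) 555-0142
to cancel and receive a refund.
"""

LEGIT = b"""From: "Amazon.com" <ship-confirm@amazon.com>
To: victim@example.org
Subject: Your package has shipped
Content-Type: text/plain; charset="utf-8"

Track your package: https://www.amazon.com/gp/your-account/order-history
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        result = analyse(raw)
        print(f"{label}: {result['verdict']} (from {result['domain']}, "
              f"phones={result['phones']}, urls={len(result['urls'])})")
```

The absence of a URL is a positive signal here, which is the opposite of what most phishing heuristics look for; a gateway that scores only links will pass these lures through untouched.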
The other side…
The debate over whether to pay the ransom or not has intensified over the past week after it was announced that Colonial Pipeline paid over $5 million to the Darkside group. Being on the law enforcement side, I mostly adhere to the ‘we don’t negotiate with terrorists’ credo. BUT, since I work with victims every day, I completely understand why some choose to pay, or have no option but to pay. Roger Grimes from KnowBe4 explains why it may be in the best interest to pay the ransom. https://blog.knowbe4.com/paying-the-ransom-is-not-just-about-decryption
The Rest…
The FBI warned of a spear-phishing campaign posing as Truist Bank to deliver malware. https://www.bleepingcomputer.com/news/security/fbi-spots-spear-phishing-posing-as-truist-bank-bank-to-deliver-malware/
ID Agent attempts to answer the question “how often should businesses run cybersecurity training?” https://www.idagent.com/how-often-should-businesses-run-cybersecurity-awareness-training
CNA Financial Corp., among the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack earlier that month. https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack
Search LinkedIn like a pro! https://booleanstrings.com/linkedin-search-operators/
Tools
A sneaky little tool to get around paywalls…https://text.fish/
OSINT focused Linux distribution CSI Linux has been updated. Spin up the virtual appliance in VirtualBox and give it a try. https://csilinux.com/download.html
Job Alert
Head of Financial Threats - Global Fraud Prevention, Citi Bank (unfortunately it doesn’t look like remote is an option)
“IF YOU HAVE ALWAYS DONE IT THAT WAY, IT’S PROBABLY WRONG” - someone smarter than me.
Thank You for reading another edition. Make your best friend a better friend and share this newsletter with them.
Matt