Author Archives: Amanda McKeon

Fears of GDPR-Triggered Spam So Far Unfounded

Chances are you’re familiar with GDPR, the European Union’s General Data Protection Regulation. It went into full effect back in May of this year, with the goal of improving the privacy and security of European citizens in particular, but the global community overall as well.

One of the impacts of GDPR was that it made the WHOIS database private. WHOIS is the searchable online directory of domain name registrations, and some security researchers had concerns that spammers might take advantage of this anonymity to increase their registration rate of domain names, making it easier for them to send out their spam.

Allan Liska is a senior security architect at Recorded Future, and he analyzed several months’ worth of data on spam rates to see if the expected uptick came to pass. Allan wasn’t alone on this project — he had assistance from his son, Bruce, who interned at Recorded Future this past summer and co-authored the report. We’ll hear from Bruce as well.

This podcast was produced in partnership with the CyberWire.

The post Fears of GDPR-Triggered Spam So Far Unfounded appeared first on Recorded Future.


Protecting the Brand, Products, and People at Perdue Farms

Perdue Farms is a major U.S. agricultural business, best known for its processing of chicken, turkey, and pork, and is one of the nation’s top providers of grain. Founded nearly a century ago as a “mom-and-pop” business with a small flock of chickens, today the company marks sales in excess of $6.5 billion a year and has over 20,000 employees.

Chris Wolski is head of information security and data protection at Perdue Farms, and he joins us to describe the unique intersection of cyber and physical systems he and his team help protect.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and thanks for joining us for episode 73 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Perdue Farms is a major U.S. agricultural business best known for their processing of chicken, turkey, and pork, and is one of the top providers of grain. Founded nearly a century ago as a mom-and-pop business with a small flock of chickens, today the company marks sales in excess of $6.5 billion a year, with over 20,000 employees.

Chris Wolski is director of information security and data protection at Perdue Farms, and he joins us to describe the unique intersection of cyber and physical systems he and his team help protect. Stay with us.

Chris Wolski:

My first computer was a little Bally game system. It came with a basic cartridge, and that’s how I started learning about programming. And if you look up a Bally game system, you’ll see how old that makes me. From there on, my grandmother had continually upgraded my capabilities by buying newer computers, and eventually, we integrated off of using the family television for the monitor and actually had a real monitor on a desk. I graduated high school, joined the Navy, got into information security through data collection and data classification, and then after 20 years, retired.

I went back into the Navy as a civilian. I did a little time over at the Joint Chiefs of Staff doing incident response for them. For me, that was a long commute. I was still living in Delaware and had a two-hour commute to Washington, D.C. every day. From there, I’m like, “Well, there’s got to be something closer.” Then, Perdue Farms came and said they were looking for an information security analyst, and that’s how I ended up here at Perdue. Since that time, I’ve promoted up, and now I am the director of information security at Perdue Farms.

Dave Bittner:

Give us some insight into what the contrast is between the time you spent with the Navy and in the government to the private sector.

Chris Wolski:

The contrast I see most is something actually kind of unfounded. I thought there was going to be a significant political difference between the two. There’s actually … It still exists in the private sector, it’s just how it’s handled that is different. That’s the contrast. The political games that you have to play within an organization — a private organization such as Perdue — it’s more personal. In the government, I felt that there was more hierarchy. You cannot talk to somebody unless you have permission up the chain and different tree level to be able to talk to somebody.

Here, once I’ve established myself, I’ve been able … I could go and talk to others within the organization and, if necessary, I can backfill my supervisor. It’s nothing for me to be able to go talk to the CEO and say what’s on my mind and then backfill the CIO.

Dave Bittner:

What are the differences in the types of challenges that you’re facing day-to-day between the government and in the private sector?

Chris Wolski:

I think it’s the same. Challenges are the same when it comes to money. The differences are, we still do color money. We have capital and we have opex, and the challenge that comes in is, where, what flavor money, or what color money we’re going to use for this year. What is acceptable? Are we looking more to spend operationally, or are we going to do more of the capital expense? The other issues that we have are the awareness part of it. Within government, it’s pretty much mandated. Everybody understands cybersecurity or has to understand cybersecurity as part of their job. It’s much easier to implement policy because it’s a “do as I tell you” mentality in the government, in the military. Working as a civilian in the private sector, it’s much less that and more of, okay, let me help you understand and kind of guide you toward understanding what cybersecurity is.

Dave Bittner:

Now, I’m certainly familiar with Perdue Farms, having grown up here in Maryland and taking trips to the eastern shore, to Ocean City, every summer as a child. You would drive by the Perdue Farms there, where chickens were raised. Sometimes you’d be traveling down the highway and a truck full of chickens would drive by, which for a kid from the suburbs, was something to see. Can you give us an idea of the scope of Perdue Farms from a cybersecurity point of view? What kinds of things do you have to deal with day to day?

Chris Wolski:

On a day-to-day basis for cybersecurity at Perdue, we’re really looking at protecting the brand name. Brand — to be the most trusted name in agriculture — applies to the cybersecurity realm here. We don’t want to have the Perdue name dragged down because of a cybersecurity event. At the same time, we want to ensure that we’re protecting our employees to prevent an accidental phishing click or to inadvertently introduce malware into our environment. We typically look at Perdue as having four different, I guess, “opponents,” if you want to say it that way. We have to deal with the hacktivists because we have people that don’t like how we raise chickens, or, like, the chickens in the truck, or don’t like to eat meat. We have those people that we have to protect against.

We have nation-state actors that we need to protect against. While it’s not a large threat, it does exist. And then we also have, of course, the internal user that we have to worry about. And finally, like every other organization, the cybercriminals that are out there and trying to make a quick buck off of some ransomware or account takeover, whatever the case may be.

Dave Bittner:

Now, how do you handle dealing with third-party risk? You have a lot of suppliers, you work with a lot of farms. It’s a huge industrial operation that you have there. How do you approach that?

Chris Wolski:

With third-party risk, we look closely at the documentation that they have. We try to find third parties that have completed some sort of SOC documentation, SOC 1 or SOC 2, that can attest to their level of cybersecurity. Really, we want to make sure that we’re dealing with third parties that understand where we’re coming from as far as security, and that we can also understand what they’re having. Additionally, we look to researching our third parties through the Recorded Future threat intelligence product, and we also do some web searching to see what’s out there for that company to make sure that we’re dealing with a company that’s legitimate. As far as the farmers, the farmers are all independent contractors. We don’t provide much in the way for them, but they have some access to some external sites, but nothing internal.

Dave Bittner:

Can you describe to me what your process is? How do you approach communicating with the folks who are above you in the organization? The board of directors, the people that you have to report to — how do you take care of translating that message when it comes to security and budgets and things like that?

Chris Wolski:

When talking to the board or to people that really don’t understand cybersecurity or the technology or the terms, I use a lot of analogies that they can relate to. It’s bringing back kind of a storytelling mentality, like, “If we did this,” and putting it in a term that they’d understand, “then we can protect this.” It’s kind of like medieval terms, going back to the castle and the moat. Help them understand that Perdue Farms is the castle we have to protect. Analogies like that. Or when I’m talking with the transportation folks, putting it in terms of how they operate so that they can understand it, and then once they get it, then you can see that light bulb come on and, “Oh okay, now I understand what you’re trying to say.”

Dave Bittner:

How about in terms of incident response? When things do happen, how do you all prepare for that? Do you practice ahead of time? What’s your approach to that?

Chris Wolski:

For incident response, we have a proactive plan in place. One of the things I brought with me from the Department of Defense is a tiered-level response. Something as simple as malware showing up on a device does not require an entire incident response team to go and activate and run like kids toward a soccer ball. What we do is … It’s very measured, and then as the incident grows, if it’s something that cannot be handled by my team, then we start looking at bringing in other team members, like infrastructure or legal, and then if it’s something that cannot be contained internally, then we’ll definitely reach out to a third party to assist us. It’s very measured. It’s efficient and actually has kind of a flowchart mentality or function to it.

Dave Bittner:

Now, what about your own management style? When you’re working with your team, what’s your leadership style?

Chris Wolski:

I’ve learned to become — being that Navy chief petty officer — I’ve really come to be a coach and mentor. I sit with my team. I’m not off in some office somewhere. I work with them, and when they have questions, cybersecurity related or incident response related, I’m right there with them. I help them answer the question. And then I give them the tasks, day-to-day tasks, and expect them to do it, and I don’t hover over them. I’m not micromanaging or standing over their shoulder, making sure they click the right button. If they have questions, they know they can come approach me and they’ll get answers in a way that helps them learn what the best process is. Or maybe, sometimes, I’ll even learn from them because they’re like, “Oh, well how about this way?” And I’m like, “Oh, that’s pretty cool. Show me that again.” And then we improve our process.

Dave Bittner:

You mentioned mentoring, and I know that’s something that’s important to you. Can you describe to us why you think that is important? And how do you take on that task of mentoring people?

Chris Wolski:

When mentoring, it’s about helping the person get to their goal. It’s not doing it for them. For me, to mentor somebody, I’ll point them in the right direction, maybe give them a little bit of something to research, but at the same time, giving them a little support that backstops them and helps them grow on their own. Mentoring is one of those things that the person then starts feeling some sort of self-achievement when they’ve completed something on their own, when they’ve been directed and pointed in a way that somebody can understand the whole process. I think it sparks innovation in some ways because when you’re mentoring, like I say, you’re not giving them the entire answer, you’re giving them a direction to go in and then maybe sometimes they come up with their own solution, and that definitely can help improve the business and help the department and information security as a whole.

I seek out mentors to help me in gaining my next level. It’s not something that’s looking at that for me to provide, but I also use mentors to help guide my decisions personally and professionally.

Dave Bittner:

I want to talk about threat intelligence and how you view it — the importance it has to you. I know you use the Recorded Future tool there at Perdue. Can you just describe to us how you approach threat intelligence?

Chris Wolski:

Threat intelligence is another member of my team — especially the Recorded Future tool. It gives me time to be able to focus on the issues I have here in my office and at the same time, use the tools and the other sources out there to keep me abreast of what’s going on in the industry, what could be going on with our threats. And being able to provide that information to the people in my organization that really could use it to protect us physically. Sometimes we learn about protests in advance because of the threat intelligence, and then additionally, we find out when something has been leaked out onto the internet that shouldn’t have been leaked out. It allows us to be proactive and at the same time, reactive.

It’s one of these things that has proven its value in a very quick, short time frame. We’ve only been with Recorded Future for probably about six months now, and the subscription that we got has already paid for itself just with the visibility that we’ve gained that we didn’t have before.

Dave Bittner:

Now, what would your advice be to someone who is considering using threat intelligence? In terms of shopping around and dialing in, what is the best approach for them?

Chris Wolski:

Understanding what your threat intelligence requirements are. What is it that you’re looking for? What is it that you’re trying to answer? For us, it’s brand protection and understanding the tactics and techniques of the threat actors against us. Understanding what those requirements are will help you in deciding the best product for you. If it’s something where you’re looking at just being able to understand different indicators of compromise, maybe finding something that provides that would work for you. Whereas, if you’re looking for something that’s a little more strategic — and in my case, being able to present something to the board — that provides a strategic roadmap to address the different threats that we face … It really depends on what you’re looking to do with that information, that intelligence.

Dave Bittner:

It’s a really interesting point you bring up about the intelligence coming through what we would consider to be a cyber domain, through something like Recorded Future, but you’re getting real-world intelligence as well. You talk about things like potential protests, which are physical, non-cyber events, but you get the information from them through that information domain.

Chris Wolski:

That’s correct. For example, if there’s a protest planned at one of our facilities, I can lead that off to the physical security officer here so that he can make sure that there’s guards in place and that communication is put out. The company is ready to respond with a public communication or whatever steps necessary to protect the company and the associates with the company. So, the employees, as well.

Dave Bittner:

Our thanks to Chris Wolski from Perdue Farms for joining us.

If you enjoyed this podcast, we hope you’ll take the time to rate it and leave a review on iTunes. It really does help people find the show.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.

The post Protecting the Brand, Products, and People at Perdue Farms appeared first on Recorded Future.


Russia’s Vulnerability Database Focuses Inward

Researchers from Recorded Future’s Insikt Group have previously analyzed both the U.S. and Chinese national vulnerability databases, examining the speed of publication of cybersecurity vulnerabilities, and how each respective country considers its NVD in the broader context of the national mission of cyber defense and operations. Recorded Future’s research team recently set their investigative sights on Russia’s vulnerability database to see how it compares.

Priscilla Moriuchi is director of strategic threat development at Recorded Future, and she joins us to share what they found.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and thanks for joining us for episode 72 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Researchers from Recorded Future’s Insikt Group have previously analyzed both the U.S. and Chinese national vulnerability databases, examining the speed of publication of cybersecurity threats and how each respective country considers its NVD in the broader context of the national mission of cyber defense and operations. Recorded Future’s research team recently set their investigative sights on Russia’s vulnerability database to see how it compares.

Priscilla Moriuchi is director of strategic threat development at Recorded Future, and she joins us to share what they found. Stay with us.

Priscilla Moriuchi:

We’ve done a bunch of research in the last year on various countries’ national vulnerability databases, particularly the U.S.’s and China’s, and we realized over the course of the last year that there are a lot of things you can learn about — not just vulnerabilities and how fast countries publish, but about the countries themselves, how they approach information security. From an intelligence perspective, we found that there was invaluable data for anticipating and maybe even preventing a cyber intrusion. So, we decided to apply that same technique to Russia’s national vulnerability database, which is run broadly by its military.

It’s a completely different setup. I don’t even know if I would call it a database, broadly, because it’s so incomplete, but it’s really a different setup than either the U.S.’s NVD or China’s, so we just dug into using kind of the same techniques — how they publish, when they publish — all kinds of stuff like that.

Dave Bittner:

So, before we dig into how Russia does what they do, can you give us a little brief overview of how the U.S. and how China handles theirs and the parts it plays in their overall attitude toward defense?

Priscilla Moriuchi:

So, the U.S.’s national vulnerability database, or NVD, was the first one to be stood up. The U.S. NVD is run by NIST, or the National Institute of Standards and Technologies, and it’s part of DHS and the Department of Commerce, jointly. It’s run mainly as a transparency function so that general consumers and businesses in the U.S. and across the world have a centralized repository for looking at vulnerabilities on their computers, responding to them, installing the patches, and upgrading their information security.

For most of the IT world, the U.S. NVD has the gold standard in terms of the content it publishes, the type of vulnerabilities it addresses, and the comprehension of its database. The other one we’ve taken a look at is China’s national vulnerability database, or CNNVD. This one is different from the U.S. NVD in that it’s run by their equivalent of the CIA, which is the Ministry of State Security. It’s run by an intelligence service. China’s vulnerability database is very fast in publishing vulnerabilities broadly. It’s faster than the United States. It includes some vulnerabilities that the United States database does not, but broadly, China’s database is used by its intelligence services to look for vulnerabilities that the intelligence services could be using in their own cyber operations.

So, China has done quite a poor job of balancing the kind of transparency and public service mission of a vulnerability database with the intelligence mission of the organization who runs it. So there’s quite a different application of vulnerability management than the United States database.

Dave Bittner:

And these databases are widely available to anyone? You don’t have to be a resident of a particular country to be able to see what’s in them?

Priscilla Moriuchi:

No, no, they’re available to everyone. It’s just a language barrier issue for most people. The U.S. database is in English, China’s is in Chinese, and Russia’s is in Russian.

Dave Bittner:

All right, well, take us through the background. What happened when Russia decided to spin up their own here?

Priscilla Moriuchi:

Yeah. So, Russia decided to start their own vulnerability database in 2014. That was about 14 years later than the United States, and at that point, you know, there’s 14 years of vulnerabilities for them to catch up on. Their database is sort of broadly known as the BDU. There’s not a great English translation for it, so just call it the BDU.

So in 2014, they started reporting vulnerabilities. There were about 1,000 reported that year, and then they really ramped up publication in 2015. Then, after that, publication went down again in 2016, ’17, and ’18 to much smaller … Maybe two to 3,000 vulnerabilities per year.

So, on average, you see, even though Russia started their vulnerability database quite a deal later than the United States, they only report about 10 percent of vulnerabilities that are identified globally. They only published 10 percent. Their vulnerability database, like I mentioned before, is run by the Russian military, by an organization there called Federal Service for Technical and Export Control, or FSTEC, as we refer to it.

The mission of that organization is not like the U.S. NIST. It’s a military-run organization. Its mission is to protect the information systems of Russia’s government and critical infrastructure. So, with Russia, our research dives into the fact that they don’t even pretend to have a public service mission like China does. They publish only vulnerabilities that are used on Russian information systems or in Russian critical infrastructure that they are concerned about protecting. So that’s a real contrast to both how the U.S. approaches vulnerability management and to how China approaches it as well.

Dave Bittner:

Now, the Russian database — does it end up being a subset of the U.S. database? It’s interesting to me that they didn’t start out by just vacuuming up our database and using that as a starting point.

Priscilla Moriuchi:

Yeah. It’s an interesting study because they could have very well done that, because like you said, especially the U.S. vulnerability database — it’s open to everyone. You can harvest the information from it. So, they could have started out with … I think at that point, in 2014, the U.S. had somewhere around 80,000 vulnerabilities, so they could have started out from that point.

Russia’s vulnerability database, also, is really slow. On average, the delay between the time that a vulnerability is revealed and by the time it’s published in the Russian database, even though they only publish 10 percent of all vulnerabilities, is 95 days. So it’s over three months, which is really substantial and it doesn’t make a lot of sense for anyone to really rely on that database.

Broadly, too, if you look at the technologies that they focus on — what we would call “over covering” — there are a number of technologies that they cover substantially more than 10 percent of the vulnerabilities for. These include widely-used software and hardware technologies and vendors like Adobe, Linux, Microsoft, Apple, Mozilla, Google, those types of things.

From our perspective, because of Russia’s overt mission, this database is explicitly for protecting Russian information systems. You can really learn more about what Russia has and what Russia runs on their own state information systems, than really about what Russia is seeking to target for cyber operations abroad.

Dave Bittner:

So this is more inward facing, I guess, to people within the organization to point out, “Hey, these are the things that deserve your attention.”

Priscilla Moriuchi:

Yes. So I think the other thing that we’ve learned is, there’s a couple of missions for FSTEC, this parent organization to the vulnerability database. First is publication of these vulnerabilities and providing what we would call a “baseline” for Russian information systems. They all must have patched all of these vulnerabilities, and the vulnerabilities in the BDU form that baseline. So there’s a standard baseline across Russian government information systems. Here is what it is — it’s in the BDU. Find it and do it.

The second part of this, though, is that the larger mission of FSTEC is to do what’s called these “reviews” of technology, or technology licensing. This is a technique that’s used to a certain extent by China as well, in which the government — the Russian or Chinese government — has mandated technology and product reviews of particularly foreign information technology that companies would like to sell in their domestic marketplaces.

And in this case, the government, FSTEC, requires that people or companies get a license, and in order to get that license, they have to subject their software or hardware to these technology reviews that are conducted by FSTEC. The reviews, in many cases, require a source code review by members of Russia’s military, which FSTEC is, and then they’ll hand out a license for a company to be able to sign in Russia.

The BDU is also a baseline of security for these technology licensing reviews, but it also provides a legitimate cover for the Russian military to point to and say, “Look, we also run this vulnerability disclosure program. We need to discover any vulnerabilities in your software to keep our own country’s information technology secure.”

So in that sense, it’s not just an ineptitude that Russia covers only 10 percent of vulnerabilities, or it’s not just that they’re concerned only about Russian information systems — which they primarily are — but it’s also a function of this technology review program and providing this kind of legitimate cover to say: “Here’s what we require. This is the technological security baseline for you. Look at our database. We are a legitimate public service organization as well.”

Dave Bittner:

Now, one of the things that you look at in your research here is, you contrast the database against known Russian APTs. Can you take us through what you learned there?

Priscilla Moriuchi:

Yeah, so this was really interesting, I think. What we did is, we tried to apply one of the same techniques we used with the U.S. and Chinese research, which was to identify vulnerabilities exploited by each country’s APTs or certain groups, and to determine how many of those were reported by each country’s vulnerability database, and try to figure out what that means. So, for China, for example, very few of their vulnerabilities were reported in a timely manner by CNNVD. And during that publication line, we discovered in a number of cases that there were Chinese APTs actually exploiting those vulnerabilities in their own operations.

For Russia, interestingly enough, it was the complete opposite. So in this case, we identified 49 vulnerabilities that Russian threat groups were actively exploiting. And among those, 49, 30, or 61 percent were actually published in the BDU, so that’s substantially higher than China. Among those 30 that were published, which is well over half, APT 28, which is attributed to Russia’s main intelligence director, or the GRU, was published in the BDU. That’s a substantial amount, and it amounts to FSTEC publishing 60 percent of vulnerabilities being actively exploited by the Russian military.

In this case, we think that there are two fundamental reasons for that. The first could be that, since FSTEC’s mission is to protect Russian government information systems, the Russian government systems also utilize these programs because they’re very widely used software and hardware vulnerabilities. So the same vulnerabilities that Russian APTs are exploiting are also present on Russian information systems, and they’re using the BDU to patch them and clean them up.

The second is — which I think is also likely — that military intelligence services are obligated to protect Russian information systems with the knowledge that they possess on vulnerabilities, in addition to their offensive cyber operations. They have a dual mandate. In this case, our assessment is that the GRU, for example, has this dual mandate for one, obviously, to use cyber operations to conduct intelligence operations and collect information on foreign intelligence targets abroad, and second, for this information security and defense mission in which they’re also obligated to use the information and the knowledge that they have about offensive operations to protect the Russian government information systems.

But I think that’s not the most likely scenario that we see. What you can learn from the BDU database, is that one, what kind of information systems and technologies are in Russian government, but two, that the GRU also has these balancing mandates, protecting Russian state and offensive cyber operations.

Dave Bittner:

Right. Saying to everybody, “Hey, this is where we’ve placed the virtual landmines, so heads up.”

Priscilla Moriuchi:

Yeah, kind of. And that’s not entirely unusual. Many U.S. intelligence agencies also have those dual mandates. A part of them conduct foreign intelligence operations overseas and the other side conducts the defensive mission. So it wouldn’t be unusual for an intelligence service to balance those two dueling mandates.

Dave Bittner:

Now, you sort of wrap up your research here by asking the question, “Why does FSTEC publish so few vulnerabilities?” You’ve walked through some likely hypotheses, so can you take us through those?

Priscilla Moriuchi:

Sure. So, broadly, we struggled for a long time with, why put the effort in to report so few vulnerabilities? Our broad survey of — we would just be both searching the internet and also talking to some of the contacts that we knew in information security and corporate world. Nobody utilizes the BDU. It’s not a primary source for any company or any person or organization. So, we just kind of struggled with, why does Russia even devote the resources to publishing this meager amount, this 10 percent that they do? So, we came up with three hypotheses and we scratched off two.

So, our first one was that FSTEC is just vastly under-resourced, and it only has the ability to focus on very key technologies that Russian users utilize. So, the hypothesis there is, they’re all under-resourced and overworked, and they can’t possibly do everything. We ended up crossing that one off the list because its own documents say that FSTEC has over 1,100 employees, and that most of those employees are responsible for this technology review and vulnerability information security mandate. That’s more than NIST, which runs the U.S. NVD, currently has. That was a hypothesis we crossed off quite quickly, because it was clear that FSTEC was not under-resourced.

The second hypothesis we tackled was that FSTEC has these dual offensive and security missions, and that it publishes similarly to China’s NVD — that it has to balance the demands of offense against the demands of defense. But in all the documentation that we review, we really found that FSTEC doesn’t have an offensive cyber mission. It’s really focused almost solely on defense, and the technology reviews are mainly secure Russian government information systems used to gain insight into these foreign technologies, not for offensive cyber mission operations.

So that left us with our last hypothesis, which was the most well supported, and that is that FSTEC is a military organization. It’s publishing just enough content in the BDU to be credible as a national vulnerability database, and FSTEC really just has a defensive mission. They’re just trying to protect Russian government information systems, and part of that is to provide this baseline for the information systems vulnerability management. The larger part of their database is simply to provide this cover right for their foreign technology inspections and their code reviews of foreign software. So unlike China’s national vulnerability database, for example, Russia does not — it doesn’t seem to — delay publication of a vulnerability so that the military can utilize it in offensive cyber operations before they publish it. We just saw no evidence to support that.

Dave Bittner:

That’s interesting. And I guess that ties into how long it takes them to publish anything.

Priscilla Moriuchi:

Right. They take a long time to publish anything, and if anything, the data actually points to the fact that Russia’s APT groups are actually utilizing vulnerabilities that are published in the BDU, not vulnerabilities that are not published in the BDU.

Dave Bittner:

Now, do any vulnerabilities show up in their database that don’t show up in the other two — the U.S. and China’s?

Priscilla Moriuchi:

Russia has a slightly different system that’s not completely analogous to the CVE numbers used by the U.S. and China. They report things by vulnerability, for example, and they have a different numbering scheme. So, it’s not 100 percent analogous. But broadly, I think there are almost no vulnerabilities in the BDU that are not in the U.S. NVD.

Dave Bittner:

So, what are the overall “take-homes” here for you? What do you walk away with in terms of being informed about how the Russians were approaching this sort of thing?

Priscilla Moriuchi:

So I think if you talk about why anyone should follow the BDU, or what we are learning here, there are a few takeaways. So, one, from an intelligence perspective, if you as a person or a company or professional are interested in what Russia is running on their own government information systems, then following the BDU gives you great insight into that.

Two, there’s a possibility that the over-reported technologies or the over-reported vendors — the technologies that Russia reports substantially more than 10 percent of — could also be the vulnerabilities that are exploited by Russian APTs, specifically the GRU and APT28. Because in that case, the data showed that over 60 percent of the vulnerabilities used by APT28 were being reported in the BDU. We don’t have a direct link that confirms that. I think it’s a moderate-confidence possibility and it’s something for defenders to be utilizing as a source of information anyway.

And third, that Russian military intelligence also has the same dual obligations: they have the obligation to conduct offensive cyber operations for intelligence collection, but also, they are obligated to use their own cyber knowledge to protect Russia’s state information systems as well.

And then, lastly, that this database is being used as a cover for foreign technology reviews. For companies seeking to sell software in Russia, you should be under no illusion about whom you are dealing with. FSTEC is the Russian military, period. The Russian military serves the interests of the Russian state, and of Russia’s national security, more broadly. Subjecting your technologies to inspection by this organization yields a number of secondary and tertiary risks to both your technology and to the potential customers and users globally.

So that’s another point that we want to foot stomp, that these technology inspections that FSTEC is broadly being used to legitimize are still run by the Russian military, and they’re not these benevolent inspections in which an entity is looking for vulnerabilities in their code. They’re requiring these inspections to get more information on these technology companies to support and protect Russia’s own government and information systems.

Dave Bittner:

Our thanks to Priscilla Moriuchi for joining us.

You can read the research that she co-wrote with Dr. Bill Ladd, also from Recorded Future. It’s titled “Pavlov’s Digital House: Russia Focuses Inward for Vulnerability Analysis.” That’s on the Recorded Future website in the blog section.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.

The post Russia’s Vulnerability Database Focuses Inward appeared first on Recorded Future.