Hello friend,
Monday blues (3/22/2021).
Late last week, I wrote a piece on a true apex threat-actor that burned through 11 zero-days in less than a year to launch exploits for cyber-espionage operations on the most up-to-date versions of Windows, iOS and Android devices.
On the surface, it’s a stunning story of Google’s ongoing visibility into the operations of an advanced APT operator that ran two campaigns last year with high-end exploits for the latest and greatest iPhones, Android and Windows devices. Drive-by downloads, watering-hole websites, exploit servers, sophisticated encryption of iOS exploit delivery, multiple teams sharing code and infrastructure. It all reads like a fun hacker movie script.
Google’s reverse-engineering work and exposure of sophisticated exploitation techniques — particularly around mobile implants — is crucial to help defenders raise the bar and cost for attackers. But, I can’t shake the feeling that Google’s withholding of crucial data is yet another sign that the balkanization of security research is here to stay.
Two weeks ago in this newsletter, I griped about Google’s sudden secrecy around the latest surge in Chrome in-the-wild 0day attacks and it seems the latest research is more of the same. Google did not release IOCs (indicators of compromise) to help malware hunters look for signs of this actor in their networks. No hashes. No information on the watering hole domains. No technical details on the exploit servers. No YARA rules. No IDS signatures. No victim profile or geographic distribution. Nothing, actually.
Google essentially flexed about its visibility into this APT’s arsenal and infrastructure and told the rest of us that there are super-adversaries roaming around our devices, and there’s nothing we can do about it.
We need to be demanding better. At a minimum, these higher-impact threat-intel reports should include IOCs and YARA rules. Otherwise, we should treat them simply as the marketing reports they are.
On to this week’s newsletter.
Kim Zetter and independent journalism.
When the time comes to set up the security journalism hall-of-fame, there’s a small handful of names that are no-brainers for inaugural membership. Kim Zetter is one of those names. She’s an old-school reporter with a nose for news, a tough interviewer, and a fact-checker who is so meticulous and careful, I sometimes wonder how on earth she ever hits a publishing deadline.
I watched closely as she compiled notes for the definitive book on Stuxnet (buy it, read it!) and I’m still in awe at the way Kim took a complicated technical story and told it in such an accessible and credible way.
As someone who’s bullish on the business of independent journalism, I’m thrilled to see Kim launch her own project that I know will lead to incredible cybersecurity coverage.
Go subscribe here: https://zetter.substack.com.
The first article is already live and, as expected, it’s high-quality work advancing the SolarWinds supply chain story.
🎧 Listen here to my podcast with Kim Zetter.
Security marketing no-nos.
VP of Information Security at Netflix Jason Chan (listen to my podcast with Jason here) is so fed up with shenanigans from security marketers that he wrote a LinkedIn piece with some solid advice. The fact that some of these need to be said makes me cringe:
- DO NOT CALL ME ON THE PHONE. There is no situation where I’m looking to have this conversation.
- Don’t offer me a gift card, gift, or cash in exchange for a meeting. Just no.
The $25 UberEats gift-card offer in exchange for sales demos is particularly ugly but, let’s keep it a buck, there’s someone at the other end of these offers happily accepting the bribe. That someone is masquerading as a security leader and defender. Just another ugly thing about this industry.
Of unicorns and bootstraps
Two quick hits with two sides of this industry:
- Axonius, a company with $10 million in ARR, flexed its unicorn valuation with billboards in New York City’s Times Square.
- Thinkst Canary, a company with $11 million in ARR, celebrated the milestone with a blog post on bootstrapping and building a sustainable company without the VC hype-machine.
🎧 Listen to my podcast with Thinkst’s Haroon Meer on his approach to entrepreneurship.
Hacking the cloud.
Clint Gibler’s enjoyable tl;dr sec newsletter pointed me to these valuable tools for understanding cloud security.
Tangentially.
If you’ve ever wondered about the complexity of computing, this one will give you a kick. Someone wrote an entire game inside a font. It’s called Fontemon and you can play by typing letters on a keyboard.
Have a great week and reach out with things I should be doing better.
_ryan
PS: The podcast is available on all platforms (Apple, Google, Spotify and Amazon). As the kids say, like and subscribe, like and subscribe.