The Kids Are Not Alright

9–16–2024 (Monday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, September 16, 2024. Fall is quickly arriving, so if you’ve got things you want to do that don’t involve a screen but do need decent weather - probably should get those on the calendar.

The Kids Are Not Alright

There’s been a good bit of news over the past week about the very real impact of teenage criminals.

In particular, I’m talking about an attack on Transport for London, known as TfL in the UK, who are in the midst of cleaning up after a massive attack - the details of which we’ll get to in a moment.

After suffering a cyber attack last week, the National Crime Agency (NCA) in the UK announced the arrest of a 17 year old “in relation to the attack, which was launched on TfL on 1 September.”

This attack, which took TfL down entirely for multiple days, is being attributed to the same group - Scattered Spider - that successfully attacked the MGM and Caesars casinos in Las Vegas.

While TfL has literally been able to keep the trains running (due in no small part to network segmentation, one imagines), they have recently adjusted their previous public stance that no customer data was impacted, updating the status page line that previously said, “There is no evidence that any customer data has been compromised,” and replacing it with, “The security of our systems and customer data is very important to us.” Because of course it is. They have since updated one of their pages to note “we’re contacting customers directly about steps being taken regarding their data.”

In response to the attack, Transport for London has locked all 30,000 of their accounts and is in the midst of resetting each of them. Manually. By having employees come into the office. This is a massive undertaking, and they’re providing updates via a newly registered WordPress site at “tflemployee.com.”

I’m not passing judgement on them for their approach - in fact, I’m impressed that they’re willing to undertake such a burdensome process in the name of security.

Would you and your organization? Probably not.

So, instead, we need to focus on defeating this attack. As a reminder, the main tool that Scattered Spider / LAPSUS$ uses is the fact that they’re native English speakers: they simply call up the Helpdesk, pretend they’ve lost their phone, and ask for an MFA reset.

This means you’ve got to have a playbook for this - known as “MFA Stripping” - to ensure that you aren’t literally giving the attackers access.

This aligns with the findings released last week by CISA, the Cybersecurity & Infrastructure Security Agency, whose “Analysis of FY23 Risk and Vulnerability Assessments” showed that successful attack rates were dominated by simply using “valid accounts” to gain access - at over 41%. #2 was closely related - phishing - at a success rate of over 26%.

Defending against this threat may mean taking the hard stance of asking (or requiring) employees to come into the office to re-add an MFA device. It also means empowering your Helpdesk employees to be willing to push back on employees who are suffering a productivity hit and are probably embarrassed and otherwise upset about the hoops they have to jump through.

Let’s be clear: asking employees on a one-off basis to come into the office when a device is lost is FAR preferable to asking all employees to come into the office in a single week. This just seems prudent to me.
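To make the playbook concrete, here is an added example (mine, not TfL’s process and not Intentional Cybersecurity’s tooling) of what a helpdesk MFA-reset decision looks like when written down as code. The proof types, thresholds, employee records and the burst-detection window are all assumptions chosen to illustrate the policy described above: caller-supplied knowledge is never accepted as proof, privileged accounts re-enrol in person only, anomalies push the request to the security team rather than letting the agent complete it, and a cluster of reset requests across several accounts is treated as a detection signal.

```python
"""Helpdesk MFA-reset playbook expressed as code.

Hypothetical example written for this transcript. Field names, thresholds
and proof types are assumptions, not any organisation's real procedure.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Proofs that do not depend on what the caller *says*. An attacker who has
# phished a password and read the HR directory can still recite a name, date
# of birth and employee ID, so those are deliberately not on this list.
STRONG_PROOFS = {
    "in_person_photo_id",                 # employee shows ID at the office
    "manager_callback_directory_number",  # agent calls the manager back on the number already on file
    "approval_on_other_enrolled_device",  # a second, still-enrolled authenticator approves the request
}


@dataclass
class EmployeeRecord:
    employee_id: str
    directory_phone: str
    is_privileged: bool = False
    phone_changed_at: Optional[datetime] = None
    last_reset_at: Optional[datetime] = None


@dataclass
class ResetRequest:
    employee_id: str
    channel: str                          # "phone", "chat" or "in_person"
    requested_at: datetime
    proofs: set = field(default_factory=set)
    caller_number: Optional[str] = None


def decide_reset(req: ResetRequest, rec: EmployeeRecord) -> tuple:
    """Return (decision, reasons) where decision is 'approve', 'escalate' or 'deny'.

    'escalate' means the agent may not complete the reset: it goes to the
    security team, or the employee comes into the office to re-enrol.
    """
    if not (req.proofs & STRONG_PROOFS):
        return "deny", ["no strong identity proof; caller-supplied details are not proof"]

    if rec.is_privileged and "in_person_photo_id" not in req.proofs:
        return "escalate", ["privileged account: MFA re-enrolment is in-person only"]

    flags = []
    if rec.phone_changed_at and req.requested_at - rec.phone_changed_at < timedelta(days=7):
        flags.append("directory phone number changed within the last 7 days")
    if rec.last_reset_at and req.requested_at - rec.last_reset_at < timedelta(days=30):
        flags.append("a reset was already performed within the last 30 days")
    if req.channel == "phone" and req.caller_number != rec.directory_phone:
        flags.append("caller ID does not match the number on file")
    if flags:
        return "escalate", flags
    return "approve", ["strong proof present and no anomalies"]


def reset_burst(events: list, window: timedelta, threshold: int) -> list:
    """Detection side: timestamps at which `threshold` or more distinct accounts
    requested a reset inside `window`. Helpdesk-driven campaigns tend to hit
    several accounts in a short span, so a burst is worth paging on."""
    events = sorted(events, key=lambda e: e[0])
    alerts = []
    for t, _ in events:
        accounts = {acct for (u, acct) in events if t - window < u <= t}
        if len(accounts) >= threshold:
            alerts.append(t)
    return alerts


# Constructed sample data (hypothetical employees and phone numbers).
NOW = datetime(2024, 9, 16, 9, 0)
RECORDS = {
    "e100": EmployeeRecord("e100", "+44 20 7946 0001"),
    "e200": EmployeeRecord("e200", "+44 20 7946 0002", is_privileged=True),
    "e300": EmployeeRecord("e300", "+44 20 7946 0003", phone_changed_at=NOW - timedelta(days=2)),
}
BURST_EVENTS = [(NOW + timedelta(minutes=m), acct) for m, acct in
                [(0, "e100"), (4, "e310"), (9, "e222"), (13, "e405"), (90, "e100")]]


def run_demo() -> dict:
    """Run four constructed requests through the playbook; returns name -> decision."""
    cases = {
        "knowledge_only": ResetRequest("e100", "phone", NOW, {"knows_employee_id", "knows_dob"}, "+44 20 7946 0001"),
        "admin_by_phone": ResetRequest("e200", "phone", NOW, {"manager_callback_directory_number"}, "+44 20 7946 0002"),
        "recent_phone_change": ResetRequest("e300", "phone", NOW, {"manager_callback_directory_number"}, "+44 20 7946 0003"),
        "in_person": ResetRequest("e100", "in_person", NOW, {"in_person_photo_id"}),
    }
    return {name: decide_reset(r, RECORDS[r.employee_id])[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:22s} -> {decision}")
    print("burst alerts:", reset_burst(BURST_EVENTS, timedelta(minutes=30), 4))
```

The point of the structure is that the agent never has discretion to accept a convincing story: the only way out of `deny` is a proof the caller cannot talk their way into, and anything unusual lands in `escalate`, which is the organisational backing the Helpdesk needs to push back on an upset, embarrassed colleague.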

In this same space, there was also news out of the Netherlands that a 19-year-old was arrested for a widespread phishing campaign - his FOURTH arrest.

Reporter Brian Krebs has a deeply researched piece on his site about the nexus between disaffected young men online and these so-called “harm groups” that are having real world consequences. The read is a bit heavy, so fair warning. The article explores how “Many of these young, Western cybercriminals are also members of fast-growing online groups that exist solely to bully, stalk, harass and extort vulnerable teens into physically harming themselves and others.”

While not purely a cybersecurity issue, of course, the nexus between threats, attacks, and real world harm - plus being a parent of kids in the digital age - makes this an issue that is harder and harder to ignore.

Once you finish updating your playbooks for MFA resets, go give your kids a hug.

Fundraising

From a fundraising perspective, we’re back to the big leagues, friends. More than $27.5B in newly committed capital, led by ICG, who raised $17b for its fifth European direct lending fund, the largest of its kind ever to close in the region.

We also saw Bain Capital Life Sciences raise around $3b for its fourth fund, and a host of billion dollar-ish commitments driving this big week for dry powder.

Also of note in this space was a good article from the FT about VC activity in China, which laid out a thesis about why “In 2018, at the height of VC investment, 51,302 start-ups were founded in China, according to data provider IT Juzi. By 2023, that figure had collapsed to 1,202 and is on track to be even lower this year.”

It all boils down to involvement by the state, including not only making up reportedly 80% of the capital allocated in this space, but also directing investment to or away from industries that align with Xi’s vision for economic prosperity moving forward, notably away from “biotech, consumer technology and education” and towards “energy, integrated circuits and new materials.”

Macroeconomic nerds, this story’s for you.

With that, a reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.nationalcrimeagency.gov.uk/news/arrest-made-in-nca-investigation-into-transport-for-london-cyber-attack

https://techcrunch.com/2024/09/10/londons-transit-agency-drops-claim-it-has-no-evidence-of-customer-data-theft-after-hack/

https://tflemployee.com/faq/

https://www.cisa.gov/sites/default/files/2024-09/InfographicFY23RVA508.pdf

https://www.politie.nl/nieuws/2024/september/12/19-jarige-amersfoorter-voor-vierde-keer-aangehouden-voor-phishing.html

https://krebsonsecurity.com/2024/09/the-dark-nexus-between-harm-groups-and-the-com/

https://www.ft.com/content/1e9e7544-974c-4662-a901-d30c4ab56eb7
