This is the first of several pieces we’ll publish in honor of Cybersecurity Awareness Month, though it’s more Cybersecurity 365 for co-authors Josh Swarz and Andy Shane. Below is their interview with AJ Vicens, who covers nation-state threats and cybercrime for CyberScoop.
Since 2004, the President of the United States and Congress have declared the month of October to be Cybersecurity Awareness Month, a dedicated month for the public and private sectors to work together to raise awareness about the importance of cybersecurity. At Big Valley Marketing, we work with the top cybersecurity leaders – and reporters – daily.
In recognition of the initiative’s 20th anniversary, we thought it would be interesting and helpful to take the pulse from a respected cybersecurity reporter on a wide range of topics pressing the industry: from threat intelligence reports (what makes a good report) to ransomware and nation-state attacks, and the ramifications from the recent SEC disclosure ruling.
AJ Vicens covers nation-state threats and cybercrime for CyberScoop, one of the leading media brands in the cybersecurity market. CyberScoop reports on news and events impacting technology and security, reaching top cybersecurity leaders online and in person through its website, newsletter, events, radio, and TV. AJ has over a decade of cyber experience, including 2+ years reporting at CyberScoop; he was previously a reporter at Mother Jones.
BV: Many vendors produce threat intel reports. What are some of the key ingredients that make specific reports stand out from others?
Vicens: I appreciate reports that convey unique insights or analysis, share as many IOCs/TTPs as possible, and contextualize the research with as much previous research on the topic as possible. Sadly, some vendors need to push out commentary or blogs related to every significant cyber incident, even if their data/insights/telemetry are not new or do not advance the conversation at all. I get the impulse, but as a journalist, it makes me view that particular vendor as more opportunistic than anything else. More disturbingly, some vendors are reluctant to cite previous work by competitors, even if that helps the reader gain more profound knowledge.
I also appreciate reports that try — as clearly and quickly as possible — to convey why the particular topic matters and how it might apply to the broader community. It can be quite time-consuming to get a report from a vendor and recognize that there’s likely a kernel of something interesting there, but have to take a lot of time going back and forth to pull out a) what’s new, b) why people should care, and c) what specific and unique data the vendor has. Geopolitical context can help ground the operations or observed activity in the real world.
BV: What are some of the immediate red flags of a report that might prevent you from covering it?
Vicens: Red flags for me are vendors who always try to speak on everything, whether through blogs or with commentary from company execs emailed over unsolicited when any significant story breaks. Also, the lack of citations of other vendors’ research indicates that the report is more marketing than substance. Sometimes, vendors imply that a victim or set of victims in a given circumstance would have been saved if only they used that vendor’s products, which is almost certainly untrue and comes off poorly in the moment.
BV: Thoughts on vendors coming up with different names for the same attack? Does it make covering attacks that much more difficult?
Vicens: This confused me when I started covering the beat daily, but I learned it makes sense. Each vendor has only a limited set of data on a given situation, a limited view, or a limited slice of the pie. It makes sense that they’d have different ways of tracking or grouping particular activity, even if it’s likely that they’re talking about the same thing as competitor X or competitor Y.
What’s helpful is when the reports say that what they’re talking about has overlapped with the name used by a different vendor for the same or similar activity, mainly when there’s detail about what those overlaps are. You might be surprised how often I ask vendors whether APT WHATEVER is the same as <INSERT NAME> from another group, and they have a hard time confirming that. It can be tricky, and the readers need to be served better. I appreciate when vendors say we call this group BAD GUY X, which overlaps with another vendor’s BAD GUY Y in these ways. It’s only sometimes possible to know everything that goes into another vendor’s analysis, but it’s beneficial for us to the extent possible, based on public reporting.
BV: There has been a steady increase in ransomware attacks over the past several years; where do things go from here?
Vicens: That’s a tricky question to answer. As long as organizations are paying ransoms, there will be people out there who will extort them for those ransoms. I’m not blaming victim organizations or suggesting that ransoms shouldn’t be paid (that’s a topic that people much smarter than I disagree on). Still, it’s an apparent criminals-go-where-the-money-is situation.
There has been movement toward a more cohesive deterrence and response approach from the international community, and we are seeing more proactive action from the US DOJ, FBI, and agencies in the UK and other nations to reach out and disrupt ransomware infrastructure, financial streams, etc., so progress is being made. Sadly, I think this problem will continue as it is wildly profitable for criminals.
BV: There has also been a lot of activity from nation-states – China and Russia come to mind. What are some of the key trends you’re seeing now?
Vicens: This could be (and is) the topic of multiple books, college courses, and more. But generally speaking, cyber operations (espionage, disruption, destruction) are one of several tools that states use as part of an overall policy implementation approach, both foreign and domestic.
In that sense, the cyber activity follows geopolitics fairly closely (at least the stuff that becomes public or that we end up finding out about from governments or original vendor research that makes it into the public domain). With China, we see an aggressive approach with intellectual property theft, cyber espionage operations around the world, disinformation and influence operations around the world, the monitoring of perceived dissidents domestically and around the world, and the use of technology investments as a means to gain insights and vision and intelligence into corporations and states (see Africa).
Russian operations are voluminous and constant, particularly concerning its war on Ukraine. Intelligence collection worldwide to gain insights into critical topics abounds (supply chains, weapons aid, political discussions of support for Ukraine, etc.). But the Russians are also aggressive with respect to destructive attacks. A report out just this week from Ukraine’s top cyber defense agency detailed ongoing wiper attacks targeting public and private interests there.
BV: The SEC recently finalized its disclosure rule mandating that companies file their 8-K disclosure within four days of an attack. Will this do more harm than good?
Vicens: I have not studied this topic to the extent that I’d feel comfortable weighing in. I’ve heard the arguments on both sides, and it’s certainly an area worth watching, and obviously, whatever happens going forward directly impacts public companies’ responsibilities. As a journalist, my default is to say that the public has a right to know in many cases, but I can appreciate that the situation is much more nuanced than that and other considerations loom large.
While Cybersecurity Awareness Month is a great opportunity to bring the need to ensure proper cyber hygiene to the forefront, we also believe that we cannot relegate this initiative to ‘just one month.’ Big Valley Marketing will continue reporting on various aspects of cybersecurity throughout the year and will do our part to ensure we bring you the latest perspective from reporters like AJ.
To learn more about how we can help your organization, contact Josh Swarz at firstname.lastname@example.org.