[Midway] Hacked Your Beat_ Asking the Right Questions When Cybercriminals Target Your Community
3:46PM Jun 22, 2021
Welcome to our session about cybersecurity at ONA 2021. I'm so happy to be here with you. Before I introduce my guest, Katie, I want to say a little bit about the global cyber Alliance and myself. My name is Julian Hayda. I'm the Newmark journalist scholar at the Global Cyber Alliance. We are a global nonprofit that works to mitigate cyber risk. And my job as part of the Craig Newmark Internet Democracy Program is to inject a little bit of journalism into the cybersecurity dialogue that is happening. And hopefully a little bit of vice versa, as well. Just as a note, the fellowship is open, please replace me, be the new me. The fellowship the program is a lot of fun, and I've been really happy to do it for the last year. So with me is Katie Nichols. I'm going to have Katie, introduce yourself. But we're here to talk to you about how do you cover cybersecurity in your local community. When cybersecurity hits the community, when a cyber attack or cyber event, we're going to talk about terms in a minute. arrive in your community these are the nuts and bolts. This is a how-to, how do you report on breaking cyber news in your community. So with me, it's Katie Nickels. Katie, take it away. Why am I talking to you, you know everything.
I am so happy to be here, Julian. My name is Katie Nickels. I'm the director of intelligence at a cybersecurity company called Red Canary. We do software as a service, we are a security ally, help people find intrusions on their networks, quite simply. I'm also a fellow at the Atlantic Council. I teach for a company called Sans provide cybersecurity training. And I'm really fortunate in my work that I get to talk to a lot of journalists. And so my pleasure to be here today to talk about some of the things that I've seen go really well in cybersecurity journalism, that haven't go gone so well, to hopefully help you all out as you cover all of these many cybersecurity stories that are breaking every day now.
Yeah, to say the least. I you know, 2020 is a heck of a year. I mean, it goes without saying 2021 is stacking up to be just about the same. But this presentation is directed towards mostly beat reporters, right. So when I think of beat reporters, I think if people cover education, health, business, government. Any sort of beat has, at one point or another in the last year been touched by some sort of cybersecurity story. So, you know, you don't need to be a tech reporter necessarily. You don't need to be a cybersecurity reporter, since those beats existed, often because of big papers, national papers, TV networks. But if you're working for a local newspaper, or a local radio station, and you cover schools, well, 400 schools, experienced cyber attacks in the year 2020. Your local school could be shut down as everybody is at home studying virtually What does that do? What does that mean? How do you report on it? Hospitals do you cover health? Last thing you want is for the for the systems to fall at the hospital? And and how do you report on that? How does healthcare get interrupted? And how do you kind of know how to address that? So there's a lot of examples. And here's just a few of why this can become a very local story and the cybersecurity can go from being a tech story covered by the national papers and TV stations, very much into your local community. And we want to help you cover it. So I have a couple of questions. Katie, you're you're on the other side of the microphone, on the other side of the notepad often. So first of all, what are some of the questions What are the right questions that journalists should be asking when their local school, hospital, government, business, whatever, has experienced a cyber attack.
So the good news is you can rely on your classic five W's and the H. A full disclosure, I was really into journalism in high school and college so I'm familiar with these. The one thing I wanted to point out, though, is that, okay, these same questions that you'd apply to any story can really apply to cyber stories, too, but they're going to be a little bit different. So for example, everyone wants to know who, who is behind the keyboard, who's behind this cyber attack. Be aware that that's not always very easy. You know, in physical crime, it's much easier to say cool, we found the human fingerprint, we found the adversary or the criminal, but online, the who might be unknown, especially when a first story first breaks.
The what? This is where I feel like a lot of reporters, especially who are new to cyber get intimidated. What happened? Well, Oh, my gosh, I have to know all the bits and bytes and exactly what happened with the malware. Don't worry too much about those technical details, right At a high level, what happened? Some common things data was stolen, data was leaked, there was downtime for a company, right? Think about that high level what?
When? To another thing that might be unknown again, in cyberspace. Sometimes figuring out how long these intrusions or attacks happened for when did they happen if they've been in there for six months, six years, that takes a lot of time for researchers to figure out so be aware that your when, the date that it was discovered, might not be when it started.
The where? This is another one where you know, we always wanted a location of attacks, a lot of law enforcement is designed for physical locations. But in cybersecurity location does not matter as much in terms of Hey, I could be compromising someone anywhere in the world right now. It might have implications for you know, what countries are doing what, who's harboring criminals for law enforcement. But in terms of where, be aware that okay, just because maybe, you know, cyber attack came from an IP address in a certain country, doesn't mean that's really where it originated. I could pretend that my computer was coming from China or Russia or Iran or anywhere right now.
The why? Julian, we're gonna hop in there on the on the where.
Nice. It's, it's kind of unsettling, because if there's a crime in your local community, and you're a crime reporter, you show up at the scene, and you pretty much have some of those answered, answers figured out. But it's it's not so cut and dry.
Yeah, yeah. The Where's also interesting, because if you're covering, you know, a local story, with schools or hospitals, right, that's local, but for example, with hospitals, your local hospital might be effected, but it could be part of a huge compromise from a larger, you know, hospital community that's that are all connected. So, yeah, that were is a tough one to think about.
In terms of the why, you all know this, you work with people, why do humans do what they do? It's also a tough question to ask. In cybersecurity, you'll often hear, you know, the big motivations are broken down into things like, you know, espionage, stealing secrets to financial gain, or hacktivism kind of a form of activism. Those can be helpful at a high level, but be aware that those aren't necessarily mutually exclusive. Adversaries might be, you know, stealing information for their day job espionage, and they might be going off and stealing credit card numbers to so be aware of oversimplification on the why. And then that how, again, don't get intimidated by every single technical detail. Think about the overall big picture explaining what happened, how did it happen to the average person who is going to be reading your stories.
Yeah, things like they got in or something like that. Does that work?
Yeah, that works.
Yeah, it's a great points and you know, I think to your point, Julian, using the right words like this is not Something that I, as a cyber security person have to tell journalists, but who really matter, you know, saying something was compromised? What was it compromised? Or was there a social media influence campaign? Those are different things. And in general, you know, I would encourage everyone to ask the questions that you have. I try not to judge cyber security reporters questions saying, Well, why do you do? Why do you ask that? But one thing that I would encourage you to think about is not asking leading questions is a good journalistic press practice in general, right? Thinking, sometimes I'll be asked, for example, like, Why are things getting so much worse? So be aware of like the hyperbole kind of that hype cycle? So that's one thing I kind of lean away from those kind of questions. Why is this so bad?
Sure.A lot of this stuff also has a lot of jargon. I mean, there's a ton of jargon. And so, you know, what are some need to know terms? And maybe how do you explain them to a lay audience?
Yeah, and that's one of the things I really try to do when I'm talking to reporters is break these things down. But a couple terms to be aware of. The first one kind of funny, the term hackers, watch how you use that. A hacker is just someone who uses something for an unintended purpose. And so in cybersecurity, we talk about what we call white hat hackers, who are people who their job is to figure out how systems are broken, so they can be fixed. And so a lot of people in this community have sort of a negative reaction to the term hacker being used to mean a criminal. So think twice before you use the term hacker to mean that. Some terms that I'd consider instead of hacker might be adversary or actor, operator, or whatever your style guide says. That's the first one hackers Watch out for that. On the next one, we've thrown this term around already attack. That word attack, it's tempting because it's kind of scary. And you know, your editor might throw that into a headline to make the story a little more engaging. Watch out for that word, because in the cybersecurity community, there are a lot of people who interpret an attack, a cyber attack is having some kind of maybe destructive or tampering component. It's a recent example, that Microsoft came out with a blog a few weeks ago, about how this group called Nobelliam had sent phishing emails to a bunch of organizations and think tanks. Well, some people might have reported that as a cyber attack. Well, malicious phishing emails, which we'll talk about come in pretty commonly. And so is that really an attack? Just be aware of that word kind of has a certain connotation to some people. So maybe think about compromise or intrusion or influence operation, try to hone in on what actually happened rather than just saying attack in general.
It's kind of like the difference between an attempt versus a successful kind of intrusion, right? Like, everybody gets phishing emails, that doesn't mean you means you're attacked in some senses, your your, you know, but you don't fall for it. So yep, that's kind of an extinction.
That word attack has a lot of baggage. So tread cautiously. Some other terms, right malware, you'll hear that any kind of malicious software code, you know, you'll often hear about adversaries living off the land, which means using normal tools like in Windows in bad ways. So malware might refer to any kind of malicious code use.
Course, we're all familiar with ransomware unfortunatel. Ransomware generally describes when adversaries get into a network, and then they encrypt files, so users can't access them and demand payment before you can get access. That's sort of the traditional ransomware. But one good thing to be aware of, that we've seen more recently, in the past year or so from ransomware, adversaries will not just encrypt data, but also steal it, and then say, pay us or we're gonna leak it to the world.
So be aware, there are a few different things that ransomware operators are doing nowadays in operations. Others to we already mentioned phishing, right? Phishing is just any kind of use of social engineering trying to trick a victim into doing something like clicking the link, opening an attachment. You could fish someone via phone, but usually when we say phishing, it's going to refer to a phishing email. The other term that I wanted to introduce you to is called a denial of service sometimes called a DoS, or Distributed Denial of Service if you hear the term DDoS. So this is basically when a network or a system is just overwhelmed with a whole bunch of connections coming in. And usually the goal is to cause it to go down. So if my company has a public website, and maybe activists say I don't like your message, they're going to organize. I would call this an attack where they all come come in from a bunch of different addresses, and the website goes down, that's a denial of service attacks. So these are a couple of the terms that you're likely to hear. Of course, there are many more, but hopefully that kind of gets you started.
I mean, they're very different, right? Like denial of service is kind of preventing some sort of public facing work versus ransomware has to do with like records and files and like access to your own stuff. So that's, that's kind of also the breadth of it is can be kind of overwhelming sometimes.
So I want to talk a little bit about the process, like how does a local institution suffer from an attack like this? Whether it be ransomware or something else? What do the adversary is? Or the attackers or or the people doing this kind of this, this activity against an institution? How do they do that?
You're choosing your words carefully. This is great. It's like you listen, you didn't say hackers. Yeah. So something that I think, you know, a lot of people don't realize is that these cyber intrusions don't come out of nowhere. That adversaries go through different phases. And you're gonna hear a lot of these terms. So to kind of continue that terminology thing. A lot of times, you know, cybersecurity people will talk to you about this Kill Chain, cyber Kill Chain or attack chain. For example, adversaries have to gain initial access, they have to get into a network, somehow. They might do what's called lateral movement, which is basically just jumping from machine to machine might hear command and control these things sounds scary, but it just means the adversary is trying to phone home, right ET phone home, communicate with some other system to get instructions on what to do. And so the really important thing about this is that there are different phases, right, as we talked about just gaining initial access, you can stop that intrusion there and it may not proceed further.
So moving to the next slide, I wanted to kind of break down a common ransomware type of intrusion. So a lot of times, right, people don't think about ransomware doesn't go poof, magically just appear. Adversaries often will get in via initial access, something like a phishing email, they'll do reconnaissance, they need to learn about the environment, what is here, then they like to move around the network, do that lateral movement to try to figure out okay, how can I cause my maximum damage? In ransomware, as I mentioned, a lot of adversaries will exfiltrate they'll steal data, and then they'll encrypt it to do something we call double extortion. And so what's so important about this chain concept is, right, if you're covering a story where data was exfiltrated, and encrypted, that's so much different than if you know, an organization just had initial access, just had some phishing emails, and then they stopped that intrusion. And so this is something that I try to explain to a lot of journalists I talk to, right. It's different phases. There's a whole chain of events that happens to happen, that happens in these intrusions.
And I just want to hang a little bit on the lateral movement part, because for example, if we think of like, you know, a government, like a local government might be working on some sort of sensitive information, say, it's like a, you know, police investigation or something like that. But in their parks department, they work with a contractor who uses you know, uses password for their password. The lateral movement, meaning that the contractor or the parks department has a bad password. They get into the city systems and the lateral movement, you know, kind of can can can open up for example, more sensitive information, right? So that's kind of what you mean by lateral movement. And then what gets exfiltrated has nothing to do with the contractor in a bad password. It's it's the police investigation into something very sensitive. So like, that's the kind of situation you know, where happen naturally might happen locally. Yeah. Or
does a lateral movement from one organization could be the initial access into another so you can start to chain the chains. And like, that's a whole nother discussion, though.
Cool. Well, another one of the challenges is when you're reporting locally is, oftentimes you want local sources, right? And you want sources who know what they're talking about, and reporters, especially if it's not their beat, right? If they're not on a cybersecurity beat, they're on an education beat. How do you find someone to talk about cybersecurity to comment on this story where, you know, all of the kids in your school district all their data has leaked, or all of their, you know, they can't access their lesson, you know, anything like that. Who do they talk to? Who do reporters talk to in this case?
Yep. So for cybersecurity stories, right, go back to your traditional who's involved, call them. Be aware that if you call a company that got breached, you you know, call up your local FBI field office, they're probably not going to comment. You always should ask but they might not. So good idea is reach out to subject matter experts, cybersecurity people who can help you try to understand what happened, interpret whatever little information to do to find those people. Look at who other reporters are talking to. This is one common thing, you know, follow a different cybersecurity news sources and see who are they talking to.
If you are looking for someone local, which this is a great opportunity that you have as a local beat reporter, maybe to elevate people in your own community who are knowledgeable about this. There's an organization called ISSA of information security professionals. go search for your local SSA. They're also a local security conferences called besides that are all around the world. go search for your local Bsides conference, see who organizes it, and then just find them on LinkedIn or Twitter. Right.
A lot of times people have never been asked, they have a ton of knowledge to share. And they'll just be honored to be asked, I know I always am. I mentioned Twitter, look on Twitter, right? Who is talking about what. I am really active, I talk about things and reporters follow up. And that's great. And I love sharing knowledge. So search keywords, search about your story on Twitter, see who's talking about these things. One final note on sources. You all know this, but consider where your source works, what are their potential motivations? You know, a lot of people in cybersecurity work for vendors, people who sell cybersecurity things, which that's what Red Canary does, we sell things, and that's fine. that'll probably be a source of a lot of good quotes for you. But just be aware, what are their motivations? Do they have, you know, motivation to sell something in particular? And what's their visibility? You know, my company looks a lot at endpoint data, another company who looks at dark web data and might have a different perspective. So always keep that in mind. What visibility is your source have? What are their motivations? Sure.
Yeah. And I want to emphasize that local bit, because there I did some googling, I mean, there's there there Bsides everywhere, and there's cybersecurity experts everywhere. I mean, you could type in like, Bsides Des Moines, and there's, there's one, right? There's the Dakotas have an annual cybersecurity conference. So there's, there's people who, who practice cybersecurity everywhere. And, and it's, it's, it's just, you know, you don't have to look to like big universities or big cities to find that. Okay, last, our last little lesson is about pitfalls. What do you avoid? You don't want to confuse yourself, when you're a reporter. You don't want to confuse your audience. You don't want to mislead anybody, you don't want to make the situation worse. So what are some things that journalists can avoid to make things safe and good?
Yep. Yeah, a couple of things that I've seen. The first one I alluded to earlier, this idea of like getting so intimidated, it's the cyber stuff. I don't understand cyber things and like, thinking, you're never gonna understand all that. Don't think that way, right? It's your job as a reporter to talk to technical people and help them translate, right, all these things they know into things your readers can understand. So don't hesitate to keep asking questions. I love talking to reporters for this reason because sometimes I don't know if I can really explain something well, and I'll say something I think makes sense to my cyber security practitioner mind, then they're like, what does that really mean, Katie? and then we talk through and their questions, help me gain an understanding. So don't hesitate. If someone says an acronym or something you don't understand don't hesitate to keep following up, like cyber security, people are generally so happy to share their knowledge. So don't hesitate to keep asking questions.
I've also learned a lot from metaphors. Right. So yeah, I mean, I'm a journalist. And before coming to the Global Cyber Alliance, I knew very little bit other than kind of covering some victims of cyber attacks in Ukraine. You know, what, what, what, you know, how to explain these things. And metaphors help, you know, like intrusions kind of talking about a house, the key and things like that. I mean, so how would you have journalists address metaphors in being able to explain what happened to an audience without also misleading them?
I think metaphors are wonderful. And so if, as a journalist, you have an idea, hey, I think this could be like opening a door with a key, like, tell me that. And then what I can do is kind of adjust and say, well, that kind of works, but might want to think about that. So I love that. Like reporters are amazing because they help us explain things in ways that cybersecurity people just can't to the common person. Another point that's sort of an interesting one, talking about estimative language and an intelligence my field This is really important because we make assessments based on information and so this is something as a reporter watch out for this. If someone tells you that it's likely possible Chinese state sponsored actors, make sure to include those kind of hedging words. Those words of estimated probability really matter, because we talked about knowing the who is really difficult. So whenever you hear those words, those are wants to make sure you include hedge hedging things. Information changes, especially in cybersecurity cases.
And to your earlier point about sources having perhaps a perspective or motivation. Sometimes it would seem, you know, if their their partisan interests to make, you know, some foreign adversary look worse, or something like that, that attribution might come quicker, or more loosely. So it's important to kind of in terms of both attribution and your sourcing to understand perhaps where certain vested interests might be.
Yep, absolutely. And information changes. So if you use those, it's likely or possibly, that helps you too. And that actually brings us to the last point there, watch out to focus too much on attribution to a country, right. Everyone wants to know, is that Russia? Is it the US? is it China? But there's a lot more that you can cover in terms of cybersecurity stories beyond just what country is this and be aware, especially in early days, finding that country level attribution is so tough, and so be aware that there's a lot more you can cover, even if that's unknown, so that'd be my last pitfall to watch out for.
Cool. Well, thanks so much, Katie, we've covered so so so much. in such a short amount of time, I'm really thankful that you made the time to join us at ONA2021. Here's our contact info field, please feel free to reach out we're going to be answering some questions after the session. So please feel free to dive into that. The Global Cyber Alliance also helps journalists. And so if you ever need anything, visit our website, we do monthly office hours, in case you have questions about how to protect yourself from these kinds of attacks. We can also probably help you cover stories. Katie, you're a great resource to how do people find you?
Yeah, find me on Twitter at @likethecoins. I'm also on LinkedIn. So I love hearing from folks. Feel free to reach out with any questions and thanks so much for having me.