Saturday, January 14, 2017

Botnets, swarms, operating at scale, sharing notes

"Imagine ubiquitous, intelligent robots collectively performing complex tasks. By combining intricate algorithms, defined rules, and continuous sensor data, swarm behavior can emerge. Entrepreneurs are using this collaborative intelligence to develop applications for drone swarms in the air, on land, and by sea. Watch out, Drone Swarms are coming!" ( 

Last week we held our first "Big Broadcast" a live audio event in which we talked about our thinking on futures —and swarms are one of those things I think about 3-5 years out. Not swarms of bees or drones or swarms of strike fighters or humanoids, but the computers, and I'm not sure we have the ability to protect against what's to come. Let me explain...

If you are a security organization, what’s the most significant thing you can do to combat threats from cyberspace? Work at scale. Are we there yet? Not yet.

In late last month, the cybercrime platform “Avalanche” was taken down by an international consortium of law enforcement agencies. It was an investigation that took four years to come to fruition, and would not have been possible without cooperation from and collaboration with 30 different countries. If you’re familiar with cybercrime history you know this sort of action isn’t new, but the scale of it is impressive. 

A total of five people were arrestedOver its eight-year lifetime, Avalanche is believed to have caused losses well into the hundreds of millions of dollars. Campaigns run through Avalanche impacted systems in over 180 countries. Avalanche had control over as many as 500,000 systems, every day, across the world. Five people!  

Reports don’t reveal how many law enforcement agents, attorneys, technicians and participants from the private sector were involved, but it’s a safe bet that we’re talking about at least mid-to-high hundreds. From the perspective of scale, the bad guys still have us beat hands-down.

Avalanche was a semi-automated, semi manual process, relying heavily on money mules, but was the favored means for delivering Zeus and ZpyEye malware — he tools used to clean out accounts. The manual link of requiring money mules, limited the amount of damage that could be done at any given time. 

Now consider this: what if Avalanche were fully automated, autonomous, using peer-to-peer communications and coordination between those 500,000+ drone computers? What if a user simply enters the name of a system into a point and click interface and those 500,000 computers took over attacking one victim organization at every vulnerable point using a range of poisons that allow the attacker to use the system for whatever they choose in future operations?

Our folks have participated in a number of botnet takedowns. No, they didn’t last long, but such efforts are merely the initial steps in our ability to skew the economics of this sort of malicious activity. Right now it takes a lot of time and effort to take down a Zeus botnet or a cybercrime platform like Avalanche, but that won’t always be the case.  But at the same time, the idea of automation and targeted botnet swarm attacks will continue to inch toward reality.

Takedowns are rare today, but as the negative impact of cybercrime grows, and once the good guys begin to promulgate lessons learned, such efforts will become more common. We hope that efforts of good guys outpace the efforts of bad guys, but to date this has not been the case. Momentum is building but protection (and liabilities) of your networks resides solely on the owner.

How do you do this? How do you protect yourself against botnets, future potential swarms (or at least higher velocity, higher frequency attacks) outpacing the ability for authorities to keep up?

Work on your technology. Develop your methodology and processes. Perfect your as-a-Service offering. Learn to operate at scale. When given the chance, don’t hesitate to participate in a collaborative effort to fight cybercrime. All boats rise on the tide. Security is no different. If you can think of a new way for groups of us to band together in efficient and cost effective ways, you’re making a greater contribution to the good fight than you will likely do on your own.  

Red Sky Alliance is one of those places, with intelligence, collaboration, sources and tools. If you'd like to see some of the kinds of reporting that we push to our Red Sky members, have a look at our readboard or the Wapack Labs blog. This is where we announce products that get pushed to our members. When they need help or have questions, they use Red Sky to ask. When they need help, we refer trusted partners for the strategy, consulting and/or incident response. For more information, contact us. 

Until next week,
Stay safe in the ice storm!

Saturday, January 07, 2017

Spend money on Insurance or Insights?

A colleague recently circulated a link to a report that claims that the cyber insurance market is going to top $14B by 2022. My rather glib response at the time was something to the effect of, “if cyber insurance policies are still a thing by then.” When pressed for an explanation, I gave the following analogy:

If I get supplemental life insurance I tell the agent that I'm so tall, weigh so much, don't smoke, don't drink, don't participate in high-risk activities, etc. He gives me a quote. Then he sends a nurse is to my house. She determines that I'm not quite that tall, I'm certainly not that thin, the house smells of Borkum Riff, the recycling container is overflowing with empty bottles of Jack, and the walls are covered with pictures of me skydiving, BASE jumping, and running with the bulls. Oh, she also takes my blood pressure, draws blood, and takes an EKG. 

A few days later the agent calls me back and says, “Yeah, that quote I gave you, it’s going to be a bit higher and the coverage, a bit lower.” I don't want my wife and kids to starve if I get hit by a bus so I sign and I pay.

Cyber insurance providers don’t send a nurse to your house. Some carriers make an effort to understand your IT enterprise and others basically take your word for it. In both cases, they ask you to pay A LOT of money in premiums for not a lot of coverage. The way most enterprises of any size operate, it is very easy to get out of compliance with your policy, which means the probability your claim will be denied in the wake of a hack is very close to 1.

Even if your claim isn’t denied outright, there is undoubtedly a cap on your coverage, which means that you’ll still have considerable out-of-pocket costs even if insurance pays out. In high-risk cases, you’ll end up paying first before insurance pays outOut-of-pocket doesn’t mean pocket change either. If insurers are forced to pay out too much, they’ll just stop writing new policies and cancel existing ones. Does no one remember when cyber insurance was a thing 5-6 years ago? You don’t? It was, they lost money, and they stopped doing it. The past is almost assuredly prologue.

You’re CEO of a company in an industry that is at high-risk for cyber-attacks. You could spend several hundred thousand dollars a year on insurance premiums or you could increase the budget of your cyber security team. Which do you choose?

I would argue that in fact you have a third choice: pretend there is a nurse at your house.

Spending a little time and money to assess your true digital health would be exceedingly enlightening. To paraphrase former Secretary of Defense Donald Rumsfeld, you don’t know what you don’t know when it comes to existing and potential liabilities. With this information in hand you have a much better idea of where to spend your limited security dollars to reduce risk, mitigate threats, and identify where insurance actually makes sense and how much. 

I would also argue that you can take things one step further my looking at the data and findings of your existing security testing regime and determine cyber security spending ROI, which would further reduce your exposure. For example, if you regularly conduct pen tests make sure they tell you what they tried that didn’t work (you’re spending enough money/have the right defense there).

Insurance is one tool of many that every enterprise should use to fulfill its risk assessment and reduction responsibilities. But corporate leadership also needs to appreciate that they can do a lot themselves, relatively cheaply, with the same insights that a nurse acquires when she uncovers difference between your image of your enterprise and reality.

Saturday, December 31, 2016

2017 and beyond?

I've been a little lazy about running metrics and probabilities on my 2017 predictions. The reason?  It's actually kind of boring! The idea of writing predictions for 2017 is very much like saying "it'll be dark until morning and then it'll be light".  As I look at 2017, I really calling this a no-brainer. My belief? 100% probability on each.

  • Ransomeware is being called out in just about every other predictive out there. No-brainer. Where there's easy money there'll be simple criminals; and since the vast majority of the attackers out there are simple criminals, ransomware poses a low-risk high payoff activity, and yes, it will cost you money --either to fix, or to pay them off. The upside? There are some tools out there that can help. Cybereason and others have published endpoint tools that watch for anomalous behavior, and claim to be able to stop Ransomeware before it begins. You tell me.
  • Voter manipulation??  Folks, you've seen only the tip of the iceberg. We've been talking about this stuff here for the last two years. A blog first appearing here was the reason for a story in the Christian Science Monitor two years ago, that received very little attention. Georgia, Ukraine, Bulgaria, more.  The NCCIC IOC list listed Carberp and BlackEnergy V2 and V3; tools we reported on in 2014 as we watched other elections unfold and those elections get tampered with. If you think this is new, you're missing the boat, and if you think this is going to stop because 35 Russian Spies and their families are booted from the country, you're mistaken.  Every country in the world will be using cyber as the equalizer. Russian breaches into Wordpress sites run by the DNC are easy targets, ripe for, at a minimum, understanding what's to come. 
  • Internet of Things? I think more about unprotected Cable Boxes! It's funny. Yes, I think about the Nest thermostat in my home and the fact Alexa (I got one for my birthday last year) listens all the time bothers me slightly, but that swarm of IoT devices doesn't bother me nearly as much as the idea that every cable modem gets deployed with the same user name and password; and then, even though the wireless is protected from the inside out using some form of WEP, WPA, etc., that generic user name and password can be logged into and used to turn off any security --all without the homeowner (or business owner) knowing, or being alerted. Worried about swarm attacks? You should be. That cable modem is likely one of the contributing factors. And it's only going to get worse in 2017 (and beyond). Cable modems. Really Stutzman? That all ya got? No, but the fact is,  users need higher bandwidth devices that will provide comms pathways for IoT, ICS, and tons of applications that will run through these little grey chokepoints, and those little grey chokepoints have nearly no protection. I think about this alot.
  • Hackless hacking is the idea that key logged systems are ubiquitous, and logging in with legitimate user credentials has become easier than ever. Shells, old DoS net commands, and legitimate credentials are not new, but they're making a reappearance and they're easy as hell to deploy and use. Drop in on a VPN to a local IP, use a legitimate user's name and password and viola, you're in. 
  • APT? It's still out there, but its pushed down from focusing on the big companies who've learned to defend themselves over the last few years into the smaller companies who can't. We signed our first small DIB Supply Chain company into the Red Sky Alliance this week. The CEO of a 20 person high tech manufacturing company came into the portal. He knows all about APT, but only from what the press has told him. Small defense companies around the world are in trouble --they manufacture low cost very cool things that keep the prices of new tech down, and at the same time create many of the innovations. Houston, we have a problem.. and it's not just in the US. The idea that state sponsored espionage can steal or manipulate your data by reaching into a smaller third party, partner, or supplier is not just a prediction, it's happening now.
  • Cyber Warfare --yes, I went there. I don't think I've EVER called this out before because I don't believe that there truly was ever (to date) a cyber war, but I believe we'll see the next great war fought in cyberspace using unmanned drones, robots, and turning on and off (and destroying, degrading, disrupting, etc.) critical targets via wire. I believe the cyber cold war has already begun with countries cordoning themselves off from the Internet and Vermont Electric companies finding evidence of alleged Russian hacking (now of course proven false --although it passed the Washington Post test!) and Iranian use of cyber, and don't forget us. To the rest of the world, the US is the APT. So yes, I believe we'll see rapid escalation of rhetoric and cyber warfare posturing --pre-warfare activities; we used to call it IPB --Intelligence Preparation of the Battlespace --shaping and preparing the battlespace to allow forces to operate effectively; identifying Order of Battle (OOB) --inventorying enemy forces; and looking for ways to both access, and measure damages.  
The upsides?
  • Cloud? Interestingly enough, cloud providers seem to be getting the message. While contracts still don't take responsibility for security, and the stacks are different from provider to provider, they do seem to be building more and more security controls --both customer controlled and baked into the cloud environments. I see this as a very positive sign. One really good thing I see? Containers are being built that (maybe) will help with security in cloud and software defined computing. I'm not even close to being called an expert in cloud or SDN, but the opportunities are ripe for new types of penetrations and the idea that folks are thinking about this as they build containers is a positive sign.
  • Training! One of the coolest things that happened this year is Ron Gula's new gig, Cybrary. I wish I'd thought of it. Training is available for free and I've got every one of my folks running through a curriculum --some are learning python, others more in-depth. If you've followed my blog, you know we built a small veteran training program. They're all in a Cybrary training pipeline --A+, Net+, Security+, and Python. This is a very good thing.
  • Intelligence is as old as he hills. It doesn't mean buy a list of aggregated data, pull it in using STIX/TAXII, and dump it straight into a red (or green, or blue) box. The upside? We're seeing (and hearing) from many many CISOs that they want intelligence, and they actually know the difference between the aggregated feed and intelligence. Even those who've never been exposed are coming around asking questions about what's effecting them. We love this.  
Unfortunately 2016 was the year where I scratched my head and asked myself, how the hell did we get here? We spend billions of dollars protecting our networks and the information we hold most dear, but every piece of tech is nothing more than another layer of stuff, built on the same operating systems and network architectures that got us here in the first place! 

Moving into 2017, what can you expect to see from us? 

We're hosting a "Big Broadcast" on Jan 11th. It'll be a conversational forum moderated by an old friend, Jay Healey, talking about issues we see coming in 2017.  Care to join us? Sign up here.

As well, Red Sky members will be seeing some changes that I think you're going to like. More on that later. 

Is all lost? No. But we need to figure out how to get our arms around some of the easy stuff. Where's the big red switch that changes all the passwords on the cable modems, and the basic authentication and security for those internet of things devices? How do I make Alexa stop listening? APT? Better be ready. This train isn't slowing down, it's speeding up. 

So, on that note... Happy New Year!

Saturday, December 24, 2016

2017: The Year of the Better Metaphor?

If the holidays are known for anything, it's heated discussions about the same contentious issues
with the same bone-headed relatives who don’t know what they’re talking about; and why did my sister marry that guy; and when grandma is gone I’m never coming back here…..
Likewise, nothing says you’re about to get into a heated discussion on cyber security like the use of a bad metaphor.
Since so few of the people involved in cyber-security actually know anything about computers to a sufficient level of granularity, or by the same token understand the wider social implications of their ‘simple’ technical fix, everyone falls back on their half-remembered high school history to try and help make sense of it all. Herewith our most misused and abused metaphors, and some suggestions to help make actual sense going forward.

Digital Pearl Harbor

What people think they’re saying: “We don’t want to be caught unaware by a surprise cyber-attack.”
What they’re not getting: Private sector, governmental, and critical infrastructure systems have been under attack for decades. We’re not in danger of being caught unaware, we’ve been hitting the snooze button and acting surprised and annoyed when it goes off…again and again and again.
Suggested alternative: Digital Trench Warfare (or Digital Ypres, if you must). The good guys are over here, the bad guys over there, and between them is this very risky area. Sometimes the bad guys are strong enough or lucky enough to make it across that area, in which case the good guys have to work very hard and expend a lot of blood to kick the bad guys out.

Manhattan Project

What people think they’re saying: “We need a multi-disciplinary effort to come up with a better way to do X, where X is some defensive/protective mechanism.”
What they’re not getting: The Manhattan Project was a multi-disciplinary effort to build the world’s most deadly offensive mechanism. That mechanism was only used twice, and the planet has lived in collective fear of it being used again every day since.
Suggested alternative: Cyber CERCLA (a/k/a Cyber Superfund). Back in the day we didn’t care two whits about the environment. The Valley of Drums and Love Canal (and a crying Indian) changed all that. In cyber security they don’t call DFIR-types ‘digital janitors’ for nothing. I’m not saying we tar-and-feather the founders (what they built made sense at the time), we just need to accept that bringing what used to be OK up to the standard for what is OK now is going to cost a metric-***-ton of money, and if we care about security we should be prepared to pay for it.

Digital Maginot Line

What people think they’re saying: “You need defense in depth because static defenses don’t work because the bad guys will just go around them.”
What they’re not getting: The Maginot Line was not supposed to stop invaders, it was supposed to slow them down and/or channel them to a point where the smaller and weaker defenders could rally in strength in order to put up a half-decent fight. The Line did exactly what it was supposed to do.
Suggested alternative: Use “Digital Maginot Line” properly. Defense in depth has its issues, and no one is suggesting you unplug your computers and lock them in a vault, but let’s be honest: if someone devised a system that delayed and channeled attackers into a zone where you could more effectively fight them and keep them away from your most precious data/valuable resources, you’d buy that today.

Digital Magna Carta

What people think they’re saying: “We need to protect ourselves from oppressors who would arbitrarily punish people without due process based on what they say or do online. Come and see the violence inherent in the system.
What they’re not getting: If you say these words from a country with a governmental system that is more liberal-democracy than autocracy, dictatorship, or kleptocracy, you have no idea what oppression looks like. The fact that you get to say those words in public or in print and still walk the streets is proof enough of that. Your good wishes and strongly worded demarches aren’t advancing the cause of freedom.
Suggested alternative: Digital Jedburghs. Foreign regime using digital means to enhance their ability to find, detect and oppress dissidents and you’re not down with that? Stop writing manifestos and start putting some skin in the game. Give people the means to not only resist but fight back. A word of caution: this might come back to bite you in the ***.

Going Dark

What people think they’re saying: “If we don’t preclude the use of encryption, or weaken it to the point that (the appropriate authorities) can break it, the world will be overrun with ISIS and  pedofiles.” 
What they’re not getting: This being America, investigations (of citizens) is supposed to be hard. If literally the only thing stopping you from keeping a monster off the streets is his PGP pass phrase, you’ve not done a very good investigation. And not for nothing, but encryption didn’t help the 200,000-odd sex offenders currently in prison, nor does encryption help every jihadist in the sights of USAF UAV weapons officers.
Suggested alternative: Fourth Amendment After Next. I’d much rather we focus our energies on rights and liberties and not crime and punishment. When you define the former its easy to identify the latter; when you come at it the other way around it doesn’t work out nearly so well. “After Next” is a military think-tanky way of saying “these are the issues we think we will face in the war after the next war we fight.” The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures in the information age could not be more important. Courts are already beginning to realize the problems with things like the border exception, and as we step tentatively into the age of implantables, this is an area that is only going to get more complicated and dangerous if we don’t get it right.
By the same token, if you think political dissent and child abuse are both worthy of equal protection under math, you’re not someone I want to meet in the new year.

Cyber Arms Control

What people think they’re saying: “If we can impose a layer of control over the things you need to make (dangerous things), we can stop those less responsible/polite/sane than ourselves from getting and using (dangerous things).”
What they’re not getting: Since nuclear arms control became a thing, more countries have the bomb than before it was a thing, and keeping a handle on code is infinitely more difficult than keeping track of fissile material.
Suggested alternative: Nothing. This is the most ridiculous idea in computer security. The sooner we stop talking about it, or proposing things remotely like it, the sooner someone will come up with a more practical approach to the issue.


This was a bit heady for the morning of Christmas Eve, but it's something we talk (laugh?) about in the office and over beers, and at just about any opportunity, I get the questions often --I had the question a few weeks ago while on the podium briefing the commander of US TRANSCOM. The question was "What should we be thinking about a national policy level?" This is a simple list of some of those thoughts. It seems every few years someone rolls out, and the ideas start all over again. Ever seen the moving Groundhog Day? It's the story of a weather man who repeats groundhog day over and over until he gets it right, and then he's released from the daily loop.  Ours seems a little longer, but we're stuck in the loop --and the new young iron majors have the same ideas over and over and we see history repeat itself, and while public reaction has become largely ignorant bliss, we hear the same stories over and over from vendors and the government... 

So let's lighten this up a bit. It's the morning of Christmas Eve. We at Wapack Labs very much wish you the happiest day. Me? I'll be doing two masses tonight (three if you count praying at the alter of the New England Patriots! Go Pats!).

Merry Christmas (or if you prefer, Happy Holidays!) from the team at Wapack Labs!

Saturday, December 17, 2016

Raison d’etre (Why Are We Here?)

"We are here to produce finished intelligence reports. A good intelligence report provides a customer with insight, meaning, and context that mere data, “feeds,” or news cannot. Intelligence reports help people understand complex issues and explains why those issues may impact them. In an ideal situation, an intelligence report tells someone something they do not already know, or puts seemingly disparate things into a perspective that they did not envision."

This is the first paragraph in our newly drafted writers manual and style guide, and in one paragraph it tells the story I've been screaming from the rooftops for five years. 

This week I had lunch with a really smart, highly qualified security sales professional (I
normally would say sales guy, but this guy qualifies in my mind as a pro).  He was skeptical when I told him we were looking for a sales guy (a pro) to help sell our upgraded vision --that of a premium provider of finished intelligence,  he told me he'd sat with a number of other (ahem) intelligence companies who all tell the same story --they run honeypots, sinkholes, and pull data from all over the world. They aggregate, they correlate, (heck, they even julienne fries!) and then send it out. He commented that in every case, when he asked how each individual company was different from the rest, none had an answer --they all sell the same information, aggregated from the same sources, and sold with slightly different pitches. And when he talks to his customers about it? They all have the same feedback  --it's junk

I showed him ours --pictures of bad guys who target banks, defense supply chain
companies, oil and gas, SWIFT.  I showed him technical analysis of malware submitted from a defense company, but reported out in a way that's useful to many; and I showed him geopolitical stories of election tampering with real lessons learned (written because we had customers who operate in the area!); and I showed him how we distill that information into finished intelligence; the story, the motivation in many cases, the targeting, and the tools --broken down into actionable indicators, snort and yara rules. 

[PG13] I joke about a measure of success; it's that point where I'm telling a story; when I realize the guy I'm talking to has only one hand visible above the table. You know that look? This guy ate his lunch one handed! [/PG13]

He commented throughout lunch that THIS is what EVERY CISO should be reading --especially if they need to brief the CEO or the board.  At nearly every turn, he commented on the idea that he could sell the sh*t out of this, because we showed pictures, and stories, and motivations, and also, like everyone else, indicators of compromise. The difference? Ours had meaning. 

We'll see if we hire this guy. He's expensive and we're a cash flow company, but he clearly got it. The value proposition was dead on for this lunch; and if he works for someone else? He'll be thinking about me ;) (Does anyone else hear an Alanis Morissette song playing in the background?)

In all seriousness, this is what we do...

We produce finished intelligence reports that offer readers insight, meaning, and context that mere data, “feeds,” or news cannot;  Intelligence reports that help people understand the complex issues that they face and explain why those issues may impact them

When we get the opportunity to tell our story to a techie, a CISO, CIO, or a board member, they get it. It takes very little convincing for them to understand why we're different.  

We're heading into the end of the year, and we're talking with folks who want and need more than just data --every CISO needs intelligence; not just a list of IPs or domains --that's data. You need to know how and why things are happening and then how to protect against it. 

Want to hear our story? Drop me a line. Let's schedule some time.

Until next time! It's snowing like crazy outside and I'm going to go enjoy a bit of it!
Have a great weekend!

Saturday, December 10, 2016

27 Chinese Hackers Profiled

Hacker use information sharing and collaboration, and there is a large community of Chinese coders are doing just that --exchanging ideas, and tools, and sharing software development.  This week, Wapack Labs published a study of 27 of the most active Chinese coders,  revealing the some common characteristics of this community:
  • These coders are not lone hackers.   They are mostly employed in major corporations or network security entities. This includes Alibaba, TenCent, and Huawei, and security entities KnownSec, Keen Team, and Evil Octal.
  • They are not anonymous.   Real names were found for 18 of the 27 coders studied.
  • Many are well known in China and abroad.  Several of those studied had more than 400 followers, and one had about 1,800.
  • Many are contributing regularly; Several updating ideas and code more than 200 times over a year period.
In addition, the white-hat posture taken by these coders appears to have been accepted so far by the Chinese government.  This community does not appear to fear suppression by the government, similar to the shutdown of the Wooyun vulnerability-hunter website earlier this year.

Why do we care?  We care because our customers need to know who's coming for them, how they work, and how to protect against them. 

We know who they are. We know their telephone numbers, employers, who they're influenced by and who they influence.  And we know what tools they've developed and are using... and with that information, we know the baddest of the bad, and how to protect against them. 

Why should you care? For years, the press has been reporting on various military technologies that have been stolen. I'm sourcing only one for this blog, but there are literally hundreds of pieces published in the last ten years.

What's been stolen? Tech. And then used to compete against non-Chinese manufacturers... what tech?
  • F35
  • Space, Sat, and Missile systems
  • Unmanned Vehicles
  • That really cool DDG that launched from Bath Iron works not long ago 
  • Need more? Try this.
What about non-military? ThyssenKrupp, one of the world's largest steel makers, said it had been targeted by attackers located in southeast Asia engaged in what it said were "organized, highly professional hacker activities". 

Remember RCA? GE Consumer Electronics? Both bought out by a $16 billion French company ..gone (saved from bankruptcy in 2012 by a French government bailout).

And those rare-earth minerals used to make your smart phone? Much of that comes from China.  In 2010 three Australian mining companies who compete with Chinese companies were hacked with attackers later convicted of spying and bribery.

ERP systems, MRP systems, CRM systems, Legal, air traffic control, food, chemicals, pharma... gonegonegonegonegonegonegone and gone.... shall I continue?

How do they do it? They work together. The share information and profit from it.  And as their information sharing processes get better, our global intellectual property losses will continue to follow suit --in an inversely proportionate way.

They share information.  And so should we. 

The Defense Industrial Base's supply chain is under constant attack. Many of the big companies can handle themselves --or maybe some have nothing left of interest, or maybe it's SO easy to hack the supply chain that the bad guys simply pick easier targets; I'm not sure. What I am sure of is that the smaller companies are being targeted. 

Information sharing isn't free --not from the government, not from public-private partnerships, and not from information sharing and analysis centers.  The best intelligence isn't costly --because it's largely available to everyone; hiring smart people to collect it, analyze it, and publish it cost money, as do the systems. So pitch in.  What you get back will more than pay for what you put in. Information sharing --not buying a feed, but really talking, works

Want to know who these bad guys are? Join Red Sky Alliance. My guys are standing by, ready to answer just these kinds of questions.  Until then, keep following our announcements, sign up for our digital storefront, or join us in Red Sky Alliance

Are you a defense company with less than $3 bil in revenue who needs help?  Join Red Sky Alliance. If you've ever thought about joining an information sharing program, or need incident response assistance, call us. We're offering special pricing for defense industrial base companies who can't join other defense-specific information sharing groups. We offer private collaboration, malware analysis, tools, and a dedicated intelligence team; and when you need it, referrals to qualified incident responders who can help clean up, and keep you moving. 

Have a great weekend,

Saturday, December 03, 2016

Why Intelligence?

(Ghost-posted for Micheal Tanji) At the close of my first month at Wapack Labs, and as the company prepares to surge ahead for 2017, I thought it was a good time to articulate a couple of things I 
thought were important for everyone who is struggling with cyber security and trying to understand what role intelligence can play in overcoming those struggles.

First, the basics. 

Intelligence is not a “feed.” In a nutshell, the content hierarchy goes like this:

·         Datum
·         Datum + Datum = Data
·         Data + Data = Information
·         Information + Context + Methodology = Intelligence

Intelligence provides you with meaning, which is something that only human insight and intellectual rigor can provide. That X happened on Y date at Z time is news; who did it, why, and what implications X has for you, your people, or your business is intelligence.

You need intelligence to combat cyber security problems because intelligence helps you make decisions. Anything that complicates your decision-making process isn’t intelligence, its noise. Its more hay on the proverbial stack.

To produce good intelligence you need two key things: solid sources and sound methodology. Without good sources, you’re not even telling people news, you’re giving people your interpretation of the news based on what a guy who heard the news through the headphones of a guy he was sitting next to on the train told you.

The full spectrum of analytic methodologies is far beyond the scope of this post, suffice it to say that a true provider of intelligence subjects its sources and the data they produce to a range of processes and intellectual approaches to help derive facts, reduce ambiguity and provide the kinds of insights that consumers of intelligence so desperately need. That rare, clear signal amongst the ocean of noise.

It would also be a mistake to think that producing good “cyber” intelligence stops at technical analysis. Cyberspace is its own domain, but its underpinnings are physical and increasingly so are its impacts. Cyber-attacks are carried out by human beings, with myriad motivations. Only an analytic team that has “cyber” skills as well as cultural and linguistic skills, awareness of a range of geo-political dynamics, knowledge of economic, financial, legal and other matters can put all those bits and bytes into the proper context. 

Finally, there is no substitute for experience. You can run the smartest people through the most rigorous training and give them the most advanced tools, but they’re journey as intelligence professionals has only started. This is not an issue of gray-beards having better “guts” for the work (which is itself an intellectual trap that analysts can fall into – also, we could stand to lose a few pounds), but a factor of knowing what works, being able to enforce discipline and rigor in the process, and to understand that we are not writing book reports, but occupy a position of trust. That we’re a “civilian” intelligence organization doesn’t reduce the seriousness of what we do.

If you’ve spent money on something called intelligence that doesn’t meet the aforementioned criteria, you’ve bought a feed. You’ve made it that much more difficult to find the needle, and increased the probability that you’re going to get poked somewhere sensitive. It’s a common mistake because marketers treat “intelligence” like “APT” or insert your own buzzword here: they strip it of meaning and re-define it to match whatever they’re offering.

If you’re drowning in data, if you find it increasingly difficult to make good decisions about your cyber defense, if you’re struggling to define ROI for your security spending, intelligence – real intelligence – can help. And I’m glad I’m back in a position where my training and experience can make a difference.