Saturday, September 24, 2016

The Cybersecurity Triad

In the never-ending argument over which source of data is more important to the defense of your enterprise – the endpoint or the network – it’s important we don’t forget that external sources can be just as valuable in detecting compromises and combating threats.

A key construct of the Cold War was the “nuclear triad.” That is to say: our ability to deliver nuclear weapons via missiles, airplanes, and submarines. It was important that all three legs of this metaphorical atomic stool were equally strong because from both an offensive and defensive perspective, a one-two-three punch was better than a one-two punch, though we are talking about nuclear weapons here, so just one (from both sides) is more than enough.

There are many arguments in cybersecurity, not the least of which is whether you should focus more on endpoints or network traffic to better defend your enterprise. Both sides have strong arguments and powerful personalities serving as proponents. On the one hand, evil has to ask a system for cycles in order to work. If you can monitor those cycles you have a good chance of detecting evil. On the other hand, unless your attacker’s goal is destruction (rare) evil has to move through the network to exfiltrate what they’re after, which means if you can sort out good traffic from bad you also have a chance of detecting evil.

But both approaches have shortcomings. If either were perfect the market for the other would disappear overnight. When the things you cannot control fall short it pays to look to external sources. Yahoo recently found this out. In the fog-shrouded chaos that is the online underground, there is threat-related gold. As the story relates, there is also iron pyrite amongst the gems so you have to do your due diligence, but the presence of legitimate data of yours ‘in the wild’ that you didn’t know about is a sound indicator that you are sitting on a two-legged stool.

The buzz phrase for external sources is “threat intelligence,” but if you asked 10 threat intelligence vendors what they offered you’d probably get 11 different answers. The other commonality in this thread is that if you ask 10 different threat intelligence vendors, you’ll likely be overwhelmed with the vastness of information scraped from the open internet, with an opinion rendered on what the individuality of the 50 mil tea leaves collected that day actually mean.

That’s not intelligence. 

That’s data. Sometimes it’s big data. Most of the time it’s just aggregation.

We do this for a living, and some of us have done it for decades, so consider this as you evaluate how to build your third leg:

Is the source credible? Data on 500M users is a pretty amazing set of data. You would be right to be skeptical if someone you didn’t know from out of the blue offered to provide you with such data.

Does the source have access? The tip that triggered the Yahoo investigation was reportedly not legitimate, which means the source didn’t have the access claimed (or implied).

Is the source reliable? People think that just because someone operates in the underground that they don’t have to deliver. Things like ransomware work because the bad guys, while being bad guys, are also professionals. The profits from ransomware dry up if the bad guys don’t provide decryption keys when they’re paid. Likewise the first time someone rips you off is the last time they have to make money off of you. Shady or not, this is how some people make a living. They live well and they want to keep it that way.

Good sources of threat intelligence must be vetted, and it will take time for you to determine who you can trust. You will get ripped off, and you will be overwhelmed with meaningless information that you’ll have to wade through to find the real nuggets. That’s the price of admission to the underground. Not everyone in this business provides something worth paying for, but for those reliable, credible, trustworthy few, you have the makings of a beautiful (if wary) friendship.


Saturday, September 17, 2016

What do a Securities Regulator, an Investment Banker, and a Fulbright Board member have in common?

They all loved Cyberwatch.

I know. I don't normally like to market on this blog ;) but I can't help it. I'm so excited. Between the ASIS/ISC2 conference in Orlando and the talks in downtown Manhattan this week, I demoed Cyberwatch on my iPad at least 50 times.

This morning is a bit different. I came back from NY with a WHALE of a cold. My head's full and I feel like a train wreck, so I'm going to post the video that shows the basic premise of Cyberwatch, and then once again, I'll give you the URLs.

Here's the video. It's 2 minutes long.


There are two applications on this. The GUI is shown at cyberwatch.wapacklabs.com... we realized a few weeks ago that we weren't UX builders... I'm going to hire some talent for v2. 

However... the API is awesome. The API feeds the Cyberwatch app, and can be reached at api.wapacklabs.com. So far, we've had several companies call us, wanting to know if the results are real. Feedback has been amazing. We've fixed many of those issues in our code that needed fixing, and have a roadmap of features that we've also already started working on.

OK, enough for now. Watch the video. Try the API. Plug it into whatever front end you use.

BT

We've been pounding the pavement getting ready for this week's Threat Day. If you've not RSVP'd please contact Pam. Cigars in a private room at JR's the night before, and the meeting on Tuesday in the "Major Telecom" conference center with a tour of the Global NOC.

Keeping it short. Keep an eye on announcements of products... wapacklabs.blogspot.com.

Have a great weekend!
Jeff

Saturday, September 10, 2016

Voter manipulation no big deal? Hey Cowboy, you may want to read this...

SOURCE: thehill.com

"Department of Homeland Security (DHS) Secretary Jeh Johnson on Thursday downplayed concerns about malicious hackers influencing U.S. elections amid rising fears about foreign actors trying to wreak havoc on Election Day." (thehill.com)

I'd like to comment... Just because DHS can't see it, doesn't make it true. That's not a knock on DHS but neither the US-CERT nor the NCCIC are equipped to handle the multi-disciplinary analysis required to see and read all of the tea leaves. 

Let me explain... here are a few things you may not have known. We tracked, in near real time, the manipulation of the Ukrainian Presidential Election by hackers, military, and commandos. This multi-faceted, asynchronous information operation followed what we believe to be an updated version of the Ivanov Doctrine --Putin's asynchronous warfare plan taken from lessons learned by watching the US operate against Iraq. We published reporting on this in 2014 and into 2015. Since the Crimean conflict, Wapack Labs has actively tracked cyber activities between Russia and their neighbors -but most specifically Ukraine. The ability of DHS's NCCIC to have known about this would have meant they would have had more intelligence than just cyber coming into the center. I'm not sure if they do.

The high level story goes like this:

(Russian) hackers trojaned the Ukrainian Central Election Computer systems. When the Ukrainians found out, they took it offline. Telephony denials of service, computer attacks, and manipulation of election reporting on a Russian State-owned Television station on the eastern border of Ukraine reported false outputs through the night of the election. The full report tells the full story, properly sourced, but the last time we mentioned this, it was reported by the Christian Science Monitor. We preferred to stay low-key in the article, but this story was originally tipped off by my original blog post. I remember having a discussion with Mark Clayton (the journalist) as he was pulling the piece together. He was aghast that the story of a Presidential Election manipulation hadn't received more attention here in the US. My only thinking is, my team is small and nimble.. we operate very much in a multi-disciplinary fusion center approach. I'm guessing that gathering lessons learned wasn't the priority at the time, and neither the press, nor our IC apparently connected the dots... or maybe Jeh just hadn't been made privy?? I don't know. I can't speculate on that, but I can make our original reporting available.

If you wish to purchase the report, I've priced the short form Priority Intelligence Report at $1. The 25 page document is priced slightly higher. Both are available for purchase at our digital storefront.

BT

I'm preparing for my trip to Orlando tomorrow. I've never been to an ISC2 Annual Summit, and the fact that it's being hosted with ASIS makes this attractive to my cashflow-operated marketing budget. I've got a great little announcement that'll be hitting the press while I'm there, and if you see me, ask me! I'm planning on having my laptop, running demos to anyone that'll want to see them. We'd built an early version that I demo'd all over RSA, gathering a great crowd, running demos on my phone until the battery finally died. I can't wait to show off the upgrade!

On Wednesday we're presenting at the FS Consortium in NYC, and next week? Cigars with Red Sky Alliance members on Monday night with Threat Day at the Global NOC of one of the major telecom companies on Tuesday. We've got a great lineup. I'm running hard. It's awesome! Didn't get the invite? Shoot a note to Pam, our marketing guru. She'll hook you up!

So, until next time, 
Have a GREAT weekend. Maybe I'll see you in Orlando!
Jeff


Saturday, September 03, 2016

Ending summer. Kicking off Fall with a Bang (and a cigar!).

I'm not going to spend a lot of time on my post this morning. It's the last official weekend of summer and after I go to the dump, we're heading for our last outing to the beach for the season, and then driving to MD tomorrow preparing for three weeks of hard travel and the official kickoff of the fall surge. We always get busy in the fall. Founded on 8/29/2011, we just passed Red Sky Alliance's 5th birthday, and every year is pretty much the same. In fact, we built Wapack Labs to start pushing intelligence into the Red Sky portal after our first summer, hoping, making sure, that after summer, our members would come back. It got so slow during the first year that I thought we'd been abandoned... we needed to find a way to add value to make sure they came back --and they did.

We kicked off operations in Feb '12 with two guys, three members, and a monster American Express bill, waiting, waiting, waiting, for that first check so that we could pay the Amex... and when it finally came in, we both (Jim and I) sighed a huge sigh of relief.

Since then, the Red Sky group has grown to roughly 35 companies participating, and even today, we maintain about 40% of our members checking in at least monthly. We've lost four companies in five years, and although we've shifted our stance just a bit --some companies still prefer to share privately --and do, others just don't care. The portal remains fully attributional.

How do we build trust? One of the ways we do it is by hosting quarterly get-togethers --cocktails first, followed by a day of meetings where we share ideas and threat information. Our next will be held in New Jersey... cocktails at JR's. If you're a geek and want to stop by for a few minutes, please, by all means.

Threat Day will be held the next morning at the conference center at the (ahem) Large Telecom in the area... with a tour of the Global Network Operations Center. For those of you who remember doing this a couple of years ago --this is our second visit, this is one of the coolest locations for a conference that I've ever been to... I'd even have to say this is cooler than the underground conference center at the Pentagon... that's cool, but this place? It's a Geek's dream!

So here's the logistics: If you'd like to attend, please RSVP to our event coordinator. Not a member? RSVP anyway. If we run out of space, we'll let you know!

Join Us For Cocktails, Conversation & Cigars The Evening Before Threat Day!

The Red Sky Alliance & The Wapack Labs team invite you for cocktails, appetizers, conversation and yes, a cigar [if you would like :)] the evening prior to Threat Day. Join us at the Montecristo Lounge September 19th at JR Cigar. We will be in the Churchill room! Listen for raucous laughter and tall tales. Check out the link below. Looking forward to seeing everyone!

JR Cigars - The Churchill Room

301 Route 10 East
Whippany, NJ 07981
*Dress Code -- Business Casual 
http://www.jrwhippany.com/index.php/gallery/new-cigar-lounge/#prettyPhoto[]/3/
BT
The summer's always slow but we try to use it to build something insanely cool for release after Labor Day, and this year is no different. Look for one of the coolest new tools you've ever seen to hit the streets next week. We've been working hard, beta testing in the membership, and loading context all in preparation for one of the absolute coolest tools. I'm not going to say any more --you'll just have to wait for it... but trust me... it'll be worth the wait!
I've got a dump run and a beach waiting... so until next time,
Have a great weekend!
Jeff

Saturday, August 27, 2016

No cure for the common cold...

Props: pbs.com
Walk through the cold and flu aisle at Walmart, and you'll find hundreds of products that all tout their abilities to soothe even the most savage of symptoms -some snake oil, others not bad, but all missing one key attribute --none solve the common cold.

This analogy was told today in a conference call when a "friend of Wapack Labs" explained how we differ to a prospective customer. The friend --Bill Vajda, explained that while nobody has yet to cure the common cold, the new API is very helpful in getting raw, highly useful information into the hands of those who can actually do something with it.

He's referring to our new Cyberwatch(R) API.  We've been working hard to get it rolling. We found that we're not very good UX guys, but wanted to find a way to push intelligence --really useful intelligence, into more hands. It's in beta testing right now with a couple dozen Red Sky Alliance members. The feedback so far has been pretty consistent --typos, a bit more context, and a feature request or two, but every piece of feedback proclaimed how much they like the product.

I talked about this two(?) weeks ago. We're experimenting with different ways of selling without selling. I told my team today that I'd read a book --the Accidental Salesperson. I wasn't born able to sell. Sometimes I still wonder if I can --maybe it was simply market forces, or maybe it's just because I'm so good looking! Either way, I'd never learned a formal process for selling, and as a result have found myself reading things like "Question Based Selling", the "Accidental Salesperson", "The Challenger Sale", and just about anything I can get my hands on that'll teach me the best way to attract new customers. And here's what I found... give a customer what they want, in a way that makes it really easy to use or integrate, without the need to add extra staff (or better, make money with, or reduce current operating expenses), and it'll sell itself.

This is what we're attempting. Red Sky Alliance is a great place for those who need questions answered. Prioritization is a major issue with security folks --pushing all of those rules, signatures, behavioral patterns, and context into one HUGE box just is not going to happen.  Reading 50 page technical intelligence documents that require massive translation from techie speak to English (or, pick your language), also isn't going to work. Heck, even for those of us who like reading that stuff (like me), at some point, they all sound the same. However, everyone knows how to use a mouse, enter a domain, and read the results. There are over a hundred intelligence vendors, and over 1600 security vendors, and in every case, each one does something different, with various levels of quality... yet, nobody has yet to find a cure for humanity's most basic problem... the common cold --and delivering the right information, at the right time, to the right person, in a way in which they can take action on it, in the easiest possible way.

Stand by folks. You're in for a surprise.

In the meantime, please follow wapacklabs.blogspot.com. We're announcing every product that we author on the blog. If you really need a place to call and ask questions, we're here. Need more? Check Red Sky Alliance. Machine readable data? ThreatRecon.co offers finished indicators in a JSON output.

Until next time,
Have a great weekend!
Jeff




Saturday, August 20, 2016

By the numbers


What's the graphic? VirusTotal detections over a 24 hour period, ranked by the number of times each engine detected a submission.

Why should you care?

I read the Wall Street Journal every morning. Most mornings (depending on time) I also read USA Today and a bunch of security news. USA Today isn't as much on my required reading as the WSJ, primarily because much of USA Today's news comes from the Associated Press, and many of the other papers available use the same news services. The WSJ also uses some of them, but as well, provides their own reporting. There is a small overlap in reporting but I've got to read two papers, plus my security reading, to feel like I have enough information.

The same holds true with cyber intelligence.

We're partnered with Anomali, and we like them --for the most part, but one thing struck me yesterday as we were looking at their marketplace. We were dropped in the middle of the app marketplace pack, our logo sat very close to one antivirus vendor that we'd recently tested our indicators against, and I thought it odd.

Why? Because when tested, they detected only 14% of our indicators of compromise! You read that right... 14%!

You see, we've been testing our finished intel against some of the AV and endpoint companies, and here's what we found. Their words not ours:
  • We tested 3000 lines with a global AV vendor over two weeks during the holidays last year. They detected only 18% of our feed.
  • In June, we tested a sample of data that was almost two years old with another company --a California based AV and Endpoint company. In this two year old sample, they detected only 7% of what we'd provided them.
  • And when they didn't believe our stuff was real, we pulled fresh information, straight off the wire and tried it again. They detected 14%.
In previous tests, we were compared to two network security companies using our network based indicators (snort rules, IPs, etc.) with the same results.

Why? Many 'intelligence' companies buy data from aggregation companies --who dump a bunch of data together in a blob in EC2 and resell it over and over and over --and many of the companies that you buy from today use the same data. Most of it comes directly from open sources on the internet --rarely tailored for the actual customer who's buying in. For many of the lower detection products shown in the graphic, they SHARE the same indicator information. It's a cheap way to make a product --great for revenues, bad for the buyer. You might as well go buy your security tools at Bob's Discount Furniture. You'll have better luck with a hardwood door on your datacenter than you would by relying on those old reused indicators!

We're a bit different. We have an information sharing group who, for the most part, can do the analysis on their own. They just want our raw data. But for others, we take their security requirements, go find sources of information that would give us the answers, collect the data, answer the questions in the form of intelligence (futures thinking) or analysis (post-incident), and feed it back in a useful way --human readable, delimited, JSON, STIX/TAXII. It's called the intelligence cycle, and it's targeted by the company.

In all three tests, the companies were given information that we directly observed or pulled from our own collections/analysis. The results were provided by them, to us, in a decision process to figure out if they should OEM our indicators in their reputation lists. In both cases, the companies didn't purchase our stuff because they had such a low detection rate! HELLO?!
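As an added example (not Wapack Labs code, and not the vendors' own test procedure), here is a small Python script that does the comparison the post describes: take an indicator feed, take the subset a vendor reported as detected, and compute the detection rate per indicator type, listing what was missed. Indicators are normalized first (case, trailing dots, duplicate entries) so that formatting differences are not mistaken for misses. All indicator values below are constructed samples using documentation IP ranges and reserved example domains.

```python
"""Measure how much of an indicator feed a vendor's detection list actually covers.

Added example, not Wapack Labs code. FEED and VENDOR_HITS are constructed samples.
"""
import ipaddress
from collections import defaultdict

HEX = set("0123456789abcdef")


def normalize(ioc):
    """Return (type, canonical form) so trivial formatting differences don't count as misses."""
    s = ioc.strip().lower().rstrip(".")
    # md5 / sha1 / sha256 lengths, all-hex
    if len(s) in (32, 40, 64) and set(s) <= HEX:
        return "hash", s
    try:
        return "ip", str(ipaddress.ip_address(s))
    except ValueError:
        pass
    if "://" in s or "/" in s:
        return "url", s
    return "domain", s


def coverage(feed, vendor_hits):
    """Per-type detection rate of a vendor's hit list against a feed.

    Returns {type: {"total": n, "detected": k, "rate": k/n, "missed": [...]}}
    plus an "_all" entry with the overall numbers. The feed is de-duplicated
    after normalization so repeated lines do not inflate the total.
    """
    hits = {normalize(x) for x in vendor_hits}
    by_type = defaultdict(lambda: {"total": 0, "detected": 0, "missed": []})
    seen = set()
    for ioc in feed:
        key = normalize(ioc)
        if key in seen:
            continue
        seen.add(key)
        ioc_type, value = key
        bucket = by_type[ioc_type]
        bucket["total"] += 1
        if key in hits:
            bucket["detected"] += 1
        else:
            bucket["missed"].append(value)
    for bucket in by_type.values():
        bucket["rate"] = bucket["detected"] / bucket["total"]
    total = sum(b["total"] for b in by_type.values())
    detected = sum(b["detected"] for b in by_type.values())
    result = dict(by_type)
    result["_all"] = {"total": total, "detected": detected,
                      "rate": detected / total if total else 0.0}
    return result


# Constructed sample feed (documentation IPs, reserved TLDs, made-up hash).
FEED = [
    "198.51.100.23",
    "198.51.100.23",                      # duplicate line in the feed
    "192.0.2.77",
    "badhost.example.",                   # trailing dot, as exported by some tools
    "BADHOST.example",                    # same domain, different case
    "login-update.invalid",
    "0123456789abcdef0123456789abcdef",   # made-up md5-length hash
    "http://badhost.example/drop.php",
]

# Constructed sample of what the vendor reported as detected.
VENDOR_HITS = [
    "198.51.100.23",
    "0123456789ABCDEF0123456789ABCDEF",   # upper-case copy of the feed hash
]


if __name__ == "__main__":
    report = coverage(FEED, VENDOR_HITS)
    for ioc_type, stats in sorted(report.items()):
        print(f"{ioc_type:7s} {stats['detected']}/{stats['total']} "
              f"({stats['rate']:.0%}) missed={stats.get('missed', [])}")
```

With the constructed data the vendor covers 2 of 6 unique indicators (33%), catches neither domain nor the URL, and misses one of the two IPs; the per-type breakdown is what tells you whether the gap is in hashes, network indicators, or both, which a single overall percentage hides.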

If you're receiving our Cyber Indications and Warning Reporting in the Red Sky portal, you'll never see the companies at the bottom of the list show up in the top five. And now you know why... they aggregate data instead of hunting for it smartly and analyzing it before sending it out... and I don't mean data science. I mean good old-fashioned QA.

The upside? You can be protected from the other 84% that they didn't see. If you don't want to buy it from us (starts at $40/month), there are several companies that use our intel to protect their customers. Wapack Labs is built into Solutionary, AT&T's MSSP, Arbor, FlowTraq, E&Y, and Morphick. We're also available for purchase through Anomali, ThreatQuotient and ThreatConnect.

Look, friends don't let friends buy junk. Give us a shout. Let me show you how we're different.

Want to get a feel for what we write about? Have a look at the Wapack Labs blog. Every technical report shown in the blog has indicators that were derived by us for a customer. We share them out so others may benefit. 

OK folks. I've got a Sleep Number bed to return. My back is killing me.
It's not going to take itself apart!
Have a great weekend!
Jeff

Saturday, August 13, 2016

1.47 seconds

A friend of mine -- a retired CIA covert guy, who now lectures, drives race cars, sits on a few boards, and has dinner with me occasionally, does a two hour lecture that he calls "1.47 seconds". 1.47 seconds is the amount of time between the Boston bomb blast and when people in the alley behind were hit with shrapnel from the blast.

The question he postulates is: what, or how, could people outside of direct contact with the bomb have been warned in that 1.47 seconds to make them take cover?

It's an interesting question, and one I think about often when I write a blog, publish a report, or, send a victim notification.  In fact, one question I consider often is even if I tell them, will they listen? Will they know what to do with the information I'm providing them?  For the customers we're used to serving, the answer is yes, but for many (probably 90% of the market) the answer is a resounding no.

So why does "1.47 seconds" stick with me? Because I watch the market churn --and the same companies targeted over and over by noisy marketers hawking some of the best, and some of the worst products, and I wonder to myself, what in 1.47 seconds could we do to cut through all that marketing b*ll sh*t, to get a real message out with real impact? What could we do to get the word out in such a way that it's easily understood, easily consumed, and actually used?

So we've been experimenting with a couple of non-marketing techniques --yes, I realize my blog has a bit of a slant --we're a cash flow company --no investors. We can't hire mountains of marketing people and sales people in every city, so, my blog becomes a bit slanted. It's literally the only marketing we do (except maybe sponsor an occasional high school robotics).

Our latest experiment is fairly simple.

  • We've been posting the executive summary and product meta-data in the Wapack Labs blog. It was time to move readership from my personal blog to the company blog. 
  • We've focused much of our analysis on being proactive. Instead of simply analyzing past events, we look for indicators of coming events --and yes, we've been quite successful.
  • We're focusing our intelligence team on 'desired objectives by select bad guys' before the event occurs. That way, companies know what's coming, and we sometimes know who and how before it happens.
  • And we've been working intelligence as a team sport --converged with the needs of physical and industrial security personnel. 
Every time a new product gets published, the executive summary gets posted to wapacklabs.blogspot.com.  Every product that has indicators, has a link to our indicator database (Threat Recon) or our Soltra Edge instance (redsky.soltra.com). 

We've offered up our raw collections (key loggers, sinkholes, etc.) to others who'd like to use them in their own analysis --that API should be up shortly, but today, roughly a hundred people have run queries against our backend.  

So, 1.47 seconds? Stand by. More to follow... That's where we're heading. 

In the meantime, please follow wapacklabs.blogspot.com. We publish almost daily. The reporting is a mix of cyber, physical executed via cyber, or intelligence collected via cyber.

If we can help, call us. We're busy as hell, but that keeps us going!

Until next time,
Have a great weekend!
Jeff