Saturday, August 27, 2016

No cure for the common cold...

Walk through the cold and flu aisle at Walmart, and you'll find hundreds of products that all tout their abilities to soothe even the most savage of symptoms --some snake oil, others not bad, but all missing one key attribute --none solve the common cold.

This analogy was told today in a conference call when a "friend of Wapack Labs" explained to a prospective customer how we differ. The friend --Bill Vajda, explained that while nobody has yet cured the common cold, the new API is very helpful in getting raw, highly useful information into the hands of those who can actually do something with it.

He's referring to our new Cyberwatch(R) API.  We've been working hard to get it rolling. We found that we're not very good UX guys, but wanted to find a way to push intelligence --really useful intelligence, into more hands. It's in beta testing right now with a couple dozen Red Sky Alliance members. The feedback so far has been pretty consistent --typos, a bit more context, and a feature request or two, but every piece of feedback proclaimed how much they like the product.

I talked about this two(?) weeks ago. We're experimenting with different ways of selling without selling. I told my team today that I'd read a book --the Accidental Salesperson. I wasn't born able to sell. Sometimes I still wonder if I can --maybe it was simply market forces, or maybe it's just because I'm so good looking! Either way, I'd never learned a formal process for selling, and as a result have found myself reading things like "Question Based Selling", the "Accidental Salesperson", "The Challenger Sale", and just about anything I can get my hands on that'll teach me the best way to attract new customers. And here's what I found... give a customer what they want, in a way that makes it really easy to use or integrate, without the need to add extra staff (or better, make money with, or reduce current operating expenses), and it'll sell itself.

This is what we're attempting. Red Sky Alliance is a great place for those who need questions answered. Prioritization is a major issue with security folks --pushing all of those rules, signatures, behavioral patterns, and context into one HUGE box just is not going to happen. Reading 50 page technical intelligence documents that require massive translation from techie speak to English (or, pick your language) also isn't going to work. Heck, even for those of us who like reading that stuff (like me), at some point, they all sound the same. However, everyone knows how to use a mouse, enter a domain, and read the results. There are over a hundred intelligence vendors, and over 1600 security vendors, and in every case, each one does something different, with various levels of quality... yet, nobody has yet found a cure for humanity's most basic problem... the common cold --and delivering the right information, at the right time, to the right person, in a way in which they can take action on it, in the easiest possible way.

Stand by folks. You're in for a surprise.

In the meantime, please follow We're announcing every product that we author on the blog. If you really need a place to call and ask questions, we're here. Need more? Check Red Sky Alliance. Machine readable data? offers finished indicators in a JSON output.

Until next time,
Have a great weekend!

Saturday, August 20, 2016

By the numbers

What's the graphic? VirusTotal detections over a 24 hour period, ranked by the number of times each engine detected a submission.

Why should you care?

I read the Wall Street Journal every morning. Most mornings (depending on time) I also read USA Today and a bunch of security news. USA Today isn't as much on my required reading as the WSJ, primarily because much of USA Today's news comes from the Associated Press, and many of the other papers available use the same news services. The WSJ also uses some of them, but as well, provides their own reporting. There is a small overlap in reporting, but I've got to read two papers, plus my security reading, to feel like I have enough information.

The same holds true with cyber intelligence.

We're partnered with Anomali, and we like them --for the most part, but one thing struck me yesterday as we were looking at their marketplace. We were dropped in the middle of the app marketplace pack, our logo sat very close to one antivirus vendor that we'd recently tested our indicators against, and I thought it odd.

Why? Because when tested, they detected only 14% of our indicators of compromise! You read that right... 14%!

You see, we've been testing our finished intel against some of the AV and endpoint companies, and here's what we found... Their words, not ours:
  • We tested 3000 lines with a global AV vendor over two weeks during the holidays last year. They detected only 18% of our feed.
  • In June, we tested a sample of data that was almost two years old with another company --a California based AV and Endpoint company... In this two year old sample, they detected only 7% of what we'd provided them.
  • And when they didn't believe our stuff was real, we pulled fresh information, straight off the wire and tried it again. They detected 14%.
In previous tests, we were compared to two network security companies using our network based indicators (snort rules, IPs, etc.) with the same results.

Why? Many 'intelligence' companies buy data from aggregation companies --who dump a bunch of data together in a blob in EC2 and resell it over and over and over --and many of the companies that you buy from today use the same data. Most of it comes directly from open sources on the internet --rarely tailored for the actual customer who's buying in. For many of the lower detection products shown in the graphic, they SHARE the same indicator information. It's a cheap way to make a product --great for revenues, bad for the buyer. You might as well go buy your security tools at Bob's Discount Furniture. You'll have better luck with a hardwood door on your datacenter than you would by relying on those old reused indicators!

We're a bit different. We have an information sharing group who, for the most part, can do the analysis on their own... They just want our raw data. But for others, we take their security requirements, go find sources of information that would give us the answers, collect the data, answer the questions in the form of intelligence (futures thinking) or analysis (post-incident), and feed it back in a useful way --human readable, delimited, JSON, STIX/TAXII. It's called the intelligence cycle, and it's targeted to the company.

In all three tests, the companies were given information that we directly observed or pulled from our own collections/analysis. The results were provided by them, to us, in a decision process to figure out if they should OEM our indicators in their reputation lists. In both cases, the companies didn't purchase our stuff because they had such a low detection rate! HELLO?!
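The coverage test described above, as an added example that is not Wapack Labs code: a constructed JSON indicator feed (the delimited JSON shape the post mentions) is compared against a constructed vendor reply, values are normalised first so defanged or mixed-case spellings still match, and coverage is scored per indicator type with the undetected residual listed for the buyer. The feed layout, the vendor reply format and every value are assumptions made up for the example; the IPs are RFC 5737 documentation ranges and the hash is a placeholder.

```python
import json
from collections import defaultdict

# Constructed sample feed (not real indicators): documentation IPs, reserved
# example names and a placeholder hash. Two domain rows are the same indicator
# written differently, to show why normalisation matters before scoring.
FEED_RECORDS = [
    {"type": "domain", "value": "Update-Portal.example", "source": "sinkhole"},
    {"type": "domain", "value": "update-portal.example.", "source": "keylogger"},
    {"type": "domain", "value": "mail-relay.example", "source": "keylogger"},
    {"type": "ip", "value": "192.0.2.10", "source": "sinkhole"},
    {"type": "ip", "value": "198.51.100.7", "source": "snort"},
    {"type": "ip", "value": "203.0.113.99", "source": "snort"},
    {"type": "sha256", "value": "0" * 63 + "1", "source": "sandbox"},
]
FEED_JSON = json.dumps(FEED_RECORDS)  # the JSON form a feed would be shipped in

# Constructed vendor reply: the values they reported as detected, written the
# way such replies often come back (defanged, upper-case hex).
VENDOR_DETECTED = [
    "update-portal[.]example",
    "203[.]0[.]113[.]99",
    ("0" * 63 + "1").upper(),
]


def normalize(value: str) -> str:
    """Canonical form so 'Update-Portal.example.' and 'update-portal[.]example' compare equal."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    return v.rstrip(".")


def load_feed(text: str) -> dict:
    """Parse the JSON feed and dedupe on (type, normalised value)."""
    feed = {}
    for row in json.loads(text):
        key = (row["type"], normalize(row["value"]))
        feed.setdefault(key, row)  # keep the first record seen for a duplicate
    return feed


def score_coverage(feed: dict, vendor_detected: list) -> dict:
    """Per-type and overall detection coverage, plus the residual the vendor missed."""
    seen = {normalize(v) for v in vendor_detected}
    per_type = defaultdict(lambda: {"total": 0, "detected": 0})
    undetected = []
    for ioc_type, value in sorted(feed):
        bucket = per_type[ioc_type]
        bucket["total"] += 1
        if value in seen:
            bucket["detected"] += 1
        else:
            undetected.append((ioc_type, value))
    for bucket in per_type.values():
        bucket["pct"] = round(100.0 * bucket["detected"] / bucket["total"], 1)
    total = sum(b["total"] for b in per_type.values())
    detected = sum(b["detected"] for b in per_type.values())
    return {
        "per_type": dict(per_type),
        "overall_pct": round(100.0 * detected / total, 1) if total else 0.0,
        "undetected": undetected,  # what the buyer is still exposed to
    }


if __name__ == "__main__":
    report = score_coverage(load_feed(FEED_JSON), VENDOR_DETECTED)
    print(f"overall coverage: {report['overall_pct']}%")
    for ioc_type, b in report["per_type"].items():
        print(f"  {ioc_type}: {b['detected']}/{b['total']} ({b['pct']}%)")
    print("not covered by the vendor:")
    for ioc_type, value in report["undetected"]:
        print(f"  {ioc_type} {value}")
```

Running it on the constructed data reports 50% overall coverage (1/2 domains, 1/3 IPs, 1/1 hashes) and lists the three indicators the vendor missed; swapping in a real feed and a real vendor reply gives the same breakdown the post's vendor tests produced.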

If you're receiving our Cyber Indications and Warning Reporting in the Red Sky portal, you'll never see the companies at the bottom of the list show up in the top five. And now you know why... they aggregate data instead of hunting for it smartly and analyzing it before sending it out... and I don't mean data science. I mean good old-fashioned QA.

The upside? You can be protected from the other 84% that they didn't see. If you don't want to buy it from us (starts at $40/month), there are several companies that use our intel to protect their customers... Wapack Labs is built into Solutionary, AT&T's MSSP, Arbor, FlowTraq, E&Y, and Morphick. We're also available for purchase through Anomali, ThreatQuotient and ThreatConnect.

Look, friends don't let friends buy junk. Give us a shout. Let me show you how we're different.

Want to get a feel for what we write about? Have a look at the Wapack Labs blog. Every technical report shown in the blog has indicators that were derived by us for a customer. We share them out so others may benefit.

OK folks. I've got a Sleep Number bed to return. My back is killing me.
It's not going to take itself apart!
Have a great weekend!

Saturday, August 13, 2016

1.47 seconds

A friend of mine -- a retired CIA covert guy, who now lectures, drives race cars, sits on a few boards, and has dinner with me occasionally, does a two-hour lecture that he calls "1.47 seconds". 1.47 seconds is the amount of time between the Boston bomb blast and when people in the alley behind were hit with shrapnel from the blast.

The question he poses is: what, or how, could people outside of direct contact with the bomb have been warned in that 1.47 seconds to make them take cover?

It's an interesting question, and one I think about often when I write a blog, publish a report, or send a victim notification. In fact, one question I consider often is even if I tell them, will they listen? Will they know what to do with the information I'm providing them? For the customers we're used to serving, the answer is yes, but for many (probably 90% of the market) the answer is a resounding no.

So why does "1.47 seconds" stick with me? Because I watch the market churn --and the same companies targeted over and over by noisy marketers hawking some of the best, and some of the worst products, and I wonder to myself, what in 1.47 seconds could we do to cut through all that marketing b*ll sh*t, to get a real message out with real impact? What could we do to get the word out in such a way that it's easily understood, easily consumed, and actually used?

So we've been experimenting with a couple of non-marketing techniques --yes, I realize my blog has a bit of a slant --we're a cash flow company --no investors. We can't hire mountains of marketing people and sales people in every city, so my blog becomes a bit slanted. It's literally the only marketing we do (except maybe sponsoring an occasional high school robotics team).

Our latest experiment is fairly simple.

  • We've been posting the executive summary and product meta-data in the Wapack Labs blog. It was time to move readership from my personal blog to the company blog.
  • We've focused much of our analysis on being proactive. Instead of simply analyzing past events, we look for indicators of coming events --and yes, we've been quite successful.
  • We're focusing our intelligence team on 'desired objectives by select bad guys' before the event occurs. That way, companies know what's coming, and we sometimes know who and how before it happens.
  • And we've been working intelligence as a team sport --converged with the needs of physical and industrial security personnel.
Every time a new product gets published, the executive summary gets posted to  Every product that has indicators has a link to our indicator database (Threat Recon) or our Soltra Edge instance ( 

We've offered up our raw collections (key loggers, sinkholes, etc.) to others who'd like to use them in their own analysis --that API should be up shortly, but today, roughly a hundred people have run queries against our backend.

So, 1.47 seconds? Stand by. More to follow... That's where we're heading.

In the meantime, please follow We publish almost daily. The reporting is a mix of cyber, physical executed via cyber, or intelligence collected via cyber.

If we can help, call us. We're busy as hell, but that keeps us going!

Until next time,
Have a great weekend!

Saturday, July 23, 2016

Published: The Never Ending Campaign

This week we published one of the most controversial papers that I believe has come out of Wapack Labs since we started. We called it the Never Ending Campaign paper because we examined the cyber threats to funding and the election during this VERY long Presidential election.

The paper details ideas of the complexity of the American political landscape, and profiles the attack surfaces for any federal political operation. We discussed the difficulty of the assessment as campaigns adopt new marketing, social media, and fundraising methods. There are also different motivations for each cyber actor that may overlap.

We discussed exposures to the US financial services including the targeting of Personally Identifiable Information (PII), information of donors to the candidates, PACs, and national political committees. This is possible through the vendors hired by each campaign to manage and report donations. Exposure also includes the organizations involved in targeting the banks servicing the transactions for all of these organizations via business email compromise, as well as those who have worked with the business or political assets belonging to each candidate.

Why controversial? This paper, even inside the team, created some of the most heated discussions between authors, peer reviewers and editors. The paper early on started as a pile of information, but ended as a cohesive, no-kidding paper on practical items that companies can key in on to protect themselves from fraud schemes designed to leverage campaign fund raising.

The paper is positioned free from political bias. My team performed well. The paper was published to the Red Sky Alliance and through the FS-ISAC on the 19th.


Other notes?

  • We introduced four new potential members to Red Sky Alliance this week. One financial, two maritime, and a Defense Contractor.
  • We wrapped up our support to the Cleveland Police Department with over 85 intelligence reports written, and at least one preemptive action taken as a result of our reporting.
  • I had the opportunity to speak at the Maritime Cyber conference at Johns Hopkins APL this week. Of course, I told the story of the key loggers in the Maritime space, and the idea that we're well over a million accounts in thousands and thousands of unique organizations around the world.
More? There's tons but I'll hold for now. I'm preparing to have a great weekend --my 20th OCS reunion is tomorrow in VA Beach, and then off the grid in Maine for a couple of weeks. The timing is good... I'm getting ready to cut the arms off my team like my daughter used to do with her Barbie dolls when she was having fits.

So I'm publishing this in absentia... normally I'm up at 4AM writing my Saturday blog. Today however, it's Friday afternoon. My last meetings are in 20 minutes and again an hour after that, then... off to Cancun Cantina for beer and cigars with buddies and VA Beach tomorrow. My plan is to take next weekend off.

So, until the 12th of August? Have a great two weeks!

Saturday, July 16, 2016

Target and Home Depot - No Contractual Obligation?

According to the Wall Street Journal (June 27, 2016 - Technology section), in a piece entitled "Injury Key Issue in Data Breaches", Target and Home Depot, while settling with customers over data breaches two years ago, both fought the case claiming in court filings that "stores owed no legal or contractual obligations to consumers to safeguard their data."

Apparently there's been an onslaught of law suits resulting from the massive number of data breaches, and while I have no issue whatsoever with a company looking for actual damage --injury to a customer --meaning a customer can show that a loss of their privacy data actually cost them money, reputation, etc... I do have a problem with lawyers looking for the simple out by claiming that the stores owed legal or contractual obligations to protect a customer's data.

So my question is this... is this legal wrangling, or do they really believe and practice this?

If this legal tack is real (I've not read the transcripts), this sets a bad precedent. In this case both companies settled but still paid. Unfortunately there are many more breaches that I'm sure will end up in court with leagues of smart(er?) lawyers who'll figure out how to effectively utilize this defense.

At the same time, at the other end of the legal spectrum, there's a movement afoot in the UK to hold CEOs legally responsible for ensuring that baseline controls are in place to ensure the security of computer-based data --which of course, is just about everything.


I'm keeping this short today. Heading out to WV to fly fish the Potomac with a friend. It's 5:30AM, so please forgive any typos. I attempted to get this written earlier in the week but...

Also, please have a look at the Wapack Labs blog. We've been posting analytic executive summaries. If we have indicators for the stories, we'll give you the link to either our own indicator database, Threat Recon, or our Soltra Edge location where you can pull indicators. It's a new form of publishing for us. I'd love to hear your feedback.

So, until next time, I'm "Gone fish'n!"
Have a great weekend!

Saturday, July 09, 2016

First Chinese-Built Passenger Jet Goes Into Service

On June 29, 2016, the Wall Street Journal's Chun Han Wong reported "First Chinese-Built Passenger Jet Goes Into Service. China's first home-built passenger jet entered commercial service on Tuesday... the jet, the ARJ21 developed by the Chinese state-owned Commercial Aircraft Corporation of China, Ltd (COMAC) was originally due out in 2006 but was delayed by over ten years because of repeated production setbacks..."

Normally I'd look at the piece and think to myself... I'd never invest in a company that was 10 years behind the market, but at the same time, I'm forced to wonder if those setbacks paralleled the increase in the security posture of COMAC's suppliers. And I'd have to wonder if another speed bump was dropped in the production plan with the 2014 creation of the Aviation ISAC... At which point I'm betting ARJ21 project managers crapped themselves while their airplane sat in the red zone, staring, dreaming of that first taxi out to the runway, while they awaited final tech to come in from Bombardier, Rockwell, GE, Sukhoi, Antonov and others.

Did I forget to mention? According to the WSJ, the COMAC ARJ21 competes directly with these companies --in a very crowded market --Canada's Bombardier, Brazil's Embraer SA and Russia's Sukhoi Civil Aircraft Company, and was heavily influenced by foreign technologies including the McDonnell Douglas MD-90, avionics from Rockwell Collins, engines from General Electric, and wing designs by Ukraine's Antonov State Co. I know for a fact that Bombardier, Embraer, Rockwell, GE and others have been harvested systematically for aircraft (and other) technologies. I'd bet a dollar that the state sponsored Chinese intelligence apparatus fed directly into the creation of the state owned aircraft manufacturer in China --COMAC, and the development of the ARJ21... and I'm betting we'll see more airframes out soon.

Certainly the thought isn't completely out of the realm of possibility. There've been hundreds, if not thousands, of news pieces and blogs written over the last fifteen years calling out Chinese (government and private) attackers as being the culprits behind a ton of illegal technology transfer. The picture to the right shows a Chinese J-31 stealth aircraft that's essentially a knockoff of the Lockheed Martin built F-35. From Buick knockoffs to drones to satellite communication systems to toaster ovens and consumer electronics. The shortest path to production isn't through the lengthy process of R&D, it's to use someone else's... Heck, ever wonder why you find a Burger King within a mile of every McDonalds? McDonalds has a better research department! And stealing technology is no different.

I guess, and as you're probably wondering (like I am), exactly how much of the designs were purchased from each of those vendors and how much was stolen? With the company entering a crowded market ten years late... with design features coming from so many other airplane OEMs, and knowing damn well that each of the companies mentioned have suffered enormous losses directly related to Chinese cyber exploitation --heck, Boeing built the Aviation Information Sharing and Analysis Center (A-ISAC) to protect the aircraft OEM and industry writ large from prying eyes of Chinese state sponsored cyber espionage that had been occurring in their industry for over a decade.

I read the Wall Street Journal every morning. I have since I was an Ensign in 1996. I've never been so surprised by lack of attention to detail as I was in this piece. Why would the author not do the work to identify the deeper story? Was this a success story? A competition story, or simply empty intellectual calories? Why would they not explore the idea that the industry's been getting their clocks cleaned while technologies looking very much like competitive technologies (and not just US technologies) are coming out of China on a daily basis --from warships and drones to knock-off cars to commercial aircraft.

Who cares if it's ten years late when R&D cost almost nothing... right?


I've been writing about intelligence and APT for roughly the last five years --almost every weekend over my first coffee on Saturday morning, and while I'll admit, you get it a little rough, it's almost therapeutic. They say one of the best ways to relieve stress is to write a letter to yourself explaining the stressors that you're feeling --or write to a person who may have wronged you. In this case however, I've watched our space (the information security space) mature into a hodgepodge of technologies and vendors selling everything from snake oil to some amazing technologies, yet, I have to wonder why it is that when I ask a company how they ingest intelligence into their systems, they tell me they don't!

And when I look across the spectrum of governmental organizations, commercial companies (large and small), healthcare organizations, energy producers, and others --in every corner of the world, the realization is simply this.... we're losing this battle. Network defenders are getting CRUSHED by the sheer volume of attacks --successful and not --but those that are successful are costly in a big way. And as a result, we see folks like the banking CISO that I mentioned in my previous paragraph who are forced to simply rely on their managed security service to ensure their safety.

Why? Because CISOs still have a hard time talking to their management. Some simply haven't cracked the code on communicating the danger versus security versus ROI. To help, we've added a couple of new offerings to our lineup, starting with the Executive Read Board.

The Executive Read Board is a low cost subscription offering that offers technical analysis stories converted to easy readers by our on-staff journalist. Nancy had been an Air Force journalist, turned newspaper columnist, and now works for us turning our stories into something that your executives can understand in a quick read --and everything is based on technical or intelligence analysis written in the lab.

I'd encourage you to have a look. We just completed the transition over from an old proof of concept site, and because of its popularity, we took it mainstream. You'll find short pieces suitable for pushing directly to your management. If you need indicators, pull them from our indicator database Need more? Call us. We have a number of options from STIX/TAXII to an API to PDF reports.

In the meantime, I'll be heading to the MD/DC area this week, home plating for a ton of travel over the next two weeks, but I can be found occasionally at Shelly's, smoking a cigar, drinking a great bourbon. If you'd like to join me and shoot the sh*t, drop me a note. If you'd like more information on Red Sky Alliance or the intel group, Wapack Labs, drop me a note.

Until then, have a look at the Executive Read Board. There's a 14 day free trial, so please, have a read. We'll be pushing more and more up there this week, but there are a couple of hundred articles already populating the new site.

Enjoy, and Have a great weekend!

Saturday, July 02, 2016

Training Day and Kicking off our Veteran Training program with the VA and SNHU!!

OPINTEL is the term used by the Navy to refer to tailored, all-source intelligence provided directly to operating forces. It focuses on a potential adversary's capabilities, his immediate intentions, and the environment.

In the last few weeks we've been writing a ton of OPINTEL. 85(+/-) intelligence reports in the last month. In one case, we're helping the CLE PD understand threats forming as they ready for the RNC.

So yesterday was pizza, beer and training --early communism, exploring the formation of protest groups in the US, the Kent State shooting, and then bringing it forward to current day, comparing TTPs used by activism groups and how they form and operate.

I blogged recently about training returning veterans. The group that we've formed (Team Jaeger --the hunt team) has been doing OPINTEL as the first step into cyber intelligence --what a great way for a company or customer to help the cause --by sponsoring the training of a returning vet who'll be dropped into an analytic seat on day one, shown the priority intelligence requirements, taught to operate safely in cyberspace, and turned loose under the supervision of a retired CGIS Supervisory Special Agent who tutors them on writing actionable reports in a way that's understood by the most people and gets the message across quickly. For those who need OPINTEL, every vet knows a threat when they see one... we just have to teach them what to do with it. The results? Absolutely amazing. More on this in a moment.

While listening to the talk, as I looked around the room, I noted that the guys had taken a panel that we'd had printed for a booth at a conference in NYC from a couple of years ago --the intelligence cycle, and papered it up with sticky notes showing due times and battle rhythms. I preach the intelligence cycle, battle rhythms, publishing deadlines and analytic rigor. I taught intelligence cycle processes as part of our Threat Intelligence University at a customer location just last week... I thought my guys were getting sick of hearing about it, so to see this team with sticky notes on the board showing due times, routines, etc... for this new, high producing, insanely focused team, makes me happy as hell.

And more? I'm happy to announce that our partnership with the Manchester, NH VA Medical Center (VAMC) and Southern New Hampshire University is underway. We've hired four vets on referrals from the VAMC, and our first SNHU veteran students (14 of them) start in the lab on August 8th and we can't wait.

What're they going to get? We've taken our two day Threat Intelligence University firehose training program and converted it into university level modules, starting with Intelligence 101 (Threat Intelligence Cycle) and Intel 102 (Operating Covertly in Cyberspace) --all the way through scripting, malware analysis, detecting lateral movement, and advanced mitigation strategies. The interns will be receiving a number of these lessons and at the same time be tasked with providing real analytics on real problems --OPINTEL first, then TCP/IP training, and then heading into full cyber. The SNHU students get three credits for every 10 weeks they spend with us --some of the best OJT out there, with the idea that if they make it through, we'll be introducing them to the Red Sky Alliance members for jobs... We've already had requests.

And last? We were visited by Frank Edelblut --Republican entrepreneur turned Angel investor and politician, running for NH Governor. I'm not going to tell you that I don't straddle the political lines, but I'm a fan of folks who've also walked the walk, so it was a pleasure to have Frank in to talk about his days as an entrepreneur, and his thoughts on moving into the governor's seat.

Enough for now. As we kick off this Fourth of July weekend, and I prepare to head to the beach with my family, I wish you all a great weekend. Be safe with the fireworks, eat as many burgers or lobsters as you can choke down, and take a moment to remember the birth of our independence!

Until next time,
Have a great holiday weekend!