Saturday, May 27, 2017

Stutzman assumes new role...

What's that all about?

I've been running Red Sky and Wapack Labs since Feb '12 after leaving the government to join my old friend Jim McKee. I enjoy building new things, but long term? I needed a break. I keep finding myself with one foot in the analytic camp and one foot in the management camp, but as the company grows it becomes harder and harder to do both things well.

This week I told my partners that I felt like I was getting dumber with every day that passed, and that every minute I dealt with prospecting, taxes, managing the team, and all of the other things that go along with being CEO, I missed out on time spent staying sharp on the things that I really love doing.

So on Monday, I turned it over to Jim McKee, anointed him President, and started writing analysis.

My first task? I convened a fusion cell and authored a weekly report — one that we push out to customers who use us for tailored intelligence. I'd forgotten how much fun it is, but it's also like going back to working out after being off for a while — your muscles hurt afterward! Yes, my brain hurts tonight, but it's a good hurt.

So, CEO? Not me. Chief, Intelligence Operations? Oh yeah…

Tanqueray Martini. Shaken, not stirred.

CloudHopper? Systemic... AND Stutzman assumes new role!

This is an excerpt from a piece we authored for our membership. CloudHopper, first discussed about a month ago by PwC UK and BAE, is targeting Managed Service Providers for VPN and RDP credentials. Brilliant. When I first read the piece I assumed this to mean Managed Security Service Providers had been targeted, which would be bad, but colocation facilities? Not a new TTP, but still brilliant.

"CloudHopper, a new name for APT 10, has been identified stealing VPN/Remote Desktop credentials from Managed Service Providers in an effort to obtain administrative level direct access to network infrastructure mechanisms. In our opinion, this is significant. In almost every presentation, at least one financial presenter talks about “systemic threat”. This, we believe, is the epitome of systemic – get the administrative credentials to the network perimeter, change the authentication, and obtain unfettered, unchallenged access to any of the MSP’s customer base. (View the full report:"

This actually scares the hell out of me. 

Four years ago we rented colo space for a malware analysis sandbox. The colo provider had all of the right words in their list of certifications — ISO 27001, PCI, HIPAA, etc. After a walk-around of the facility, we signed the contract for a two year stint.

Within a month we started noticing fun things happening on the box. Fortunately for us we hadn't opened it up for our Red Sky membership; we were still very much in our testing phase. It was clear to us, however, that the machine had been compromised — so we drove to Boston, removed the server from the rack and brought it back to Manchester, where we mounted it locally. We found that the colo had the necessary tools to monitor the systems, but not to monitor the security. In fact, they had all of the right tools and skills, but never monitored for the things that would have allowed them to see unauthorized access — something we'd paid for.

The idea that VPN/RDP credentials are stolen and the resulting pathways used is not at all new. In fact, these were the first cases that I can remember after building my APT team when I worked at 'that really big defense contractor', over ten years ago. These accounts are the most prized. In many large companies, administrative credentials (domain credentials, the ones that most often have VPN and RDP access to many, many servers across the horizontal) become one of the single most effective vectors for systemic breach. And when it's done in a colocation facility, where small and medium sized companies are most likely to host? Not new, but still brilliant.
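The pattern described above (one set of administrative VPN/RDP credentials reused to reach many customer environments) is something a defender can look for in their own gateway and logon logs. The script below is an added example, not code from the post or from Wapack Labs. It runs over a few constructed log lines in an assumed "timestamp,event,user,src_ip,target" format and an assumed hostname convention of "<customer>-<role><nn>", and raises two kinds of alert: a VPN logon for an account from a source address not on its known list, and an RDP session from one account/source pair that fans out across several customers inside a short window.

```python
"""Detect MSP-style credential reuse in VPN/RDP logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp,event,user,src_ip,target. Addresses are
# documentation ranges (RFC 5737); host names follow an assumed "<customer>-<role><nn>" scheme.
SAMPLE_LOG = """\
2017-05-22T08:01:10,vpn_login,msp-admin,203.0.113.10,vpn-gw
2017-05-22T08:03:21,rdp_logon,msp-admin,203.0.113.10,custA-dc01
2017-05-22T08:04:02,rdp_logon,msp-admin,203.0.113.10,custA-file01
2017-05-22T09:15:00,vpn_login,j.doe,198.51.100.7,vpn-gw
2017-05-22T09:16:30,rdp_logon,j.doe,198.51.100.7,custB-app01
2017-05-22T23:41:05,vpn_login,msp-admin,192.0.2.77,vpn-gw
2017-05-22T23:42:11,rdp_logon,msp-admin,192.0.2.77,custA-dc01
2017-05-22T23:43:50,rdp_logon,msp-admin,192.0.2.77,custB-dc01
2017-05-22T23:45:12,rdp_logon,msp-admin,192.0.2.77,custC-dc01
2017-05-22T23:46:40,rdp_logon,msp-admin,192.0.2.77,custD-sql01
"""

# Assumed allow-list: the source addresses each account normally connects from.
KNOWN_SOURCES = {"msp-admin": {"203.0.113.10"}, "j.doe": {"198.51.100.7"}}


def parse_log(text):
    """Turn the CSV-style lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src_ip, target = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "src_ip": src_ip, "target": target})
    return events


def customer_of(target):
    """Hostname convention assumed for this example: '<customer>-<role><nn>'."""
    return target.split("-", 1)[0]


def find_new_sources(events, known_sources):
    """Alert once per (user, source) when a VPN logon comes from an unlisted address."""
    alerts, seen = [], set()
    for e in events:
        if e["event"] != "vpn_login":
            continue
        key = (e["user"], e["src_ip"])
        if e["src_ip"] not in known_sources.get(e["user"], set()) and key not in seen:
            seen.add(key)
            alerts.append({"type": "new_vpn_source", "user": e["user"],
                           "src_ip": e["src_ip"], "ts": e["ts"]})
    return alerts


def find_fan_out(events, window=timedelta(minutes=30), min_customers=3):
    """Alert when one (user, source) pair RDPs into >= min_customers customers within a window."""
    sessions = defaultdict(list)
    for e in events:
        if e["event"] == "rdp_logon":
            sessions[(e["user"], e["src_ip"])].append(e)
    alerts = []
    for (user, src_ip), logons in sessions.items():
        logons.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end in range(len(logons)):          # sliding window over sorted logons
            while logons[end]["ts"] - logons[start]["ts"] > window:
                start += 1
            customers = {customer_of(e["target"]) for e in logons[start:end + 1]}
            if len(customers) > len(best):
                best = customers
        if len(best) >= min_customers:
            alerts.append({"type": "rdp_fan_out", "user": user, "src_ip": src_ip,
                           "customers": sorted(best)})
    return alerts


def detect(log_text, known_sources):
    """Run both checks and return the combined alert list."""
    events = parse_log(log_text)
    return find_new_sources(events, known_sources) + find_fan_out(events)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, KNOWN_SOURCES):
        print(alert)
```

On the sample data the daytime session touches only one customer and stays quiet; the late-night logon from an unlisted address that then hops across four customers in five minutes produces both alerts. The thresholds (30 minutes, three customers) are starting points to tune against what legitimate MSP maintenance windows look like in your own logs.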

When asked why he robbed banks, Willie Sutton replied, “I rob banks because that’s where the money is.”  Why target colo facilities? Because that's the pathway to small company innovation and potentially, larger accesses. 


This may or may not be a surprise to many of you, but I've been running Red Sky and Wapack Labs since February 2012 when I joined my old friend Jim McKee in building Red Sky. 

This week I told him that I felt like I was getting dumber with every day that passed, and that every minute I dealt with prospecting, taxes, managing the team, and all of the other things that go along with being CEO, I missed out on time spent staying sharp on the things that I really love doing.

So on Monday I anointed him President, and started doing analysis again. I'd forgotten how much fun it is, but it's also like going back to working out after being off for a while — your muscles hurt afterward! Yes, my brain hurts tonight, but it's a good hurt.

My first task? We write tailored weekly products as an intelligence provider to some big companies. Yesterday I wrote my first one in nearly six months. There are several more to come. 

So, CEO? Not me. Chief, Intelligence Operations? Oh yeah…

Tanqueray Martini. Shaken, not stirred.

Saturday, May 20, 2017

#WannaCry - To Pay or Not to Pay. That is the question...

I'm not always sure that the government offers the best advice… and the press simply repeats it.

Earlier in the week I was interviewed by the local ABC affiliate. The next day, my team pulled together roughly 40 Red Sky Alliance members for a  — largely at my request, to better understand and make sense of all of the noise in the press.

Yesterday, I picked up flowers at a local shop, when one of the owners approached. She'd seen me on WMUR and wanted to tell me that she'd also experienced a WannaCry incident. This was the third such mention by someone who'd been infected. None of the three had full backups. All three told me they hadn't paid because 'they' (meaning the press, largely because of circular reporting) had instructed victims not to pay the ransom. I handed them a business card and told them to call me Monday.

I have a few thoughts. 

1. Don't pay? Be careful. Large companies, and those smaller companies who are prepared for such an event, might be fine not paying the ransom. What does 'prepared' mean? It means that you can completely restore lost data from tested backups. In these cases, none of the three had complete backups. They will soon. Each lost far more revenue than they would have if they'd just paid the ransom.

2. Make your own decisions. The government doesn't run your business. The press only reports what others tell them. Many times those opinions are based on something reported by others, often coming directly from the government. In this case the government urges people not to pay the ransom. The US does not negotiate with . I would urge you to make your own decisions.

3. Who did this? I'm not sure anyone has any real evidence. One report compared WannaCry with Lazarus, but in our work, we found only six lines of code in common, largely machine generated and, in our opinion, not a good indicator. We discounted it. We do, however, have theories… we rarely look at attribution at the country level (i.e.: Russia, China, N. Korea). I prefer to look for individuals. In this case, I think the story will unfold. My team, and our Red Sky members, are watching to see if this is a test. My bet? There'll be more.
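Point 1 above defines 'prepared' as being able to completely restore lost data from tested backups. The word that matters is tested: a backup job that runs every night proves nothing until something has been restored from it and compared against what was backed up. The script below is an added example, not from the post or from Wapack Labs, showing the smallest version of that test: record a SHA-256 manifest of the data at backup time, restore the backup somewhere else, and verify every file is present and unchanged. The directories, file names and the simulated damage are all constructed for the demo.

```python
"""Backup restore verification against a hash manifest (added example, constructed data)."""
import hashlib
import os
import shutil
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 at backup time."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def verify_restore(restored_root, manifest):
    """Compare a restored tree against the manifest; report what is missing or altered."""
    missing, mismatched = [], []
    for rel, digest in manifest.items():
        path = os.path.join(restored_root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
            continue
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != digest:
                mismatched.append(rel)
    return {"ok": not missing and not mismatched,
            "missing": sorted(missing), "mismatched": sorted(mismatched)}


def demo(corrupt=False):
    """Constructed end-to-end run: create data, back it up, restore it, verify the restore.

    With corrupt=True the 'backup' silently loses one file and damages another, which is
    exactly the failure a nightly job's green status light never shows you.
    """
    work = tempfile.mkdtemp()
    try:
        src, backup, restore = (os.path.join(work, d) for d in ("data", "backup", "restore"))
        os.makedirs(os.path.join(src, "accounts"))
        with open(os.path.join(src, "accounts", "ledger.csv"), "w") as f:
            f.write("date,amount\n2017-05-15,120.00\n")   # constructed content
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("call the insurer\n")                   # constructed content
        manifest = build_manifest(src)
        shutil.copytree(src, backup)                        # stands in for the backup job
        if corrupt:
            os.remove(os.path.join(backup, "notes.txt"))
            with open(os.path.join(backup, "accounts", "ledger.csv"), "a") as f:
                f.write("garbage\n")
        shutil.copytree(backup, restore)                    # the restore test itself
        return verify_restore(restore, manifest)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print("clean backup:", demo())
    print("damaged backup:", demo(corrupt=True))
```

In practice the manifest is stored separately from the backup media (a backup that carries its own checksums will happily verify its own corruption), and the restore is run on a schedule to a scratch location, not only when the ransom note is already on the screen.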

WannaCry encrypted over 200,000 computers. Last heard, the attackers earned slightly over $75,000 US. Not a bad payday if you're sitting in someone's garage punching a keyboard. Not so good if it's a country attempting to steal money (N. Korea?).

The bigger lesson? I have two. First, small business owners listen to the government, but in this case, the government (repeated by the press) didn't give adequate guidance to small businesses. In fact, here's what US-CERT offered as guidance:

"Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed."

One (me) might argue that in this case, this guidance is only partially true. Let's break this down.

"Paying the ransom does not guarantee that the encrypted files will be released..."

This, to me, demonstrates a lack of basic understanding on the part of US-CERT. Ransomware is a customer service business. A few weeks back, we paid a ransom for a client, roughly $30,000. When we couldn't decrypt servers we contacted their tech support. YES! They have TECH SUPPORT! If someone pays and still can't get their stuff back, victims will stop paying. It's bad for business!

"…it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information."

I'm sorry. Did I miss something? In which case did WannaCry take someone's banking information? Here's the way you buy a Bitcoin… Go to an exchange, pay the money, take a picture of yourself with a note that clearly states that you want to purchase the Bitcoin (the picture/note combination will be given to PayPal or your credit card company in the event that you try to reverse the purchase). You then get credited with the Bitcoin in a personal digital wallet. Send the Bitcoin to the bad guy, and you're done. So where does my bank account get stolen?

"In addition, decrypting files does not mean the malware infection itself has been removed."

This is absolutely true. Even if you pay, you'll want to burn that machine to the ground and reload it.

Two of the three pieces of guidance offered by US-CERT were not completely true, and in fact (again, Stutzman's humble opinion) were poorly worded guidance. If US-CERT is going to be cited as the authority (and they SHOULD BE!), they really need to pay attention to their audience. Never, EVER give guidance to one company and expect it'll hold true for another.

I'm certain there are victims out there still reeling from the encryptor. Drop us a note.

Saturday, May 13, 2017

Hacking back: A viable strategy or a major risk?

I spent yesterday at a conference at the Kostas Research Center at Northeastern University.

I don't normally spend my time in the midst of so many government folks anymore, but I did yesterday. I gave my "Daily Show" talk — the talk on massive key logger exploitation in the Maritime space — and sat on a panel later in the afternoon.

Yesterday morning, however, something BIG happened — a massive ransomware campaign, #WannaCry, was used in targeting healthcare and other industries in roughly a dozen countries around the world.

If you've heard me talk recently you know that one of the things I talk about is threats 3-5 years out… I call it my Futurist talk. What should we be thinking about beyond the end of next week? One of the things I talk about often is swarm attacks in cyberspace… the idea that massive numbers of computers can communicate, swarm, and attack a target computer, system or network and insert code, drop systems, etc., taking any opportunity to implant something that denies, degrades, destroys, or simply embeds.

During the panel, one question came up — a question that always comes up. A strong offense is often better than a strong defense. Should we be offensive in our defense? Should we be hacking back?

I think about this a lot, especially as it relates to ideas that in three to five years, even the most mature security teams (in my opinion) will not be able to keep up with the overwhelming amount of data that will be needed to actively, in real time, defend from these swarm attacks, attacks that I call the nuclear option, and cyber laser guided bombs.

Anyway, we started on my right. The first panelist talked of legal issues. The second spoke of mis-targeting (the old... what if I hit the baby milk formula factory?!), the third? Heck, I don't remember. When it was my turn, I gave the answer that I always give. I generally have two analogies:

  • "If I get into a bar fight, I'll make a decision to either talk it down, defend myself, or run… depending on who's picking the fight, whether or not I'm outnumbered, surrounded, etc." Generally, the other guy doesn't know that I've been a black belt for years, and if he pushes too hard, well… Maybe I'll buy the guy a beer to try and de-escalate the situation, but if that fails, if I think I can defend myself and win, I'll fight. If not? I'm asses and elbows outa there!
  • The second analogy? The one I used yesterday... "I live in New Hampshire. If someone breaks into my home in the middle of the night and attacks my family... I'm going to shoot them dead — and nobody is going to care. I was defending my family."

So why is it that in cyberspace, I'm not allowed to fight back?

Police aren't charged with, or equipped for, protecting you from cyber crime, and the government isn't going to come to your rescue unless you're a member of a critical infrastructure, and even then, well.... So what are you to do?

Hackers often learn their trade by sharing tactics and, many times, hacking each other — for fun or profit — live… yet defenders are expected to build expensive labs, take training, follow process, be good citizens, and stay within the law.

At some point, the tables have to turn. I'm not saying this is an answer that everyone should pursue. I am saying that if you feel you can defend yourself —and win, go for it. There may be legal consequences, and you might get a cyber broken nose, but for those who believe that they have the skillsets to actively defend themselves, my feeling is, they should be able to do so without fear of prosecution. 

This is a topic of discussion that I both enjoy and have talked about, both inside Red Sky and in public. In fact, Wapack Labs publishes an intelligence product that we call the Targeteer(R) report: dossiers on bad guys that we've identified over the years that pose threats to our membership. We identify them through good old-fashioned research. These guys are the wolves closest to your sleds.

We want to know if someone is a threat, and when we find out, we want to know how they work, where they live, how they connect to the internet, where they operate from, etc.  Why would we not use this information to our advantage? It's good intelligence and it can be used for many things —hacking back, legal or HR, freezing credit cards, and more.  This is good intelligence work and we publish it to our Red Sky members.

Should you fight back? Probably not. Should you have the right to? Absolutely.

Interested in hearing my futurist talk? Drop me a note. We'll set something up.

Monday, February 13, 2017

Morning One at RSA

Leaving the impending Nor'easter behind in Southern NH, after teaching the family how to hook up and start the generator, I boarded a puddle jumper from Manchester to Detroit, and Detroit to San Francisco, the annual trek out here for one of the largest security conventions in the world. Anyone who knows me will tell you that I can tolerate small crowds for a short period of time, but large crowds, even for a short period of time, make me absolutely nuts. This morning it appears the conference and most of the sessions are closed. Even the expo floor opens later tonight. So....

I'm hanging out under Moscone North, shaking hands with old friends as they make their way down for coffee. I've become a tea drinker of late but the coffee stand still attracts the geeks --and I love talking to them.

More to follow as we run through the conference, but for now, in the smaller crowds, I'm having a great time reconnecting --and writing.

Saturday, February 11, 2017

What's happening at Wapack Labs this week?

I'm running a bit late today. I'm preparing for yet another snow storm up here in New Hampshire, crossing my fingers that I'll actually make it out of here tomorrow --heading for San Francisco for RSA. I don't plan on writing a deep blog but thought I'd cover some of the highlights of the week.

Wapack Labs Threat Analysis Center: We unveiled a new offering this week, allowing companies direct access to our normalized raw intelligence (keyloggers, sinkholes, early warning tripwires, and more) using tools that you know. Red Sky Alliance members will now have access to our tools, where they can create dashboards and reports, analyze our data, or pull our data into their own Splunk, SIEM, or analytic tools. Need help? Reach out to the team through the Red Sky Alliance portal or Instant Messaging for real-time direct access to the team. Need a new source? Ask us. We'll capture it and get it into the system for you.

The system is in early adopter mode with three or four customers testing it as we speak. We're offering it up as a SaaS-based MVP today. I'll be showing off pieces of it during demos at RSA this week, so if you see me, grab me. I'll show you!

Threat Day: Our next Threat Day is rapidly approaching. This one will be a little different than others. We're offering the first couple of Threat Intelligence University training modules and training on the new Wapack TAC system. We hold these quarterly --some onsite at a member location, some virtual, but we've had questions about how we do some of the things we do --so, we'll show you!

Upcoming conference - CyberRx/Wapack Labs: We've partnered with CyberRx to deliver intelligence into the local BWI/DC SMB markets. We're co-hosting a conference on April 19th where we'll be setting up terminals at the conference and scheduling 10-minute meetings with each participant.  We'll open up the databases and tell them what we know about them and their industry.

This week and last, we seem to be busier than usual. Most years, we have a little bit of activity before RSA and then get really busy after. This week, however, seemed to be crazy. From companies calling in to increased hits on our blog, website, etc., we (I) have been non-stop. We love that.

So two fun things. First, I'm flying into SFO tomorrow night. My plan is to meet with folks Monday and Tuesday, but Monday night I'm looking forward to drinks with friends at the Marine Corps Club. It's a small place, but really nice.

Second, if you've ever considered one of those 'driving experience' days, we've got one for you. On March 3rd, we're bringing some friends together to do a driving school at Team O'Neil Rally Sports in the north woods of NH. This is a tactical driving school that teaches rally car racing. There is a cost, but if you're interested, drop me a note. We've got a few (6) spots left.  The day is meant to be fun and exciting. Interested? Drop Pamela a note. She can send you logistics. 

We know you guys have many (MANY) choices in where you get your intelligence. We also know (at least according to Ponemon) that the CISO and Incident Responders aren't the only ones who read it. There are only a handful of companies that I know of that offer intelligence written for both the technical and non-technical audience, and we're one. Drop me a note or grab me at RSA next week. I'd love to show you.

Have a great weekend and if you're heading for SFO, travel safe!

Saturday, February 04, 2017

What is Intelligence?

A great paper came out of the Ponemon Institute yesterday. It went hand in hand with messaging I'd heard from a CISO earlier this week: "I have so many dashboards, I don't look at any!" These were his exact words when I asked him "to what extent do you consume and use intelligence?"

The paper explained, as I've heard from so many CISOs, that security teams are feeling the data overload. Why? They're being bombarded with news, intelligence supporting vendor pitches, and aggregators of every IP under the sun, dumping it in your lap and calling it actionable intelligence.

If that isn't intelligence, what is?

We didn't have much time. It was a 30-minute meeting, but he asked me how we're different.  I told him that we actually follow an intelligence process.

And so I explained, as I often do, by telling a story:

Many of our members operate in Eastern Europe and Ukraine. In 2014 we tracked, in near real time, election manipulation in Ukraine. The campaign wasn't just cyber, however; it was full-spectrum information operations: psychological operations, influence operations, and propaganda, military actions for diversion (remember Crimea?), cyber, and intelligence monitoring the entire thing to ensure the desired impacts. There were actions against banks who supplied funding, and those associated with those banks. Military action was used to take over cellular communication nodes, and throughout, telephony denial of service (TDoS) and DDoS were used in conjunction with trojans and remote access control to take over communications.

There were several tools used by one side against the other (I say 'one side against the other' only because it's often hard to know who's who). Little did we know that one of those tools, BlackEnergy, would later become famous. We did some of our own work, but one of our peer intelligence companies had authored a great report on BlackEnergy. We issued reporting to the Red Sky members that told the GEOPOLITICAL story (the 'why should we care' piece). We reverse engineered the tools identified and included detection methods and metadata in our reporting.

Fast forward to Christmas 2015. BlackEnergy was believed to have been used against power companies in Ukraine, and this time, unlike the previous time in 2014, it hit the press. Now, every energy producer, distributor, etc., wanted to know how to protect themselves from attackers using BlackEnergy.

Back to the question. "What is Intelligence?"

I explained the idea of "Data, Information, Knowledge, and Wisdom". I explained that most intelligence feeds offer "data" (IOCs) but no real context about why it should be important or how it should be used.

I went on. Intelligence is the idea that we can collect a ton of data and that we boil it down into a form needed by a reader. In this case, we simply wanted to keep our finger on the pulse of the activities occurring in Ukraine.  Why? We have members who operate there. We felt we might be able to offer insights on things that might affect them, and at the same time, pick up some lessons learned about how those in the area operate against each other... and there were!

Our reporting and follow-on blogging (in the Red Sky portal) offered several pieces of highly valuable, highly actionable intelligence:

  • We told a story of how the attacks unfolded, thereby understanding where cyber fit in, how it was used, and who (specifically, by company name) was targeted. 
  • We identified several tools used, and by whom; 
  • We provided metadata on the tools, allowing security personnel the ability to protect; 
  • And we offered go-forward recommendations for operating safely in the future --not just security related, but things like monitoring political exposure of key executives in the area; 
    • Recommendations on courses of action are the hallmark of good intelligence. In some worlds, it's called 'strategy', but it's all based on some kind of solid intelligence foundation.

In this case, intelligence was realized by monitoring sources, collecting a ton of data and then boiling it down into something consumable: the story of election manipulation in Ukraine, and how/why our members may be impacted. It was written in a way that any person could understand it, and it offered specific protection and go-forward recommendations.
  • When the question came up in 2015, we had intelligence on BlackEnergy from a year prior.
  • In the Carbanak campaign, when a few dozen banks were compromised in Eastern Europe, the story was told as compromises in American and Australian banks.  We'd had intelligence from six months earlier that showed the story to not be entirely true (and we'd reported it out with the FS-ISAC at the time).
  • Last week a Florida port (Port Everglades) and Cuba made a deal to allow Cuban ships in Florida ports but the deal fell apart when the Governor threatened to cut off state funding to the port --resulting in a politically motivated DDoS. This will happen again. We learned something from this one --it's good intelligence. 
  • We're tracking yet another PLA cyber unit. Why? Because we want to know what they target and how. This is intelligence.  As more information becomes available, we'll analyze it and report. Until then, members can search through over five years of intelligence written and published in the Red Sky portal.

Intelligence is about assisting decision makers, in our case the CISOs, with protective strategies. We tell the stories, often times before they hit the news. We then, when possible, obtain the tools used, reverse engineer them and offer our members the technical data needed to protect themselves from the stories we've told. 

Intelligence is not the aggregation of everyone else's stuff. It's about helping that one company, that one time, make an informed decision. This is what we strive for.  

Have a great weekend.

Saturday, January 28, 2017

Lunch talk —Cyber Threat? Business Intelligence? Geopolitical?

I had lunch with a guy in Boston today, a smart dude, and as I ate my bento box and he his tuna maki, we talked about some of the creative ways that I've been wanting to use cyber intelligence data for a long time.

As we brainstormed some of the options, and I told him stories of the kinds of things we're writing about, he asked me... what do you actually do? Are you a cyber shop? Are you a geopolitical shop? Business Intelligence?

I told him that I've been experimenting with ideas of running comparisons between a measure we call "Cyber Threat Indexing" (patent pending) and key performance indicators associated with running a business.  What's that mean? If you owned a manufacturing company you'd probably worry about the uptime of your manufacturing line, right?  So what if you Splunked (yeah, I'm using it as a verb!) the number of times your company was mentioned in the intelligence space with the output measures of uptime off of your manufacturing resource planning systems?

You might be able to show genuine business risk as it relates to cyber risk, right? This is security holy grail stuff! As a CEO (albeit of a small company), I know we do our best to protect the operation, but I wonder: how does our external threat profile match up to our attack footprint, and how does that translate to my ability to run the company?
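The comparison sketched in the two paragraphs above (weekly counts of your company's mentions in threat reporting set against an operational KPI such as manufacturing line uptime) is, at its simplest, a correlation between two time series, and the interesting question is whether a rise in mentions precedes a drop in uptime by some number of weeks. The script below is an added example, not code from the post or from Wapack Labs, and it makes no claim about how "Cyber Threat Indexing" is actually computed. Both series are constructed; in the sample data uptime in each week was deliberately set to 100 minus the previous week's mention count, so the lag-1 correlation comes out as an exact -1.0 and the method is easy to check by hand.

```python
"""Lagged correlation between weekly threat mentions and production uptime (added example)."""
import math

# Constructed weekly series (8 weeks). Uptime in week t equals 100 - mentions[t-1],
# i.e. a one-week lag was built into the data on purpose so the result can be checked.
WEEKLY_MENTIONS = [1, 0, 2, 4, 3, 6, 5, 8]
WEEKLY_UPTIME = [99.0, 99.0, 100.0, 98.0, 96.0, 97.0, 94.0, 95.0]


def pearson(xs, ys):
    """Pearson correlation coefficient; returns 0.0 when either series has no variance."""
    if len(xs) != len(ys) or len(xs) < 3:
        raise ValueError("need at least three paired observations")
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def lagged_correlations(mentions, uptime, max_lag=3):
    """Correlate mentions in week t with uptime in week t+lag, for lag = 0..max_lag."""
    results = {}
    for lag in range(max_lag + 1):
        xs = mentions[: len(mentions) - lag] if lag else mentions[:]
        ys = uptime[lag:]
        if len(xs) >= 3:
            results[lag] = pearson(xs, ys)
    return results


def strongest_lag(mentions, uptime, max_lag=3):
    """Return (lag, r) for the lag with the largest absolute correlation."""
    results = lagged_correlations(mentions, uptime, max_lag)
    lag = max(results, key=lambda k: abs(results[k]))
    return lag, results[lag]


if __name__ == "__main__":
    for lag, r in lagged_correlations(WEEKLY_MENTIONS, WEEKLY_UPTIME).items():
        print(f"lag {lag} week(s): r = {r:+.3f}")
    print("strongest:", strongest_lag(WEEKLY_MENTIONS, WEEKLY_UPTIME))
```

Eight weeks of data is far too little to draw a conclusion from in real life; the point of the exercise is the shape of the analysis (which KPI, which lag, and whether the sign of the relationship is the one you expect), which is the part that has to be agreed with the business owners before any dashboard gets built.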

Why do we measure geopolitical risk, he asks? Because where there's geopolitical risk there will always be a cyber risk. We monitored hackers stockpiling tools during the nuclear talks last year. In this case, we monitored cyber risk and identified potential targets that could be seen as political retribution targets: our Wall Street bankers (some of whom are our customers), and companies operating in the Middle East (also some customers).

The cyber risk to our members was real.  Motivation would be political retribution on opportunistic and targeted potential victims.  Our expectation was that targets would be chosen (by groups we were monitoring), and those targets would likely be those thought impactful —not because of simple compromise, but because they might send a message. Attacks never occurred, but if they had, our members would have already had the protections from our reporting. 

We monitored the manipulation of the Ukrainian Presidential Election.

Why? Again, we had several Red Sky members who operate in the area. What'd we get? Cyber tools used in 2014 that hit the press in a big way over Christmas 2015... our members had proactive information on a tool used in the future against others (maybe them).

In all three cases, we used an all-source intelligence approach to understanding the cyber threat to our customers.
  • The first measures business process interruption as a result of cyber activities and risk.  
  • The second and third, we monitored geopolitical activity because although not exclusively cyber activities, there were massive cyber threats posed to our customers working in the areas. 

Are we a cyber threat intelligence shop? Absolutely. But we don't see things quite the way others do. If you're pulling lists of indicators of compromise (IOC), you're looking at every tree —examining each for potential compromise.

We are a cyber shop, but we do it through "all source" intelligence processes, not just from incident response data. We like to tell the story and then tell you how to identify and protect against it, not hand you indicators of the attack with no context as to what they're being used to find. How in the world do you know what's most important?

It's like that bento box! The whole is the sum of its parts. IOCs are the parts; the sum is the context and the story. Call us. We can help.

Want to be part of our new mailing list? Subscribe here:

Have a great weekend!