Saturday, December 03, 2016

Why Intelligence?

(Ghost-posted for Micheal Tanji) At the close of my first month at Wapack Labs, and as the company prepares to surge ahead for 2017, I thought it was a good time to articulate a couple of things I thought were important for everyone who is struggling with cyber security and trying to understand what role intelligence can play in overcoming those struggles.

First, the basics. 

Intelligence is not a “feed.” In a nutshell, the content hierarchy goes like this:

  • Datum
  • Datum + Datum = Data
  • Data + Data = Information
  • Information + Context + Methodology = Intelligence

Intelligence provides you with meaning, which is something that only human insight and intellectual rigor can provide. That X happened on Y date at Z time is news; who did it, why, and what implications X has for you, your people, or your business is intelligence.

You need intelligence to combat cyber security problems because intelligence helps you make decisions. Anything that complicates your decision-making process isn't intelligence, it's noise. It's more hay on the proverbial stack.

To produce good intelligence you need two key things: solid sources and sound methodology. Without good sources, you’re not even telling people news, you’re giving people your interpretation of the news based on what a guy who heard the news through the headphones of a guy he was sitting next to on the train told you.

The full spectrum of analytic methodologies is far beyond the scope of this post; suffice it to say that a true provider of intelligence subjects its sources and the data they produce to a range of processes and intellectual approaches to help derive facts, reduce ambiguity and provide the kinds of insights that consumers of intelligence so desperately need: that rare, clear signal amongst the ocean of noise.

It would also be a mistake to think that producing good “cyber” intelligence stops at technical analysis. Cyberspace is its own domain, but its underpinnings are physical and increasingly so are its impacts. Cyber-attacks are carried out by human beings, with myriad motivations. Only an analytic team that has “cyber” skills as well as cultural and linguistic skills, awareness of a range of geo-political dynamics, knowledge of economic, financial, legal and other matters can put all those bits and bytes into the proper context. 

Finally, there is no substitute for experience. You can run the smartest people through the most rigorous training and give them the most advanced tools, but their journey as intelligence professionals has only started. This is not an issue of gray-beards having better “guts” for the work (which is itself an intellectual trap that analysts can fall into – also, we could stand to lose a few pounds), but a factor of knowing what works, being able to enforce discipline and rigor in the process, and understanding that we are not writing book reports, but occupy a position of trust. That we’re a “civilian” intelligence organization doesn’t reduce the seriousness of what we do.

If you’ve spent money on something called intelligence that doesn’t meet the aforementioned criteria, you’ve bought a feed. You’ve made it that much more difficult to find the needle, and increased the probability that you’re going to get poked somewhere sensitive. It’s a common mistake because marketers treat “intelligence” like “APT” or insert your own buzzword here: they strip it of meaning and re-define it to match whatever they’re offering.

If you’re drowning in data, if you find it increasingly difficult to make good decisions about your cyber defense, if you’re struggling to define ROI for your security spending, intelligence – real intelligence – can help. And I’m glad I’m back in a position where my training and experience can make a difference.  

Saturday, November 26, 2016

Who else knows?

We did a victim notification on the eve of Thanksgiving, about 8:30 PM EST, with a US-based online accounting firm. The firm boasts hundreds of clients on their website, although after looking at their data, I actually know how many clients they have. There are some good ones; every one was listed in the financials shown in unencrypted emails that were harvested and sent from their systems, and although I didn't tell their customers that their outsourced, online accounting firm had suffered a data breach of nearly 80G of their accounting data, customer lists, and payroll information, at some point soon they're going to find out.

So after a call to their customer support line (my call was actually forwarded to a human), and two emails to the CEO, he called me on Thanksgiving morning.  I explained what'd happened.

So as we speak, on the weekend, two days after Thanksgiving, we're preparing a formal report for the accounting firm, detailing the simple actions that offered the penetration into this small scale systemic breach, with the names of those who'd been exploited and harvested.

Wait.. did I say simple actions? Yes. This breach, like many others, could have been prevented by two things... knowing that the activity was ongoing (this is called cyber threat intelligence), and by taking the appropriate actions to prevent it.  The malware (a key logger) that was used is widely recognized by many of the AV vendors out there today, but it was dropped onto the machine of a senior account representative  --a sales guy!

I scrubbed the name of the machine from the screenshot on the right, but the "Installed Anti-Virus:" and "Installed Firewall:" lines were both blank when we found it. This SaaS company didn't have even the most basic protection mechanisms on their sales guy's computer, and for that, they had a bad Thanksgiving.

I realize that there's an amazing amount of data coming in, and it's really hard to recognize which to act on now, which to wait on, and which to simply pass on. This is not an uncommon scenario. A couple of weeks ago I spent some time with a group of CISOs, all of whom experience, and don't know what to do about, the sheer volume of information. As incident response companies, big data companies, and open source lists offer more and more information, the CISOs in the smaller companies (small meaning 1 - 10,000 employees) are drowning in data and literally have no idea what's important.

And while I always talk about intelligence and information sharing, many still don't understand what it actually is, or means. That night I offered a view into information sharing, and what it is: early warning, prioritization, proactive response, all supported by a group whose only job is to monitor threat profiles of the companies in the information sharing environment, and report when they see something bad happening.

In this case, the company was not a Red Sky member.  As with many interesting nuggets, we found his data while pulling threads related to something else we were working on.  He asked where the data came from, and then the dreaded question... "Who else knows?"  In our case, the "Who else knows?" is simple. We tell the members of Red Sky Alliance. Some of them use this service and we want them to know that one of their vendors has a problem.  They may be able to help.


You're going to see a few changes in messaging moving forward.  Red Sky Alliance and Wapack Labs had been, from the start, two different companies. As of the end of the year, they're becoming one and will operate as Wapack Labs.  The Red Sky portal will become the focal point and delivery for Wapack Labs intelligence, and when a company enters the environment, they'll be met with a team of Wapack Labs analysts ready to assist.  As a Red Sky member, you'll have access to our malware repository, our CRITS (currently in beta testing and loading data after the build), full access to our threat intelligence, the indicator database (Threat Recon) and the raw intelligence search API. Red Sky Alliance will be a cyber intelligence concierge; an analytic hub and information sharing environment. We provide the sources and tools, you bring the questions and the know-how. Don't know how? Our analysts are standing by and ready to help.  You'll see the changes taking shape as we move into the new year,  and already, we've had five new organizations jump in.

On that, I'm off.
Until next time. Have a great weekend!

Saturday, November 19, 2016

My Hat's Off to Soltra

Normally when a company doesn't work out the way we'd hoped, we criticize and critique, and we Monday morning quarterback and we talk about all of the things they did wrong to make them go away. And certainly, my own company struggles like every other company out there with those competitive pressures, so I don't criticize. I look for the lessons, and the good that came from the experience and we drive on.

In this case though, when Soltra was announced as being discontinued, and Aaron Chernin's name showed up on LinkedIn with another company behind it, I thought to myself "What a shame"; and then I thought, Wow. These guys really made a difference.

Many of us have been fortunate enough to have had our fingerprints in tools, technologies, ideas, and processes that have stayed well beyond our initial participation. Soltra will be one of those ideas that I look back on and think to myself they left their fingerprint all over this...

Look, between the FS-ISAC and DTCC, the idea of Soltra was in my mind BRILLIANT. While I don't necessarily agree on all of the implementation decisions, there's one thing for sure. There needs to be a way to automatically share indicators in a way in which analysts at both ends of the sharing stream can understand their importance, rack and stack confidence by source, and automatically ingest the information into a device that can use it without further manipulation, cut and paste, or additional human man-hours. I'll admit, we were a late adopter. As a cash-flow-operated company I wanted to wait until the dust settled. And even today, the idea of moving STIX from XML to JSON means many folks are going to have to do a bit more work... but...

Soltra Edge really pushed the ball up the hill. 

I believe at last count, Soltra had over 11,000 downloads. I'm certain many of those were not paid accounts, but at the same time, the idea that over 11,000 application downloads by 2900 organizations, who did something with it is absolutely amazing to me. And more, the idea that those users were primarily in the Financial Services and Security industry is even better.

There's power in numbers, and when those numbers are offered a solution by two trusted organizations, the FS-ISAC and DTCC, backed by the knowledge that many of the other financial institutions in the world will be downloading and using it, and then that many of the trusted security companies in the world (us included) will be using it... the sheer volume of warm potential users, all in one industry, supported by the security companies who wish to sell into STIX/TAXII enabled environments, made the viral spread of Soltra in the financial sector possible. And while it wasn't meant to be this time, there are several options out there that will now take Soltra's place in the market, filling the hole that was left. But wait, did I say that there are several others who've taken on TAXII servers? I did, yes.

Being an entrepreneur is really hard. Being a tech entrepreneur is even harder. But being a tech entrepreneur who was selling a disruptive idea? Holy cow. You (Soltra) guys didn't just take someone else's stuff and make an improvement, you created a whole new way to share information! Ok, there were flaws. So what! We all fail sometimes. But sometimes even in failure we advance ideas that paved the way for even greater things. Soltra was one of those things.

And so, as I close, I come back to my original statement. Mark Clancy, Bill Nelson, Aaron Chernin, and all of those other names that I'll never know, my hat's off to you all!

With Respect,
Bravo Zulu.

Saturday, November 12, 2016

We're growing! Partner Exchange Program, Data Analytics, Strategic Hires

First, let me say how happy I am that nobody resorted to cyber bombing during the elections. And although there was a short period during the morning after, where Anonymous put out the word, the results were peaceful physical protests rather than cyber. For that, I'm happy to say that my blog from last week entitled "Mutually Assured Cyber Destruction?" didn't, in fact, come true.


A couple of years ago a friend came back from Afghanistan. He was an intel officer charged with identifying those folks building bombs that, maybe, we should pay a visit to.

His big data output pushed roughly 800 targets to him every day, yet he could only visit a half dozen or so. So what'd he do? He sat up all night and picked a half dozen high probability targets for the next day. He was the guy who wrote the 'finished intelligence' from the big data picture that kept coming in from the aggregation and analysis shops supplying him with targeting information.

This became the norm and eventually, he came home.

Yesterday I sat with a small bank CISO and his deputy. I told them that in one of our past projects we'd pushed intel products to various organizations preparing in support of the National Conventions. I even gave them one of the 60 or so short, tactical intelligence products that we pushed to folks involved in the setup. This one report talked about an assassination attempt on Trump that never seemed to make it into the mainstream news, but did make it into smaller outlets.

When I passed it off to the banker, he asked, "How'd you find this stuff?" My answer? We read! And then we push it out in just about any form needed to get it into our customers' inboxes.

In three weeks we'd pushed roughly 75 intel products with a bunch of great stuff on the activities in Cleveland, then the Rio Olympics.

Cyber intelligence was once the domain of larger companies who could actually do, understand, and act on intelligence; today however, smaller companies are asking the same questions. But as they learn, many, like the larger companies we've worked with for so many years, really have no idea how to get it, what's good and what isn't, how to deal with the overwhelming amount of data, and rarely do they have an understanding of what to do with it when they actually do get good stuff. Even worse, the question of whether they can even recognize the finished intelligence from the aggregated data often gets answered in the negative.

So I asked my new small bank CISO friend how he ingests all of the stuff that they get from their intel feeds, the lists, etc. His answer? "We don't. There's too much data and we really don't have time to figure out what's important and what's not." Yikes. He relies on an MSSP and then uses sensors internally connected to a commercial SMB SIM; but if it's not getting pushed into the SIM by someone else, he reads what he can, but the finished intel has nowhere to go except the cutting room floor. Yikes.

We wanted to find a way to help. So let's try this... 

Wapack Labs collects nearly half a million victims every week, including those hit with key loggers, botnets, and various APT and non-APT activities. When we detect them, we do victim notifications, at no charge; we shoot the victim an automated alert form from our API. At the same time, we've hired some new strategic people to assist in pushing the message out to those who need it, but may not yet be able to consume and act on it:

I'm happy to say, we hired Michael Tanji as the new Managing Director of a new Wapack Labs Partnership Exchange Program. The idea is simply this... when we see a smaller company in trouble, we let them know, generally through a partner who can help. We don't charge for the service, rather we generate revenue through partnership building. Mike has been in the intel space for over 20 years. I've known him since we were in uniform, and I'm certain he's the right guy for building partnerships. We don't want to be in the break/fix business, but if we can enable others while helping those who need help; well, we see that as a win-win.

We hired Patrick Maroney to build new analytic tools and data analysis processes. Pat is the former Executive Director of the Defense Security Information Exchange (DSIE), the Chief Architect for CyberIQ, and before that a Director in Information Security at L3. He's a long time evangelist and thought leader in the development and practical application of International Standards for Cyber Threat Intelligence Data Representation Models, Inter-Exchange, and the community development of tools, frameworks, and operational Reference Implementations, and has come to Wapack Labs as a Principal Engineer in charge of 'enabled analytics', building analysis tools for analysts.

And last, but certainly not least, as we grow, it's more important than ever to make sure we add quality cyber analysts to the team. One of those is a young woman who worked in my team at the Office of Naval Intelligence, shortly after my time, but will with the team. Liz Shirley is coming onboard to take on the role of Fusion Director for the intelligence team. Liz has got a great background, including having worked as a senior intelligence analyst at Gestalt, iSight Partners, the FBI's National Cyber Investigative Joint Task Force (NCIJTF), Pacific Northwest National Labs, and the Office of Naval Intelligence. She's going to make a great addition to our team and help lead and shape younger analysts.

We're growing, we're adding new offerings, and we're excited! The last few weeks have been busy for us, and as we head into the end of the year, I'm making one more trip to the BWI/DC area, with our new marketing manager in tow, meeting with customers, Red Sky members, and prospects one last time before we head into Thanksgiving. If you'd like to grab some time in person while I'm in town, drop me a note. If you'd like to schedule some virtual time to find out more about what we do and how we do it, we'd be happy to show you... and for the remainder of the year, as we put on the full court press before the holidays, we're offering two months in Red Sky Alliance before you're billed for your first year. Simply sign up and finish membership paperwork by the end of the year and you'll receive your first two months on us!

OK folks.. it's going to be a long day on the tractor for the last lawn mowing of the season before the deck comes off and the bucket loader goes on.. I've got work to do before travel.

So, until next time,
Have a great weekend!

Monday, November 07, 2016

Election Day Mutually Assured Cyber Destruction?

"U.S. military hackers have penetrated Russia's electric grid, telecommunications networks and the Kremlin's command systems, making them vulnerable to attack by secret American cyber weapons should the U.S. deem it necessary, according to a senior intelligence official and top-secret documents reviewed by NBC News.

American officials have long said publicly that Russia, China and other nations have probed and left hidden malware on parts of U.S critical infrastructure, "preparing the battlefield," in military parlance, for cyber attacks that could turn out the lights or turn off the internet across major cities."

I had a boss once who used to tell me "There are no unintentional leaks in Washington," so I'm guessing this is a question of mutually assured destruction in cyberspace, but does it really have to be telegraphed?

Saturday, November 05, 2016

Cyber influencers on next week's elections?

We blogged last week on activity that we believe may be indications of potential upcoming election tampering. Tonight it was on the news. And while I'm sure they didn't get it from us, we've been watching election activities in Eastern Europe since the last Ukrainian Presidential election. 

We witnessed election tampering (hacking, DDoS, and telephone DoS) in the Ukraine, and then again DDoS in Bulgaria. We're also paying attention to Macedonia and Moldova, not because we had a dog in either fight but because there are massive lessons to be learned from watching the cyber interactions when we have customers who operate in both areas... and we have a global customer base that we believe has interests in the areas, and wants to know.

In October (last month), Wapack Labs watched as Montenegro was hit with a DDoS and insurgency preparations as the pro-Russian opposition tried to take hold in the October 2016 elections.


Wapack Labs believes with high confidence that there will be additional election tampering, but analytic rigor dictates that more data be collected.  We have five major elections in the near future where foreign interests may be manifested by some cyber activity – Bulgaria, USA, Macedonia, Moldova, Transnistria and France:

  • 06 November 2016 - Bulgaria. Presidential elections will be held in Bulgaria on 6 November 2016.[1] Bulgaria is a NATO member but has a very strong pro-Russian fraction of the population. The incumbent President, Rosen Plevneliev, announced in May 2016 that he would not be running for re-election. Last year the Bulgarian Central Election Commission and other governmental institutions were DDoSed as the country held municipal elections.[2]
  • 08 November 2016 - USA.  Hacking of Democratic organizations, with release of the data, as well as intrusions to the Arizona and Illinois election commissions were mostly attributed to Russian APT hackers. 
  • 11 December 2016 - Macedonia. Early parliamentary elections will be held in Macedonia on 11 December 2016, having originally been planned for 24 April and later 5 June. The elections were called as part of an agreement brokered by the European Union to end the protests against the government. From 20 October 2015, a transitional government was installed including the two main parties.[3]
    [Image caption: Leading Moldovan presidential candidate Igor Dodon meets with Putin (2014)]
  • 13 November 2016 - Moldova. The second round of presidential elections will take place on 13 November 2016. The Socialist Party leader, Igor Dodon, fell just short of the majority needed to secure outright victory and faces a runoff election.[4] Wapack Labs believes that Moscow will radically increase its influence on the ex-Soviet republic. Russia has troops in unrecognized Transnistria, and this development might be similar to Georgia, where the pro-Western government lost land to Russia and then lost its power to a more Russia-oriented coalition.
    [Image caption: Soviet-like Transnistria coat of arms]
  • 11 December 2016 - Transnistria. Presidential elections, 11 December 2016.[5] Transnistria is part of Moldova, an unrecognized state with a Russian military base and strong military influence. Moscow is courting both leading presidential candidates but is worried that their fierce rivalry and worsening economic conditions might lead to destabilization of this pro-Russian region.[6]
  • April and May 2017 - France. The next French presidential election is scheduled to be held in April and May 2017.[7] But the first primaries are this month already. Marine Le Pen, whose National Front was taking Russian funding, is predicted to gather between 28% and 30% in the first round, ranking first or second, and so to be qualified for the run-off.[8]

There's been much in the news about the potential for DDoS next week during the elections. We do not see this as much of a stretch. There are many who'd like to disrupt voting next week, including just about any kid who's got access to a botnet and credentials to the sensors in your thermostats and refrigerators. 

There are, however, many geopolitical influencers supporting the idea that there will be cyber activities: Wikileaks is preparing to dump what Assange is calling the most damning dump yet. That's yet to be seen.

In the meantime, get ready folks. You've heard me say it before.. welcome to the new normal.

Have a great weekend!

[5] [article in Russian]

Sunday, October 30, 2016

Like Beer? Beer + Information Security + Intelligence = AWESOME!

I started a post about how I blew my entire $12.88 marketing budget last month on a rubber stamp that I used at the ISC2 and ASIS conference in Orlando. That $12.88 rubber stamp got more action than a fox in a hen house.

...but now there's a horse race going on... I challenged my marketing person to come up with a way of getting the word out about this nearly one year old offering. We've been publishing, but haven't really advertised it. So...

What's the Readboard? Like the graphic says, we hired a professional journalist to rewrite our more technical and intelligence reports into short format products, 1-2 pages written in a journalistic style. These products can be used when your boss needs fodder, or you need to explain in human what happened, or... whatever.

Sign on for a free trial by 11/30 and enter your name in a drawing for a Beer of the Month Club raffle, for a year! (That was MY idea. I LOVE beer!).

Scan the Sign-up QR code, or use this link...


Either way, sign up for the free trial, and win some beer!