Monday, February 13, 2017

Morning One at RSA

Leaving the impending Nor'easter behind in Southern NH, after teaching the family how to hook up and start the generator, I boarded a puddle jumper from Manchester to Detroit, and Detroit to San Francisco --the annual trek out here for one of the largest security conventions in the world. Anyone who knows me will tell you that I can tolerate small crowds for a short period of time, but large crowds, even for a short period of time, make me absolutely nuts. This morning, it appears, the conference and most of the sessions are closed. Even the expo floor opens later tonight. So....

I'm hanging out under Moscone North, shaking hands with old friends as they make their way down for coffee. I've become a tea drinker of late but the coffee stand still attracts the geeks --and I love talking to them.

More to follow as we run through the conference, but for now, in the smaller crowds, I'm having a great time reconnecting --and writing.

Saturday, February 11, 2017

What's happening at Wapack Labs this week?

I'm running a bit late today. I'm preparing for yet another snow storm up here in New Hampshire, crossing my fingers that I'll actually make it out of here tomorrow --heading for San Francisco for RSA. I don't plan on writing a deep blog but thought I'd cover some of the highlights of the week.

Wapack Labs Threat Analysis Center: We unveiled a new offering this week, allowing companies direct access to our normalized raw intelligence using tools that you know: keyloggers, sinkholes, early warning tripwires, and more. Red Sky Alliance members will now have access to our tools, where they can create dashboards and reports, analyze our data, or pull our data into their own Splunk, SIEM, or analytic tools. Need help? Reach out to the team through the Red Sky Alliance portal or Instant Messaging for real-time direct access to the team. Need a new source? Ask us. We'll capture it and get it into the system for you.

The system is in early adopter mode with three or four customers testing it as we speak. We're offering it up as a SaaS-based MVP today. I'll be showing off pieces of it during demos at RSA this week, so if you see me, grab me. I'll show you!

Threat Day: Our next Threat Day is rapidly approaching. This one will be a little different from the others. We're offering the first couple of Threat Intelligence University training modules and training on the new Wapack TAC system. We hold these quarterly --some onsite at a member location, some virtual, but we've had questions about how we do some of the things we do --so, we'll show you!

Upcoming conference - CyberRx/Wapack Labs: We've partnered with CyberRx to deliver intelligence into the local BWI/DC SMB markets. We're co-hosting a conference on April 19th where we'll be setting up terminals at the conference and scheduling 10-minute meetings with each participant.  We'll open up the databases and tell them what we know about them and their industry.

This week and last, we seem to be busier than usual. Most years, we have a little bit of activity before RSA and then get really busy after. This week, however, seemed to be crazy. From companies calling in to seeing increased hits on our blog, website, etc., we (I) have been non-stop. We love that.

So two fun things. First, I'm flying into SFO tomorrow night. My plan is to meet with folks Monday and Tuesday, but Monday night I'm looking forward to drinks with friends at the Marine Corps Club. It's a small place, but really nice.

Second, if you've ever considered one of those 'driving experience' days, we've got one for you. On March 3rd, we're bringing some friends together to do a driving school at Team O'Neil Rally Sports in the north woods of NH. This is a tactical driving school that teaches rally car racing. There is a cost, but if you're interested, drop me a note. We've got a few (6) spots left. The day is meant to be fun and exciting. Interested? Drop Pamela a note. She can send you logistics.

We know you guys have many (MANY) choices in where you get your intelligence. We also know (at least according to Ponemon) that the CISO and Incident Responders aren't the only ones who read it. There are only a handful of companies that I know of that offer intelligence written for both the technical and non-technical audience --and we're one. Drop me a note or grab me at RSA next week. I'd love to show you.

Have a great weekend and if you're heading for SFO, travel safe!

Saturday, February 04, 2017

What is Intelligence?

A great paper came out of the Ponemon Institute yesterday. It went hand in hand with messaging I'd heard from a CISO earlier this week --"I have so many dashboards, I don't look at any!" These were his exact words when I asked him "to what extent do you consume and use intelligence?"

The paper explained, as I've heard from so many CISOs, that security teams are feeling the data overload. Why? They're being bombarded with news, intelligence supporting vendor pitches, and aggregators of every IP under the sun, dumping it in your lap and calling it actionable intelligence.

If that isn't intelligence, what is?

We didn't have much time. It was a 30-minute meeting, but he asked me how we're different.  I told him that we actually follow an intelligence process.

And so I explained, as I often do, by telling a story:

Many of our members operate in Eastern Europe and Ukraine. In 2014 we tracked, in near real time, election manipulation in Ukraine. The campaign wasn't just cyber, however; it was full-spectrum information operations: psychological operations, influence operations, propaganda, military actions for diversion (remember Crimea?), cyber, and intelligence monitoring the entire thing to ensure the desired impacts. There were actions against banks who supplied funding, and against those associated with those banks. Military action was used to take over cellular communication nodes, and throughout, telephony denial of service (TDoS) and DDoS were used in conjunction with trojans and remote access tools to take over communications.

There were several tools used by one side against the other (I say 'one side against the other' only because it's oftentimes hard to know who's who). Little did we know that one of those tools, BlackEnergy, would later become famous. We did some of our own work, but one of our peer intelligence companies had authored a great report on BlackEnergy. We issued reporting to the Red Sky members that told the GEOPOLITICAL story (the 'why should we care' piece). We reverse engineered the tools identified and included detection methods and metadata in our reporting.

Fast forward to Christmas 2015. BlackEnergy was believed to have been used against power companies in Ukraine, and this time, unlike the previous time in 2014, it hit the press. Now, every energy producer, distributor, etc., wanted to know how to protect themselves from attackers using BlackEnergy.

Back to the question. "What is Intelligence?"

I explained the idea of "Data, Information, Knowledge, and Wisdom". I explained that most intelligence feeds offer "data" (IOCs) but no real context about why it should be important or how it should be used.

I went on. Intelligence is the idea that we can collect a ton of data and boil it down into the form needed by a reader. In this case, we simply wanted to keep our finger on the pulse of the activities occurring in Ukraine. Why? We have members who operate there. We felt we might be able to offer insights on things that might affect them, and at the same time, pick up some lessons learned about how those in the area operate against each other... and there were!

Our reporting and follow-on blogging (in the Red Sky portal) offered several pieces of highly valuable, highly actionable intelligence:

  • We told a story of how the attacks unfolded, thereby understanding where cyber fit in, how it was used, and who (specifically, by company name) was targeted.
  • We identified several tools used, and by whom.
  • We provided metadata on the tools, allowing security personnel the ability to protect.
  • And we offered go-forward recommendations for operating safely in the future --not just security related, but things like monitoring political exposure of key executives in the area.
    • Recommendations on courses of action are the hallmark of good intelligence. In some worlds, it's called 'strategy', but it's all based on some kind of solid intelligence foundation.

In this case, intelligence was realized by monitoring sources, collecting a ton of data and then boiling it down into something consumable --the story of election manipulation in Ukraine, and how/why our members may be impacted. It was written in a way that any person could understand, and it offered specific protection and go-forward recommendations.
  • When the question came up in 2015, we had intelligence on BlackEnergy from a year prior.
  • In the Carbanak campaign, when a few dozen banks were compromised in Eastern Europe, the story was told as compromises in American and Australian banks. We'd had intelligence from six months earlier that showed the story to not be entirely true (and we'd reported it out with the FS-ISAC at the time).
  • Last week a Florida port (Port Everglades) and Cuba made a deal to allow Cuban ships in Florida ports, but the deal fell apart when the Governor threatened to cut off state funding to the port --resulting in a politically motivated DDoS. This will happen again. We learned something from this one --it's good intelligence.
  • We're tracking yet another PLA cyber unit. Why? Because we want to know what they target and how. This is intelligence.  As more information becomes available, we'll analyze it and report. Until then, members can search through over five years of intelligence written and published in the Red Sky portal.

Intelligence is about assisting decision makers, in our case the CISOs, with protective strategies. We tell the stories, oftentimes before they hit the news. We then, when possible, obtain the tools used, reverse engineer them, and offer our members the technical data needed to protect themselves from the stories we've told.

Intelligence is not the aggregation of everyone else's stuff. It's about helping that one company, that one time, make an informed decision. This is what we strive for.

Have a great weekend.

Saturday, January 28, 2017

Lunch talk —Cyber Threat? Business Intelligence? Geopolitical?

I had lunch with a guy in Boston today --a smart dude, and as I ate my bento box and he his tuna maki, we talked about some of the creative ways that I've been wanting to use cyber intelligence data for a long time.

As we brainstormed some of the options, and I told him stories of the kinds of things we're writing about, he asked me... what do you actually do? Are you a cyber shop? Are you a geopolitical shop? Business Intelligence?

I told him that I've been experimenting with ideas of running comparisons between a measure we call "Cyber Threat Indexing" (patent pending) and key performance indicators associated with running a business. What's that mean? If you owned a manufacturing company, you'd probably worry about the uptime of your manufacturing line, right? So what if you Splunked (yeah, I'm using it as a verb!) the number of times your company was mentioned in the intelligence space against the uptime measures coming off of your manufacturing resource planning systems?

You might be able to show genuine business risk as it relates to cyber risk —right? This is security holy grail stuff! As a CEO (albeit of a small company), I know we do our best to protect the operation, but I wonder: how does our external threat profile match up to our attack footprint, and how does that translate to my ability to run the company?

Why do we measure geopolitical risk, he asks? Because where there's geopolitical risk there will always be cyber risk. We monitored hackers stockpiling tools during the nuclear talks last year. In this case, we monitored cyber risk and identified potential targets that could be seen as political retribution targets --our Wall Street bankers (some of whom are our customers), and companies operating in the Middle East (also some customers).

The cyber risk to our members was real. The motivation would be political retribution on opportunistic and targeted potential victims. Our expectation was that targets would be chosen (by groups we were monitoring), and those targets would likely be those thought impactful —not because of simple compromise, but because they might send a message. Attacks never occurred, but if they had, our members would have already had the protections from our reporting.

We monitored the manipulation of the Ukrainian Presidential Election.

Why? Again, we had several Red Sky members who operate in the area. What'd we get? Cyber tools used in 2014 that hit the press in a big way over Christmas 2015... our members had proactive information on a tool used in the future against others (maybe them).

In all three cases, we used an all-source intelligence approach to understanding the cyber threat to our customers.
  • The first measures business process interruption as a result of cyber activities and risk.
  • In the second and third, we monitored geopolitical activity because, although not exclusively cyber, it posed massive cyber threats to our customers working in those areas.

Are we a cyber threat intelligence shop? Absolutely. But we don't see things quite the way others do. If you're pulling lists of indicators of compromise (IOCs), you're looking at every tree —examining each for potential compromise.

We are a cyber shop, but we do it through "all source" intelligence processes, not just from incident response data. We like to tell the story and then tell you how to identify and protect against it, not hand you indicators of the attack with no context as to what they're being used to find. How in the world do you know what's most important?

It's like that bento box! The whole is the sum of its parts. IOCs are the parts; the sum is the context and the story. Call us. We can help.

Have a great weekend!

Saturday, January 21, 2017

Cyber Security Through the Lens of an Election

Inauguration day has come and gone, giving us some time to reflect on both the previous election process as well as what lies ahead for the next four years. There are a number of parallels between running for office and running a cyber security operation, and a few lessons learned from the former can help those involved in the latter.

It’s a Campaign, Not a Day Hike

Depending on the office you’re running for, your campaign might start years before the winner takes the oath of office. Likewise, it is likely to take years to reach the ideal end-state for the IT enterprise you’re responsible for protecting. To further complicate things, technology in general and security threats specifically will change over time, which means the probability you’ll see the end of the race is very close to 0. Not running is not an option, so pace yourself.

You Need a Team

Every chief executive needs a team to get things done. In government, it’s called a “cabinet” and in business the “C-suite.” Regardless of the nomenclature, the purpose is the same: they are the people who specialize in certain things who help you formulate and execute policy. If you’re lucky you’ll get a team that buys into your vision, trusts you implicitly, and has the resources necessary to get the job done. More than likely you’re going to have something more akin to a Team of Rivals, but not ones you got to pick.

(All Kinds of) Experience Matters

There is no one-size-fits-all career path that leads to the White House. People who get into cyber security have a wide range of backgrounds. Yet in both fields people love to poke at perceived shortcomings of those who aspire to (or end up in) top positions. We pick on Michael Daniel or Rudy Giuliani for their lack of technical acumen, forgetting that George Washington never went to high school and his first job was blue collar. Being able to cast a vision, manage people under stress, manage limited resources, and inspire confidence; none of those things requires a given type or level of education, and all of them can be developed in a variety of ways.

Everyone is a Constituent

If you’re in security, everyone is “your people.” You don’t have a party, you don’t have a faction, you have to make everyone happy. At the very least you have to keep everyone from revolting. Everyone has a different agenda, different needs, different outlooks. You will make enemies, and different people will be your friend or foe depending on the situation. Success depends on keeping all those factors in balance so that you can move the center forward.

It’s a great parlor game to try and figure out what the next four years are going to be like on the political front, but the fact of the matter is we have no real idea how things are going to go. In that sense politics is a lot like cyber security: you prepare for the worst, you assume every day is going to be rocky, but sometimes you get pleasantly surprised.

Hail to the Chief! All of them.

Saturday, January 14, 2017

Botnets, swarms, operating at scale, sharing notes

"Imagine ubiquitous, intelligent robots collectively performing complex tasks. By combining intricate algorithms, defined rules, and continuous sensor data, swarm behavior can emerge. Entrepreneurs are using this collaborative intelligence to develop applications for drone swarms in the air, on land, and by sea. Watch out, Drone Swarms are coming!"

Last week we held our first "Big Broadcast", a live audio event in which we talked about our thinking on futures —and swarms are one of those things I think about 3-5 years out. Not swarms of bees or drones or swarms of strike fighters or humanoids, but swarms of computers, and I'm not sure we have the ability to protect against what's to come. Let me explain...

If you are a security organization, what’s the most significant thing you can do to combat threats from cyberspace? Work at scale. Are we there yet? Not yet.

Late last month, the cybercrime platform “Avalanche” was taken down by an international consortium of law enforcement agencies. It was an investigation that took four years to come to fruition, and would not have been possible without cooperation from and collaboration with 30 different countries. If you’re familiar with cybercrime history you know this sort of action isn’t new, but the scale of it is impressive.

A total of five people were arrested. Over its eight-year lifetime, Avalanche is believed to have caused losses well into the hundreds of millions of dollars. Campaigns run through Avalanche impacted systems in over 180 countries. Avalanche had control over as many as 500,000 systems, every day, across the world. Five people!

Reports don’t reveal how many law enforcement agents, attorneys, technicians and participants from the private sector were involved, but it’s a safe bet that we’re talking about at least mid-to-high hundreds. From the perspective of scale, the bad guys still have us beat hands-down.

Avalanche was a semi-automated, semi-manual process, relying heavily on money mules, but it was the favored means for delivering Zeus and SpyEye malware — the tools used to clean out accounts. The manual link of requiring money mules limited the amount of damage that could be done at any given time.

Now consider this: what if Avalanche were fully automated, autonomous, using peer-to-peer communications and coordination between those 500,000+ drone computers? What if a user simply enters the name of a system into a point and click interface and those 500,000 computers took over attacking one victim organization at every vulnerable point using a range of poisons that allow the attacker to use the system for whatever they choose in future operations?

Our folks have participated in a number of botnet takedowns. No, the effects didn’t last long, but such efforts are merely the initial steps in our ability to skew the economics of this sort of malicious activity. Right now it takes a lot of time and effort to take down a Zeus botnet or a cybercrime platform like Avalanche, but that won’t always be the case. At the same time, the idea of automation and targeted botnet swarm attacks will continue to inch toward reality.

Takedowns are rare today, but as the negative impact of cybercrime grows, and once the good guys begin to promulgate lessons learned, such efforts will become more common. We hope that the efforts of the good guys outpace the efforts of the bad guys, but to date this has not been the case. Momentum is building, but protection (and liability) of your networks resides solely with the owner.

How do you do this? How do you protect yourself against botnets, future potential swarms (or at least higher velocity, higher frequency attacks) outpacing the ability for authorities to keep up?

Work on your technology. Develop your methodology and processes. Perfect your as-a-Service offering. Learn to operate at scale. When given the chance, don’t hesitate to participate in a collaborative effort to fight cybercrime. All boats rise on the tide. Security is no different. If you can think of a new way for groups of us to band together in efficient and cost effective ways, you’re making a greater contribution to the good fight than you will likely do on your own.

Red Sky Alliance is one of those places, with intelligence, collaboration, sources and tools. If you'd like to see some of the kinds of reporting that we push to our Red Sky members, have a look at our readboard or the Wapack Labs blog. This is where we announce products that get pushed to our members. When they need help or have questions, they use Red Sky to ask. When they need help, we refer trusted partners for the strategy, consulting and/or incident response. For more information, contact us.

Until next week,
Stay safe in the ice storm!

Saturday, January 07, 2017

Spend money on Insurance or Insights?

A colleague recently circulated a link to a report that claims that the cyber insurance market is going to top $14B by 2022. My rather glib response at the time was something to the effect of, “if cyber insurance policies are still a thing by then.” When pressed for an explanation, I gave the following analogy:

If I get supplemental life insurance, I tell the agent that I'm so tall, weigh so much, don't smoke, don't drink, don't participate in high-risk activities, etc. He gives me a quote. Then he sends a nurse to my house. She determines that I'm not quite that tall, I'm certainly not that thin, the house smells of Borkum Riff, the recycling container is overflowing with empty bottles of Jack, and the walls are covered with pictures of me skydiving, BASE jumping, and running with the bulls. Oh, she also takes my blood pressure, draws blood, and takes an EKG.

A few days later the agent calls me back and says, “Yeah, that quote I gave you, it’s going to be a bit higher and the coverage, a bit lower.” I don't want my wife and kids to starve if I get hit by a bus so I sign and I pay.

Cyber insurance providers don’t send a nurse to your house. Some carriers make an effort to understand your IT enterprise and others basically take your word for it. In both cases, they ask you to pay A LOT of money in premiums for not a lot of coverage. The way most enterprises of any size operate, it is very easy to get out of compliance with your policy, which means the probability your claim will be denied in the wake of a hack is very close to 1.

Even if your claim isn’t denied outright, there is undoubtedly a cap on your coverage, which means that you’ll still have considerable out-of-pocket costs even if insurance pays out. In high-risk cases, you’ll end up paying first before insurance pays out. Out-of-pocket doesn’t mean pocket change either. If insurers are forced to pay out too much, they’ll just stop writing new policies and cancel existing ones. Does no one remember when cyber insurance was a thing 5-6 years ago? You don’t? It was, they lost money, and they stopped doing it. The past is almost assuredly prologue.

You’re CEO of a company in an industry that is at high risk for cyber-attacks. You could spend several hundred thousand dollars a year on insurance premiums or you could increase the budget of your cyber security team. Which do you choose?

I would argue that in fact you have a third choice: pretend there is a nurse at your house.

Spending a little time and money to assess your true digital health would be exceedingly enlightening. To paraphrase former Secretary of Defense Donald Rumsfeld, you don’t know what you don’t know when it comes to existing and potential liabilities. With this information in hand you have a much better idea of where to spend your limited security dollars to reduce risk, mitigate threats, and identify where insurance actually makes sense and how much.

I would also argue that you can take things one step further by looking at the data and findings of your existing security testing regime and determining cyber security spending ROI, which would further reduce your exposure. For example, if you regularly conduct pen tests, make sure they tell you what they tried that didn’t work (you’re spending enough money/have the right defense there).

Insurance is one tool of many that every enterprise should use to fulfill its risk assessment and reduction responsibilities. But corporate leadership also needs to appreciate that they can do a lot themselves, relatively cheaply, with the same insights that a nurse acquires when she uncovers the difference between your image of your enterprise and reality.