Saturday, January 26, 2013

Extortion of a 16 billion dollar company...

I tell this story often. It’s a story of a company -- a $16 billion dollar company, who in 2006, bet the farm on some specific technology. The company wanted to use the High Definition (HD) codec to replace a massive network of movie distribution. If it worked, the company would make billions.

You may recall, at the time, some of us owned HD players, others Blu-Ray. In this case, the HD company came under attack by folks backing Blu-Ray. Patent pending technologies stored in the “HD Company” (we’ll call them HDCo) were harvested systematically from their servers all over the world. HDCo executives were targeted individually --physically, cyber, psychologically. Their email accounts were taken over. They were forced to use throw-away cell phones. One exec even reported multiple occasions of harassment in the parking lot of her grocery store! This is what some of us know as ‘asyncronous warfare’. In the corporate world, it’s considered corporate espionage. I’d call it extortion.

The bullying, harassment, and theft went on for roughly two years. The company couldn’t survive.  In the end (Feb last year), this company rebranded. They’d lost nearly all of their stock value, dropping from a whopping $16 billion global diversified company in 2006 to $160 million company in 2012!

Why do I tell this story?

What’s old is definitely not new again... While many things are, cyber isn’t.

Fifteen years ago when I started my career in information security, I’d watch the FIRST list. We had roughly thirty of us sharing real time information through PGP encrypted emails. The information we shared among us was amazing. When I left the Navy, my FIRST membership went with it.

In 2005 I rejoined, remembering the successes I enjoyed in 1997. This time, there were hundreds of folks participating. The landscape had shifted. Moore’s law applies not only to CPU speed, it also applies to growth of the network. In that short period, FIRST grew from roughly 30 to over 300 --highly indicative of the number of victim computers, and the requisite number of incident responders needed to handle the massive, exponential growth of cyber victimization. Nearly ten times more people needed information, and were smart enough to seek it out.

What many didn’t know at the time, was not only had the number of machines compromised grow, requiring more incident responders, but the very nature of those attacks was shifting under our feet. In 2006 when I first was exposed to APT, it wasn’t like my early days in the Navy when one attacker broke into one computer. In 2006, one attacker might compromise
hundreds of computers over the course of only a few days. Today, thousands would be compromised using simple exploits with complex chaining of events. Attackers (even today) will use just enough tech and know-how to get what they want. When a defender ups the game, attackers do too.

  • Have you ever heard of a company who has to change the credentials on their domain controllers on a weekly basis? One CISO tells me that if he could change the credentials every 10 minutes, it still wouldn’t keep them out!
  • What would you do if you knew every week, every one of your servers running IIS was going to have their credentials harvested, and there’s not a damn thing you can do about it. (Read back in my blog. I described the Windows Credential Editor problem earlier.)
  • Have you ever changed a rule in your Intrusion Prevention Systems only to find it changed back twenty minutes later?
  • What would you do, if on a weekly basis, 3% of all of your company’s computers were found compromised, with nearly all sending data home? In the companies I work with, 3% means at least 3000 computers --every single week.
  • How would you feel, as CISO, if you were informed by the FBI today that you’ve been compromised, and when you did the analysis, found you’ve been completely owned --man in the mailbox, full exfiltration, and attacker control over any box in your network for years?
I talk with CISO’s nearly every day. I’m amazed that even today, with the massive advances in attacker TTPs (Tactics, Techniques and Procedures) in the last few years, that a CISO can look me, square in the eye, and believe with every fiber in their being that twenty year old information security practices --going it alone, simple firewalls, relying solely on antivirus, are going to save their companies from the complex chaining of these simple events --just enough, to breach their companies. I talked to one recently who had no idea what a wateringhole attack was. He was floored when I told him that his corporate webserver may well have been compromised, serving up poison water to every employee who visits.


This week was fantastic for the Red Sky and Beadwindow Alliances.


  • Two new companies joined Red Sky last week. Our provisioning guy has taken to drinking (heavily). I know in one day he did 28 new accounts!
  • This month alone (and it’s not over), our accounts receivable are more than all of the revenue we collected last year. It’s not a result of my good looks, or of our sales prowess, it’s a result of members telling others to join... and they are!
  • I’m happy to announce AJ Brown and Bob Hillery have all joined the Red Sky | Beadwindow team as Senior Members of the Technical Staff. I’ll announce the third next week. Bob is a retired Navy Commander, a long time SANS Instructor, and a founder of InGuardians. AJ came out of PC Connections as an IT Account Executive. Bob will be handling our intern program, and has already kicked off one major, (provisional) patent pending project that we hope to be using in our portal at some point in the future. AJ is pounding the pavement, charged with new member acquisition from the commercial sector. Both are great guys!
  • Our Annual Report FINALLY went to the printer. I’m hoping to have a stack of them on Rick when he goes to RSA.

What’s old is definitely not what’s new. If you’re a CEO, CIO, or CISO, and you’ve not stayed current, drop us a note. We’re scheduling threat briefs. We’d be happy to schedule an online or in-person threat brief for you and your team. You’ll see first-hand the kind of amazing work that comes from a group such as ours.  Live action. Real Time cyber intelligence through crowdsourcing, smart, easy to work with people, and good tools.

I’d like to invite you to join Red Sky Alliance. 
Please contact AJ Brown today.

“Red Sky at night, sailors’ delight... ”

Until next time,
Have a great week!
Post a Comment