Saturday, April 05, 2014

Red Sky Weekly - Can YOUR box serve whoopie pies?

My history, and cynicism are good indications that I'm long in the tooth in the space, although I've never been able to grow that grey beard. You can apply the codger moniker with high confidence based on the analytic rigor of multiple primary sourced blog entries by me over the years. Yes, I look at cyber in a very specific way and I've been around long enough to consider myself seasoned and experienced.

I had beers and cigars last night at the Cancun Cantina with three old friends. One of the guys was a Marine E6 when we met. I was a new LTjg. He's preparing to retire as a Warrant Officer now. Another was the head of Incident Response when we worked together, now, Chief Technology Officer. The last is the CISO for a local defense contractor.

Our talk sounded like sea stories. In the late 90s my Marine friend and I (and others) earned our stripes analyzing Moonlight Maze, Solar Sunrise, the downing of the EP3 in Hainan Island and just about any cyber event (they weren't called cyber at the time), or events with cyber consequences. Our team authored first models for behavioral analysis, spending countless hours with Suresh Konda coding thousands of compiled computer intrusions, to be used in the early days of SiLK models.

I was reintroduced to this world in 2006 as Titan Rain was wrapping down, and another set of intrusions (perhaps just renamed?) was ramping up --known by a name I believe to be still classified, I'll refer you to a link. Before any new attribution names were assigned to the new activities, my incident response buddy and I sat on opposite sides of the table. Me, the intel guy wanted to leave systems up to learn the lessons. His job was to get them back online. We joked about lots of beer, midnight Guitar Hero in our Mass based lab, and many, many near fistfights with wide open screaming mouths, and a LOT of spit flying over the table as we discussed ways forward.

The last, the CISO, has been doing this from the start, but we only met a couple of years ago. He's seen it all, developed all of his own tools, and takes pride in changing log-in credentials to offensive messages because he knows the attackers will read them.

It was a fun night. Working 166 of the 168 hours available during the week at the time burns you out fast, but looking back on it now, it doesn't seem so bad. The shared experience of having been on the cutting edge of this new era of cyber, while not good for computers, was a real learning experience for us. All three of us --and many others, had real impact on the way these events are handled today, and the lessons that will be passed to those who've not yet experienced their oh sh*t moment... that moment when you realize someone is in your network; you've never seen it before, and you have absolutely no idea what to do about it.

For us, I wish we knew then what we know now. In uniform, who we asked for help was easy. Unfortunately we were the experts! Roughly 10 years ago we joined FIRST, and looked for active places to share lessons learned and ask for help, but FIRST members hadn't been seeing the kinds of activities we were working, so out of sheer exhaustion, three companies signed NDAs and started sharing APT information. I believe they're up to about 60 or so now.. I've not kept up.

Today, there's no end to the number of places that'll sell you Indicators of Compromise (IOCs). You can read about much of the happenings in open source Google groups, an endless supply of links on LinkedIn. There is no easy button, but there are seemingly hundreds of vendors that'll sell you a box with a red light that lights up when spies or thieves are being gangster-slapped at the border router automatically by your new magic box, or a green light when that sexy magic box is humming along, bored, because it's not killing connections.

So yes, the codger moniker? The idea that I look at everything in this space with one eye closed, squinting with the other isn't just because my bifocals require their now annual update. It's because when I hear a vendor tell a customer that their magic 8 ball answers 'yes you can' to the question 'can I buy a box that'll kill every bad connection, allow every good' at at the same time fill all of the compliance needs, supply metrics required by management, and when asked, prepare and deliver a perfect whoopie pie in a little glass door that serves as both the ingestion spot for gobbling all of those IOCs and when needed, the dispensing door for that really awesome chocolatey creamy taste of heaven... I laugh... out loud.

Yup. I've been doing this a while. I need some intellectual tennis with people new to the space, so Monday morning before heading out of Manchester, I spoke to a class at the University of New Hampshire. The class had kids from all areas - computer information systems/science, liberal arts, business, and included a couple of veterans. I offered a talk, as I often do, on the state of cyber --What is APT? How is it that companies lose credit cards? ..a basic threat brief. I wasn't peppered with questions, but the ones I did get were good:

  • Are we winning the cyberwar? If not, why not?
  • What are my thoughts on Edward Snowden?
  • How do we get involved? What is the path to follow to get into information security?
Great questions all. I did my best to explain the complexity in current networks. Cloud, mobile, virtualization. Insourcing, outsourcing. They got the point. Complexity kills, and in this case complex cyber leads to holes.

I won't go into the others, but then I turned my question cannon on them...

"Should we be able to fire back?" I asked?

Without hesitation, a young (sophomore?), who looked like she should still be in High School, answered "YES!" Why? I asked.

"It's fun!" When someone hacks me, it's fun to hack them back!

I can't wait until she's ready for an internship! 


I'm running around the country this week doing face-to-faces with Red Sky members. It's two years in, and seems like a good time to get some honest feedback. As far as I can tell.. I've heard many times.. companies love our analysis products, and those who like to work in the portal --typically the deep tech folks, are always in the Red Sky portal, talking, working, sharing. We have power users. Others are less enthusiastic about logging into yet another portal. So as I meet with customers, I'm looking for good feedback on what they like, and what we could do better! 

If you're interested in having a look at what Red Sky Alliance does, or some of the tailored intelligence and analysis coming from Wapack Labs, drop me a note. We're pushing before summer sets in, and happy to set up a time!

So until next time,
Have a great weekend!