Saturday, August 23, 2014

Red Sky Weekly: Shocking!

Author: Cuban political cartoonist Antonio Prohías
German intelligence spies on Americans and Turks?

Chinese Hackers targeting information on MH370?

Malware targeting ex-Soviet states has Russian hallmarks?

Say it ain't so!

For months we've read stories about the NSA. I thought I'd take a moment and talk about the second oldest profession in the world: spying. Every country has organizations dedicated to this craft. And with 196 plus or minus countries in the world (depending on who's counting), you'd be hard pressed to find a country with just one intelligence organization. Most have several. Add in another 10,000 marketing/intelligence shops owned by companies, the fact that the Society of Competitive Intelligence Professionals boasts chapters all over the world, and a quick Google for Competitive Intelligence yields over 10 million hits. Ever read an analyst report when you're thinking about buying stock? When you're using it to make decisions about what to buy, that's intelligence...

There is no escaping this fact. Intelligence is everywhere. And cyber is one easy place to get it.

In 1999, I gave a talk at SANS on this very topic. At the time, I was both an intelligence officer and a SCIP member. I talked of the movement of spying toward cyberspace, offering examples of paid intelligence collectors, working in the private sector, grabbing precious information from other companies via computers. I spent some time actually teaching my audience how this is done, and for all of the work I'd done preparing the presentation, my reviews came back with comments like "Stutzman is selling snake oil", "The sky is not falling!" and "What planet is this guy from?" I'll never forget it. I was not invited back.

Since then, I've given that same talk, unedited, in pieces or in its entirety, as if it was still 1999, dozens of times -- Navy War College's Strategic Studies Group (where Navy Captains go when they're about to put on a star), during classes at Norwich, Worcester Polytechnic Institute and Harvard, and more times than I can count to new analysts. It was a simpler time, but nonetheless, that talk from 1999 holds true today, and was dead on then. I remember it well. I liken good intelligence to information presented by securities researchers when their bosses are playing the market. The reports offer recommendations at the top of the page; they offer some kind of a mechanism to score the researcher, and then lay. (I'll save this for another blog entitled... what does good intelligence actually look like?). It's beautiful!

What does intelligence look like in cyberspace? How does one go about collecting it? My talk included that too... and at the time, the USSR was breaking up and those spies, needing jobs, migrated largely to countries in Europe... including Germany. Many worked for the banking community, attempting to help protect investments. Think they're the only ones? Many of my former co-workers and peers also now work for corporate America. And what do you think they (we) do? Intelligence, research and analysis. Pick a country and I'll tell you a non-military story of how someone is spying on someone else for money. We expect it from the government. It's the second oldest profession in the book.

So, hold on to your hats folks. Cyber increases the speed by which access can be gained to specific information. It offers access to vastly larger caches of data as storage becomes smaller and the amount of data it can hold becomes bigger. And computers can be targeted like no human ever could... silent, fast, accurate. And it is very much taken advantage of.

Does it come as a surprise that German intelligence folks are spying on the US and Turkey? No. Pick a country... they're spying on someone, either for military or economic gain... and your computer is the easiest place to get information from.

I love my job!

If you'd be interested in seeing the presentation, drop me a note. We'll set something up.

BT BT

It's been a great week.

Announcing Beadwindow on Threat Connect!

I'm happy to announce that we've partnered with Threat Connect to make our Beadwindow portal (our open portal) available on Threat Connect. The site is set up and we're moving content over as we speak. Interested in membership?  Rick is the Beadwindow Community Director and can get you set up. Contact Rick.

In the Red Sky private portal:
  • The Red Sky portal has been really busy. Normally over the summer it takes a dip, but not this year. We added a couple of new members, including one this week. 
  • We continue to watch and blog lessons from the cyber activities undertaken during the Ukraine/Russia conflict, and we posted updated GEOPOL reporting.
  • And this week we loaded up caches of tools known to be used by a couple of prolific groups. It's not all been analyzed, but there's plenty of talent in the portal to assist.
In Wapack Labs:

Threat Recon adoption continues to grow. 

https://pypi.python.org/pypi/threatrecon
Yesterday, Seth Bromberger, one of our friends and an expert in the industrial controls security community, posted a Threat Recon Python module to python.org and GitHub. In the last 24 hours, there've been 478 downloads!

We've put up our internal Maltego server. The transforms work wonderfully (thanks Bart!).

We're not a CRITs shop, but there are scripts written and posted on the GitHub for CRITs integration.

And standby folks, Splunk is coming!

Enough for now. Until next week, have a great weekend!
Jeff






Friday, August 22, 2014

New API module for Wapack's ThreatRecon!

Thanks to Seth Bromberger for writing a Python module for our cyber threat intelligence system ThreatRecon. You can download the module here: https://pypi.python.org/pypi/threatrecon

Thanks Seth!