Saturday, September 05, 2015

Three victim notifications...

I spent last weekend in front of a loaded gaming terminal running forensic analysis software. Why?
22Gb of keylogger credentials.

What do I do with that data? I start dialing.

Three victims this week, with three very different responses. Here's the story:

All three victims are in the US.
  • One is a large company - $10b+ in annual revenue
  • One is a medium-sized energy --smart grid manufacturing company - $2.5b per year
  • The last is a privately held company that manufactures static-proof rails for the maritime industry.
In all three cases, sales people had been victimized by keyloggers. In all three, the sales people had no idea that they'd been victimized, and for months had every keystroke, clipboard capture, document and screenshot captured and sent to keylogger capture servers (we call them caches).

So, how'd the victim notifications go?
  • Company one never responded. It's not the first Fortune 500 that we've contacted that simply ignored the notification. Frankly, I was shocked even at the lack of an ACK.
  • The medium sized company? They responded immediately --checked me out on LinkedIn, sent email, and then finally, called me back. 
  • The small company was surprised but happy for the call. They had no security team, and when the operator asked who I wanted to see, I asked for the person that handles IT. When she asked why, I told her that the company had been hacked. She asked again. Finally, I got through to the CEO, who was very appreciative. I followed up the next day to ensure all goes well.
The current status? Company one still has keyloggers sending their stuff out; Company two has stopped the bleeding, and Company three? We'll see. We partner with a couple of strong IR teams. I offered to recommend one (and did) but I don't think they ever called.

So why would the company with the best opportunity to respond not do so?

I had a similar experience last year. I was doing a presentation with a CISO with a reputation as an "empty suit" (not my words). He's an educated dude (an MSIA) with a long list of publications under his name. The guy does great at building the team, grabbing budgetary real estate, and spending money, but not so much in actual measured output. We try to come prepared for every presentation, so we did a quick run against our sources to find out what we knew about the company before jumping on the call. The low hanging fruit is passive DNS showing registered VPNs or dynamically generated names... both red flags. During the presentation, I stop just before the slide with the results and explain that we always try to find something new for each talk... and in this case, the company had THOUSANDS of names registered... and then I flip to the slide with the results highlighted. The reaction? None. Most ask if we know whether or not the possible VPNs are active (most times we don't), but still... nothing. Completely ignored.

Another, a notification just yesterday... a UK-based investment company that we talked to about services two weeks ago... we provided 'on the surface' evidence of compromise, but frankly, as they were not a paying customer, we spent our time paying attention to the guys paying us to do so. We're a small company, focused on what we do best, which is often not aggressive selling. Even so, when presented with findings, the company did its level best to discredit rather than probe and qualify. They didn't want to know.

It happens more times than you'd want to believe. 

Here's what I think... I've seen this before and I'm sure I'll see it again.

CISOs come in two (highly generalized) flavors --technical and managerial. Oftentimes, the technical CISO's skills will carry enough water to allow proper persuasion with upper management... the halo effect coupled with acronyms, brilliance, and the fact that the techie can get in the mud and fight the fight; and this alone makes the company happy. Others, the managerial flavor, had someone sign off for their CISSP endorsement (say it ain't so!), and have figured out that their ability to keep their mouth shut and roll with whatever comes through the SIEM will keep them under the radar; and as long as they can keep the lights on, they'll be fine --until they're not, then they roll ceremoniously on to their next job, like a fallen, but experienced and celebrated hero.

So what's my point?

We've been doing victim notifications, but we don't work like the windshield repair man running through parking lots at night with a ball peen hammer.

When we call, yes, we can try and sell you subscriptions, but when we do victim notifications, unless you ask for more information about our services, the notification is just that --a private call to quietly notify you of a breach. What happens after that is completely up to you. We've been fortunate so far in that almost all of our sales have come from word of mouth --referrals from current Red Sky members or Wapack Labs subscribers... and if you really want to check findings, you can do it without calling us by pulling the IOCs that we give you during the victim notification from Threat Recon (it's free up to 1000 queries per month), or check our public-facing CMS --TLP WHITE and GREEN commentary and/or analysis. Want more than that? Buy a subscription. Give us a call and we'll walk you through the options. We're not going to force your hand.