Saturday, October 03, 2015

What kind of intelligence do you need?

I'm a daily reader... every morning I kick off my required list reading by about 5:30; coffee with my
print edition of Wall Street Journal. When I finish with that, it's on to an iPad for Foreign Policy, Sratfor, and then I skim at least a dozen tech and security RSS feeds.

Let's examine this a bit more closely...
  • I read the Wall Street Journal slowly.
  • I read (more quickly) daily editions of Foreign Policy and Stratfor.
  • And then I skim dozens of RSS feeds for interesting pieces.
The Wall Street Journal gives me amazing insight into the kinds of things businesses are dealing with from an operational, strategic and technology perspective... I'll give you an example.. A large food/chemical/agriculture company was working hard recently to acquire a Swiss pesticide company. Why do we care about that? Because this US based company is already heavily targeted by MANY cyber actors because they sell GMO plants (corn), chemicals, pesticides, and during the Vietnam War, agent orange. We read this acquisition as yet another reason why someone would want to hack the   company --and my bet is, they probably were. Once we know that, we can look at past attacks to see who favors targeting the company and how... that leads us down yet another path in which warnings can be generated. Sometimes it works, sometimes it doesn't, but when it does, it's cool as hell!

Next, Foreign Policy and Stratfor pieces generally turn into ideas that sometimes get posted to our workflow and analysis request system. This is where I we get much of our long term perspective on things happening in the world that may become problematic in the future, but haven't yet. So, I read the publications, but not as slowly as the WSJ.  Foreign Policy and Stratfor (for me) are geopolitical tipping and queuing.. situational awareness. As the stories get closer, I'll see them in the Wall Street Journal!

The RSS feeds simply get skimmed, read, and posted to Buffer App for sharing across twittersphere and our Linkedin.   I know that I focus more on world and business affairs than I do the tech, but also know that I've got a room full of techies focused more on that then world and business affairs, so when we get the office, the conversation should be pretty amazing --and it usually is --but this is where the new vuls, patches, bugs, etc., are usually discussed.. but because they're in RSS, they're usually a bit time late and written in a format that anyone can understand.. so I also look at some of the google groups to get my fill of deep, running, colorful (sometimes) tech gouge and leading indicators.

Of course I get a ton of this stuff in Red Sky Alliance as well. Usually we don't bring in the original source because everyone sees them too, but the conversations can be awesome --online, phone, video, whatever. The connections become rich and we figure out quickly what's important that day, that week, and sometimes (but not always) next year.

So I have to ask --we talk about this often. What kind of intelligence do you need?  Most folks have no idea what an EEI is. They're really good at incident response, forensics, or operations, but have no idea what the intelligence cycle is or does, why we use it, or the value of great intelligence.

So bear with me. I'd like to take a moment and review the categorization of the kinds of intelligence that we think about. There are many, but this is our perspective:

  • TACTICAL Intelligence is used by security operators, incident responders and forensic teams. The information can be long or short lived, and generally, best in short pieces of context (with the deeper work available via one click), and actionable indicators of potential compromise, or indicators of compromise. 
  • OPERATIONAL Intelligence, although argued by many because of the varied nature of the reader, from my perspective, focuses on the immediate and short term needs of decision makers NOT in security, but in the business or business lines.  
  • STRATEGIC Intelligence focuses on the planners and risk managers. This is for the folks who think about broader situational awareness --the folks who look at the entire chess board and plan the next five moves.
So again, back to the question, what kind of intelligence do you need?

And I'd ask (and I'd really love to see comments on this please)... "How do you want it?" Document? PDF? STIX? Other?? You tell me. I'm all ears.

Who is (are) your primary customer(s)? When you consider writing intelligence for someone, who do you write it for? At what level?

These scratch the surface for me, but we're constantly asking our members and readers "What keeps you up at night?"

I'd love to hear from you...

Thank you!

Monday, September 28, 2015

Lenovo adds another rootkit? So what??

Another blogger just reported finding Lenovo installing another rootkit on laptops.

So I ask... is anyone surprised? iPhones have had WAPI installed for years (by choice). Nearly every computer, cell, display, etc., comes from factories in China. Should anyone be surprised with security issues are found in these devices?

And is China exclusive to this practice? My bet, no.

Why am I talking this? Because your networks are untrusted --for many reasons --bugs in code and hardware, scripts and processes that run for ease of use, autorun, targeted attackers break things to get in... your networks are untrusted... and with every device having components from areas of the world that we may or may not like, there are no computers that I know of with components built exclusively in trusted, high security factories; no chips, no memory, no anything.

So here's the deal... if you trust your laptop, computer, server, or cell to protect your stuff out of the box, you're a fool. The first thing my guys do when we buy new laptops --before powering it on, is to put tape over the webcam. Why? Because we know that the light that goes off when the webcam goes 'off' doesn't necessarily mean that it is. The same for your cell.. even when the power is (ahem) off, cameras and mics can be used against you.

And worse, I happen to love (LOVE) the ThinkPad form factor. I hate some of the clugey things that they've added, but that's personal preference. My other guys happen to like those features (I'm a Mac guy).

So whadya gonna do? Get smart. Hire or rent a CISO. Know that there are controls that should be placed on every computer before it goes into production. Your CISO can help. Need a virtual CISO? Drop me a note. We've recommended several to others.

Have a great day!