Saturday, December 26, 2015

2015 - A look back, and a look forward...

This is my last blog of 2015, so I thought I'd close it out right!

This was another great year in Red Sky Alliance and Wapack Labs.

Red Sky, as planned, added several new members. Our intent was never to have thousands, rather a select group who use the portal and the intelligence that’s provided. So, a few numbers:

Red Sky Alliance has roughly 200 accounts issued. Approximately 10% are issued to Wapack Labs analysts, leaving ~190 accounts. Out of those, an average of 73 people (38%) participate weekly and about half of those participate daily.  Those are staggering numbers in any information sharing environment. Add to that the idea that in nearly four years, only three Red Sky Alliance members have left, and those left because of one member was divested and then dissolved. Another transferred and rejoined after the move. The third, an intelligence manager, took another job in the company and the intelligence team went with another service. Our customer satisfaction remains high. The intent of the Alliance was never to serve the needs of all, rather allow companies who really want it an opportunity to crowdsource questions, and share intelligence and analysis. The price has remained stable for the last two years –significantly lower than others, with the intent of users being ecstatic at the amount of value that they receive as members. We’re not into politics. We don’t drive national policy. We want standards but participate in those national level discussions only tangentially.  We author intelligence and provide it to the members. We stick to our core competency and charge a fair price; and our members seem to love that.

Wapack Labs has really grown into its own this year.  Wapack Labs was spun out of Red Sky Alliance in 2013 as a place where our analysts could do other kinds of projects that didn’t fit nicely into the information sharing construct –professional and tailored intelligence collection and analysis. The Lab sells intelligence subscriptions in forms that allow both the board and C-Suite the ability to get fast, one-page sound bites, and at the same time, corresponding technical reports that the tech teams can use to protect the company from those reports that their CEO reads.

We added a few new pieces of analysis this year. Targeteer® reports profile actor groups and its members. From our perspective, there are dozens of things that can be done outside of the network, without breaking any laws, to turn off an attacker’s ability to execute. Targeteer® reports offer our members the information needed to take political, legal, or other actions as may be desired by their leadership team and counsel.

We started pushing early warning indicators in September. We love Kill Chain, but many don't understand that while Kill Chain details activities of the breach, it can be used proactively to plan and instrument active defensive campaigns. And because so many don't understand that, if you’re operating in Kill Chain, it may to late for you. To answer that problem we’ve spent a lot of time this year on processes that we’re calling “Getting to the Left of Kill Chain”. There's a bit of a learning curve, but so far, our pilots have been successful. When our infrastructure is built out, any company will have the opportunity to log into our new Cyberwatch® system and receive early warning indicators that they can (should) act on before having their first coffee of the day.

Our desire to push these reports and indicators to larger audiences has showcased a bit of a problem –the ability to scale in distribution. Until this year, scaling the ability to perform human driven analysis has always been the concern. We continue to drive analytic processes. We’re sourcing hundreds of primary sources of information, and to allow us to scale, Cyberwatch® will be released as initial operational capability in January. The goal of Cyberwatch® is to consolidate and create efficiencies. 

Today, we offer products as C-Suite offerings in a low cost format delivered on We offer collaboration in Red Sky Alliance, and we offer a query/response indicator repository on It's confusing even to me!  The idea of Cyberwatch® is first to translate information security into language that anyone can understand, and know at a glance the implications of growing cyber threats. Second, we’re hoping to solve the problem of a massive need for victim notifications. The number of victims seemed to skyrocket this year, and while we’ve done our best to push out notifications, the numbers are staggering. At the time when I was drafting this blog, another company was victimized; this time for 13 million accounts. How do 13 million people get notified that their computers might have been victimized? And if they knew, what could be done about it? We hope to solve a piece of this problem.

What’s trending?

By far, the biggest activity we saw this year was the distribution of key loggers globally. As of today, we’ve seen over 12,000 unique infrastructures compromised in over 85 countries around the world. We’ve seen Nigerian actors compromising systems in every corner of the world and selling the accounts in TOR based forums. That activity, named by us “Daily Show” seems to focus on a few geographical locations, primarily targeting the maritime community (and those supporting the maritime community) in the South China Sea, maritime routes between Nigeria and the Black Sea, the Nordics, and the Suez Canal.

Angler has easily been number two. We’ve written several reports on Angler, and have had readers and conference goers tell us that Angler delivers roughly 90% of all of the activity seen.

Russian actors have become a tool of the military. Wapack Labs detailed accounts of Russia’s cyber actions in the conflict with Ukraine. The cyber underpinnings of the activity, in our opinion, track closely with the Ivanof Doctrine –a plan for using cyber and other information warfare tools in conjunction with physical activities.  

Iran moved into the top of the threat chart. Starting with the stockpiling of tools to connections with others, Iranian actors appear to have become the new China with one major difference; Iran isn’t interested in espionage. And why should they be? They became one of the first cyber sabotage targets in this new era.  

Last but certainly not least.  We watched this year as attacks turned from espionage and theft to integrity attacks, with documents manipulated to allow the movement of goods, services and money. Cyber has indeed converged with the fraud and physical security spaces... and it's only just starting.

Which brings me to my 2016 predictions:

I’ve authored predictions since 2013, and many more informally before that. I’m running pretty hot right now with nearly all coming true. Feel free to view previous predictions on our blog at

So here goes…

  1. Key loggers aren’t anything new but they’re taking hold in a largely automated way. I’d mentioned in presentations (twice this year), when I followed a consultant who talked about cracking passwords that passwords don’t mean a thing when there’s a keylogger involved. And it seems the number of pieces of malware with key loggers built in are increasing dramatically. Not a rocket science prediction. Common sense.
  2. We witnessed what we believe are the early indications of a movement from confidentiality motivated attacks (meaning, espionage) to integrity motivated attacks. This year will be the year of data manipulation.  This is a high probability, high damage risk prediction. Companies everywhere will lose the ability to depend on their computing systems to deliver trusted results. This has already proven true in engineering focused industries, but now, enterprise resource management systems, are becoming targets of opportunity, allowing access into any of the multitude of services they connect to. 
  3. Customs offices in several countries were witnessed by Wapack Labs as compromised. One European country’s Visa office was included in that last. This is a major risk to governments everywhere. My prediction? We’ll see key government organizations in the US and elsewhere get compromised in places that vet foreign visitors. Documentation will be generated and delivered. The overarching theme? Fraud is intersecting with information security. Cyber is simply another tool and the Visa offices are not exempt.
  4. Resilience has become the name of the game. Leading edge companies are learning to live with untrusted networks, and as 2016 unfolds, we’ll see several key companies focusing on their efforts on resilient networks.  We don’t believe that Chief Information Security Officers will be replaced with Resilience officers, but taking the role to the next step means ensuring organizations can survive, operate successfully while under massive attack.
  5. Service accounts aren't getting enough love... but they will. A service account connects two systems not normally accessed by a human. I.e.: One database connecting and querying another requires credentials, but because the process is automated, it will not require human interaction... so credentials are written into the code or query so human interaction is not required.  If one database queries another, and the credentials required either do not change, or may not be changed (because they're built into the code), they become highly coveted targets. Many of the larger companies have already addressed this problem. Many of the smaller companies don't have the ability to act on this enormous risk... and the bad guys know it. In industry, think supply chain. In personal accounts, think interconnections between various social and cloud based tools. If you can log into a system, and query using a social media login, or have your home thermostat connected to your iCloud account, you've created a service connection --and it can be exploited. 
  6. Systemic risk is the phrase of the year. Systemic risk means that attackers will find singular points to attack, (probably as a result of staticly credentialed service accounts systems).   Need an example? OPM was a wonderful target from systemic perspective. Compromised in such a way that new tech with new thinking was required to identify the breach (math based behavioral anomaly detection), in a target that held such immense importance that nobody would be spared the possibility of targeting. Brilliant! I wish I'd have thought of that when I was in that business. 
2016 is going to bring some big things for Red Sky and the Lab. We're hosting our first Threat Day of the year in January in DC, and we expect to debut Cyberwatch® with our membership. Beyond that, if this works, it's going to transform the way executives look at information security and cyber. So standby. 2016 is going to be transformative... and I can't wait!

Happy New Year!