Saturday, December 31, 2016

2017 and beyond?

I've been a little lazy about running metrics and probabilities on my 2017 predictions. The reason? It's actually kind of boring! The idea of writing predictions for 2017 is very much like saying "it'll be dark until morning and then it'll be light". As I look at 2017, I'm really calling this a no-brainer. My belief? 100% probability on each.

  • Ransomware is being called out in just about every other prediction out there. No-brainer. Where there's easy money there'll be simple criminals; and since the vast majority of the attackers out there are simple criminals, ransomware poses a low-risk, high-payoff activity, and yes, it will cost you money --either to fix, or to pay them off. The upside? There are some tools out there that can help. Cybereason and others have published endpoint tools that watch for anomalous behavior, and claim to be able to stop ransomware before it begins. You tell me.
  • Voter manipulation?? Folks, you've seen only the tip of the iceberg. We've been talking about this stuff here for the last two years. A blog post first appearing here was the reason for a story in the Christian Science Monitor two years ago, and it received very little attention. Georgia, Ukraine, Bulgaria, more. The NCCIC IOC list included Carberp and BlackEnergy V2 and V3, tools we reported on in 2014 as we watched other elections unfold and get tampered with. If you think this is new, you're missing the boat, and if you think this is going to stop because 35 Russian spies and their families are booted from the country, you're mistaken. Every country in the world will be using cyber as the equalizer. The WordPress sites run by the DNC, already breached by the Russians, are easy targets, ripe for, at a minimum, understanding what's to come.
  • Internet of Things? I think more about unprotected cable boxes! It's funny. Yes, I think about the Nest thermostat in my home, and the fact that Alexa (I got one for my birthday last year) listens all the time bothers me slightly, but that swarm of IoT devices doesn't bother me nearly as much as the idea that every cable modem gets deployed with the same user name and password; and then, even though the wireless is protected from the inside out using some form of WEP, WPA, etc., that generic user name and password can be used to log in and turn off any security --all without the homeowner (or business owner) knowing, or being alerted. Worried about swarm attacks? You should be. That cable modem is likely one of the contributing factors. And it's only going to get worse in 2017 (and beyond). Cable modems. Really Stutzman? That all ya got? No, but the fact is, users need higher-bandwidth devices that will provide comms pathways for IoT, ICS, and tons of applications that will run through these little grey chokepoints, and those little grey chokepoints have nearly no protection. I think about this a lot.
  • Hackless hacking is the idea that key-logged systems are ubiquitous, and logging in with legitimate user credentials has become easier than ever. Shells, old DOS net commands, and legitimate credentials are not new, but they're making a reappearance and they're easy as hell to deploy and use. Drop in on a VPN to a local IP, use a legitimate user's name and password and voilà, you're in.
  • APT? It's still out there, but it's pushed down from focusing on the big companies who've learned to defend themselves over the last few years into the smaller companies who can't. We signed our first small DIB supply chain company into the Red Sky Alliance this week. The CEO of a 20-person high tech manufacturing company came into the portal. He knows all about APT, but only from what the press has told him. Small defense companies around the world are in trouble --they manufacture low cost, very cool things that keep the prices of new tech down, and at the same time create many of the innovations. Houston, we have a problem... and it's not just in the US. The idea that state sponsored espionage can steal or manipulate your data by reaching into a smaller third party, partner, or supplier is not just a prediction, it's happening now.
  • Cyber warfare --yes, I went there. I don't think I've EVER called this out before because I don't believe that there truly was ever (to date) a cyber war, but I believe we'll see the next great war fought in cyberspace using unmanned drones, robots, and turning on and off (and destroying, degrading, disrupting, etc.) critical targets via wire. I believe the cyber cold war has already begun, with countries cordoning themselves off from the Internet, Vermont electric companies finding evidence of alleged Russian hacking (now of course proven false --although it passed the Washington Post test!), Iranian use of cyber, and don't forget us. To the rest of the world, the US is the APT. So yes, I believe we'll see rapid escalation of rhetoric and cyber warfare posturing --pre-warfare activities; we used to call it IPB --Intelligence Preparation of the Battlespace --shaping and preparing the battlespace to allow forces to operate effectively; identifying Order of Battle (OOB) --inventorying enemy forces; and looking for ways to both access, and measure damages.
The upsides?
  • Cloud? Interestingly enough, cloud providers seem to be getting the message. While contracts still don't take responsibility for security, and the stacks are different from provider to provider, they do seem to be building more and more security controls --both customer-controlled and baked into the cloud environments. I see this as a very positive sign. One really good thing I see? Containers are being built that (maybe) will help with security in cloud and software defined computing. I'm not even close to being called an expert in cloud or SDN, but the opportunities are ripe for new types of penetrations, and the idea that folks are thinking about this as they build containers is a positive sign.
  • Training! One of the coolest things that happened this year is Ron Gula's new gig, Cybrary. I wish I'd thought of it. Training is available for free and I've got every one of my folks running through a curriculum --some are learning Python, others more in-depth. If you've followed my blog, you know we built a small veteran training program. They're all in a Cybrary training pipeline --A+, Net+, Security+, and Python. This is a very good thing.
  • Intelligence is as old as the hills. It doesn't mean buying a list of aggregated data, pulling it in using STIX/TAXII, and dumping it straight into a red (or green, or blue) box. The upside? We're seeing (and hearing) from many, many CISOs that they want intelligence, and they actually know the difference between the aggregated feed and intelligence. Even those who've never been exposed are coming around asking questions about what's affecting them. We love this.
Unfortunately, 2016 was the year where I scratched my head and asked myself, how the hell did we get here? We spend billions of dollars protecting our networks and the information we hold most dear, but every piece of tech is nothing more than another layer of stuff, built on the same operating systems and network architectures that got us here in the first place!

Moving into 2017, what can you expect to see from us?

We're hosting a "Big Broadcast" on Jan 11th. It'll be a conversational forum moderated by an old friend, Jay Healey, talking about issues we see coming in 2017. Care to join us? Sign up here.

As well, Red Sky members will be seeing some changes that I think you're going to like. More on that later.

Is all lost? No. But we need to figure out how to get our arms around some of the easy stuff. Where's the big red switch that changes all the passwords on the cable modems, and the basic authentication and security for those Internet of Things devices? How do I make Alexa stop listening? APT? Better be ready. This train isn't slowing down, it's speeding up.

So, on that note... Happy New Year!

Saturday, December 24, 2016

2017: The Year of the Better Metaphor?

If the holidays are known for anything, it's heated discussions about the same contentious issues with the same bone-headed relatives who don’t know what they’re talking about; and why did my sister marry that guy; and when grandma is gone I’m never coming back here...
Likewise, nothing says you’re about to get into a heated discussion on cyber security like the use of a bad metaphor.
Since so few of the people involved in cyber-security actually know anything about computers to a sufficient level of granularity, or by the same token understand the wider social implications of their ‘simple’ technical fix, everyone falls back on their half-remembered high school history to try and help make sense of it all. Herewith our most misused and abused metaphors, and some suggestions to help make actual sense going forward.

Digital Pearl Harbor

What people think they’re saying: “We don’t want to be caught unaware by a surprise cyber-attack.”
What they’re not getting: Private sector, governmental, and critical infrastructure systems have been under attack for decades. We’re not in danger of being caught unaware, we’ve been hitting the snooze button and acting surprised and annoyed when it goes off…again and again and again.
Suggested alternative: Digital Trench Warfare (or Digital Ypres, if you must). The good guys are over here, the bad guys over there, and between them is this very risky area. Sometimes the bad guys are strong enough or lucky enough to make it across that area, in which case the good guys have to work very hard and expend a lot of blood to kick the bad guys out.

Manhattan Project

What people think they’re saying: “We need a multi-disciplinary effort to come up with a better way to do X, where X is some defensive/protective mechanism.”
What they’re not getting: The Manhattan Project was a multi-disciplinary effort to build the world’s most deadly offensive mechanism. That mechanism was only used twice, and the planet has lived in collective fear of it being used again every day since.
Suggested alternative: Cyber CERCLA (a/k/a Cyber Superfund). Back in the day we didn’t care two whits about the environment. The Valley of Drums and Love Canal (and a crying Indian) changed all that. In cyber security they don’t call DFIR-types ‘digital janitors’ for nothing. I’m not saying we tar-and-feather the founders (what they built made sense at the time), we just need to accept that bringing what used to be OK up to the standard for what is OK now is going to cost a metric-***-ton of money, and if we care about security we should be prepared to pay for it.

Digital Maginot Line

What people think they’re saying: “You need defense in depth because static defenses don’t work because the bad guys will just go around them.”
What they’re not getting: The Maginot Line was not supposed to stop invaders, it was supposed to slow them down and/or channel them to a point where the smaller and weaker defenders could rally in strength in order to put up a half-decent fight. The Line did exactly what it was supposed to do.
Suggested alternative: Use “Digital Maginot Line” properly. Defense in depth has its issues, and no one is suggesting you unplug your computers and lock them in a vault, but let’s be honest: if someone devised a system that delayed and channeled attackers into a zone where you could more effectively fight them and keep them away from your most precious data/valuable resources, you’d buy that today.

Digital Magna Carta

What people think they’re saying: “We need to protect ourselves from oppressors who would arbitrarily punish people without due process based on what they say or do online. Come and see the violence inherent in the system.”
What they’re not getting: If you say these words from a country with a governmental system that is more liberal-democracy than autocracy, dictatorship, or kleptocracy, you have no idea what oppression looks like. The fact that you get to say those words in public or in print and still walk the streets is proof enough of that. Your good wishes and strongly worded demarches aren’t advancing the cause of freedom.
Suggested alternative: Digital Jedburghs. Foreign regime using digital means to enhance their ability to find, detect and oppress dissidents and you’re not down with that? Stop writing manifestos and start putting some skin in the game. Give people the means to not only resist but fight back. A word of caution: this might come back to bite you in the ***.

Going Dark

What people think they’re saying: “If we don’t preclude the use of encryption, or weaken it to the point that (the appropriate authorities) can break it, the world will be overrun with ISIS and pedophiles.”
What they’re not getting: This being America, investigations (of citizens) are supposed to be hard. If literally the only thing stopping you from keeping a monster off the streets is his PGP pass phrase, you’ve not done a very good investigation. And not for nothing, but encryption didn’t help the 200,000-odd sex offenders currently in prison, nor does encryption help every jihadist in the sights of USAF UAV weapons officers.
Suggested alternative: Fourth Amendment After Next. I’d much rather we focus our energies on rights and liberties and not crime and punishment. When you define the former it’s easy to identify the latter; when you come at it the other way around it doesn’t work out nearly so well. “After Next” is a military think-tanky way of saying “these are the issues we think we will face in the war after the next war we fight.” The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures in the information age could not be more important. Courts are already beginning to realize the problems with things like the border exception, and as we step tentatively into the age of implantables, this is an area that is only going to get more complicated and dangerous if we don’t get it right.
By the same token, if you think political dissent and child abuse are both worthy of equal protection under math, you’re not someone I want to meet in the new year.

Cyber Arms Control

What people think they’re saying: “If we can impose a layer of control over the things you need to make (dangerous things), we can stop those less responsible/polite/sane than ourselves from getting and using (dangerous things).”
What they’re not getting: Since nuclear arms control became a thing, more countries have the bomb than before it was a thing, and keeping a handle on code is infinitely more difficult than keeping track of fissile material.
Suggested alternative: Nothing. This is the most ridiculous idea in computer security. The sooner we stop talking about it, or proposing things remotely like it, the sooner someone will come up with a more practical approach to the issue.


This was a bit heady for the morning of Christmas Eve, but it's something we talk (laugh?) about in the office, over beers, and at just about any opportunity. I get the question often --I had it a few weeks ago while on the podium briefing the commander of US TRANSCOM. The question was "What should we be thinking about at a national policy level?" This is a simple list of some of those thoughts. It seems every few years someone rolls out, and the ideas start all over again. Ever seen the movie Groundhog Day? It's the story of a weather man who repeats Groundhog Day over and over until he gets it right, and then he's released from the daily loop. Ours seems a little longer, but we're stuck in the loop --the new young iron majors have the same ideas over and over and we see history repeat itself, and while public reaction has become largely ignorant bliss, we hear the same stories over and over from vendors and the government...

So let's lighten this up a bit. It's the morning of Christmas Eve. We at Wapack Labs very much wish you the happiest day. Me? I'll be doing two masses tonight (three if you count praying at the altar of the New England Patriots! Go Pats!).

Merry Christmas (or if you prefer, Happy Holidays!) from the team at Wapack Labs!

Saturday, December 17, 2016

Raison d’être (Why Are We Here?)

"We are here to produce finished intelligence reports. A good intelligence report provides a customer with insight, meaning, and context that mere data, “feeds,” or news cannot. Intelligence reports help people understand complex issues and explain why those issues may impact them. In an ideal situation, an intelligence report tells someone something they do not already know, or puts seemingly disparate things into a perspective that they did not envision."

This is the first paragraph in our newly drafted writers' manual and style guide, and in one paragraph it tells the story I've been screaming from the rooftops for five years.

This week I had lunch with a really smart, highly qualified security sales professional (I normally would say sales guy, but this guy qualifies in my mind as a pro). He was skeptical when I told him we were looking for a sales guy (a pro) to help sell our upgraded vision --that of a premium provider of finished intelligence. He told me he'd sat with a number of other (ahem) intelligence companies who all tell the same story --they run honeypots, sinkholes, and pull data from all over the world. They aggregate, they correlate (heck, they even julienne fries!) and then send it out. He commented that in every case, when he asked how each individual company was different from the rest, none had an answer --they all sell the same information, aggregated from the same sources, and sold with slightly different pitches. And when he talks to his customers about it? They all have the same feedback --it's junk.

I showed him ours --pictures of bad guys who target banks, defense supply chain companies, oil and gas, SWIFT. I showed him technical analysis of malware submitted from a defense company, but reported out in a way that's useful to many; and I showed him geopolitical stories of election tampering with real lessons learned (written because we had customers who operate in the area!); and I showed him how we distill that information into finished intelligence: the story, the motivation in many cases, the targeting, and the tools --broken down into actionable indicators, Snort and YARA rules.

[PG13] I joke about a measure of success; it's that point where I'm telling a story; when I realize the guy I'm talking to has only one hand visible above the table. You know that look? This guy ate his lunch one handed! [/PG13]

He commented throughout lunch that THIS is what EVERY CISO should be reading --especially if they need to brief the CEO or the board. At nearly every turn, he commented on the idea that he could sell the sh*t out of this, because we showed pictures, and stories, and motivations, and also, like everyone else, indicators of compromise. The difference? Ours had meaning.

We'll see if we hire this guy. He's expensive and we're a cash flow company, but he clearly got it. The value proposition was dead on for this lunch; and if he works for someone else? He'll be thinking about me ;) (Does anyone else hear an Alanis Morissette song playing in the background?)

In all seriousness, this is what we do...

We produce finished intelligence reports that offer readers insight, meaning, and context that mere data, “feeds,” or news cannot; intelligence reports that help people understand the complex issues that they face and explain why those issues may impact them.

When we get the opportunity to tell our story to a techie, a CISO, CIO, or a board member, they get it. It takes very little convincing for them to understand why we're different.

We're heading into the end of the year, and we're talking with folks who want and need more than just data --every CISO needs intelligence; not just a list of IPs or domains --that's data. You need to know how and why things are happening, and then how to protect against them.

Want to hear our story? Drop me a line. Let's schedule some time.

Until next time! It's snowing like crazy outside and I'm going to go enjoy a bit of it!
Have a great weekend!

Saturday, December 10, 2016

27 Chinese Hackers Profiled

Hackers use information sharing and collaboration, and there is a large community of Chinese coders doing just that --exchanging ideas and tools, and sharing software development. This week, Wapack Labs published a study of 27 of the most active Chinese coders, revealing some common characteristics of this community:
  • These coders are not lone hackers. They are mostly employed in major corporations or network security entities. This includes Alibaba, Tencent, and Huawei, and security entities KnownSec, Keen Team, and Evil Octal.
  • They are not anonymous. Real names were found for 18 of the 27 coders studied.
  • Many are well known in China and abroad. Several of those studied had more than 400 followers, and one had about 1,800.
  • Many are contributing regularly; several updated ideas and code more than 200 times over a one-year period.
In addition, the white-hat posture taken by these coders appears to have been accepted so far by the Chinese government. This community does not appear to fear suppression by the government of the kind seen in the shutdown of the Wooyun vulnerability-hunter website earlier this year.

Why do we care? We care because our customers need to know who's coming for them, how they work, and how to protect against them.

We know who they are. We know their telephone numbers, employers, who they're influenced by and who they influence. And we know what tools they've developed and are using... and with that information, we know the baddest of the bad, and how to protect against them.

Why should you care? For years, the press has been reporting on various military technologies that have been stolen. I'm sourcing only one for this blog, but there are literally hundreds of pieces published in the last ten years.

What's been stolen? Tech. And then used to compete against non-Chinese manufacturers... what tech?
  • F35
  • Space, Sat, and Missile systems
  • Unmanned Vehicles
  • That really cool DDG that launched from Bath Iron Works not long ago
  • Need more? Try this.
What about non-military? ThyssenKrupp, one of the world's largest steel makers, said it had been targeted by attackers located in southeast Asia engaged in what it said were "organized, highly professional hacker activities".

Remember RCA? GE Consumer Electronics? Both bought out by a $16 billion French company... gone (saved from bankruptcy in 2012 by a French government bailout).

And those rare-earth minerals used to make your smart phone? Much of that comes from China. In 2010 three Australian mining companies who compete with Chinese companies were hacked, with attackers later convicted of spying and bribery.

ERP systems, MRP systems, CRM systems, Legal, air traffic control, food, chemicals, pharma... gonegonegonegonegonegonegone and gone.... shall I continue?

How do they do it? They work together. They share information and profit from it. And as their information sharing processes get better, our global intellectual property losses will continue to follow suit --in an inversely proportionate way.

They share information. And so should we.

The Defense Industrial Base's supply chain is under constant attack. Many of the big companies can handle themselves --or maybe some have nothing left of interest, or maybe it's SO easy to hack the supply chain that the bad guys simply pick easier targets; I'm not sure. What I am sure of is that the smaller companies are being targeted.

Information sharing isn't free --not from the government, not from public-private partnerships, and not from information sharing and analysis centers. The best intelligence isn't costly --because it's largely available to everyone; hiring smart people to collect it, analyze it, and publish it costs money, as do the systems. So pitch in. What you get back will more than pay for what you put in. Information sharing --not buying a feed, but really talking --works.

Want to know who these bad guys are? Join Red Sky Alliance. My guys are standing by, ready to answer just these kinds of questions. Until then, keep following our announcements, sign up for our digital storefront, or join us in Red Sky Alliance.

Are you a defense company with less than $3 bil in revenue who needs help? Join Red Sky Alliance. If you've ever thought about joining an information sharing program, or need incident response assistance, call us. We're offering special pricing for defense industrial base companies who can't join other defense-specific information sharing groups. We offer private collaboration, malware analysis, tools, and a dedicated intelligence team; and when you need it, referrals to qualified incident responders who can help clean up, and keep you moving.

Have a great weekend,

Saturday, December 03, 2016

Why Intelligence?

(Ghost-posted for Michael Tanji) At the close of my first month at Wapack Labs, and as the company prepares to surge ahead for 2017, I thought it was a good time to articulate a couple of things I thought were important for everyone who is struggling with cyber security and trying to understand what role intelligence can play in overcoming those struggles.

First, the basics.

Intelligence is not a “feed.” In a nutshell, the content hierarchy goes like this:

  • Datum
  • Datum + Datum = Data
  • Data + Data = Information
  • Information + Context + Methodology = Intelligence

Intelligence provides you with meaning, which is something that only human insight and intellectual rigor can provide. That X happened on Y date at Z time is news; who did it, why, and what implications X has for you, your people, or your business is intelligence.

You need intelligence to combat cyber security problems because intelligence helps you make decisions. Anything that complicates your decision-making process isn’t intelligence, it’s noise. It’s more hay on the proverbial stack.

To produce good intelligence you need two key things: solid sources and sound methodology. Without good sources, you’re not even telling people news, you’re giving people your interpretation of the news based on what a guy who heard the news through the headphones of a guy he was sitting next to on the train told you.

The full spectrum of analytic methodologies is far beyond the scope of this post; suffice it to say that a true provider of intelligence subjects its sources and the data they produce to a range of processes and intellectual approaches to help derive facts, reduce ambiguity and provide the kinds of insights that consumers of intelligence so desperately need. That rare, clear signal amongst the ocean of noise.

It would also be a mistake to think that producing good “cyber” intelligence stops at technical analysis. Cyberspace is its own domain, but its underpinnings are physical and increasingly so are its impacts. Cyber-attacks are carried out by human beings, with myriad motivations. Only an analytic team that has “cyber” skills as well as cultural and linguistic skills, awareness of a range of geo-political dynamics, and knowledge of economic, financial, legal and other matters can put all those bits and bytes into the proper context.

Finally, there is no substitute for experience. You can run the smartest people through the most rigorous training and give them the most advanced tools, but their journey as intelligence professionals has only started. This is not an issue of gray-beards having better “guts” for the work (which is itself an intellectual trap that analysts can fall into – also, we could stand to lose a few pounds), but a factor of knowing what works, being able to enforce discipline and rigor in the process, and understanding that we are not writing book reports, but occupy a position of trust. That we’re a “civilian” intelligence organization doesn’t reduce the seriousness of what we do.

If you’ve spent money on something called intelligence that doesn’t meet the aforementioned criteria, you’ve bought a feed. You’ve made it that much more difficult to find the needle, and increased the probability that you’re going to get poked somewhere sensitive. It’s a common mistake because marketers treat “intelligence” like “APT” or insert your own buzzword here: they strip it of meaning and re-define it to match whatever they’re offering.

If you’re drowning in data, if you find it increasingly difficult to make good decisions about your cyber defense, if you’re struggling to define ROI for your security spending, intelligence – real intelligence – can help. And I’m glad I’m back in a position where my training and experience can make a difference.

Saturday, November 26, 2016

Who else knows?

We did a victim notification on the eve of Thanksgiving --about 8:30 PM EST, with a US-based online accounting firm. The firm boasts hundreds of clients on their website, although after looking at their data, I actually know how many clients they have. There are some good ones; every one was listed in the financials shown in unencrypted emails that were harvested and sent from their systems, and although I didn't tell their customers that their outsourced, online accounting firm had suffered a data breach of nearly 80 GB of their accounting data, customer lists, and payroll information, at some point soon they're going to find out.

So after a call to their customer support line (my call was actually forwarded to a human), and two emails to the CEO, he called me on Thanksgiving morning. I explained what'd happened.

So as we speak, on the weekend, two days after Thanksgiving, we're preparing a formal report for the accounting firm, detailing the simple actions that allowed the penetration in this small-scale, systemic breach, with the names of those who'd been exploited and harvested.

Wait... did I say simple actions? Yes. This breach, like many others, could have been prevented by two things... knowing that the activity was ongoing (this is called cyber threat intelligence), and taking the appropriate actions to prevent it. The malware (a key logger) that was used is widely recognized by many of the AV vendors out there today, but it was dropped onto the machine of a senior account representative --a sales guy!

I scrubbed the name of the machine from the screenshot on the right, but the "Installed Anti-Virus:" and "Installed Firewall:" lines were both blank when we found it. This SaaS company didn't have even the most basic protection mechanisms on their sales guy's computer, and for that, they had a bad Thanksgiving.

I realize that there's an amazing amount of data coming in, and it's really hard to recognize which to act on now, which to wait on, and which to simply pass on. This is not an uncommon scenario. A couple of weeks ago I spent some time with a group of CISOs --all of whom experience, and don't know what to do about, the sheer volume of information. As incident response companies, big data companies, and open source lists offer more and more information, the CISOs in smaller companies (small meaning 1 - 10,000 employees) are drowning in data and literally have no idea what's important.

And while I always talk about intelligence and information sharing, many still don't understand what it actually is, or means. That night I offered a view into information sharing, and what it is --early warning, prioritization, proactive response, all supported by a group whose only job is to monitor threat profiles of the companies in the information sharing environment, and report when they see something bad happening.

In this case, the company was not a Red Sky member. As with many interesting nuggets, we found his data while pulling threads related to something else we were working on. He asked where the data came from, and then the dreaded question... "Who else knows?" In our case, the "Who else knows?" is simple. We tell the members of Red Sky Alliance. Some of them use this service and we want them to know that one of their vendors has a problem. They may be able to help.


You're going to see a few changes in messaging moving forward. Red Sky Alliance and Wapack Labs had been, from the start, two different companies. As of the end of the year, they're becoming one and will operate as Wapack Labs. The Red Sky portal will become the focal point and delivery channel for Wapack Labs intelligence, and when a company enters the environment, they'll be met with a team of Wapack Labs analysts ready to assist. As a Red Sky member, you'll have access to our malware repository, our CRITS (currently in beta testing and loading data after the build), full access to our threat intelligence, the indicator database (Threat Recon) and the raw intelligence search API. Red Sky Alliance will be a cyber intelligence concierge; an analytic hub and information sharing environment. We provide the sources and tools, you bring the questions and the know-how. Don't know how? Our analysts are standing by and ready to help. You'll see the changes taking shape as we move into the new year, and already, we've had five new organizations jump in.

On that, I'm off.
Until next time. Have a great weekend!

Saturday, November 19, 2016

My Hat's Off to Soltra

Normally when a company doesn't work out the way we'd hoped, we criticize and critique, and we Monday morning quarterback and we talk about all of the things they did wrong to make them go away. And certainly, my own company struggles like every other company out there with those competitive pressures, so I don't criticize. I look for the lessons, and the good that came from the experience and we drive on.

In this case though, when Soltra was announced as being discontinued, and Aaron Chernin's name showed up on LinkedIn with another company behind it, I thought to myself "What a shame"; and then I thought, Wow. These guys really made a difference.

Many of us have been fortunate enough to have had our fingerprints in tools, technologies, ideas, and processes that have stayed well beyond our initial participation. Soltra will be one of those ideas that I look back on and think to myself they left their fingerprint all over this...

Look, between the FS-ISAC and DTCC, the idea of Soltra was in my mind BRILLIANT. While I don't necessarily agree on all of the implementation decisions, there's one thing for sure. There needs to be a way to automatically share indicators in a way in which analysts at both ends of the sharing stream can understand their importance, rack and stack confidence by source, and automatically ingest the information into a device that can use it without further manipulation, cut and paste, or additional human man-hours. I'll admit, we were a late adopter. As a cash-flow-operated company I wanted to wait until the dust settled. And even today, the idea of moving STIX from XML to JSON means many folks are going to have to do a bit more work... but...

Soltra Edge really pushed the ball up the hill. 

I believe at last count, Soltra had over 11,000 downloads. I'm certain many of those were not paid accounts, but at the same time, the idea of over 11,000 application downloads by 2900 organizations, who did something with it, is absolutely amazing to me. And more, the idea that those users were primarily in the Financial Services and Security industry is even better.

There's power in numbers, and when those numbers are offered a solution by two trusted organizations, the FS-ISAC and DTCC, backed by the knowledge that many of the other financial institutions in the world will be downloading and using it, and then that many of the trusted security companies in the world (us included) will be using it... the sheer volume of warm potential users, all in one industry, supported by the security companies who wish to sell into STIX/TAXII enabled environments, made the viral spread of Soltra in the financial sector possible. And while it wasn't meant to be this time, there are several options out there that will now take Soltra's place in the market, filling the hole that was left. But wait --did I say that there are several others who've taken on TAXII servers? I did, yes.

Being an entrepreneur is really hard. Being a tech entrepreneur is even harder. But being a tech entrepreneur who was selling a disruptive idea? Holy cow. You (Soltra) guys didn't just take someone else's stuff and make an improvement, you created a whole new way to share information! Ok, there were flaws. So what! We all fail sometimes. But sometimes even in failure we advance ideas that pave the way for even greater things. Soltra was one of those things.

And so, as I close, I come back to my original statement. Mark Clancy, Bill Nelson, Aaron Chernin, and all of those other names that I'll never know, my hat's off to you all!

With Respect,
Bravo Zulu.

Saturday, November 12, 2016

We're growing! Partner Exchange Program, Data Analytics, Strategic Hires

First, let me say how happy I am that nobody resorted to cyber bombing during the elections. And although there was a short period during the morning after, where Anonymous put out the word, the results were peaceful physical protests rather than cyber. For that, I'm happy to say that my blog from last week entitled "Mutually Assured Cyber Destruction?" didn't, in fact, come true.


A couple of years ago a friend came back from Afghanistan. He was an intel officer charged with identifying those folks building bombs that maybe we should pay a visit to.

His big data output pushed roughly 800 targets to him every day, yet he could only visit a half dozen or so. So what'd he do? He sat up all night and picked a half dozen high probability targets for the next day. He was the guy who wrote the 'finished intelligence' from the big data picture that kept coming in from the aggregation and analysis shops supplying him with targeting information.

This became the norm and eventually, he came home.

Yesterday I sat with a small bank CISO and his deputy. I told them that in one of our past projects we'd pushed intel products to various organizations preparing in support of the National Conventions. I even gave them one of the 60 or so short, tactical intelligence products that we pushed to folks involved in the setup. This one report talked about an assassination attempt on Trump that never seemed to make it into the mainstream news, but did make it into smaller outlets.

When I passed it off to the banker, he asked "How'd you find this stuff?" My answer? We read! And then we push it out in just about any form needed to get it into our customers' inboxes.

In three weeks we'd pushed roughly 75 intel products with a bunch of great stuff on the activities in Cleveland, then the Rio Olympics.

Cyber intelligence was once the domain of larger companies who could actually do, understand, and act on intelligence; today, however, smaller companies are asking the same questions. But as they learn, many, like the larger companies we've worked with for so many years, really have no idea how to get it, what's good and what isn't, how to deal with the overwhelming amount of data, and rarely do they know, when they actually do get good stuff, what to do with it. Even worse, ask whether they can even recognize the finished intelligence within the aggregated data, and the answer is often no.

So I asked my new small bank CISO friend how he ingests all of the stuff that they get from their intel feeds, the lists, etc. His answer? "We don't. There's too much data and we really don't have time to figure out what's important and what's not." Yikes. He relies on an MSSP and then uses sensors internally connected to a commercial SMB SIM; but if it's not getting pushed into the SIM by someone else, he reads what he can, but the finished intel has nowhere to go except the cutting room floor. Yikes.

We wanted to find a way to help. So let's try this... 

Wapack Labs collects nearly half a million victims every week, including those hit with key loggers, botnets, and various APT and non-APT activities. When we detect them, we do victim notifications --at no charge; we shoot the victim an automated alert from our API. At the same time, we've hired some new strategic people to assist in pushing the message out to those who need it, but may not yet be able to consume and act on it:

I'm happy to say, we hired Michael Tanji as the new Managing Director of a new Wapack Labs Partnership Exchange Program. The idea is simply this... when we see a smaller company in trouble, we let them know... generally through a partner who can help. We don't charge for the service, but rather generate revenue through partnership building. Mike has been in the intel space for over 20 years. I've known him since we were in uniform, and I'm certain he's the right guy for building partnerships. We don't want to be in the break-fix business, but if we can enable others while helping those who need help; well, we see that as a win-win.

We hired Patrick Maroney to build new analytic tools and data analysis processes. Pat is the former Executive Director of the Defense Security Information Exchange (DSIE), the Chief Architect for CyberIQ, and before that a Director in Information Security at L3. He's a long-time evangelist and thought leader in the development and practical application of International Standards for Cyber Threat Intelligence Data Representation Models, Inter-Exchange, and the community development of tools, frameworks, and operational Reference Implementations, and has come to Wapack Labs as a Principal Engineer in charge of 'enabled analytics' --building analysis tools for analysts.

And last, but certainly not least, as we grow, it's more important than ever to make sure we add quality cyber analysts to the team. One of those is a young woman who worked in my team at the Office of Naval Intelligence --shortly after my time, but with the team. Liz Shirley is coming onboard to take on the role of Fusion Director for the intelligence team. Liz has a great background, including having worked as a senior intelligence analyst at Gestalt, iSight Partners, the FBI's National Cyber Investigative Joint Task Force (NCIJTF), Pacific Northwest National Labs, and the Office of Naval Intelligence. She's going to make a great addition to our team and help lead and shape younger analysts.

We're growing, we're adding new offerings, and we're excited! The last few weeks have been busy for us, and as we head into the end of the year, I'm making one more trip to the BWI/DC area --with our new marketing manager in tow, meeting with customers, Red Sky members, and prospects one last time before we head into Thanksgiving. If you'd like to grab some time in person while I'm in town, drop me a note. If you'd like to schedule some virtual time to find out more about what we do and how we do it, we'd be happy to show you... and for the remainder of the year as we put on the full court press before the holidays, we're offering two months in Red Sky Alliance before you're billed for your first year.  Simply sign up and finish membership paperwork by the end of the year and you'll receive your first two months on us!

OK folks... it's going to be a long day on the tractor for the last lawn mowing of the season before the deck comes off and the bucket loader goes on... I've got work to do before travel.

So, until next time,
Have a great weekend!

Monday, November 07, 2016

Election Day Mutually Assured Cyber Destruction?

"U.S. military hackers have penetrated Russia's electric grid, telecommunications networks and the Kremlin's command systems, making them vulnerable to attack by secret American cyber weapons should the U.S. deem it necessary, according to a senior intelligence official and top-secret documents reviewed by NBC News. 
American officials have long said publicly that Russia, China and other nations have probed and left hidden malware on parts of U.S. critical infrastructure, "preparing the battlefield," in military parlance, for cyber attacks that could turn out the lights or turn off the internet across major cities."
I had a boss once who used to tell me "There are no unintentional leaks in Washington," so I'm guessing this is a question of mutually assured destruction in cyberspace, but does it really have to be telegraphed?

Saturday, November 05, 2016

Cyber influencers on next week's elections?

We blogged last week on activity that we believe may be an indication of potential upcoming election tampering. Tonight it was on the news. And while I'm sure they didn't get it from us, we've been watching election activities in Eastern Europe since the last Ukrainian Presidential election.

We witnessed election tampering (hacking, DDoS, and telephone DoS) in the Ukraine, and then again DDoS in Bulgaria. We're also paying attention to Macedonia and Moldova --not because we had a dog in either fight, but because there are massive lessons to be learned from watching the cyber interactions when we have customers who operate in both areas... and we have a global customer base that we believe has interests in the areas, and wants to know.

In October (last month), Wapack Labs watched as Montenegro was hit with a DDoS and insurgency preparations as the pro-Russian opposition tried to take hold in the October 2016 elections.


Wapack Labs believes with high confidence that there will be additional election tampering, but analytic rigor dictates that more data be collected. We have five major elections in the near future where foreign interests may be manifested by some cyber activity – Bulgaria, USA, Macedonia, Moldova, Transnistria and France:

  • 06 November 2016 - Bulgaria. Presidential elections will be held in Bulgaria on 6 November 2016.[1] Bulgaria is a NATO member but has a very strong pro-Russian faction of the population. The incumbent President, Rosen Plevneliev, announced in May 2016 that he would not be running for re-election. Last year the Bulgarian Central Election Commission and other governmental institutions were DDoSed as the country held municipal elections.[2]
  • 08 November 2016 - USA. Hacking of Democratic organizations, with release of the data, as well as intrusions into the Arizona and Illinois election commissions, were mostly attributed to Russian APT hackers.
  • 11 December 2016 - Macedonia. Early parliamentary elections will be held in Macedonia on 11 December 2016, having originally been planned for 24 April and later 5 June. The elections were called as part of an agreement brokered by the European Union to end the protests against the government. From 20 October 2015, a transitional government was installed including the two main parties.[3]
    [Image: Leading Moldovan presidential candidate Igor Dodon meets with Putin (2014)]
  • 13 November 2016 - Moldova. The second round of presidential elections will take place on 13 November 2016. The Socialist Party leader, Igor Dodon, fell just short of the majority needed to secure outright victory and faces a runoff election.[4] Wapack Labs believes that Moscow will radically increase its influence on the ex-Soviet republic. Russia has troops in unrecognized Transnistria, and this development might be similar to Georgia, where a pro-Western government lost land to Russia and then lost power to a more Russia-oriented coalition.
    [Image: Soviet-like Transnistria coat of arms]
  • 11 December 2016 - Transnistria. Presidential elections, 11 December 2016.[5] Transnistria is part of Moldova, an unrecognized state with a Russian military base and strong Russian military influence. Moscow is courting both leading presidential candidates but is worried that their fierce rivalry and worsening economic conditions might lead to destabilization of this pro-Russian region.[6]
  • April and May 2017 - France. The next French presidential election is scheduled to be held in April and May 2017.[7] But the first primaries are this month already. Marine Le Pen, whose National Front was taking Russian funding, is predicted to gather between 28% and 30% in the first round, ranking first or second, and so to be qualified for the run-off.[8]

There's been much in the news about the potential for DDoS next week during the elections. We do not see this as much of a stretch. There are many who'd like to disrupt voting next week, including just about any kid who's got access to a botnet and credentials to the sensors in your thermostats and refrigerators.

There are, however, many geopolitical influencers supporting the idea that there will be cyber activities --Wikileaks is preparing to dump what Assange is calling the most damning dump yet. That's yet to be seen.

In the meantime, get ready folks. You've heard me say it before... welcome to the new normal.

Have a great weekend!

[5] [article in Russian]