Saturday, August 19, 2017

Ridiculously Simple - Wapack Labs CTAC fully integrated with ThreatQ

I haven't blogged as much as I normally do this summer. The kids are getting older and vacations and… well… at any rate, it doesn't mean work stops, nor does it mean that we stop pushing to make it ridiculously simple for users at any level to access the intelligence they need in their SOC, in their risk programs, or, as we're starting to find, even the physical security guys are reading our stuff.

Last year we worked hard to get our data into a foundational tool that could serve it up to any number of different applications. Unfortunately, for a number of reasons, we didn't get it done, but late last year, after a few organizational shifts, we went live in a VERY alpha state in January, followed by an MVP launch in March, and now, I'm happy to say, we're seeing new products and applications come alive and bolt themselves on to us.

Threat Recon(R), launched in 2013, was our first real push into serving up data (IOCs) through an API. It remains a popular, low-cost Wapack Labs API. Today, in 2017, I'm happy to say our Cyber Threat Analysis Center (CTAC for short) is online and rolling nicely. Users can now access more than just our Threat Recon(R) data: they can also search, manipulate and download nearly every collection acquired by the team. CTAC serves up not only Threat Recon(R) data, but also key logger outputs and sinkholes, 'bin' scrapes, early warning, and more.

The result? Greater interest in accessing our data and integrating it into analytics and tools. One integration we were really happy to see was ThreatQ.

Why do I say 'ridiculously simple'? ThreatQ has integrated our stuff so completely that an analyst only has to point at our reporting and ingest it into ThreatQ; after a very simple process of letting the machine do its thing, the data is parsed, correlated against other ThreatQ sources, evaluated and prioritized, and ThreatQ even recommends action.

Mike Clark is an old friend. He and I were early guys in the Honeynet Project together years ago. Mike headed up development on the ThreatQ side and, as always, was a pleasure to work with. He worked closely with our team, and within a couple of weeks we were integrated and running.

We've integrated with others. You can pull Threat Recon(R) data from ThreatConnect, and limited data from Anomali, but ThreatQ really did it right. You get not only the indicators but the full range of collections, analysis, and human-analyzed outputs in one pane of glass.

If you'd like to read more about the integration, or get more information on ThreatQ, one example of the integration is shown on Mike's ThreatQ blog.

If you'd like more information on Red Sky Alliance, our CTAC, shoot us a note. We're here to help.

Until next time,
Have a great week!

Saturday, July 22, 2017

The Camera Adds 20 Pounds!

Yesterday WMUR, Manchester, NH's local ABC affiliate, released a three-minute news piece on Wapack Labs. As many of you who've done one of these television pieces know, they come on site and tape for three and a half hours, then cut that down into a three-minute piece. There's a ton of material that ends up being left on the cutting room floor.

We were interviewed on the heels of Wannacry, and the WMUR folks, recognizing that NH is made up primarily of small companies, wanted to do the piece.

During the morning of Wannacry, I'd been at three small local companies, all of which had been directly affected by the ransomware. In one, a florist, I'd spent 45 minutes waiting for an arrangement to be made up for my mother's 'celebration of life'. While I waited and watched the floral designer piece the arrangement together, I chatted with the owner, who, when she found out what I did, immediately told me that she'd lost her entire accounting, inventory, and customer list because the one computer used to run the business had been hit. She had an IT consultant managing the systems, but the backups used to attempt the restore didn't work, and they were forced to either reconstitute the drive through piecemeal backups and manual reentry, or pay the ransom.

Here's the math… 

  • Pay $300 in ransom and get the key to simply unlock the system (and then go fire the IT consultant).
  • Or spend days (more?) rebuilding the company's administrative operations.

The company probably does $2 million per year in revenue; I'm guessing, but it's a nice place and they're always hopping. At $2 mil per year, they generate approximately $5495 per day, and my bet is they make about 20% profit on that day, $1100, after they pay for their inventory (flowers come in daily), labor, etc.

As the business owner, what would you do? 

As a security pro, what would you recommend? 

I recommended paying the ransom, then firing the IT consultant (I recommended a good one, a partner we've used in the past, Ezentria in Nashua), instructing the new IT consultant to build the system new and up to date, and getting back to business.

DHS recommended (publicly, and spread by every news outlet out there) NOT paying the ransom. Why? Because they take their outside counsel from larger companies who had full, clean backups and disaster recovery plans. Guess what? Those companies don't need to pay the ransom. They were prepared and had a plan.

In 2012, according to U.S. Census Bureau data, there were 5.73 million employer firms in the US. 99.7% of them had fewer than 500 employees. 89.6% had fewer than 20 workers. Add in the number of nonemployer businesses (solo practitioners), 23.0 million in 2013, and the share of US businesses with fewer than 20 workers increases to 97.9 percent.

97.9% of companies are small businesses with fewer than 20 employees! How many of them were consulted when DHS recommended that they not pay the ransom? Of those, how many were prepared for a business-critical ransomware attack? Not the ones we talked to that day. This florist could fall back on catalogs and the internet, and she did, but what about others who were stopped dead in their tracks?

Look, there're a million ways to skin this cat, but common sense tells me that the DHS guidance doesn't apply to every company, and when a florist tells me that the government recommends she not pay the ransom (and take the $1100 per day hit to her bottom line), my stomach hurts and my face contorts. I can't help it. It's my natural reaction to stupidity. 

My point is, government paints with a very wide brush, from taxes to gun control to health care to cyber guidance. Companies with strong information security teams who had kept their systems up to date and had a good disaster recovery process weren't affected. Those who didn't were. And if a company didn't have backups, or a way to reconstitute data, and the system was business critical, what would be the right answer? What happens in this case, where Wannacry stopped business?

That day, the morning of Wannacry, we put up a website where we allowed users to contact us for help for free. Some told us they were fine but wanted to know what to do for next time. Others had questions on their current state. We answered what we could and sent others a referral to Ezentria.

We thought WMUR did a terrific job on this. And thank you to Ezentria for handling any calls that we pushed their way. 

Until next time,
Have a great weekend!

Saturday, July 15, 2017

China’s Intelligence Networks in United States Include 25,000 Spies

Beijing's spy networks in the United States include up to 25,000 Chinese intelligence officers and more than 15,000 recruited agents who have stepped up offensive spying activities since 2012, according to a Chinese dissident with close ties to Beijing's military and intelligence establishment. This comes from a piece in which Bill Gertz, a longtime Washington Times reporter now writing for the Washington Free Beacon, interviews a Chinese dissident who reveals up to 18,000 Americans recruited as Chinese agents.

Without questioning Guo's motivations, the priority list that's played out in action over the last few years appears to be directly in line with what Guo talks about in his statements and with the aggressive positioning undertaken in China's recent reorganization. We can't speak to the human rights abuses claimed in the piece, for example that "Chinese intelligence officers sent to the United States are controlled by the MSS by keeping all their family members and relatives hostage," but according to Guo:

  • China's intelligence targets included several strategic areas of the United States.
  • "The first is to obtain military weapons-related technology. This is priority No. 1," Guo said.
  • Second, Chinese intelligence is engaged in "buying" senior U.S. officials personally.
  • A third objective is buying family members of American political or business elites "with a view to getting intelligence and to make big business deals in China's favor," he said.
  • A fourth priority is penetrating the American internet system and critical infrastructure by implanting malicious software.
  • "And they have successfully penetrated all the major defense weapons suppliers of the U.S. government," Guo said, adding that "the scale of their operations is mind boggling."

Guo said Ma, the MSS vice minister, told him that a major shift by the Chinese was expanding the scope of agent recruitment from Asians to mainstream ethnic groups.

"This is where the biggest danger lies," he said. "It's clear the situation is getting more and more dangerous now. The United States has the best weapons in its arsenal, such as laser weapons, etc. Yet, the Chinese spy system has penetrated into the bloodstream of American defense establishment with their viruses and everything else."

"The United States is bleeding and is unaware that sooner or later the United States will run out of blood," Guo said.

Also, the United States is overly reliant on technical spying while China has an asymmetrical advantage in using its tens of thousands of human spies.

On June 26th, Wapack Labs published a top-down report on the Chinese reorganization of their new cyber structure. The report summarizes Wapack Labs research conducted on the PLA Third Department, suspected of being the primary military cyber force for China. The research was conducted entirely on open sources available on the Chinese Internet, plus unclassified satellite imagery. The report is unclassified but sensitive in that it reveals more about Chinese cyber-related military facilities than has been published in the past. It is a compilation of recent Wapack Labs reporting published separately on each of these Third Department entities. If you'd like a copy of the report, register, and we'll send you one.

Monday, June 26, 2017

VIDEO: Integrated with ThreatQ with raw collection data (CORRECTED COPY)

Sorry folks. I realized I mixed up the link to the video. Let's try this again.

A few months ago, a good friend told me that he really loves the quality of our reporting, but that we really needed to figure out how to get it into systems. I've been wanting to see this happen for the last couple of years, and now we've finally, completely integrated into ThreatQ.

Why'd it take so long? We needed our own APIs to allow ThreatQ to pull from us, and now, with CTAC online, integration becomes much easier.

So rather than write an entire blog post and hope you read it, I've put up a video of Michael Clark at our last Threat Day, where he walks users through pulling Wapack Labs intelligence into ThreatQ.

Saturday, June 17, 2017

Risk Management, Compliance, Resilience. What's old is new again!

Three times this week a user or potential customer told me, "I'm not looking for more intelligence. I'm looking for compliance, risk management, resiliency."

Imagine that! Those are the three things that we talk about most… well, maybe not resiliency. Your failover is something completely out of my control, but for over 20 years I've had a copy of ISACA's Enterprise Risk Management framework documents either on, or very close to, my desk. I'm a long-time user of SEI's OCTAVE risk modeling system; even though it's morphed, it's easy to explain, use, and train a team to implement. And compliance? That's pretty easy. If I see massive amounts of lost PII, intellectual property or outbound activity touching our sinkholes, it's pretty easy to know who's in compliance and who's not. I don't see the systems, but I definitely see the outputs.

I have to laugh. I consider myself an expert in risk management. I have an MBA with a focus in risk, and have built and implemented risk models at some of the best companies, on three different occasions.

I've been interested in, and preaching, risk management since 1998, first using OCTAVE as a Navy Officer, implementing risk management in Navy networks through a visiting scientist partnership with SEI. This work led into processes for building SiLK models (Suresh L. Konda's network flow engine; Suresh is a CMU PhD and good friend), now Centaur and Einstein.

Later, after leaving the Navy and working for Cisco (2001-2005), I built a team and implemented hybrid OCTAVE, COSO, and ISO models to build risk processes. This hybrid model was used to evaluate M&A prospects, third-party partners and suppliers, and remote offices. We used these models in dozens of locations and organizations in as many countries around the world. Risk is a common language transcending country borders.

At Northrop Grumman (2005-2008), I built on these processes using ISACA's early Enterprise Risk Management framework, a larger view designed to integrate IT risk into larger organizational risk models (financial, operational, etc.). We used it to evaluate (again) M&A candidates, third-party partners and suppliers, and remote offices. And when it came time to chase out bad guys, we already knew the issues with the infrastructure in which we were operating. This product evolved into full-out, large-scale risk management and identification run by my second team hire.

Yep. This stuff works.

But guess what all three of these have in common?

Every one requires a deep understanding of external threats: to operations, to finance, and to IT. That information is called intelligence, and it's a linchpin component of every risk management process. No matter which one you choose, they all require external inputs to understand and prioritize the threat, the strategy, and the spend that will go into mitigating, minimizing, transferring (through insurance), or accepting the risks identified.

Without intelligence, you can't have risk management, and therefore cannot have either compliance or resilience. Intelligence is foundational. And if you're relying on intelligence that comes in that sexy little silver UTM (we use one too!), you're missing the boat. Are you going to show your boss the UTM logs when you need budget for next year's threats? Probably not.

You need to think strategically, and that requires good intelligence: the story behind the threat, the motivation of the bad guys chasing you, maybe a picture of one or two of those guys, and an understanding of how they'll affect your business, not just a feed of IOCs.

And as is always the theme of my blog… we're here to help.

Wapack Labs Cyber Threat Analysis Center is a great way for companies of any size to be constantly aware of the threats you face. Whether it's monitoring threats to key personnel, stolen credentials, sinkhole analysis, or sentiment analysis, CTAC makes it easy to monitor your daily and ongoing threat picture. Look at five years' worth of data and extrapolate that out into longer-term planning. Request a deep dive on your company and use that in planning futures. We've published on everything from stolen credit cards to North Korean nuclear and EMP options. We've covered Ukrainian | Russian geopolitical risk monitoring for our companies who do work in the area, and published lists and mitigations for cyber tools being hoarded by Iranian hackers during last year's nuclear talks. We publish indicators with confidence ratings, key logger dumps (not TOR captures with high false positives), and probably have one of the largest sinkhole collections going.

Risk Management, Compliance, Resilience. As you think through these processes and need to figure out who to call for intelligence inputs, call us first.

Want a demo? Drop us a note. We're here to help.

Saturday, June 03, 2017

Wannacry —I know, it's getting old already right? Read this...

On 02 Jun 2017 Wapack Labs obtained several sinkholes associated with the Virut botnet and was able to confirm that the botnet is being used to deliver the Wannacry ransomware. Because the botnet owners are paid by the number of installs, Wannacry is now being deployed globally, and fast. Wapack Labs has reason to believe that Wannacry is now affecting banks and ATM machines, and is specifically infecting companies in the Middle East and Northern Africa region.

Why should you care? Virut has been around since at least 2006 and, although it suffered a 2013 takedown by the Polska CERT, has resurfaced and remains one of the most prevalent distribution networks for spam, phishing, malware, etc… and now, ransomware. Wannacry is now being spread far and wide, and if you've not installed the patch, there's a high probability that you're about to learn a hard lesson in network hygiene.

And so for now, this ends our public service announcement. 

As an aside, and a bit of a science experiment, we're experimenting with some rudimentary artificial intelligence and publishing capabilities. One is one of the earliest and simplest forms: we've loaded a public (and gratis) version of MediaWiki in an effort to encourage massive crowdsourcing. We call it Wapackapedia(R). Yes, there are LOADS of issues with sharing information like this; it's definitely a Bambi, but in cases like this, where hundreds of thousands more computers are now carrying dormant versions of Wannacry, my science experiment goes like this… Get the damn word out!

Here's the link:

I also published two other pages, mostly with computer-generated work, but one page has some new and interesting stuff on Lazarus (North Korean APT).

Here's that link:

I'm looking for maximum crowdsourcing. You guys know me well enough: I believe in machine-to-machine interfacing, but my belief is that real value comes from human communication first, then distilled into machine-readable stuff. Of course, no victim information is posted here. As always, we prefer not to out victims publicly; they've been victimized once already. For that, we've built out private locations behind our Red Sky curtain where we notify our members.

As always, if you'd like to know more, reach out. Jim's the new President and will be happy to set you up with a demo. He can be reached at

Saturday, May 27, 2017

Stutzman assumes new role...

What's that all about?

I've been running Red Sky and Wapack Labs since Feb '12 after leaving the government to join my old friend Jim McKee. I enjoy building new things, but long term? I needed a break. I keep finding myself with one foot in the analytic camp and one foot in the management camp, but as the company grows it becomes harder and harder to do both things well.

This week I told my partners that I felt like I was getting dumber with every day that passed, and that every minute I dealt with prospecting, taxes, managing the team, and all of the other things that go along with being CEO, I missed out on time spent staying sharp on the things that I really love doing.

So on Monday, I turned things over to Jim McKee, anointed him President, and started writing analysis.

My first task? I convened a fusion cell and authored a weekly report, one that we push out to customers who use us for tailored intelligence. I'd forgotten how much fun it is, but it's also like going back to working out after being off for a while: your muscles hurt afterward! Yes, my brain hurts tonight, but it's a good hurt.

So, CEO? Not me. Chief, Intelligence Operations? Oh yeah…

Tanqueray Martini. Shaken, not stirred.

CloudHopper? Systemic... AND Stutzman assumes new role!

This is an excerpt from a piece we authored for our membership. CloudHopper, first discussed about a month ago by PwC UK and BAE, is targeting Managed Service Providers for VPN and RDP credentials. Brilliant. When I first read the piece I assumed this to mean Managed Security Service Providers had been targeted, which would be bad, but colocation facilities? Not a new TTP, but still brilliant.

"CloudHopper, a new name for APT 10 has been identified stealing VPN/Remote Desktop credentials from Managed Service Providers in an effort to obtain administrative level direct access to network infrastructure mechanisms. In our opinion, this is significant. In almost every presentation, at least one financial presenter talks about “systemic threat”. This, we believe, is the epitome of systemic –get the administrative credentials to the network perimeter, change the authentication, and obtain unfettered, unchallenged access to any of the MSP’s customer base. (View the full report:"

This actually scares the hell out of me. 

Four years ago we rented colo space for a malware analysis sandbox. The colo provider had all of the right words in their list of certifications: ISO 27001, PCI, HIPAA, etc. After a walk-around of the facility, we signed the contract for a two-year stint.

Within a month we started noticing fun things happening on the box. Fortunately for us we hadn't opened it up to our Red Sky membership; we were still very much in our testing phase. It was clear to us, however, that the machine had been compromised, so we drove to Boston, removed the server from the rack and brought it back to Manchester, where we mounted it locally. We found that the colo had the necessary tools to monitor the systems, but not to monitor their security. In fact, they had all of the right tools and skills, but never monitored for the things that would have allowed them to see unauthorized access, something we'd paid for.

The idea that VPN/RDP credentials are stolen and the pathways they open are used is not at all new. In fact, these were the first cases that I can remember after building my APT team when I worked at 'that really big defense contractor', over ten years ago. These accounts are the most prized. In many large companies, administrative credentials, domain credentials, those that most often have VPN and RDP access to many, many servers across the horizontal, become one of the single most effective vectors for systemic breach. And when it's done in a colocation facility where small and medium-sized companies are most likely to host? Not new, but still brilliant.

When asked why he robbed banks, Willie Sutton replied, “I rob banks because that’s where the money is.”  Why target colo facilities? Because that's the pathway to small company innovation and potentially, larger accesses. 
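The fan-out described above, one admin identity with RDP reach across many servers, is also what a defender can watch for. As an added example that is not from the post or from Wapack Labs, the Python below flags accounts whose RDP logons (Windows Security event 4624, logon type 10) touch more than a handful of distinct hosts inside a short window; the log line format, host names and account names are constructed for the example.

```python
"""
Added example (not from the post): detect one domain account opening RDP
sessions to an unusual number of distinct hosts in a short window, the
"systemic" pattern the post describes when stolen admin/VPN/RDP credentials
are used across an MSP's customer base.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security 4624 events.
# Field order is an assumption of this example:
#   timestamp  event_id  logon_type  account  source_ip  target_host
# Logon type 10 is RemoteInteractive (RDP); type 3 is a network logon.
SAMPLE_LOG = """\
2017-05-20T01:02:11 4624 10 CORP\\svc-backup 10.0.5.8 FILE01
2017-05-20T01:03:40 4624 10 CORP\\msp-admin 203.0.113.7 DC01
2017-05-20T01:04:02 4624 10 CORP\\msp-admin 203.0.113.7 FILE01
2017-05-20T01:04:55 4624 10 CORP\\msp-admin 203.0.113.7 SQL02
2017-05-20T01:05:30 4624 3 CORP\\jdoe 10.0.7.21 FILE01
2017-05-20T01:06:12 4624 10 CORP\\msp-admin 203.0.113.7 WEB03
2017-05-20T01:07:48 4624 10 CORP\\msp-admin 203.0.113.7 HR01
2017-05-20T09:15:00 4624 10 CORP\\svc-backup 10.0.5.8 FILE02
"""


def parse_events(text):
    """Parse the constructed log lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, event_id, logon_type, account, src, host = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append({"time": when, "event_id": event_id,
                       "logon_type": logon_type, "account": account,
                       "src": src, "host": host})
    return events


def rdp_fanout(events, window=timedelta(minutes=15), max_hosts=3):
    """
    Return {account: sorted hosts} for every account whose RDP logons
    (4624 / logon type 10) reach more than max_hosts distinct hosts within
    any sliding window of the given length.  Hosts from every violating
    window are merged so the alert lists the full sweep.
    """
    per_account = defaultdict(list)
    for e in events:
        if e["event_id"] == "4624" and e["logon_type"] == "10":
            per_account[e["account"]].append((e["time"], e["host"]))

    flagged = {}
    for account, logons in per_account.items():
        logons.sort()
        start = 0
        seen = set()
        for end in range(len(logons)):
            # Advance the left edge until the window spans at most `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) > max_hosts:
                seen |= hosts
        if seen:
            flagged[account] = sorted(seen)
    return flagged


if __name__ == "__main__":
    for account, hosts in rdp_fanout(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {account}: RDP to {len(hosts)} hosts in 15 min: {hosts}")
```

A legitimate service account that touches the same two hosts hours apart stays quiet; the threshold and window are the knobs to tune against your own baseline.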

This may or may not be a surprise to many of you, but I've been running Red Sky and Wapack Labs since February 2012 when I joined my old friend Jim McKee in building Red Sky. 

This week I told him that I felt like I was getting dumber with every day that passed, and that every minute that I dealt with prospecting, taxes, managing the team, and all of the other things that go along with being CEO, I miss out on time spent staying sharp on the things that I really love doing.

So on Monday I anointed him President, and started doing analysis again. I'd forgotten how much fun it is, but also it's like going back to working out after being off for a while —your muscles hurt afterward! Yes, my brain hurts tonight but it's a good hurt.

My first task? We write tailored weekly products as an intelligence provider to some big companies. Yesterday I wrote my first one in nearly six months. There are several more to come. 

So, CEO? Not me. Chief, Intelligence Operations? Oh yeah…

Tanqueray Martini. Shaken, not stirred.

Saturday, May 20, 2017

#WannaCry - To Pay or Not to Pay. That is the question...

I'm not always sure that the government offers the best advice… and the press simply repeats it.

Earlier in the week I was interviewed by the local ABC affiliate. The next day, my team pulled together roughly 40 Red Sky Alliance members for a —largely at my request, to better understand and make sense of all of the noise in the press.

Yesterday, I picked up flowers at a local shop, when one of the owners approached. She'd seen me on WMUR and wanted to tell me that she'd also experienced a WannaCry incident. This was the third such mention by someone who'd been infected. None of the three had full backups. All three told me they hadn't paid because 'they' (meaning the press, largely because of circular reporting) had instructed victims not to pay the ransom. I handed them a business card and told them to call me Monday.

I have a few thoughts. 

1. Don't pay? Be careful. Large companies, and those smaller companies who are prepared for such an event, might be fine not paying the ransom. What does 'prepared' mean? It means that you can completely restore lost data from tested backups. In these cases, none of the three had complete backups. They will soon. Each lost far more revenue than they would have if they'd just paid the ransom.

2. Make your own decisions. The government doesn't run your business. The press only reports what others tell them. Many times those opinions are based on something reported by others, often coming directly from the government. In this case the government urges people not to pay the ransom. The US does not negotiate with . I would urge you to make your own decisions.

3. Who did this? I'm not sure anyone has any real evidence. One report compared WannaCry with Lazarus, but in our work we found only six lines of code in common, largely machine generated and, in our opinion, not a good indicator. We discounted it. We do, however, have theories… we rarely look at attribution at the country level (i.e., Russia, China, N. Korea). I prefer to look for individuals. In this case, I think the story will unfold. My team, and our Red Sky members, are watching to see if this is a test. My bet? There'll be more.

WannaCry encrypted over 200,000 computers. Last heard, the attackers earned slightly over $75,000 US. Not a bad payday if you're sitting in someone's garage punching a keyboard. Not so good if it's a country attempting to steal money (N. Korea?).

The bigger lesson? I have two. First, small business owners listen to the government, but in this case the government (repeated by the press) didn't give adequate guidance to small businesses. In fact, here's what the US-CERT offered as guidance:

"Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed."

One (me) might argue that in this case, this guidance is only partially true. Let's break this down.

"Paying the ransom does not guarantee that the encrypted files will be released..."

This, to me, demonstrates a lack of basic understanding on the part of US-CERT. Ransomware is a customer service business. A few weeks back, we paid a ransom for a client, roughly $30,000. When we couldn't decrypt the servers, we contacted their tech support. YES! They have TECH SUPPORT! If someone pays and still can't get their stuff back, victims will stop paying. It's bad for business!

"…it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information."

I'm sorry. Did I miss something? In which case did WannaCry take someone's banking information? Here's the way you buy a Bitcoin… Go to an exchange, pay the money, take a picture of yourself with a note that clearly states that you want to purchase the Bitcoin (the picture/note combination will be given to PayPal or your credit card company in the event that you try to reverse the purchase). You then get credited with the Bitcoin in a personal digital wallet. Send the bitcoin to the bad guy, and you're done. So where does my bank account get stolen?

"In addition, decrypting files does not mean the malware infection itself has been removed."

This is absolutely true. Even if you pay, you'll want to burn that machine to the ground and reload it.

Two of the three pieces of guidance offered by US-CERT were not completely true and were, in fact (again, Stutzman's humble opinion), poorly worded guidance. If US-CERT is going to be cited as the authority (and they SHOULD BE!), they really need to pay attention to their audience. Never, EVER give guidance to one company and expect it'll hold true for another.

I'm certain there are victims out there still reeling from the encryptor. Drop us a note.

Saturday, May 13, 2017

Hacking back: A viable strategy or a major risk?

I spent yesterday at a conference at the Kostas Research Center at Northeastern University.  

I don't normally spend my time in the midst of so many government folks anymore, but I did yesterday. I gave my "Daily Show" talk, the talk on massive key logger exploitation in the maritime space, and sat on a panel later in the afternoon.

Yesterday morning, however, something BIG happened: a massive ransomware campaign. #WannaCry ransomware was used in targeting healthcare and other industries in roughly a dozen countries around the world.

If you've heard me talk recently you know that one of the things I talk about is threats 3-5 years out… I call it my Futurist talk. What should we be thinking about beyond the end of next week? One of the things I talk about often is swarm attacks in cyberspace… the idea that massive numbers of computers can communicate, swarm, and attack a target computer, system or network and insert code, drop systems, etc., taking any opportunity to implant something that denies, degrades, destroys, or simply embeds.

During the panel, one question came up, a question that always comes up. A strong offense is often better than a strong defense. Should we be offensive in our defense? Should we be hacking back?

I think about this a lot, especially as it relates to ideas that in three to five years, even the most mature security teams (in my opinion) will not be able to keep up with the overwhelming amount of data that will be needed to actively, in real time, defend from these swarm attacks, attacks that I call the nuclear option, and cyber laser guided bombs.

Anyway, we started on my right. The first panelist talked of legal issues. The second spoke of mis-targeting (the old.. what if I hit the baby milk formula factory?!), the third? Heck, I don't remember. When it was my turn, I gave the answer that I always give. I generally have two analogies:

  • "If I get into a bar fight, I'll make a decision to either talk it down, defend myself, or run… depending on who's picking the fight, whether or not I'm outnumbered, surrounded, etc." Generally, the other guy doesn't know that I've been a black belt for years, and if he pushes too hard, well… Maybe I'll buy the guy a beer to try and de-escalate the situation, but if that fails, if I think I can defend myself and win, I'll fight. If not? I'm asses and elbows outa there!
  • The second analogy? The one I used yesterday... "I live in New Hampshire. If someone breaks into my home in the middle of the night and attacks my family.. I'm going to shoot them dead ---and nobody is going to care. I was defending my family."

So why is it that in cyberspace, I'm not allowed to fight back?

Police aren't charged with, or equipped to, protect you from cyber crime, and the government isn't going to come to your rescue unless you're a member of a critical infrastructure sector, and even then, well.... So what are you to do?

Hackers oftentimes learn their trade by sharing tactics and many times, hacking each other — for fun or profit — live… yet defenders are expected to build expensive labs, take training, follow process, be good citizens, and stay within the law.

At some point, the tables have to turn. I'm not saying this is an answer that everyone should pursue. I am saying that if you feel you can defend yourself — and win — go for it. There may be legal consequences, and you might get a cyber broken nose, but for those who believe that they have the skillsets to actively defend themselves, my feeling is, they should be able to do so without fear of prosecution.

This is a topic of discussion that I both enjoy, and have talked about both inside Red Sky and in public. In fact, Wapack Labs publishes an intelligence product that we call the Targeteer(R) report --dossiers on bad guys that we've identified over the years that pose threats to our membership. We identify them through good old-fashioned research. These guys are the wolves closest to your sleds.

We want to know if someone is a threat, and when we find out, we want to know how they work, where they live, how they connect to the internet, where they operate from, etc. Why would we not use this information to our advantage? It's good intelligence and it can be used for many things — hacking back, legal or HR, freezing credit cards, and more. This is good intelligence work and we publish it to our Red Sky members.

Should you fight back? Probably not. Should you have the right to? Absolutely.

Interested in hearing my futurist talk? Drop me a note. We'll set something up.

Monday, February 13, 2017

Morning One at RSA

Leaving the impending Nor'easter behind in Southern NH, after teaching the family how to hook up and start the generator, I boarded a puddle jumper from Manchester to Detroit, and Detroit to San Francisco --the annual trek out here for one of the largest security conventions in the world. Anyone who knows me will tell you that I'm tolerant of small crowds for a short period of time, but large crowds, even for a short period of time, make me absolutely nuts. This morning, it appears, the conference and most of the sessions are closed. Even the expo floor opens later tonight. So….

I'm hanging out under Moscone North, shaking hands with old friends as they make their way down for coffee. I've become a tea drinker of late but the coffee stand still attracts the geeks --and I love talking to them.

More to follow as we run through the conference, but for now, in the smaller crowds, I'm having a great time reconnecting --and writing.

Saturday, February 11, 2017

What's happening at Wapack Labs this week?

I'm running a bit late today. I'm preparing for yet another snow storm up here in New Hampshire, crossing my fingers that I'll actually make it out of here tomorrow --heading for San Francisco for RSA. I don't plan on writing a deep blog but thought I'd cover some of the highlights of the week.

Wapack Labs Threat Analysis Center: We unveiled a new offering this week, allowing companies direct access to our normalized raw intelligence (keyloggers, sinkholes, early warning tripwires, and more) using tools that you know. Red Sky Alliance members will now have access to our tools, where they can create dashboards and reports, analyze our data, or pull our data into their own Splunk, SIEM, or analytic tools. Need help? Reach out to the team through the Red Sky Alliance portal or Instant Messaging for real-time direct access to the team. Need a new source? Ask us. We'll capture it and get it into the system for you.

The system is in early adopter mode with three or four customers testing it as we speak. We're offering it up as a SaaS-based MVP today. I'll be showing off pieces of it during demos at RSA this week, so if you see me, grab me. I'll show you!

Threat Day: Our next Threat Day is rapidly approaching. This one will be a little different from the others. We're offering the first couple of Threat Intelligence University training modules and training on the new Wapack TAC system. We hold these quarterly --some onsite at a member location, some virtual, but we've had questions about how we do some of the things we do --so, we'll show you!

Upcoming conference - CyberRx/Wapack Labs: We've partnered with CyberRx to deliver intelligence into the local BWI/DC SMB markets. We're co-hosting a conference on April 19th where we'll be setting up terminals at the conference and scheduling 10-minute meetings with each participant.  We'll open up the databases and tell them what we know about them and their industry.

This week and last, we seem to be busier than usual. Most years, we have a little bit of activity before RSA and then get really busy after. This week, however, seemed to be crazy. From companies calling in to seeing increased hits on our blog, website, etc., we (I) have been non-stop. We love that.

So two fun things. First, I'm flying into SFO tomorrow night. My plan is to meet with folks Monday and Tuesday, but Monday night I'm looking forward to drinks with friends at the Marine Corps Club. It's a small place, but really nice.

Second, if you've ever considered one of those 'driving experience' days, we've got one for you. On March 3rd, we're bringing some friends together to do a driving school at Team O'Neil Rally Sports in the north woods of NH. This is a tactical driving school that teaches rally car racing. There is a cost, but if you're interested, drop me a note. We've got a few (6) spots left. The day is meant to be fun and exciting. Interested? Drop Pamela a note. She can send you logistics.

We know you guys have many (MANY) choices in where you get your intelligence. We also know (at least according to Ponemon) that the CISO and Incident Responders aren't the only ones who read it. There are only a handful of companies that I know of that offer intelligence written for both the technical and non-technical audience --and we're one. Drop me a note or grab me at RSA next week. I'd love to show you.

Have a great weekend and if you're heading for SFO, travel safe!

Saturday, February 04, 2017

What is Intelligence?

A great paper came out of the Ponemon Institute yesterday. It went hand in hand with messaging I'd heard from a CISO earlier this week --"I have so many dashboards, I don't look at any!" These were his exact words when I asked him "to what extent do you consume and use intelligence?"

The paper explained, as I've heard from so many CISOs, that security teams are feeling the data overload. Why? They're being bombarded with news, intelligence supporting vendor pitches, and aggregators of every IP under the sun, dumping it in your lap and calling it actionable intelligence.

If that isn't intelligence, what is?

We didn't have much time. It was a 30-minute meeting, but he asked me how we're different.  I told him that we actually follow an intelligence process.

And so I explained, as I often do, by telling a story:

Many of our members operate in Eastern Europe and Ukraine. In 2014 we tracked, in near real time, election manipulation in Ukraine. The campaign wasn't just cyber, however; it was full-spectrum information operations: psychological operations, influence operations, and propaganda, military actions for diversion (remember Crimea?), cyber, and intelligence monitoring the entire thing to ensure the desired impacts. There were actions against banks who supplied funding, and those associated with those banks. Military action was used to take over cellular communication nodes, and throughout, telephony denial of service (TDoS) and DDoS were used in conjunction with trojans and remote access control to take over communications.

There were several tools used by one side against the other (I say 'one side against the other' only because it's oftentimes hard to know who's who). Little did we know that one of those tools, BlackEnergy, would later become famous. We did some of our own work, but one of our peer intelligence companies had authored a great report on BlackEnergy. We issued reporting to the Red Sky members that told the GEOPOLITICAL story (the 'why should we care' piece). We reverse engineered the tools identified and included detection methods and metadata in our reporting.

Fast forward to Christmas 2015. BlackEnergy was believed to have been used against power companies in Ukraine, and this time, unlike the previous time in 2014, it hit the press. Now, every energy producer, distributor, etc., wanted to know how to protect themselves from attackers using BlackEnergy.

Back to the question. "What is Intelligence?"

I explained the idea of "Data, Information, Knowledge, and Wisdom". I explained that most intelligence feeds offer "data" (IOCs) but no real context about why it should be important or how it should be used.

I went on. Intelligence is the idea that we can collect a ton of data and boil it down into a form needed by a reader. In this case, we simply wanted to keep our finger on the pulse of the activities occurring in Ukraine. Why? We have members who operate there. We felt we might be able to offer insights on things that might affect them, and at the same time, pick up some lessons learned about how those in the area operate against each other… and there were!

Our reporting and follow-on blogging (in the Red Sky portal) offered several pieces of highly valuable, highly actionable intelligence:

  • We told a story of how the attacks unfolded, thereby understanding where cyber fit in, how it was used, and who (specifically, by company name) was targeted;
  • We identified several tools used, and by whom;
  • We provided metadata on the tools, giving security personnel the ability to protect;
  • And we offered go-forward recommendations for operating safely in the future --not just security related, but things like monitoring political exposure of key executives in the area;
    • Recommendations on courses of action are the hallmark of good intelligence. In some worlds, it's called 'strategy', but it's all based on some kind of solid intelligence foundation.

In this case, intelligence was realized by monitoring sources, collecting a ton of data and then boiling it down into something consumable --the story of election manipulation in Ukraine, and how/why our members may be impacted. It was written in a way that any person could understand it, and it offered specific protection and go-forward recommendations.

  • When the question came up in 2015, we had intelligence on BlackEnergy from a year prior.
  • In the Carbanak campaign, when a few dozen banks were compromised in Eastern Europe, the story was told as compromises in American and Australian banks. We'd had intelligence from six months earlier that showed the story to not be entirely true (and we'd reported it out with the FS-ISAC at the time).
  • Last week a Florida port (Port Everglades) and Cuba made a deal to allow Cuban ships in Florida ports, but the deal fell apart when the Governor threatened to cut off state funding to the port --resulting in a politically motivated DDoS. This will happen again. We learned something from this one --it's good intelligence.
  • We're tracking yet another PLA cyber unit. Why? Because we want to know what they target and how. This is intelligence. As more information becomes available, we'll analyze it and report. Until then, members can search through over five years of intelligence written and published in the Red Sky portal.

Intelligence is about assisting decision makers, in our case the CISOs, with protective strategies. We tell the stories, oftentimes before they hit the news. We then, when possible, obtain the tools used, reverse engineer them and offer our members the technical data needed to protect themselves from the stories we've told.

Intelligence is not the aggregation of everyone else's stuff. It's about helping that one company, that one time, make an informed decision. This is what we strive for.

Have a great weekend.

Saturday, January 28, 2017

Lunch talk — Cyber Threat? Business Intelligence? Geopolitical?

I had lunch with a guy in Boston today --a smart dude, and as I ate my bento box and he his tuna maki, we talked about some of the creative ways that I've been wanting to use cyber intelligence data for a long time.

As we brainstormed some of the options, and I told him stories of the kinds of things we're writing about, he asked me… what do you actually do? Are you a cyber shop? Are you a geopolitical shop? Business Intelligence?

I told him that I've been experimenting with ideas of running comparisons between a measure we call "Cyber Threat Indexing" (patent pending) and key performance indicators associated with running a business. What's that mean? If you owned a manufacturing company you'd probably worry about the uptime of your manufacturing line, right? So what if you Splunked (yeah, I'm using it as a verb!) the number of times your company was mentioned in the intelligence space against the uptime measures coming off of your manufacturing resource planning systems?

You might be able to show genuine business risks as they relate to cyber risk — right? This is security holy grail stuff! As a CEO (albeit, of a small company), I know we do our best to protect the operation but wonder, how does our external threat profile match up to our attack footprint, and how does that translate to my ability to run the company?

Why do we measure geopolitical risk, he asks? Because where there's geopolitical risk there will always be a cyber risk. We monitored hackers stockpiling tools during the nuclear talks last year. In this case, we monitored cyber risk and identified potential targets that could be seen as political retribution targets --our Wall Street Bankers (some of whom are our customers), and companies operating in the Middle East (also some customers).

The cyber risk to our members was real. Motivation would be political retribution on opportunistic and targeted potential victims. Our expectation was that targets would be chosen (by groups we were monitoring), and those targets would likely be those thought impactful — not because of simple compromise, but because they might send a message. Attacks never occurred, but if they had, our members would have already had the protections from our reporting.

We monitored the manipulation of the Ukrainian Presidential Election.

Why? Again, we had several Red Sky members who operate in the area. What'd we get? Cyber tools used in 2014 that hit the press in a big way over Christmas 2015… our members had proactive information on a tool later used against others (maybe them).

In all three cases, we used an all-source intelligence approach to understanding the cyber threat to our customers.

  • The first measures business process interruption as a result of cyber activities and risk.
  • In the second and third, we monitored geopolitical activity because, although not exclusively cyber activities, there were massive cyber threats posed to our customers working in the areas.

Are we a cyber threat intelligence shop? Absolutely. But we don't see things quite the way others do. If you're pulling lists of indicators of compromise (IOCs), you're looking at every tree — examining each for potential compromise.

We are a cyber shop, but we do it through "all source" intelligence processes, not just from incident response data. We like to tell the story and then tell you how to identify and protect against it, not just hand you indicators of the attack with no context as to what they're being used to find. How in the world do you know what's most important?

It's like that bento box! The whole is the sum of its parts. IOCs are the parts; the sum is the context and the story. Call us. We can help.

Have a great weekend!

Saturday, January 21, 2017

Cyber Security Through the Lens of an Election

Inauguration day has come and gone, giving us some time to reflect on both the previous election process as well as what lies ahead for the next four years. There are a number of parallels between running for office and running a cyber security operation, and a few lessons learned from the former can help those involved in the latter.

It's a Campaign, Not a Day Hike

Depending on the office you're running for, your campaign might start years before the winner takes the oath of office. Likewise, it is likely to take years to reach the ideal end-state for the IT enterprise you're responsible for protecting. To further complicate things, technology in general and security threats specifically will change over time, which means the probability you'll see the end of the race is very close to 0. Not running is not an option, so pace yourself.

You Need a Team

Every chief executive needs a team to get things done. In government, it's called a "cabinet" and in business the "C-suite." Regardless of the nomenclature, the purpose is the same: they are the people who specialize in certain things who help you formulate and execute policy. If you're lucky you'll get a team that buys into your vision, trusts you implicitly, and has the resources necessary to get the job done. More than likely you're going to have something more akin to a Team of Rivals, but not ones you got to pick.

(All Kinds of) Experience Matters

There is no one-size-fits-all career path that leads to the White House. People who get into cyber security have a wide range of backgrounds. Yet in both fields people love to poke at perceived shortcomings of those who aspire to (or end up in) top positions. We pick on Michael Daniel or Rudy Giuliani for their lack of technical acumen, forgetting that George Washington never went to high school and his first job was blue collar. Being able to cast a vision, manage people under stress, manage limited resources, and inspire confidence: none of those things requires a given type or level of education, and all of them can be developed in a variety of ways.

Everyone is a Constituent

If you're in security, everyone is "your people." You don't have a party, you don't have a faction, you have to make everyone happy. At the very least you have to keep everyone from revolting. Everyone has a different agenda, different needs, different outlooks. You will make enemies, and different people will be your friend or foe depending on the situation. Success depends on keeping all those factors in balance so that you can move the center forward.

It's a great parlor game to try and figure out what the next four years are going to be like on the political front, but the fact of the matter is we have no real idea how things are going to go. In that sense politics is a lot like cyber security: you prepare for the worst, you assume every day is going to be rocky, but sometimes you get pleasantly surprised.

Hail to the Chief! All of them.

Saturday, January 14, 2017

Botnets, swarms, operating at scale, sharing notes

"Imagine ubiquitous, intelligent robots collectively performing complex tasks. By combining intricate algorithms, defined rules, and continuous sensor data, swarm behavior can emerge. Entrepreneurs are using this collaborative intelligence to develop applications for drone swarms in the air, on land, and by sea. Watch out, Drone Swarms are coming!"

Last week we held our first "Big Broadcast", a live audio event in which we talked about our thinking on futures — and swarms are one of those things I think about 3-5 years out. Not swarms of bees or drones or swarms of strike fighters or humanoids, but computers, and I'm not sure we have the ability to protect against what's to come. Let me explain…

If you are a security organization, what’s the most significant thing you can do to combat threats from cyberspace? Work at scale. Are we there yet? Not yet.

Late last month, the cybercrime platform "Avalanche" was taken down by an international consortium of law enforcement agencies. It was an investigation that took four years to come to fruition, and would not have been possible without cooperation from and collaboration with 30 different countries. If you're familiar with cybercrime history you know this sort of action isn't new, but the scale of it is impressive.

A total of five people were arrested. Over its eight-year lifetime, Avalanche is believed to have caused losses well into the hundreds of millions of dollars. Campaigns run through Avalanche impacted systems in over 180 countries. Avalanche had control over as many as 500,000 systems, every day, across the world. Five people!

Reports don’t reveal how many law enforcement agents, attorneys, technicians and participants from the private sector were involved, but it’s a safe bet that we’re talking about at least mid-to-high hundreds. From the perspective of scale, the bad guys still have us beat hands-down.

Avalanche was a semi-automated, semi-manual process, relying heavily on money mules, but was the favored means for delivering Zeus and SpyEye malware — the tools used to clean out accounts. The manual link of requiring money mules limited the amount of damage that could be done at any given time.

Now consider this: what if Avalanche were fully automated, autonomous, using peer-to-peer communications and coordination between those 500,000+ drone computers? What if a user simply enters the name of a system into a point and click interface and those 500,000 computers took over attacking one victim organization at every vulnerable point using a range of poisons that allow the attacker to use the system for whatever they choose in future operations?

Our folks have participated in a number of botnet takedowns. No, they didn't last long, but such efforts are merely the initial steps in our ability to skew the economics of this sort of malicious activity. Right now it takes a lot of time and effort to take down a Zeus botnet or a cybercrime platform like Avalanche, but that won't always be the case. At the same time, the idea of automation and targeted botnet swarm attacks will continue to inch toward reality.

Takedowns are rare today, but as the negative impact of cybercrime grows, and once the good guys begin to promulgate lessons learned, such efforts will become more common. We hope that the efforts of good guys outpace the efforts of bad guys, but to date this has not been the case. Momentum is building, but protection of (and liability for) your networks rests solely with the owner.

How do you do this? How do you protect yourself against botnets, future potential swarms (or at least higher velocity, higher frequency attacks) outpacing the ability for authorities to keep up?

Work on your technology. Develop your methodology and processes. Perfect your as-a-Service offering. Learn to operate at scale. When given the chance, don't hesitate to participate in a collaborative effort to fight cybercrime. All boats rise on the tide. Security is no different. If you can think of a new way for groups of us to band together in efficient and cost effective ways, you're making a greater contribution to the good fight than you will likely do on your own.

Red Sky Alliance is one of those places, with intelligence, collaboration, sources and tools. If you'd like to see some of the kinds of reporting that we push to our Red Sky members, have a look at our readboard or the Wapack Labs blog. This is where we announce products that get pushed to our members. When they need help or have questions, they use Red Sky to ask. When they need help, we refer trusted partners for the strategy, consulting and/or incident response. For more information, contact us.

Until next week,
Stay safe in the ice storm!

Saturday, January 07, 2017

Spend money on Insurance or Insights?

A colleague recently circulated a link to a report that claims that the cyber insurance market is going to top $14B by 2022. My rather glib response at the time was something to the effect of, “if cyber insurance policies are still a thing by then.” When pressed for an explanation, I gave the following analogy:

If I get supplemental life insurance I tell the agent that I'm so tall, weigh so much, don't smoke, don't drink, don't participate in high-risk activities, etc. He gives me a quote. Then he sends a nurse to my house. She determines that I'm not quite that tall, I'm certainly not that thin, the house smells of Borkum Riff, the recycling container is overflowing with empty bottles of Jack, and the walls are covered with pictures of me skydiving, BASE jumping, and running with the bulls. Oh, she also takes my blood pressure, draws blood, and takes an EKG.

A few days later the agent calls me back and says, “Yeah, that quote I gave you, it’s going to be a bit higher and the coverage, a bit lower.” I don't want my wife and kids to starve if I get hit by a bus so I sign and I pay.

Cyber insurance providers don’t send a nurse to your house. Some carriers make an effort to understand your IT enterprise and others basically take your word for it. In both cases, they ask you to pay A LOT of money in premiums for not a lot of coverage. The way most enterprises of any size operate, it is very easy to get out of compliance with your policy, which means the probability your claim will be denied in the wake of a hack is very close to 1.

Even if your claim isn’t denied outright, there is undoubtedly a cap on your coverage, which means that you’ll still have considerable out-of-pocket costs even if insurance pays out. In high-risk cases, you’ll end up paying first before insurance pays outOut-of-pocket doesn’t mean pocket change either. If insurers are forced to pay out too much, they’ll just stop writing new policies and cancel existing ones. Does no one remember when cyber insurance was a thing 5-6 years ago? You don’t? It was, they lost money, and they stopped doing it. The past is almost assuredly prologue.

You’re CEO of a company in an industry that is at high-risk for cyber-attacks. You could spend several hundred thousand dollars a year on insurance premiums or you could increase the budget of your cyber security team. Which do you choose?

I would argue that in fact you have a third choice: pretend there is a nurse at your house.

Spending a little time and money to assess your true digital health would be exceedingly enlightening. To paraphrase former Secretary of Defense Donald Rumsfeld, you don't know what you don't know when it comes to existing and potential liabilities. With this information in hand you have a much better idea of where to spend your limited security dollars to reduce risk, mitigate threats, and identify where insurance actually makes sense and how much.

I would also argue that you can take things one step further by looking at the data and findings of your existing security testing regime and determining cyber security spending ROI, which would further reduce your exposure. For example, if you regularly conduct pen tests, make sure they tell you what they tried that didn't work (you're spending enough money/have the right defense there).

Insurance is one tool of many that every enterprise should use to fulfill its risk assessment and reduction responsibilities. But corporate leadership also needs to appreciate that they can do a lot themselves, relatively cheaply, with the same insights that a nurse acquires when she uncovers the difference between your image of your enterprise and reality.