Saturday, December 30, 2017

2018 Cyber Security Threat and Vulnerability Predictions

This report encapsulates our predictions regarding the most significant cyber threats and vulnerabilities for 2018.

Phishing. Phishing continues to be at the top of the list for delivery and exploitation. It works, and shouldn’t be expected to slow down any time soon.

Distributed Denial of Service attacks (DDoS) appears to be losing some of its appeal.  LizardSquad/DD4BC glorified DDoS but large-scale adoption of common tools and botnets appears to decreasing in popularity (Phantomsquad, Armada, etc.). We expect to see continued use of DDoS attacks from hactivism motivated actors, those wishing to create noise for effect, and between the gaming communities as an entry into DDoS and IoT DDoS botnets but other tools, like ransomware appear to be growing in popularity while DDoS appears to be shrinking.

Credential Targeting.  In almost any breach, the holy grail of targeting is a domain server, Active Directory, or another location where credentials can be stolen and used. Unfortunately, account credentials are becoming increasingly more available. Keyloggers, misconfigurations, cloud computing, and the expansion of increasingly complex interconnected heterogeneous networking has led to massive losses of credentials. As recently as December 2017, a cache of 1.4 billion credentials was made available in an underground forum. Credentials in the wrong hands can enable a host of malicious activity, from automated, "credential stuffing" and account-takeover, to targeted attacks. The reported use of personal email accounts for official business, combined with the current availability of these credentials, indicates the year 2018 will likely see additional leaks of sensitive data and correspondence.

Democratization of cyber weapons.  2017 saw the most high-profile ransomware attack to-date with the Wannacry worm. Wannacry took advantage of publicly available exploits leaked by ShadowBrokers.  If more exploit leaks are forthcoming from ShadowBrokers or other sources, then their adoption by cyber criminals or other nation states is a near certainty and should be expected to not only continue, but to grow.

2018 is the year of fighting and winning against the abuse of the Tor network.  The Tor network is shrinking due to the new-found ability of IP leak scanning with an onion scanner. The need for compromised systems for web hosting is high and will remain great. Despite the Tor network shrinking, it remains the host of choice for ransomware and scanning/enumerating. The Tor network’s continuing IP leaks, may prove to be a good way at attributing ransomware.

Macro Malware. The popularity of malicious macros for malware delivery continued strong in 2017. The later part of 2017 indicated the increased obfuscation of malicious macros to bypass email based detections. Macro malware can easily achieve low anti-virus detection and there are infinite possibilities when it comes to obfuscation. Because of the ease of development, deployment, and opportunity for success, this trend will continue into 2018 and beyond.

Geopolitical tensions. Iran and North Korea tensions continue. With Russia intensifying contacts with North Korea and Iran, it is highly likely both Iranian and North Korean APT groups will gain more access to Russian APT expertise. Cyber has become the equalizer, and countries with little diplomatic leverage and lesser military power are using cyber as a weapon of choice –both in force and influence. As well, the introduction of asynchronous warfare into election scenarios is likely the tip of the iceberg. Wapack Labs has reported several times sources of fake news. The idea of manipulation of behavior through public influence –by cyber, by advertising, by fake news will grow through 2018.

Blockchain-related cybercrime. With the establishment of Bitcoin futures and general interest to blockchain technologies, exploitation in this field grows too. Blockchain will continue to receive investment but at the same time will receive corporate metrics to determine its value. As volatility continues in emerging markets, more people will try to hedge against inflation with bitcoins. Phishing and stealing cryptocurrency is on the rise. Bitcoin exchanges will continue to be targeted. Botnets and simple JavaScript inserts are used to mine cryptocurrency. New software in smart contracts and other blockchain-related infrastructure will continue to be exploited and will grow in complexity and losses.

For questions or comments regarding this report, please contact the lab directly by at 603-606-1246, or

Saturday, December 16, 2017

Iran, Blacklists and Red Sky Small Business

On Tuesday, the 60 day deadline Trump gave Congress to fix or scrap the 2015 Iran nuclear deal
Photo credit: Reuters

passed, leaving another deadline in mid-January for the State Department to act. Will it happen? Who knows, but what we do know is that cyber activity associated with pro-Iranian hackers appears to have been escalating over the last month, targeting organizations in the US, Qatar, Saudi Arabia, and others.

Earlier this year the Saudi government warned telecommunications companies of cyber attacks against 15 organizations, including the Saudi Labor Ministry, and Sadara, a venture between Saudi Aramco and Dow Chemical.

Wapack Labs is currently tracking 13 cyber groups with varying levels of pro-Iranian sentiment or Iranian association ranging from possible government sponsorship (APT) to pro-Iranian hactivism. 

Why do we care? In 2014, leading up to John Kerry sealing the original deal, we watched what we believed to be both APT and pro-Iranian hackers stockpile cyber tools and we called out the idea that if the deal went badly for Iran, both Iranian hackers and their cyber ally's could be preparing to use cyber as a possible equalizer.

Many of the tools that we saw being gathered back then took advantage of opportunistic targeting --they scanned a broad area of the internet and the tools automatically targeted those organizations that had openings that could be exploited through automation. At the same time, backdoors and other tools are used for targeted approaches against organizations of prominence or significance. This is not a new tactic. During the Petya/Not-Petya campaign, we reported that below the noise of the ransomware a second attack was operating that was targeting specific organizations in an attempt to steal credentials.

Cyber is the equalizer and will always be involved where there's geopolitical risk.

Starting in the mid-90's we watched the Mexican Zapatistas use DDoS tools against places like the German Stock exchange to garner support for their cause. Since then, hundreds of other organizations have followed suit. If not for bringing support to a cause, to attempt to change an outcome of an impending action, or for retribution. Even back then, the Zapatistas were not the direct actor in the fight, rather they allied with hacker groups who built DDoS tools and took their fight to public organizations --the German Stock Exchange, because they knew the action would appear in the news, and if associated, would bring attention to their cause. The effectiveness of this action could be debated. I'm probably one of a handful of people that tracked it enough to know the story.

That being said, I tell my team on a daily basis "Where there's geopolitical risk, there will always (now) be a cyber threat to someone". The Iranian story is no different.

In the past 45 days or so, we've seen long standing backdoors being used by actors who've been attributed by us and others to operating for, or operating in support of Iran.

In the last 18 days we've seen an uptick of a new attack profile with characteristics similar to previous attacks. If the linkage is true, then we've likely seen the escalation.


Changing gears. We're heading into Christmas. Last week we ran two days of fraud related presentations -one for Red Sky Alliance members, and one for the general public. Our second day was announced through a public service announcement on WMUR, the local ABC affiliate in New Hampshire, and for those of you who attended, we hope you found it useful.  Throughout the holiday period we've been publishing Black lists with monitor and/or block recommendations for addresses ranging from fraud to theft. Thank you to those of you who've provided feedback.

Last, we've opened the Red Sky Small Business Alliance - a no-cost location for small businesses to come for help. If you qualify as a small business under the SBA rules, please, feel free to join us. Both Red Sky Alliance and Red Sky Small Business Alliance are now officially registered with DHS as Information Sharing and Analysis Organizations, affording the CISA legal protections to those who request assistance.

Red Sky Small Business can be found at

As always, if you have any questions on services offered or membership in the information sharing environments, drop us a note.

Until next time,
Have a great weekend.

Saturday, December 09, 2017

Keyloggers in HP Drivers? Not sure, but… Healthcare? Retail? Money?

I received one of those updates from one of those lists on LinkedIn this morning. The headlines read "Keylogger found in HP Printer Driver". When I went to read the piece —keyloggers interest me —the piece had been removed from LinkedIn. The idea that the piece is removed might mean it was false, or premature… I'm not sure. What I do know is this… Key loggers are a pervasive, cancerous threat to information security and the operations that worry about it.

Yesterday during a CTAC demo for a large healthcare company, I ran a quick demo using the API. I pulled everything from every sinkhole that we monitor for anything with the word 'health' in the industry field, domain, or email address.

This one query showed 8990 records going back to 2016, 855 in 2016 —significantly lower, and 73 unique addresses being sent to 23 sinkholes.

We know of roughly 1250 sinkhole locations that capture everything from healthcare to bank accounts to porn. The idea that HP print drivers are (may be) compromised with keyloggers would not be surprising.

The idea that we can pull meta data on these sinkholes during a live demo and have findings in almost every industry both thrills me as a collector and scares the hell out of me as a security guy.

The idea that there are keyloggers in HP Print drivers? This is yet to be seen, but I'd probably speculate that many drivers are likely compromised. Remember VPN drivers under XP? Who'd have thought those would have been compromised?

Keyloggers, from an attacker perspective, are low skill high payoff attacks. Deploy, wait to be clicked, let it report back and collect the goods.

I'm keeping it short this week.
Until next time,
Have a great weekend (in the snow?)

Saturday, December 02, 2017

Announcing: Red Sky Small Business Alliance and a Day of Presentations

In the last few years we've had more and more experiences with small business —banks, credit unions, port operators, supply chain companies, local NH companies, etc. —primarily in the area of fraud —account takeover, card not present, new accounts, business email scams, etc., and it's only getting worse as fraud crosses information security boundaries and many are left simply not knowing where to turn.. 

Heading into '18, we decided to extend a hand. We wanted to do something for/with small business. Small business by the SBA is defined as 1-500 employees, or a manufacturer, up to 1500. 

Announcing the Red Sky Small Business Alliance. Red Sky Small Business Alliance is a no-cost community of companies who need cyber help. Risk assessments, architecture support, log reviews, incident response support, forensics, best practice, and more. We have someone that can help.

If you're a small business, please join us this Thursday for a day of Fraud related educational presentations as we announce the newest Wapack Labs service, the Red Sky Small Business Alliance. The day is offered at no charge. We'll start the day with a brief intro to the new Alliance, followed by one of our most popular speakers and talks, Elizabeth (Liz) Shirley, the head of our Fusion Intelligence Team.

We have 100 seats available for the day. Come in for the day, or in and out as you desire. Registration is on EventBright. 

When:     Thursday December 7th
Time:      9-4 EST
Where:   A bridge will be provided after registration

The Red Sky Small Business Alliance presents a well-timed online event -- 'CYBER FRAUD FOR CHRISTMAS'. Please join top cyber professionals as they share a series of presentations on fraud topics including; scams, malware, and viruses.

Included in this presentation is a Threat Intelligence University (TIU) seminar on Scripting for Analysis & Hunting
Sign up now, only 100 online seats available. Bridge information will be provided after you register. No tickets needed.


9:00 to 9:15 AM -- Introduction
Jeff Stutzman, CISSP | Chief Intelligence Officer & Co-Founder

9:15 to 10:00 AM -- Post Data Breach ID Fraud & Mitigations
Liz Shirley | Technical Director, Intelligence & Analysis

10:00 to 10:15 AM -- Cyber Fraud: Skimmers and ATM Malware
Chris Alexander | Cyber Analyst

10:15 to 11:30 AM -- How The Cyber Grinch Stole Christmas: Social Engineering And Scams Around Holidays And Major Events
Technical Support scams, viruses/phishing pages, and holiday scams.
Jesse Burke | Advanced Cyber Analyst

11:30 to 11:45 AM -- Typosquatting – What’s in a Name?
Scott Hall | Jr. Cyber Analyst

11:45 to 12:15 PM -- Evolutions in Business Email Scams
Aure Hakenson | Cyber Analyst

12:15 to 1:00 PM Hacking People’s Lives with Google Sync
In reference to the recent Google Docs hack that went around, we will cover some of the unseen and convenient features that Chrome offers. If an account is compromised, these features can be used to exploit the end user and other accounts tied to the browser and email..
Sean Hopkins | Senior Security Engineer, H2L Solutions

1:00 to 2:00 PM -- Block Chain-Related Fraud
Yuri Polozov | Eurasia Desk Analyst

2:00 to 3:30 PM -- Threat Intelligence University (TIU) – Scripting for Analysis & Hunting
Chris Hall | Co-Founder, Principal Engineer

3:30 to 3:45 PM -- Closing Remarks
Jeff Stutzman, CISSP | Chief Intelligence Officer & Co-Founder

Saturday, November 25, 2017

Grand Challenge: Victim Notification at Scale

I've been thinking about this for several years. There are several people out there using the term "Grand Challenge" — Bill Joy, Bill and Melinda Gates, and others. I think it applies here. 

I have a friend who is a police officer in the mid-west. His wife owns a one person candy store that takes orders for her hand made candy over the internet. She has an online order form, will take orders via a non-toll free telephone number, and she lists a gmail account for her company. My friends wife could just as easily be a three person credit union, a mom and pop logistics shop, or a hair dresser making appointments on his/her iCloud calendar. 

In 2010 there were 27.9 million small businesses, and 18,500 frms with 500 employees or more. Over three-quarters of small businesses were nonemployers one sole proprieter

Why do we care? 

According to the IndependentGoogle says that phishing attacks pose the “greatest threat” to users of its services.  The company has studied the ways in which hackers steal people’s passwords and break into their accounts. In the space of 12 months, it found 788,000 login credentials stolen via keyloggers (tools that secretly record every key you press), 12 million stolen via phishing (a method of tricking you into giving up your personal information), and 3.3 billion exposed by third-party data breaches.

Last week we blogged about the problems that we identified when attempting to notify individuals and small company victims of breach. These did not include the 3.3 billion exposed by third-party breach, rather, those who were infected by keylogger, phishing, drive-by, spam, or automation. What is the process for notifying not only the nearly 13 million Google users mentions above, but also the 22 million showing up in our sinkholes, and the hundreds of millions showing up in others?

Who notifies my friend's wife when her computer gets breached and her customer accounts —payment information, shipping (presumably their home) address, and other privacy information is stolen by unscrupulous cyber thieves? 

As far as I can tell, nobody.

Nobody notifies them. The identity monitoring services would never see the kinds of activity that Google (or we, as intelligence providers) see. They can sign on to notification sites like Have I Been Pwned, but HIBP doesn't run sinkholes either, so they wouldn't know. Troy specializes in third party breach notification, not intelligence.

Let’s fix that.

Last year we sent almost 200,000 notifications to abuse email accounts listed in companies domain registrations. This came with mixed feedback -some positive, mostly negative.  This year we sent notifications to individuals. Out of all of the emails sent, we were marked as spam only once (thank you!), and earned a 97% reputation score with our transactional email provider. The email might have been worded better, but in talking with one of our Red Sky members, we were told that they too had received similar mixed feedback when attempting their own notification campaigns.

Today, from Sinkhole collections alone, we have recorded over 22 million sinkhole connections reaching out to command and control (C2) nodes that we own.  What does that mean? It means that there are a ton of people out there who have no idea that they've been infected, and nobody else who is going to tell them about it. Worse, my bet is, they have no idea where to get help? 

One company? Ten? Fifty?  That's easy… How do we handle 22 million? Should it be done by a government? The US? The National CERTS? Where is the clearing house? And with the numbers growing exponentially, it's only going to get worse. 

I see this as a Grand Challenge scale opportunity —one that is never going to be fixed with current technology, rather requiring education. 

Saturday, November 11, 2017

A Veterans Day Message

It's Veterans Day, and instead of my normal blog, I wanted to take a moment and acknowledge the vets, and the vet interns that we've brought into our small company.  We're small, but we pitch in where we can, and we very much enjoy training returning vets to do what we do. 

So first, to our team. These guys are the mentors, peer analysts, and instructors:

  • Me? USN and USCG
  • Chris: USA 
  • Liz: USAF
  • Bill: CGIS (Ret) - Heads up our Veteran program (Thank you!)
  • Mac: USMC-R
  • John: USAF (Ret)
  • Pedro, USMC (Introduced through Audrey at the VA, and full scholarship recipient at SNHU)
  • Brent, USMC (Introduced through Audrey at the VA)

And to our interns — Some did 15 weeks for credit, others have been here much longer. Some decide to stay even after the semester. To Audrey at the Manchester VA Hospital,  the myriad of people in the Veteran and placement offices at Southern NH University, and Peter at Manchester Community College; Thank you for helping us help returning vets:
  • Jeremy (and buddy!), USMC (Former Wapack Analyst and full scholarship recipient at MCC)
  • Chris, USA (and SNHU student)
  • Jessica, USA (and SNHU student)
  • Phil, USN (and SNHU student)
  • Shannon, USA 
  • Matt, US?? (and SNHU student)
  • Travis, USA
  • Inbound in January: Thomas, USMC and Manchester Community College
Thank you!

Saturday, November 04, 2017

Reducing complexity!? Small business?

A few minutes ago I heard a security pro giving an interview on television. He says that one of the best things that a company can do is reduce complexity. I don't disagree. However… the graphic shown here is VERY old, but I love it. The story it tells is amazing…

I consider myself an expert in IT risk. I think about it often. I think about the complexity that's built into our own computing and the things that hide either just below the surface, or sitting just outside the fence waiting for someone to leave a door open, even a little bit. I used to give a talk.. it was about an hour long and one slide. This one slide talk discusses how in any given environment, if you follow any one of the standards (NIST, SANS Top 20, ISO), there are at least 100 things that you need to do right every minute of every day —and if you miss one? The door's left open and those automated threats are always there; always standing by the ready waiting to pounce.

So let's think about this for a moment… lets frame the scenario.  Let's say you're a small business; a 20 person company with public facing internet, an online ordering system, and you produce something that's distributed digitally or in a storefront.  Your computing environment might look like this:

  • 20 employees, each with two (or more) devices (computer and mobile phone).. 40 devices
  • Servers and storage —handling digital data, processing work product, etc… 30 devices
  • You probably have some kind of cloud environment.. maybe your hosted in one?
  • You'll likely use several Software as a Service providers one or more of your internal needs —Google Corporate Apps, Microsoft Office, or something else. 
  • VPN access into remote areas for sensitive work
  • VPN access into the company for remote workers
  • Externally facing operations —public facing web servers, databases, etc.
  • Externally facing customer touchpoint —registration pages, shopping carts, etc.
Immediately, you can see, you have 40 user endpoints, plus 30 server/storage endpoints, plus the network infrastructure that connects them… 

You've got cloud infrastructure, customer facing infrastructure, email in the cloud. You're probably processing credit cards, and for all of this, you have absolutely no idea how many additional endpoints you've got data passing through or sitting on. 

And then, you've decided to implement your security standard… remember that 100 number that I talked about? It's probably conservative, but for even your small company, you only have direct visibility and control over a small portion of your total computing environment!

AND your stuff is probably in a cloud that HOSTS bad stuff —because they all do,  but that's a story for another blog! 

As well, buy any computer today —Mac or PC, and default storage is in the cloud. Wow! And if you try and turn it off, it gives you a warning that you'll lose access to your stuff! 

So, where do we reduce complexity? It seems to me like it's built into the process. It's one of the reasons that I love the intelligence and risk roles so much. I'm like the weather man.. I don't (and won't) be right all of the time, but if I'm right more times than not, it's good. As a defender, you've got to be right every time. And the owner has to be able to pay for it all… and it's not cheap.

I get the question almost every time I speak in public —"What do you guys do?" We are a small company, and as an intelligence company, obviously we're targeted. We've set up controls but we must also stand guard. We trust some things in the cloud but not others. Our sensitive stuff is moated off —sometimes multiple times, and with few exceptions, passwords are dead to us. We require two factor authentication for just about everything. And as important as everything else? We know where the highest priority threats are coming from. 

Want to know more? Join us. I'll give you a presentation and show you how we do it!

Reduce complexity? I'm not sure that's even possible anymore, but I am sure that there are ways to offset it. 

Intelligence is one of the best value items that money can buy… It shouldn't cost you an arm and a leg. It should save you reading time. It should save you stress.  It should tell you what to protect from today, next week, and maybe next year; and you should be able to buy it from someone who doesn't want to sell it to you to get you to buy their box. 

Information sharing is the other. The latest buzz phrase seems to be 'trusted circles'. Find a group —Red Sky Alliance, the Financial Services ISAC, the Maritime ISAO, or one of the others that are out there.  Asking questions of others in a trusted, non-governmental environment is HUGE. Why non-governmental? Nobody wants to talk about themselves when there's a chance a regulator might be in the room. Use information sharing to learn how to fix your stuff —and then decide how you want to work with the government. Privacy is important. 

Climbing off my horse…
Until next time,
Have a great weekend!

Saturday, October 28, 2017

CTAC Attack! Fridays

How many times have you walked into the office, only to find your boss looking for answers to the threat of the day —you know what I mean. I saw this on the news this morning. What's it mean? or Hey boss, we just got hit with this and now you have to explain it (and fast!).

If you've ever been in one of these situations read on...

Every Friday afternoon at 2:00, we hold a short form training session called CTAC Attack! CTAC is short for Cyber Threat Analysis Center, and its desktop of tools that we provide to our subscribers for their own analytics. CTAC Attack! goes like this…

The idea is that in 20 minutes or less, a presenter will show a group of analysts -virtually via webinar, how they use a specific tool, or in combination, tools, to solve analytic problems.  20 minutes is usually more than enough time to show the tool, describe how the analysts uses it to solve a problem, and then leave 10 minutes for Q&A. Presenters earn CTAC Attack T-Shirts, and attendees are entered into a drawing to win one.

So this week instead of my authoring an opinion piece, I've recorded a short, two minute video summation of one of the sessions that I do. This is a tool that we bought from a startup. It was built to create books, but we liked it more as a search and answer tool, so we hired the founder to make sure we got it right, and after some slight modifications, this quickly became one of my favorite tools.

THIS, is information sharing. We created a dashboard of our favorite tools. I love (LOVE) Pagekicker. Most of the other guys loves CyberChef. We all love Kibana, and we share notes in real time via Slack.

Enjoy the video. Interested in seeing more? Drop me an note.

Until next time,
Have a great weekend!

Saturday, October 21, 2017

Sometimes you just need to talk to someone!

I've used the VA for my healthcare since leaving the Navy in 2001. In my opinion, it's one of the best deals going.  One of the things that you see from the minute that you walk in, are magnets, handouts, and wallet cards —seemingly everywhere —all designed for one thing; they give a vet a place to call when they're in crisis. Maybe that applies more to some than others, but for that one, who finds themselves in crisis, it could mean everything.

I was having dinner with Liz last night. Liz is the head of our intelligence team. We talked about the idea that since starting Red Sky Alliance back in 2012, people, laws, and trends have really changed. In Red Sky for example, once fertile two-way communication has become more the place where we get RFIs from members, deliver PIRs and get asked questions about the intelligence we push through.

So in talking with Liz last night, who's given talks to over 1000 people in the last three weeks —her audience largely bankers, with the majority being smaller --all on fraud; a subject we know well, She says, you know what? These companies just want a place where they can ask questions, not necessarily share a bunch of information.

"They're not all big companies" she says. The majority of those she's talked to haven't built an internal, 200 person infosec team (like many of our original members), nor do they have dedicated intelligence. They have Directors of IT who, many times find themselves double, even triple-hatted —CIO, CISO, Analyst, Fraud person, privacy, and general go-to person for anything wrong with the IT. They participate in free groups and pull down as much information as they can, and make due with it as best they can, but when they get stuck… they want to talk with someone.

And for the last four years, this is exactly what Red Sky Alliance has been. Red Sky Alliance is a place talk to an analyst. Not only can you talk to a Wapack analyst, ask the RFI, or get your intelligence, but Red Sky still today maintains roughly 40% month over month participation —not including my own analysts. Companies come in when they want to talk —when in crisis and they get expert feedback from folks dedicated to monitoring the chatter, pulling apart code, and tracking the fraud. And when we don't know the answer, someone else usually does. Did I mention 40% participation? Yeah, someone else usually knows.. it's called crowdsourcing… and it's amazing.

And in the coming weeks, we're making it easier than ever to talk to someone. We've been on Jive since the start, and realized the need is for more tactical communications. We're moving to a Slack-based platform starting November 1st. Tactical, mobile, and always on. Need to talk to an analyst? Compare notes? We're here; and so are about 60 of your closest friends. This isn't a group of 2000+, it's small trusted, and smart.

I think Liz stumbled onto our new marketing message. Talk to an analyst. 

She's dead on.


This week was the week for fraud. Liz has delivered three talks in the last two weeks to over a thousand people, is preparing to do another one this week, and will give a talk on cryptocurrencies in fraud next week at the MacKenzie Institute in Toronto. 

We published several pieces of analysis, one originally appearing to be a simple smash and grab leading us down another analytic path only to believe (still a WIP) that it may turn out to be a major data loss breach and even more, ongoing fraud —for over a year. 

Me? I'm speaking at ISC2 in New Hampshire on Tuesday and heading off to ZeroDay Con in NY later in the week. I'm looking forward to seeing some of you.

So until next time,
Have a great weekend!

Saturday, October 14, 2017

RiskWatch and Suspicious Activity Reporting

In the last 30 days we've sent approximately automated 25,000 suspicious activity reports from a new application that we call RiskWatch.  While our 'open' numbers appear strong, we're still building trust in the recipients of those. You see, we compete in victim notifications with bad guys who've been sending "You're infected" emails to users for years in attempts to sell fake AV.

So today I'm going to do a bit more socializing.

What is it we're doing? The process is simple --and patent pending ;)

For a while now, we've been sending polite victim notifications to those where we identify (ahem) suspicious activity. Of course, this suspicious activity is rarely just suspicious. We send notifications in which we break out malicious (high probability compromise) and suspicious activity (maybe a compromise but needs a look). And why do I say polite? We're complimented by many as not using scare tactics to sell subscriptions and services. Polite means that we normally handle victim notifications like I'd like it handled if someone were calling me… I call them, and send them a report. Many times, I didn't charge —only to be put under NDA, or blown off, or simply, not answered —and then we watch as the victims continue to be victimized, and those connecting to them do as well. The numbers of victims have grown exponentially in the last two years.

For months, we've been sending suspicious activity reports to the maritime community, and last week I hired a person who'll begin authoring victim reports for the banking and finance industry. This person will be doing nothing but mining our collections for information suggesting bankers, financiers, or insurance companies are notified when we see activities.

What do these things look like? Here's one for the .gov space —of course, this isn't a full report and it isn't in our template or letterhead yet, but I'm sure you get the picture. This shows a small sample of state governments but one from a survey site at Government folks aren't allowed in the Red Sky portal, but they can pull subscriptions from us. This snippet is, of course, sanitized, but I'll be posting the report in its entirety in our online storefront.

Sorry folks. I realize this isn't my typical sassy Saturday morning blog, but this stuff is important, and those who can't afford a good security shop —which includes many of the states we live in, still need to have the information presented to them. This isn't a 60 page in-depth study. It's down and dirty, short, and in a completely actionable format. This report, when finalized post-QA will be available on via our online storefront at

Moving forward, we're making the automation available for supply chain management. Please feel free to reach out for more information.

Until next time,
Have a great weekend.

Saturday, October 07, 2017

Free email systems are not secure. This is easy button.

I'm tuning a presentation that I'll be giving at the National Defense Transportation Association's Fall meeting in St. Louis next week. I'll be on the podium on Tuesday, and as I think through the flow, and I have my first cup of coffee for the morning, I think about the new Yahoo breach numbers —3 billion, and the fact that the Equifax CEO is no more. And as I run through my deck and consider my blog, I have to wonder.. how many email accounts show up in our own data sets?

Anytime we see a password in our collections we substitute the word "redacted".

I queried one data set only. This specific dataset goes back to only April of last year.  In that dataset, the word "redacted" appears 650,472 times and was recorded in 11,227,687 records of attempted uses, meaning, someone tried to log into something with the credentials and we recorded data about the attempt.

Figure 1 - Victim Counts, Government and Logistics
Last year, in front of the four star and his staff, in front of hundreds of transportation company representatives, in two different talks, I told to them about the "Daily Show" campaign that we've been following since roughly 2014. Daily Show is the theft of credentials (using key-loggers) from the transportation and logistics sectors —primarily ports and maritime, but now extending out to anything supporting logistics —air, money movement, transactions, vessel traffic monitoring, and more.  I put up the big maps, and I showed a few passwords, and I scared the bejesus out of many of them. I went for volume instead of specificity —and the volume was enormous.

This year, I'm going to update the victim count. Figure 1 shows the victim counts in the government and logistics sectors from the data set I mentioned above. They are not on the top of the victim count list, but certainly they're high on that list. By way of reference, the entire list in Figure 1 represents 3779 victims -a small fraction of the total 650,472, but remember, they are already victims. It starts with one and spreads.

Now consider this.
Figure 2 - Victim Counts, Totals

Of that list 650,472 mentions of the word 'redacted' and 11,227,687 records of attempted uses, there are several that we have not been able to characterize by industry or type, but of those that we can, the top four are Email, Search Engines, Social Networking and Financial Management. Yahoo email accounts alone account for 38,764 compromises in our data set. How many of those are used from ships at sea? That's a great question.

But wait, there's more. 3854 victims appear from free email services (Yahoo, Gmail, Hotmail, AOL, etc.), accounting for over 3,562,444 records (recorded uses) in this one, singular, dataset.  So what? 32% of the victims came from free email services. 

We keep chasing the really hard stuff… we're going to hear talks of advanced persistent threats, fighting through the cyber, and talks about why this stuff is really hard —and it is really hard, but there's also easy stuff.

Why are ships at sea allowed to use free email services? And if they want to allow them (there are probably many reasons why they would —crew changes, shared computers, etc.), why not do so on machines not connected to other devices? Why are these same computers used for email, surfing porn (yes, we see a ton of that too), shipboard logistics, and communicating between the ports, masters, agents, etc.?

Don't get me started in minimum manning, integrated bridge systems connected to engineering, and the push toward both connected and autonomous ships? This scares the heck out of me.

A much simpler concept. Free email systems are not secure. This is easy button stuff folks.

There are plenty of reasons why commercial logistics operators would want a free email system —crew changes make it impossible to keep up with the moves, adds, and changes or new crews and the required provisioning. These email accounts are used to connect with the wife and kids, surf porn for those lonely guys/gals, and buy Christmas presents on Amazon. I get it all. But, when one infected user on a shared computer onboard ship gets infected, they all get infected.

Do I care that 3 billion yahoo accounts were stolen? You bet I do, but in every place where I've worked, where they take security seriously, one of the top things that they all do is block free web based email systems.

I've not discussed search engines, social media use, or financial, but you get the point. One user spreads to many compromises. In one (a story I'm going to tell next week), we authored a report in which one compromised payment processor had over 35 pages of transaction records —each record per transaction. Why? Because a shared machine was compromised.

OK folks. My family will be up soon and I'm behind on posting. I hope to see you in St. Louis next week. Stop by and buy me a beer! :)

Have a great weekend!

Saturday, September 30, 2017

Why is security hard? (or maybe, If it Bleeds, it Leads?)

It appears Equifax has had its fifteen minutes of fame. It came and went as fast as the the winds shifted in Washington and another shiny story caught the eye of the press. But it made me think...

Anyone else remember Fred Giesler? Fred was a cool old guy that taught the information warfare program at the National Defense University at Ft. McNair. 

Fred ran a class on full spectrum information operations, and one of my favorite speakers was a CNN reporter that operated his own refurbished C-130 gunship, in which he operated cameras instead of guns in the side doors… and the quote I'll remember forever from this guy, and Fred, was "if it bleeds it leads"

And so it comes to Equifax. I saw this headline in an online security publication that I used to read often —today not as much, but this brought back a vidid memory of my days in information warfare training ..."if it bleeds it leads". I'm not sure who took advantage of who, but...

"Lawmaker rips Equifax for eschewing DHS's Automated Indicator Sharing program"

"Rep. John Ratcliffe, R-Texas, chairman of the House Cybersecurity and Infrastructure Protection Subcommittee, slammed Equifax, still reeling from a breach that affected 143 million Americans, for not taking advantage of the Department of Homeland Security's Automated Indicator Sharing program, designed to facilitate the sharing of threat indicators between government and the private sector."

According to a 2015 US Census Bureau report, 99% of the companies in the US are less than 500 employees. If that's the case, 1% (or less) of the security folks in the US know what it feels like to manage security operations (i.e. patching) in companies larger than 500 —right? And even a smaller, much smaller percentage operate in larger enterprise companies —of which Equifax is one with roughly 10,000 employees. 

I'd like to take a moment and offer a small education for Rep. Ratcliffe:

There is a ton of noise out there. You can't swing a dead cat without someone selling, pushing, or dumping indicators of compromise on you, and the DHS AIS program, while probably good enough for most, is, I would argue, likely not as good as the intelligence processed by the Equifax team today. In fact, I've had conversations with them in the past. I'm jealous of their malware processing capabilities. Even if Equifax had participated in DHS's AIS program, they would have had to sift through the noise to get to the good stuff… and my bet is, they probably had it already.

Assuming DHS had given them information on Struts (I'm certain they probably included it in their subscription, and I did see it in Infragard reporting), patching in large distributed enterprise environments is to say the least, difficult. Why?
    • Almost no company has full visibility into every computer on their network. Why? As companies grow, either through acquisition or organically, tools change, people change, and requirements for IT change —usability, storage, operational requirements, etc. Security must change too. Unfortunately, one can simply not reengineer the entire security posture with every change. Virtualization and cloud processing brought massive requirement changes for security but, even if the tools existed to manage all of these new advances in IT, budgets did not, and could not keep up. 
    • Assuming they had both full visibility and ability to reach every computer, in global companies, it still takes time to push. And since we know assuming makes and "ass of u and me", it's a safer bet that they probably didn't have full visibility. Full viz is nearly impossible.. In fact, I'd say it probably is.
    • There's a real shortage of skilled labor - Actually, maybe not a shortage of labor but a shortage of skilled labor —with all of those cloud, virtualization, and deep technical capabilities needed to operate in todays environment, there are no more one-size-fits-all security folks.
    • The Fog of War - Let's do some simple math. Equifax has ~10,000 employees. On any given day there will be 3-5% moves, adds, and changes. That equates to roughy 400 computers in motion every day. Add in those compromised, plus mobiles, plus tracking those in motion, and then dealing with the multitudes of alerts from the many technologies used to defend them. The numbers are staggering. This is absolutely nuts. Now let's go back to number one… almost no company (I'd argue large, or small) has full visibility and control into every computer on their network. I say again -staggering. The Fog of War changes everything —how you see the problems(s), which one(s) you handle first, and figuring out best how to use the limited resources that you do have.
    • Inadequacy of tools - Nearly every tool is Windows based. Unix, Linux, Solaris, BSD all require higher degrees of manual processing. While not impossible, accounting for patches, updates, system outages, and even simple inventories require higher levels of due diligence and manual processing.

I could do this all day. There are no less than 300 reasons that could have cost a simple miss —one that on that particular day, at that particular moment, something went wrong, leaving a hole exposed.

I do not fault Equifax.  I've said this many times in past blogs. I know exactly what it feels like to be a security operator in a large enterprise company. And, I know exactly what it feels like to be a security operator in a very small company. This is a hard business and I'd throw the bull sh*t flag at anyone who tells me that they have perfect security and could have prevented this. I'd throw the bigger bull sh*t flag at the person who says that by being a member of DHS's AIS program, the Equifax breach could have been stopped. Heck, my own marketing people urged me to write a blog that said that we'd seen information that would have stopped the breach. I could not, and would not. Others? Maybe. Not me. The Internet was not built to be secure, and adding layers upon layers upon layers of tools and technologies on top of this insecure foundation will eventually cause a massive failure. The fact that we trust it with nearly everything is a fools game.

I rarely pay attention to the security news anymore. There are a few to whom I will talk, but even then, I watch with one squinty eye to see if I'll be misquoted —and if I am, I don't talk to them again. The magazine that quoted Ratcliffe? I stopped reading them in 2002 when I was a new Cisco employee and they misquoted me; I took a real blistering from my co-workers for that one.  For some reason, every now and again, one of their stories pop up on my radar. I generally pass it by but this one? For whatever reason, I couldn't let it pass. I was compelled to write about it. 

In the mean time, nearly every time I see one of these headlines, my butt clinches and I smile. I think of Fred Giesler… if it bleeds it leads.

For Rep. Ratcliffe? Send me your computer. I'll bet a dollar it's not up on its patches :)

I have to laugh. 

Saturday, September 23, 2017

An mambo dogface in the banana patch?

Steve Martin had this routine where he talked about playing a cruel joke on kids —by teaching them to talk wrong.  As a kid, I laughed many times, listing to this old record over and over, but last week, something happened that made me laugh --not because it was as funny as Steve Martin, but because I listened in horror as a well paid security guy sprinkled in words and phrases that he absolutely nothing about.  

When I was an Ensign (ok, and sometimes as a JG) we used to (sometimes) sit in meetings and write down all of the acronyms, buzz words and power phrases, and then string them together to make jibberish paragraphs that actually sounded like they could be legit! It was even more fun to hear those phrases later when someone else picked them up and used them as their own. Imagine how hard we laughed!

A few years ago I had a young guy that worked for me in, who after a few drinks at an offsite used the phrase "fake it till you make it".  I hadn't thought about that comment in a while but I was reminded of it last week during a conversation with a young security pro(?), who I'm convinced writes key words and buzz phrases from the multitude of information security conversations he participates in and then saves them in reserve for those times when he's in a conversation where he needs be credible, but lacks depth. The thought is, sprinkle in a few important words, names or concepts —regardless of how well they're known, do it with conviction, take cover from the halo effect of previous successes, and there's a high likelihood that won't be (most times) challenged.

I feel like I'm seeing this more and more. I went to an ISC2 meeting where a Mandiant exec (at the time) and I both presented on APT. We talked about indicators and TTPs, until one brave young woman, in this otherwise deer-in-the-headlights audience, chimed in and asked What is an IOC? OK, so she's the CISO for a string of medical facilities and should know that, but if there were ever a place to ask the question and get an education, it'd be at an ISC2 meeting right?

Good for her! 

Last week one of my own guys, when talking about possibly introducing a new application, made a comment (something to the effect) Changing a firewall rule is easy! Anyone can do it! To which I responded When's the last time you changed a firewall rule? And, when's the last time you changed that firewall in a large enterprise company (like our customers)??

This is hard stuff. You can't just log into a Netgear box and increase to the next highest security settings needed to keep you safe. There are a dozen (or more —usually more) interdependencies that also must be considered.

In fact, this is one of my favorite (past) presentations, I talk about the SANS Top 20 controls, ISO 27001, and NIST. The could easily go for an hour, but it's only one slide long. I talk about the moats and controls that must be built around critical assets, and I talk about the fact that there are like 300 things that must be done right every minute of every day, and if you miss even one, well…  At that time, I was talking about large enterprise. Today, however, after having been in the seat for just under six years, I'm finding that even the smallest companies have those exact same problems. 

So I'm thinking maybe it's time to blow the dust off of my one slide 'Why is Infosec Hard?' presentation and do some training on change management in defense in depth, system design requirements, network design requirements, and the butterfly effect that happens when making internal defensive changes. It's a hard lesson but important. 

I don't fault anyone for the lack of depth. The just one of those things where if you've not operated in a SOC, you may not know how hard it really can be. As well, we've gone from 10 mph in demand to over 100 mph in the last few years —virtualized footprints, the criminal shift from having fun to making real money, regulatory requirements, government reporting, and a dozen other variables have all contributed to this massive sucking sound —sucking many many people into positions to which they may not yet be ready.

So where do these people go for help? Besides asking friends (who are, many times, in the same boat as they are), they come to information sharing environments. In some, they get a steady stream of IOCS, in others, they get hammered by vendors paying their way into educational speaking engagements, and in others they get two way collaboration in which they can ask those question, receive non-biased information. 

One of the reasons that I absolutely LOVE the idea of information sharing is because there are no stupid questions! And if you feel like you're going to be embarrassed asking the question in one of our public forums, IM or DM us and we'll answer you in private! Heck, request a training session. We do one every Friday! Maybe someone else will benefit too. 

Red Sky Alliance isn't here to sell you products or services. Its only purpose is to share information collaboratively. And its changing to stay up with the times. We run this area that we call the Cyber Threat Analysis Center (CTAC for short). I like to call it ISAC 3.0 but it's really a suite of our favorite tools in one desktop made available for our customers.  Open the desktop. Select a tool. Need a script? Open our Script repository and either grab one you need or collaborate on building one. Need help? We're here. Open HipChat or Slack and ask for help. Need a report? Fast? We have an archive. Need something fresh? Try Wapack Pagekicker. Enter your query, wait thirty seconds and get a machine written report. 

Let's leave "An mambo dogface in the banana patch" and get everyone on the same page, speaking the same language, educating each other. Yes, we can do this. 

Call me for a demo. Yes, I take phone calls too.

Saturday, September 16, 2017

NEW! and Ridiculously Simple! Wapack Labs RiskWatch

Ridiculously simple is going to be my mantra. Wapack Lab's RiskWatch makes monitoring threat Ridiculously Simple. Define Ridiculously Simple you say?

We can do it for you, or you can do it yourself.

For the individual: Sign in, enter an email. That domain gets checked and monitored. When we see something, you get a report. Simple right?

RiskWatch tally's the number of times any of domains, IP, or domains are seen in our intelligence. If it is, a report is generated and you get an email.

When the recipient of one of our emails logs in (for free), they'll see a dashboard that will give them enough information to fix the problem. For a small fee (starting at $9 per month) the victim can sign up for a detailed look, including raw logs and a notification service.

Think credit monitoring, but we're watching for malicious activity targeting you.

For your company: Today, our analysts screen thousands of companies. When we find issues, we'll enter a point of contact and you'll get the report. Fix away. Interested in having one of these in your own company? Use it for reporting security concerns, risks, threats to your suppliers? Partners? Easy.  Interested? Drop us a note. We're working on that console as we speak.  We'll call you when we're ready.

I was told "think Equifax report".

As of this morning, we've sent out over 1300 suspicious activity reports to individual users in the last two days.  Received one? No sweat.  Sign in. We'll build your report on the fly.

Want to be proactive? Sign up on the site. If we see something, we'll tell you!

Simple right?

RiskWatch is Patent Pending.

Saturday, September 09, 2017

Could we have stopped the Equifax breach? Leading Indicators?

I have this friend (it seems like all the best stories start this way —or with This is a no sh*tter!). Regardless.. I have this friend. He's a long time friend that I worked with years ago during the days when I spent my morse code shifts with the positions glass door closed, head sets on to drown out external  noise, studying calculus while I waited for the next AMVER, or worse yet …- - -…  …- - -…  …- - -…

After leaving the Coast Guard, he went on to become a sales giant with Big Blue, and of course you know where I ended up!

This old friend, we'll call him Mike (I call everyone Mike when I want to anonymize them) was working us through a 'so what' exercise on Thursday night when the phone rang at about 6:00 —it was WMUR, the local ABC Affiliate, who wanted to come to the lab and interview us for comments on the Equifax breach. At that point I hadn't really kept up. Equifax is bad, but so are all of the others —OPM for example (of which most of my team were included). Equifax was just one more breach from a company who likely let their guard down for a moment, and ended up getting screwed as a result.

In preparing for the interview, I quickly pulled up our internal Kibana instance (you've heard me talk about Cyber Threat Analysis Center? An ELK stack is one of the tools that we make available to our members. So.. I pulled up our internal Kibana and punched in the search term *equifax* with a one year time window —and whadya know…

At the time, we knew that Equifax claimed to have identified the breach in late July. We suspected they'd actually suffered the breach earlier; it's rare to catch the breach on Day 0. I wouldn't surprise me to hear that this incredibly talented security team at Equifax probably caught it much earlier. I've met and had beers with these guys. The are scary smart like I was at that age ;) , and my bet is, they followed the same smart process that any large company would follow before reporting out… they identify the breach, investigate the breach, and at the same time, fix the hole and assess just how bad it is. They then break out the mop. The legal team decides how far it extends and what the reporting requirements are, and then, if they choose, the PR engine fires up. This entire effort could take anywhere from days to months. My estimate would have been that they would have actually suffered the breach approximately two to three months before they announced —sometime between late April and late May. Apparently I was close. Scuttlebutt says May.

So why the chart? We monitor all kinds of proprietary intelligence sources that give us leading indicators of when we think something might be coming. We had early warning on Amazon when Jeff Bezos was portrayed as the Devil Boss in the press a few years ago. We had increased levels of cyber activity (although we had no idea what it meant at the time) before the Paris shootings, and we had a leading edge spike in cyber indicators leading into the time when Equifax was believed breached. Of course this is all speculation at this time, but… what did we see?

  • A trojan was sent, several times, to three people —a senior account manager in Mexico, the Information Security Officer in Costa Rica, and an email account that appears to be associated with an unemployment claims service.
We identified these indicators —none of which were delivered —but we see only a small sample. My suspicion is that we saw only the unsuccessful indicators, but in many cases, there are several others occurring at the same time; we just don't have eyes on those sources.  The indicators that we identified were associated with emails sent to these users, with a trojan attached, delivering ransomware that sometimes (not always) uses a C2. 

There were other indicators from open source and misc others, but they didn't appear, at least on the surface to hold any kind of meaning. 

From an analytic perspective: 
  • FACT - We saw activity on the leading edge of the currently believed timeline of the incident. 
  • FACT - That activity targeted three locations (people and email accounts) that would have had significant access:
    • The Senior Account Manager would have had access to Equifax's customer relationship management (CRM) systems —that database that contains all of the customers information, easily access by sales and marketing teams to allow tracking of sales efforts.
    • The Information Security Officer, if breached would probably have administrative rights on some systems but not all. He would have knowledge of detailed local business unit operations, systems and locations of sensitive data.
    • The targeted email that we identified in our collections was associated with unemployment claims -and one (one that we saw), appeared to be sent from an Equifax user to a hospital —apparently looking for health information to support some kind of claim argument. 
  • ANALYTIC GAP - Did Equifax receive other emails like the ones that we saw, but with successful delivery?
  • ANALYTIC GAP - Why the spike in activity on that day anyway? Why was that day so special, as to have received almost three times as much activity as any other day in the preceding twelve months, and to date following? 
  • We saw only part of the storm.. the derivative of the storm. I believe that we may have seen activity generated by automated sensors, but it may have been only a small piece of what was actually happening. 
  • My bet is, others were targeted at the same time. In this case, we was emails with, at the time, a virus total detection rate of 2 out of 57 attempts, and others were probably compromised.
  • Some of what we saw were attempts to deliver ransomware —a diversion? Noise?
I'd make a low confidence assessment that goes something like this… I'm going out on a limb here. This is a first SWAG (Scientific Wild Ass Guess) at what may have occurred. Equifax is neither a customer or are we under NDA with them, so lets have a little fun. This is a total SWAG.
  • Access occurred in Latin America (Central America if our indicators are true).
  • The ISO was targeted to help him from working
  • The Salesperson was targeted because sales people have access, and are easy targets.
  • The unemployment line? No idea. Maybe because it was on the list?? 
Of course, that assessment will change over time as more information becomes available and as our sensor systems collect more information. Let's see how close I come to the real story. I'm betting we'll hear it in the future. It's to big to be swept under the Trump carpet (the noise that happens when he tweets in the middle of the night). 

So, for my sales buddy? He wanted to know… Could Wapack Labs have stopped this attack? 

Probably not. Could we have given them warning that might put them on higher alert, positioning them to stop an attack? Absolutely, yes. We would have put them on alert —for good cause.

For many customers (albeit, not Equifax), we deliver as-it-happens and weekly reports that show these pieces of information as we know them. Equifax most certainly may have benefited from our identification of a 3x spike in cyber activity targeting them on that that particular day. At a minimum, the security team would have been issued a warning, and would probably have taken a more heavily monitored perspective. I told you, that team is scary smart. I'm certain they would not have let our warning pass.
This is where humans have value. Machines are cool. AI is cool. But this set of indicators needed to be interpreted by a human (me), who can read between the lines and think in the gray areas. Humans have value, and information sharing has value. This analysis is posted in Red Sky Alliance, and this is where information sharing has value. We'll let our membership to evaluate our data with their own eyes and participate in the discussion 

For others? Drop me a note. We'll sign you up.

Traveling today. 
Have a great weekend!