Saturday, December 19, 2015

What does "Getting to the left of Kill Chain" look like?

I call it intelligence --forward looking information based on currently known facts. Others call it Early Warning, Indications and Warning, proactive, or simply, intelligence. No matter what you call it, this is what "Getting to the Left of Kill Chain" looks like. The best intelligence should stop attacks before they occur. And this is one example of early warning mechanisms that we (Wapack Labs) send to our Red Sky Alliance members and Wapack Labs subscribers.

(Image: https://threatrecon.co)


This is a CIW (Cyber Indications and Warning) Malicious Email Digest.

     ===========================================
     MALICIOUS EMAIL DATA
     EMAIL HASH:0dca67606a345811dff801b6b0678fd6445ad8467b7e5ef23affc54a398f4085
     TARGETS:abcde.de
     DETECTION DATE:2015-12-16 12:29:24
     RECIPIENTS:info@abcde.de
     SENDER:"Tobias B" - TobiasB@fgihj.de
     SUBJECT LINE: Bestellung 96149
     DETECTIONS:F-Secure - Trojan-Downloader:W97M/Dridex.R, Fortinet - WM/Agent!tr

This report tells an operator which email account is being targeted, by what, and how well detected it already is.

This report is a bit dated.. detected 12/16 at 12:29 but it'll do for now.  

     It was targeting one email address: TO:  info@abcde.de
     FROM:  TobiasB - TobiasB@fghi.de
     SUBJECT LINE:  Bestellung 96149

Each of the italicized indicators can be seen by watching packets on the network. If they can be seen, they can be stopped. So drop them in your favorite network security system and count the drops. 

But what happens when you're not running network defenses? This alert offers host based detection options as well. This, then, becomes a case study in why we practice defense in depth... or Kill Chain if you prefer.

The line: "F-Secure - Trojan-Downloader:W97M/Dridex.R,Fortinet - WM/Agent!tr" shows that two different AV vendors were able to see it on the computer. If the network defenses miss it, then one of these two antivirus applications will see it. Sadly, if you don't have one of these two, you're stuck. The AV detections also have clues on how to triage the malware. It may or may not be Dridex with one specific and one generic detection, but we can say with high confidence it's a MS Word macro document from the "W97M" and "WM" abbreviations.
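As an added example (not code from the post or from Wapack Labs), here is a small Python parser for the digest format above. It separates the network-visible indicators (sender, domain, subject) from the host-side AV coverage and applies the triage rule just described: a macro platform prefix in every vendor name gives high confidence in the file type, while one named family beside one generic verdict is reported only as "possibly". The platform-prefix and generic-marker lists are assumptions about common vendor naming.

```python
"""Parse a CIW Malicious Email Digest entry into structured indicators and a triage hint."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input, in the same shape as the digest quoted in the post.
SAMPLE_DIGEST = """\
===========================================
MALICIOUS EMAIL DATA
EMAIL HASH:0dca67606a345811dff801b6b0678fd6445ad8467b7e5ef23affc54a398f4085
TARGETS:abcde.de
DETECTION DATE:2015-12-16 12:29:24
RECIPIENTS:info@abcde.de
SENDER:"Tobias B" - TobiasB@fgihj.de
SUBJECT LINE: Bestellung 96149
DETECTIONS:F-Secure - Trojan-Downloader:W97M/Dridex.R, Fortinet - WM/Agent!tr
"""

# Assumption: AV platform prefixes that denote an Office macro document.
MACRO_PLATFORMS = {"W97M", "WM", "X97M", "O97M", "VBA"}
# Assumption: family-name fragments that mark a generic/heuristic verdict, not a named family.
GENERIC_MARKERS = ("agent", "generic", "heur", "suspicious")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# "Platform/Family" token inside a vendor name, e.g. "W97M/Dridex.R" or "WM/Agent!tr"
PLATFORM_RE = re.compile(r"\b([A-Z0-9]{2,6})/([A-Za-z0-9_-]+)")


@dataclass
class Detection:
    vendor: str
    name: str
    platform: Optional[str]
    family: Optional[str]   # None when the verdict is generic
    is_generic: bool


def parse_detection(raw: str) -> Detection:
    """Split 'Vendor - Name' and classify the verdict as named-family or generic."""
    vendor, _, name = raw.strip().partition(" - ")
    m = PLATFORM_RE.search(name)
    platform = m.group(1).upper() if m else None
    fam = m.group(2) if m else None
    generic = fam is None or any(fam.lower().startswith(g) for g in GENERIC_MARKERS)
    return Detection(vendor.strip(), name.strip(), platform, None if generic else fam, generic)


def parse_digest(text: str) -> dict:
    """Turn the KEY:value lines into a dict; banner and separator lines have no colon and are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # first colon only: DETECTION DATE keeps its time
        if sep and key.strip().isupper():
            fields[key.strip()] = value.strip()
    return fields


def build_report(text: str) -> dict:
    f = parse_digest(text)
    sender = EMAIL_RE.search(f.get("SENDER", ""))
    sender_addr = sender.group(0) if sender else None
    dets = [parse_detection(d) for d in f.get("DETECTIONS", "").split(",") if d.strip()]

    macro_hits = [d for d in dets if d.platform in MACRO_PLATFORMS]
    families = sorted({d.family for d in dets if d.family})
    specific = sum(1 for d in dets if not d.is_generic)
    generic = len(dets) - specific

    # File-type confidence: every vendor agreeing on a macro platform prefix is the strong signal.
    if dets and len(macro_hits) == len(dets):
        file_type = "Office macro document (high confidence: every vendor uses a macro platform prefix)"
    elif macro_hits:
        file_type = "possibly an Office macro document (mixed platform prefixes)"
    else:
        file_type = "unknown"

    # Family confidence: one named family plus one generic verdict is only 'possibly'.
    if not families:
        family_note = "no named family; all verdicts generic"
    elif specific == len(dets):
        family_note = f"{'/'.join(families)} (all vendors agree)"
    else:
        family_note = f"possibly {'/'.join(families)} ({specific} specific, {generic} generic verdict)"

    return {
        "sha256": f.get("EMAIL HASH"),
        "detected_at": f.get("DETECTION DATE"),
        "targeted_recipients": [r.strip() for r in f.get("RECIPIENTS", "").split(",") if r.strip()],
        # Network-visible indicators: what a mail gateway or IDS can match and drop.
        "network_indicators": {
            "sender": sender_addr,
            "sender_domain": sender_addr.split("@")[1].lower() if sender_addr else None,
            "subject": f.get("SUBJECT LINE"),
        },
        # Host-side coverage: which AV engines already flag the attachment.
        "av_coverage": {d.vendor: d.name for d in dets},
        "file_type": file_type,
        "family": family_note,
    }


if __name__ == "__main__":
    for k, v in build_report(SAMPLE_DIGEST).items():
        print(f"{k}: {v}")
```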

The upside? This didn't come from the target. We capture hundreds of sources of these things on a daily basis, and as of yesterday, have over 22 million indicators that we query on a regular basis looking for signs of to-be malfeasance... and we drop those signs in the Red Sky Alliance portal. In fact, as soon as I publish this report, I'll be sending a victim notification to the Healthcare ISAC. We don't normally pay attention to the Healthcare sector, but this is one of those cases where professional courtesy demands it. 

So beyond the healthcare industry, there's a high probability that our capture and notification may have saved this company at least one new infection. At least that's the hope right? 

Don't have a subscription? Pay attention to Threat Recon and our CMS. I know, it's a pain in the neck to have to find two sites.. we'll have them consolidated soon. In the mean time, bear with us. We post the indicators and sharable reports there. 

It just started snowing up here. First of the season! 

It looks like we may have a white Christmas after all. 
Merry Christmas (or Happy Holidays if you prefer)
Jeff


Saturday, December 12, 2015

What about the little guy?

We hired a new Business Development Manager yesterday. I'm happy to say that Chuck Nettleship will be starting on Monday morning.  Chuck's an old Norwich guy who's been around the block as many times as I have, and has worked not in the same places, but in similar places. So the conversation was fun as hell. And as he asked more questions, wanting to come up to speed before Monday morning, some of the questions made me go back a bit. I've been hearing some of these questions for years, but haven't really seen a good answer. For example, he asked "How is it that in today's information security environment, that only the most sophisticated companies have the ability to detect and efficiently react to badness in their environments?" What about the little guy?

The other night, I was at our monthly NH ISC2 meeting. And while some (usually not this one) of these meetings can be dry, ISC2 is normally pretty good. It's a smart group and I enjoy the intellectual tennis. So the other night, one comment caught my attention. According to the guy, Angler was responsible for the delivery of over 90% of the malware being dropped into their systems. And being a good group and coming from a smart guy in a great company, I'm going to take this at face value and believe. We wrote in August about it being used for Neutrino and we know that at the time, Angler made up about 80% of the delivery... but this is the tip of the iceberg.

This week's blog was actually going to be about the evolution of the Angler Exploit Kit.  But this morning, I woke up thinking about Chuck's question --the supply chain problem, and if this big company is having a problem with Angler, what about the little guy?

(Image: http://aerospacereview.ca)

We (Wapack Labs) work in APT. We also work in financial crime, fraud when it intersects (which is becoming more and more), intelligence (know the bad guy), counterintelligence (identify and stop the bad guy), counter branding, incident response and more...

Who cares, right? You knew that already. The idea is, this is a COMPLEX new threat landscape. There are about 150 things in the SANS Top 20 that every defender needs to do right, every minute of every day. And if you miss one? WHAM! Hacking today means money to bad guys - big money. It means espionage --stealing your stuff for a country's (or another company's) gain. It means making a handsome living stealing from others and selling it elsewhere.

So, when I talked with Chuck yesterday afternoon, we spoke at length about the idea that big companies can, for the most part, protect themselves --or at least have processes in place that allow efficient response when they do get breached. What about the supply chain? The picture above shows the supply chain of an airplane. There's a ton of information on airplane supply chain, but only one level deep... but to take this further... according to newairplane.com, the Boeing 787 has approximately 2.3 mil parts with roughly 30% purchased from overseas suppliers. Again, who cares right?

(Image: http://tommarch.com)

At one point, a partnering person at a large manufacturing company told me that in a survey of their 10,000 critical suppliers, ~60% had less than 100 employees and half of those had less than 25.  So let's do some simple math... 6,000 companies had less than 100 employees, and 3000 had less than 25. I'd bet a dollar that most of those are small engineering or manufacturing firms, and that none of them have a formal Information Security program strong enough to defend against even basic threats.

So how many of those suppliers --in the airplanes that we line up to board, in the laptop I'm using to write this blog (a depiction of the laptop supply chain is shown above), the chip manufacturers for medical devices, or the computer in the car you drive... how do the little guys who supply the basic components of those products protect themselves from having their lunch eaten or worse, code written into those devices that can be accessed later. And when that happens, who's there to help protect the little guy with the cable box for an internet connection and little more?

We are. This isn't new for us, and our focus is intelligence, but we've partnered with some great companies to do consulting, monitoring, alerting, incident response, and remediation. Our partners --Morphick Security, Kyrus, Alert Logic, D4C Global, Delta Risk, Ezentria and others-- offer a range of capabilities that can rival any other. Some focus on the espionage and advanced threats. Others focus on monitoring and alerting and do really well in smaller environments. One focuses exclusively on the under 25 market. They handle the 24x7 monitoring, incident response, or consultations. We handle intel and analysis.

Is this the panacea? No. More like the bandaid... but it's something. We've got one partner who just set up a Passive Vulnerability system in an MSSP configuration for companies under 25 employees. When something bad happens, they respond. When something really bad happens, we get a call.

Need help? Interested in partnering? Drop me (or Chuck) a note.

In the mean time, let's keep moving forward!

For me? Time to put up the Christmas Tree. I'm late.
Have a great weekend!
Jeff


Saturday, November 28, 2015

Black Friday!

I watched Good Morning America (GMA) yesterday morning as I started to author this blog and saw the CEO of one of the security vendors on television talking about malware on Black Friday.  On LinkedIn, I think I received three notifications before having my second cup of coffee, all with the same theme -- The last, written by a 'Director of Field Marketing'. I love that. A Director of Field marketing warning people of an uptick in cyber activity on Black Friday (no underlying messaging there, right?).

Over the past few weeks we've been working with some models that get us to the left of kill chain. In fact, this is the exact term I've been using in describing a new value proposition to our portfolio of intelligence services --"Getting to the left of Kill Chain*". (*Kill Chain is registered trademark of Lockheed Martin) 

How's it work? We look for things that tell us someone is going to be targeted, and then we track it. We're not 200 data scientists in the MIT Tech corridor or rocket scientists tracking space junk. We're simple guys running simple math. Take it for what it's worth.

It goes like this...

We tested against one intelligence source.  Every day (well, nearly every day) we queried it for keywords, rules, IP addresses and other things that we think might be interesting. We tally the findings and present both the number of hits and detail to the analyst or subscriber who requested it. For the purposes of this blog, I tested PayPal, Amazon and Ebay for a pure online sample, and Walmart, Lowes and Gap for more traditional brick and mortars (although they too have online shopping).  The results were, in this very limited sample, interesting.



I've removed the key from the graph to protect the innocent, but the numbers are interesting. The graph shows higher numbers of malware being sent to the online companies in a lead-up to Black Friday, while the major retailers showed nearly no increase in activity. Tallies of Malware being sent into brick and mortars were negligible throughout.

I'm showing only a few weeks, but even with the small sample, I had some thoughts..

First, this doesn't suggest to me that the sky is falling as a result of Black Friday. In fact, the numbers dropped going into Black Friday. That suggests (to me) that the cyber traps have already been set. Second, why do pure-play online companies have a higher rate of targeting than brick and mortars with an online presence? One would have to believe that cash register (Point of Sale) devices are highly coveted targets. Me? While it's true everything based on a computer will have vulnerabilities, most PoS makers go to great lengths to install encryption, tamperproof architectures, etc. --and then there's the sheer number of individual targets; you'd have to hit SO MANY of them! I'd argue a softer target would more likely be the backend where those PoS devices aggregate their data, where it's processed, managed by admins, transferred to customer relationship management (CRM) or Enterprise Resource Planning (ERP) systems. There are a million possible reasons for the disparity in targeted emails.

(Image: http://www.tricityretail.com/)

However, the idea that the traps have already been set in backend systems of brick and mortars wouldn't surprise me at all. We know for a fact that ERP and CRM systems are just as coveted as other aggregation points -heck, we've been watching key loggers in thousands of companies around the world collect this data for over a year.

And why higher numbers in the online companies? Who knows.. maybe because the money flow is concentrated in these places? Pontification without more data would be irresponsible....

On the upside? Chatter in the security community, at least in the channels we monitor, continues as usual. The process is working. Marketers and press need to figure out how to message this stuff correctly, but the security community operates like any other day --because to us, it is. We're just a little more full as we work off the turkey.

So, get a good workout in. After mine I'm going to continue to pontificate about why one type of company gets targeted over another.  We'll continue tracking.

I hope everyone had a great Thanksgiving!
Until next time!
Have a great weekend!
Jeff





Saturday, November 21, 2015

The Thread and Xindi...

(Image: http://xindibot.pixalate.com/)

If you've not watched it yet, you need to take one hour and one minute and watch the Netflix documentary "The Thread". It's a documentary on the Boston Marathon and how amateur internet crowdsourcing played a role ...and how they got it wrong. It's worth the watch.

As I watched the video, it reminded me of days past. I followed bugtraq, alt.hack and about another dozen usenet groups until the pace of keeping up became overwhelming. Now, I read closed communities like Red Sky Alliance (of course), and I follow several semi-closed and a few open, Google groups. And again, I'm getting to the point where the amount of traffic (some good, some bad) is becoming wild. If you're looking for heavy loads of raw data as cyber events unfold, there are a dozen places one can look. The open source groups, like Reddit during the Boston Bombing (documented in The Thread), are becoming as much of a bitch session as they are about fact. So be prepared. Open source intelligence isn't always an easy ride, which is what I watched as Xindi unfolded this week.

Nearly two weeks after watching The Thread I remember the power of open source crowd sourcing. It's truly amazing, but one quote has stayed with me since --"Mob rule"--it was a phrase used by one woman to describe how Reddit and other open sourced crowdsourcing news sources got it wrong. I won't spoil the ending, but a theory was offered on circumstantial evidence, emotions ran high, and within hours, internet users from all over the world hogpiled on, singling out one person as the mastermind.

This week, Pixalate, another intelligence company issued a report on a botnet called Xindi. My team was asked to comment on the botnet and whether or not we thought it had any real substance. My malware guy thought it might be a hoax. The intel folks thought otherwise. We watched the open source threads, each with their own opinions. One in particular reminded me of the virtual hogpile I talked about a moment ago on Reddit.

The report was posted. It detailed impression fraud, supported by a vulnerability in a process, and the authors extrapolated out potential damages if left unchecked. From an intel perspective, I actually liked the product! It was a bit heavy on the marketing for my taste, but it laid out the fact that there was a bug, the fact that it was used for impression fraud, and if left unchecked, offered some examples of how bad it could be (which by the way, reminded me very much of the speculation that ensued during the early hours of Heartbleed).

The malware guys in the group immediately dumped on the report --no indicators; they outed victims; heavy marketing; a F500 was outed.  Even inside my little company, we had two very different thoughts, both at opposite ends of the swing of the pendulum.

So why is it that a simple intelligence report, with obvious gaps, but also obvious positives, drew such attention? How could it be that this one report generated so much (negative) discussion? Not sure, but here's what I do know... I love analytic differences. It makes for better decision making. Crowdsourcing isn't always right, but it gives every participant the ability to come to their own conclusions. Should one use crowdsourced data blindly? Of course not. Think for yourself --but don't be afraid to take on the thoughts of others in coming to your own conclusions.

Interestingly enough, in one group, pounding the Xindi report got more air time than the ISIS attack in Paris. In another, there were no mentions of either. In another, a very busy industry list, Paris got four mentions, Xindi none. 

And now? First reported in one of the more active groups at 9:06AM on the 17th, by 10PM on the 19th the conversation is nearly dead.... on to the next topic. Starwood Hotels is now under the spotlight.

Have a great weekend and a fattening Thanksgiving!
Jeff




Saturday, November 14, 2015

Attribution counts. Good intelligence counts.

We've had one of the guys on the road for the last week. He spent some time in the Nordics, and during one visit, he was told a story that I'd like to share (we have permission).

(Image: http://world.edu)

About two months ago we received a high priority request from an overseas bank.

They'd come to us with a fast-turnaround request for information on what they were seeing during their ongoing attack. We authored an (attribution) profile with the material we had, and a bit more that we needed to dig for, but by the next morning we were able to give them some pointed gouge. The bank used it to verify the guy, and within a very short window, used the intel to kill the accounts, turn off the attack, chase down the guy, and return the money.

When asked if there was money saved by the bank, the response was ‘a ton of money’ was saved, and the profile was the information they needed to kill the (at the time) live attack.

On our end, this was a small request. We turned-to for a few hours and pulled together what we had, but for the bank, apparently it meant much more. We talked with their security team, legal, and compliance --all grateful.

This is a great story of where good intel was able to help thwart an intrusion, track down a bad guy, and stop the bleed.  We have others. I'm a believer... Attribution counts.

Other analysts don't necessarily share my views on attribution. I'm good with that. Analytic differences almost always lead to better intelligence. In our case, we believe that by knowing the attacker we can track the way they operate, why they do what they do, and how they're likely to act.  We track several dozen intrusion sets and hundreds of thousands of high confidence indicators associated with them. For many of the intrusion sets, we've broken down the groups, individuals, and the tools they like to use. And because of that level of detail in attribution, we can (sometimes, not always) help companies get to the left of the Kill Chain but even when we can't, we almost always have information that can shorten response times.

There's value in good intelligence. There's value in attribution.

BT

We don't sell boxes. We don't sell infrastructure. We sell subscriptions. We live on customer dollars, not investor dollars, and nearly all who've subscribed or joined Red Sky remain with us today. 

So as we begin to wind down 2015, if you're thinking about buying a cyber intelligence service or joining an information sharing group, give us a call! In the mean time, get 1000 Threat Recon queries free per month, or, if you're a ThreatConnect customer, ask for your 30 day free trial.

Until next time,
Have a great weekend!
Jeff



Saturday, November 07, 2015

Spy sentenced! BZ!


This is a simple, short blog. I'm traveling this morning but wanted to acknowledge the sentencing of a CT resident for stealing F-35 engine materials and sending them to Iran.

WASHINGTON — A former Connecticut resident has been sentenced to 97 months in jail for attempting to send sensitive technical data on the F-35 engine to Iran.

(Image: Wikipedia, uploaded by Hpeterswald)

I have one thing to say... BRAVO ZULU to the LE/CI folks who made this happen.

Without restating the DefenseNews article, in addition to the F-35 and F-22, the guy (I refuse to name him) also stole documents from numerous other U.S. military engine programs, including the V-22 Osprey, the C-130J Hercules and the Global Hawk engines.

Very little, very late. However, one down, many more to go... Nice job.

Saturday, October 31, 2015

A shift in Intelligence Community thinking?? Don't let perfect get in the way of good...

(Photo: Courtesy/ Northrop Grumman)
The Senate passed a bill Tuesday aimed at improving cybersecurity "Senate Passes Cybersecurity Bill Aimed at Hacker Threats". It took roughly six years to win approval for such a program.

This is a big deal. The government, at least on the surface, is radically shifting its position on use of the intelligence community.  Traditionally focused on intelligence assistance to policymakers and the military, the intelligence community (IC) is now coming to the assistance of, and will supply intelligence to, the owner/operators of the US Critical Infrastructure.

What does this mean? Organizations and people who want this kind of intelligence must still undergo security and potentially facility clearance processes, and the data will still come out as classified, but it will now be made available.

What does this mean? It means that companies who are considered critical to the US (the government calls them "critical infrastructure") will be offered opportunities to receive government collected and analyzed intelligence.  For example...

At the top of the new tech heap likely to be targeted heavily by hackers, insiders, and spies?  "Northrop Grumman Wins Air Force's Long Range Strike Bomber Contract"

This was one of those deals that Northrop needed in the win column… and they did it. But imagine what kind of cyber (and traditional) espionage targeting is going to come with this… China is launching strategic missile submarines (with nukes) as a strategic deterrence and shiny new bombers would give them the ability to project power anywhere in the world. Strategic deterrence and the ability to reach out to anywhere in the world is squarely in the Chinese playbook.... and a shiny new long range stealth bomber is a huge (critical) part of that plan. So pay attention folks… China pays attention to news releases in the defense industry. What happens next? First, my guess is, there's already an airplane that's been built --because that's the way these things work. Several companies build airplanes. Government pilots test them, engineers evaluate them, and they pass the stealth tests, someone gets a contract --yes, an airplane has probably already been built. But now that the decision has been made, Northrop will be exploited. And they damn sure better be getting high quality, timely intelligence from the government to help them protect it. At a price tag of $550 mil (2010 dollars) per copy, and a lifetime price tag of over $55 billion (in taxpayer dollars), if I were sitting in the procurement shop that made this award, I'd want two things:

  1. I want (demand) that the US Government provide Northrop with the intelligence (cyber and other) to protect this enormous investment.
  2. I'd want to know how well this program is actually protected using that intelligence. I'd want the ability to know, at any moment, how well protected, and what the threats are, to this new tech and supersized investment of taxpayer dollars.

What I wouldn't want? I wouldn't want every line in their SIEM sent to the government. I wouldn't want seventeen different government information sharing, regulatory, and LE/CI organizations, banging on their door asking (sometimes demanding) logs from the new program. I'd want to know that Northrop can, and does use that intelligence in a responsible way and can show the metrics that prove it. Assessing a defense contractor's ability to use government intelligence should be a requirement in awarding these contracts. Additionally, as prime, Northrop needs to be ready to assess that their supply chain is also adequately protected --it's a cost of doing business, and yes, intelligence should be used to protect them too.

Back to the point  --This government sharing initiative does nothing for security, but does allow for government intelligence sharing. It offers anti-trust protections (although the FTC has already ruled), and requires intrusions be reported to the government (we'll see how that works.. certainly I have some opinions on this --I bet you already knew that!). So, congratulations to Northrop Grumman, but more importantly, congratulations to us. Aircraft carriers can't turn on a dime, and the government takes a long time to make change, but this massive shift in intelligence community thought is an enormous milestone. It may not be perfect; the government paints with a very broad brush and one *thing* is never detailed enough to make everyone happy.

I had a boss once who used to tell me "don't let perfect get in the way of good'. My thinking? The lawyers and lobbyists will take care of the warts.

I see this as a good thing.

Jeff

Saturday, October 24, 2015

Are we finally in an era when a new CISO can put the pedal on the floor??

(Image: http://www.russellreynolds.com)
There are many reasons why CISOs succeed and why CISOs fail. The recipe isn't always reliant on secret sauce, but in this case, there's been what appears to be a shift in thinking.. at least on the surface. My sample size is four, but recent, and all interesting...

CISO #1 just started with a large federal government organization. He'd literally just retired from the military (after probably hundreds of years of service) as a plain clothes senior law enforcement officer and just took over with this federal organization. He'd been on the job two weeks when we first talked. CISO 1 is ready to burn down the house, take no prisoners, and doesn't care who knows about it.

CISO #2 has been on the job for about eight months now, and since the day he started (working at a large healthcare company), he wanted to go "APT hunting". CISO 2, in my opinion (I've already expressed concern) is going to find something that's going to cost a ton of dough *like millions* without adequately preparing/socializing his bosses to what this might actually mean.

CISO #3 works in a large financial.. fairly new. Very smart guy, coming from the high tech space prior to being named CISO at this bank. CISO 3 wants intelligence, but before jumping into a collaboration, wants to turn his new banking security team into hunters and security producers --the top of the CTI Maturity ladder... because that's what he had before.

CISO #4 works in a large manufacturing company.. 100K+ computers. CISO 4 is a brand new CISO, who told me last week that the board was requesting a brief within TWO WEEKS of reporting onboard. TWO WEEKS!? In an enterprise this size (100k+), it takes two weeks to learn where the bathrooms are... let alone figure out the inter-dependencies of the network and the business.

All four of these CISOs have exemplary careers; all very smart, motivated, and without a doubt, have earned the right to be in their CISO seats. But I have to wonder... these guys are all pretty aggressive. I know... I'm one to talk right? These guys are hitting the ground running hard. In past cases, I'd worry if they'd burn out, lose the support of their champions, find out the company really doesn't want to know what's really happening in their networks, or simply don't have time to build the relationships needed to be successful.

Are these guys wrong? Who am I to say? Are we finally in an era when a new CISO can put the pedal on the floor?? I can't wait to see!

In the mean time I'm running hard in the DC area preparing to fly to San Diego for the FS-ISAC conference. I'll be presenting our Cyber Threat Intelligence Assessment of Venezuela. This is the fifth such report we've written and presented.

I'm looking forward to seeing many of you in Coronado. These guys pick the best spots for conferences!

So until next time,
Have a great weekend!
Jeff 

Saturday, October 17, 2015

Wapack Labs acquires Project DataSafe

Red Sky Alliance caters primarily to large enterprise companies. Our membership for the most part own at least 100K computers.

Wapack Labs authors intelligence for Red Sky Alliance, a couple of managed security service providers,  a large information sharing and analysis center, and several companies --also large.

So what about the smaller guy? How do they get intelligence?

Many of the folks we talk to simply don't have the ability to even use intelligence. They understand that there are threats out there, but haven't been adequately equipped to consume it, let alone push it into their defenses. Heck, some have great tools, but aren't really sure how to even push IOCs into an intrusion prevention system. It's not to say they have any less skill. They simply don't have the resources.

On that, I'm happy to announce Wapack Labs' acquisition of Project DataSafe service offerings. Wapack Labs now performs remote website security testing, hardening, and maintenance. The operation is in full swing, already performing work for several hosting companies around the US and making calls into others.

So, what about the smaller guy? They get intelligence through its use by service providers. While any company can purchase a subscription from us, they can also request initial hardening and long term maintenance.

Interested? Drop me a line.. jstutzman@wapacklabs.com or join our mailing list.

I'm keeping it short for now. Preparing to run out for a workout and then prepare to travel tomorrow. So, until next time, have a great weekend!

Jeff


Saturday, October 10, 2015

Got IOCS?

IOCs are easy. Any number of folks can feed you IOCs all day long. You can't swing a dead cat without hitting a vendor who aggregates hundreds of thousands of them from open sources every day and calls themselves an intelligence shop. I'm not saying they don't do some of their own work, but literally, within minutes, crank up an EC2 instance, write a few pieces of code, and voila --IOCs in a container. Add a search engine, a way to push them out, and all of a sudden you've got yourself a security feed.

Everybody needs them right?

IOCs are a mandatory piece of the information security landscape. UTMs and IPSs are the largest segment of the security business right now. And what do you feed them? IOCs.

So what's my point?

IOCs are great. You can buy tons of them from any number of sources on any given day. Here's the rub --how many can your UTM or IPS handle? A million? 10 million? 500 million? When IOCs change, sometimes minute by minute, can you pump these things into your systems in a never ending stream of real time feeds? Would you even want to? It's becoming just silly. It's like the little Dutch boy who keeps sticking his finger in the dike hoping to make the water stop coming through.. he doesn't have enough fingers! And worse, as an intel provider, some customers like to measure effectiveness of their provider(s) on IOC volume! And while that works great for some companies, remember, they too must spend time to ensure that the IOCs that they pump into their systems are in fact, the ones that will most likely result in a dropped bad inbound or outbound connection.

How does an organization make sense of it all? With context. And here's the thing.. anyone who knows me has heard me say this hundreds of times --What's old is new again. What the heck does that mean? It means this... every risk management process, as far back as I can remember, measures risk based on information brought in that tells the practitioner what the risk is, why that risk is important and where it should be prioritized in the stack. The most important risk gets mitigated, minimized, or transferred first. It's that simple. The next important happens next, and so on.

How do we know which IOCs get pushed to our security tools first? By understanding which of those IOCs are attached to the wolf closest to your sled. And how do you know that? By reading context, by receiving a heads-up when something important happens, and by having someone else in your neighborhood watch (Red Sky Alliance or others) tell you what's happening.
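One way to turn that "wolf closest to your sled" idea into something a capacity-limited UTM or IPS can actually use is to score each IOC on context before pushing it. This is an added example, not Wapack Labs or Red Sky Alliance code: the record layout, the weights (confidence, freshness decay, sector relevance, source trust), the 30-day expiry and every sample indicator are constructed assumptions for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Added example, not Wapack Labs or Red Sky Alliance code. The IOC record
# layout, the weights and every sample value below are constructed assumptions.


@dataclass(frozen=True)
class Ioc:
    value: str                 # hostname, IP address or file hash
    kind: str                  # "domain", "ip" or "sha256"
    confidence: float          # 0..1, how sure the producer is that it is malicious
    sectors: frozenset[str]    # industries the associated campaign is known to target
    last_seen: datetime        # most recent observation of the indicator in use
    source: str                # feed or analyst that produced it


@dataclass
class Context:
    my_sectors: frozenset[str]             # the defender's own industry sector(s)
    now: datetime
    half_life_days: float = 7.0            # freshness halves every N days
    source_trust: dict[str, float] = field(default_factory=dict)  # per-source trust 0..1


def score(ioc: Ioc, ctx: Context) -> float:
    """Context-weighted priority: confidence x freshness x relevance x source trust."""
    age_days = max(0.0, (ctx.now - ioc.last_seen).total_seconds() / 86400)
    freshness = 0.5 ** (age_days / ctx.half_life_days)          # exponential decay with age
    relevance = 1.0 if ioc.sectors & ctx.my_sectors else 0.3     # "wolf closest to the sled"
    trust = ctx.source_trust.get(ioc.source, 0.5)               # unknown sources get 0.5
    return ioc.confidence * freshness * relevance * trust


def prioritize(iocs: list[Ioc], ctx: Context, capacity: int, max_age_days: int = 30) -> list[Ioc]:
    """Expire stale indicators, rank the rest, and keep only what the device can hold."""
    cutoff = ctx.now - timedelta(days=max_age_days)
    live = [i for i in iocs if i.last_seen >= cutoff]
    ranked = sorted(live, key=lambda i: score(i, ctx), reverse=True)
    return ranked[:capacity]


NOW = datetime(2015, 10, 3, 6, 0)   # constructed reference time


def sample_context() -> Context:
    # Constructed: an energy-sector defender that trusts its own analysts more than a bulk open feed.
    return Context(
        my_sectors=frozenset({"energy"}),
        now=NOW,
        source_trust={"analyst": 0.9, "open_feed": 0.4},
    )


def sample_iocs() -> list[Ioc]:
    # Constructed sample indicators; the names, address and hash are placeholders, not real IoCs.
    return [
        Ioc("c2-energy.example", "domain", 0.9, frozenset({"energy"}), NOW - timedelta(days=1), "analyst"),
        Ioc("198.51.100.7", "ip", 0.95, frozenset({"finance"}), NOW - timedelta(hours=2), "open_feed"),
        Ioc("old-c2.example", "domain", 1.0, frozenset({"energy"}), NOW - timedelta(days=45), "analyst"),
        Ioc("bulk-1.example", "domain", 0.6, frozenset({"energy"}), NOW - timedelta(days=10), "open_feed"),
        Ioc("CONSTRUCTED-SHA256-PLACEHOLDER", "sha256", 0.8, frozenset({"energy", "finance"}),
            NOW - timedelta(days=3), "analyst"),
    ]


def blocklist_for(capacity: int) -> list[str]:
    """Indicator values that would actually be pushed to a device with room for `capacity` entries."""
    return [i.value for i in prioritize(sample_iocs(), sample_context(), capacity)]


if __name__ == "__main__":
    ctx = sample_context()
    for ioc in sorted(sample_iocs(), key=lambda i: score(i, ctx), reverse=True):
        print(f"{score(ioc, ctx):.3f}  {ioc.kind:7} {ioc.value}")
    print("push:", blocklist_for(3))
```

Note how the ranking plays out: a high-confidence but stale indicator is expired outright, a fresh indicator from a bulk feed aimed at another sector falls below an older analyst-sourced one aimed at yours, and the device only ever receives the top of the list. The weights are the defender's policy to tune, not a recommendation; the point is that volume alone never decides what gets loaded.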

So here's the bottom line folks... companies who have their oh sh*t moment --that moment when they realize they've got a problem-- start out as voracious consumers of IOCs... they'll eat anything; and then they find out that they need help qualifying them. The false positives are overwhelming. As they become a bit more mature, they learn to qualify them before they get pumped into their systems. At some point, they get really good at qualifying them and they learn to grow their own --they become intelligence producers; a bit higher on the maturity scale.

So where do you get context? Where's the easy button?

Red Sky Alliance and Wapack Labs

Skip some of those steps and learn lessons from others who've had their oh sh*t moment before you. Wapack Labs produces intelligence, context, IOCs, Snort and YARA rules --every piece of work is tied to a primary sourced piece of analysis, and grown from there.  Red Sky Alliance is the place where you get answers from others --privately.

Need more? Use an MSSP? Ask us. We've partnered with a couple of great MSSPs. They handle the 24x7 monitoring, the 15 minute SLAs, triage --all of the wonderful things you'd expect from them. At the same time, we get to watch the glass, monitoring for targeted threats to your company, performing what we call 'second level analysis', and feeding that second level analysis back to the MSSP to allow them to provide you with an individualized security offering.  MSSPs are not intelligence organizations but when they partner with Wapack Labs, you get the best of both worlds.  Your MSSP not a partner? Tell them to reach out. We'll hook 'em up.

Gotta jet.. Early day. Kids are hiking today with school.

So until next time,
Have a great Columbus Day weekend!
I'll be back in the saddle on Tuesday!
Jeff

Tuesday, October 06, 2015

Back in the Saddle Again

I am back from four days of upland game hunting and brook trout fly fishing in Western Colorado.  We shot plenty of game birds that we plan to cook and serve to our friends.  We carefully released all of the Brookies for other anglers' enjoyment.   I watched wild turkeys eat crab apples from the tree top and mule deer does and fawns visit the pond for water.  No one talked business or politics.  The weather was beautiful and the company was great.  The most amazing thing about the experience was that there were no TVs, newspapers, Internet or cell service for the entire trip.

Upon my return to my desk this morning, I spent a couple of hours catching up on emails and returning calls.  And now it is as if I had not left at all.  I scanned my news groups and saw that one of the companies that I had an outstanding proposal for services with suffered a major breach.  It took law enforcement to inform the company of their loss of nearly 5 million customer records.  I am a soft sell guy and I hope that our company's value proposition can help close a sale without me becoming a pest.  Since this is a financial company, I can imagine the lawyers are circling, just like foxes circling a wounded game bird that can no longer fly.

I contacted the company today and asked if it would be a good time for us to provide a threat briefing about what we know about that type of intrusion and hopefully a review of our outstanding proposal.  I was told that the information security team was too busy to consider an hour long GoToMeeting session.  I was also told that the company had plenty of information security feeds and my proposal was no longer a priority.   I paused and replied, "Maybe they are not receiving the right subscription feed?"  I have not heard back from my reply, I may never hear back...

I speak with Information Security Officers from government departments/agencies, organizations and companies every week.  Most of the time, another salesman has already sold a contract and I have the opportunity to contact them at a later date.  Well, that is sales.  As a decision maker, are you receiving what you want, and do you really understand what you need to combat today's cyber criminals? We track the cyber criminals, their tools and their associations.  Since we have been in cyber intelligence information security sharing for over four years, we may already have a line on your nightmare.  I am happy to schedule a session where you can ask these questions of some of my team members.  They are not sales persons, only a small group of dedicated professionals who will look out for your best interests.

Please feel free to contact me at jmckee@wapacklabs.com or call me on my cell phone at 314-422-8185, it is turned on.

Saturday, October 03, 2015

What kind of intelligence do you need?

I'm a daily reader... every morning I kick off my required list reading by about 5:30; coffee with my print edition of the Wall Street Journal. When I finish with that, it's on to an iPad for Foreign Policy, Stratfor, and then I skim at least a dozen tech and security RSS feeds.

Let's examine this a bit more closely...
  • I read the Wall Street Journal slowly.
  • I read (more quickly) daily editions of Foreign Policy and Stratfor.
  • And then I skim dozens of RSS feeds for interesting pieces.
The Wall Street Journal gives me amazing insight into the kinds of things businesses are dealing with from an operational, strategic and technology perspective... I'll give you an example.. A large food/chemical/agriculture company was working hard recently to acquire a Swiss pesticide company. Why do we care about that? Because this US based company is already heavily targeted by MANY cyber actors because they sell GMO plants (corn), chemicals, pesticides, and during the Vietnam War, agent orange. We read this acquisition as yet another reason why someone would want to hack the company --and my bet is, they probably were. Once we know that, we can look at past attacks to see who favors targeting the company and how... that leads us down yet another path in which warnings can be generated. Sometimes it works, sometimes it doesn't, but when it does, it's cool as hell!

Next, Foreign Policy and Stratfor pieces generally turn into ideas that sometimes get posted to our workflow and analysis request system. This is where we get much of our long term perspective on things happening in the world that may become problematic in the future, but haven't yet. So, I read the publications, but not as slowly as the WSJ.  Foreign Policy and Stratfor (for me) are geopolitical tipping and cueing.. situational awareness. As the stories get closer, I'll see them in the Wall Street Journal!

The RSS feeds simply get skimmed, read, and posted to Buffer App for sharing across the twittersphere and our LinkedIn.   I know that I focus more on world and business affairs than I do the tech, but I also know that I've got a room full of techies focused more on that than world and business affairs, so when we get to the office, the conversation should be pretty amazing --and it usually is --but this is where the new vuls, patches, bugs, etc., are usually discussed.. but because they're in RSS, they're usually a bit time late and written in a format that anyone can understand.. so I also look at some of the google groups to get my fill of deep, running, colorful (sometimes) tech gouge and leading indicators.

Of course I get a ton of this stuff in Red Sky Alliance as well. Usually we don't bring in the original source because everyone sees them too, but the conversations can be awesome --online, phone, video, whatever. The connections become rich and we figure out quickly what's important that day, that week, and sometimes (but not always) next year.

So I have to ask --we talk about this often. What kind of intelligence do you need?  Most folks have no idea what an EEI is. They're really good at incident response, forensics, or operations, but have no idea what the intelligence cycle is or does, why we use it, or the value of great intelligence.

So bear with me. I'd like to take a moment and review the categorization of the kinds of intelligence that we think about. There are many, but this is our perspective:

  • TACTICAL Intelligence is used by security operators, incident responders and forensic teams. The information can be long or short lived, and generally, best in short pieces of context (with the deeper work available via one click), and actionable indicators of potential compromise, or indicators of compromise. 
  • OPERATIONAL Intelligence, although argued by many because of the varied nature of the reader, from my perspective, focuses on the immediate and short term needs of decision makers NOT in security, but in the business or business lines.  
  • STRATEGIC Intelligence focuses on the planners and risk managers. This is for the folks who think about broader situational awareness --the folks who look at the entire chess board and plan the next five moves.
So again, back to the question, what kind of intelligence do you need?

And I'd ask (and I'd really love to see comments on this please)... "How do you want it?" Document? PDF? STIX? Other?? You tell me. I'm all ears.

Who is (are) your primary customer(s)? When you consider writing intelligence for someone, who do you write it for? At what level?

These scratch the surface for me, but we're constantly asking our members and readers "What keeps you up at night?"

I'd love to hear from you...

Thoughts?
Thank you!
Jeff

Monday, September 28, 2015

Lenovo adds another rootkit? So what??

Another blogger just reported finding Lenovo installing another rootkit on laptops.

So I ask... is anyone surprised? iPhones have had WAPI installed for years (by choice). Nearly every computer, cell, display, etc., comes from factories in China. Should anyone be surprised when security issues are found in these devices?

And is this practice exclusive to China? My bet, no.

Why am I talking about this? Because your networks are untrusted --for many reasons --bugs in code and hardware, scripts and processes that run for ease of use, autorun, targeted attackers who break things to get in... your networks are untrusted... and with every device having components from areas of the world that we may or may not like, there are no computers that I know of with components built exclusively in trusted, high security factories; no chips, no memory, no anything.

So here's the deal... if you trust your laptop, computer, server, or cell to protect your stuff out of the box, you're a fool. The first thing my guys do when we buy new laptops --before powering them on, is to put tape over the webcam. Why? Because we know that the light that goes off when the webcam goes 'off' doesn't necessarily mean that it is. The same for your cell.. even when the power is (ahem) off, cameras and mics can be used against you.

And worse, I happen to love (LOVE) the ThinkPad form factor. I hate some of the kludgy things that they've added, but that's personal preference. My other guys happen to like those features (I'm a Mac guy).

So whadya gonna do? Get smart. Hire or rent a CISO. Know that there are controls that should be placed on every computer before it goes into production. Your CISO can help. Need a virtual CISO? Drop me a note. We've recommended several to others.

Have a great day!
Jeff

Saturday, September 26, 2015

The Pope, China, Israel, and my Diesel VW

http://www.ibtimes.com/
It's been a big week! The Pope, Xi Jinping in DC on back to back visits, Boehner resigns, and Netanyahu heading to Moscow, meeting with Putin, to ensure there are no misunderstandings between Russian forces (meaning, supplying the Hezbollah).  The Pope story hit GMA first this morning, followed by Boehner, and then, Michelle Obama's Vera Wang gown. Apparently Mrs. Jinping is a bit of a fashionista in China, but I'm looking at this photo, asking myself if we're going to see hacking from Chinese kids motivated by our news suggesting that our first lady is better looking than their first lady! I know it sounds silly, but it was the first thing I thought when GMA put these two clearly gorgeous women in a head to head competition for best dress.

Seriously though... one of the big takeaways from the visit is cyber reform.  The two leaders said they agreed that neither government would knowingly support cyber theft of corporate secrets or business information.  

This talk is huge, but I'm here to tell you... we will continue to see cyber/corporate espionage used to support the Chinese economy.  The US makes it a practice to not use our espionage capabilities for competitive advantage, but most other countries in the world do... including China. In fact, collections are built into their constitution --affecting even those who leave the country.  And if you're a supply chain company, regardless of industry, there will be no rest for your security teams.  Most larger companies have learned to protect themselves, but the companies who support them are largely the soft white underbelly --the place where the cyber dagger penetrates most easily --the place where protections are generally either not in place, or not as effective.

And for the Chinese, they too will continue to be victimized and exploited by those wishing to point the finger at them. Talk to any hacker worth their salt.. they don't go direct. They go through someone else first.. many, through China. The bandwidth is open like the autobahn. There's SO much activity coming from China that hackers can hide in the everyday noise.


http://cdn3.vox-cdn.com/
And why do we think about Syria, Putin, and Netanyahu? Because Russia is making its way across the Middle East looking for easier ways to deliver oil and gas to Europe without going through Ukraine.  In fact, we think Ukraine may become irrelevant in the movement of oil and gas very soon. There's turmoil brewing --Putin's been wooing Turkey, now stepping into Syria, worrying Israel --and for good reason. The graphic to the left shows oil and gas pipelines connecting largely through Turkey, into Syria, and to ports in the Med. Russia and Iran have made some great deals, but Syria offers other advantages. Russia used to deliver much of its fuels through Ukraine, but we all know what's happening there right now. We will see cyber fallout from all of this.  Putin doesn't act without a cyber component. We've seen activities in Georgia and Turkey, and there will be more. We've been tracking Russian cyber geopolitical activities and implications in the area for about two years now. And now, we'll see (my opinion) more as Russians establish real estate in Syria.  This is a story for another day. In fact, Rick's probably working on it as we speak.

Thankfully no Pope hacks. But attacks from China? We see them every day. Israel, Russia, Syria? There will be major implications here. We've reported on cyber in the Middle East on a number of occasions, and I'm betting we'll see more as Russian forces get closer to direct access to the Med. If only Turkey and Georgia would go along with the plan... will we see cyber being used against them? We already have.

Last?  As a side note, VW got busted... maybe that was last week... but, do you think for one second that VW is the only company fudging software to offset hardware deficiencies? I could go on with a rant about my diesel VW Touareg (it's not affected), but I'll spare you that.. but for VW, this is nothing more than a sign of things to come. This is the perfect example of how software can be built to deceive; and then be deployed into millions of locations around the world.

On the upside? The Vatican doesn't hack us (at least I don't think so)...

Have a great weekend!
Jeff

Saturday, September 19, 2015

Like stars in the sky!

I spend a ton of time talking... talking to my team, talking to others, speaking at meetings and conferences. And the interesting thing is, on every occasion, when we start to talk about intrusions, there are soooo many different perspectives on the problem. As an example, I had a conversation the other day with a guy who asked me (led me) into a conversation on the commonalities of the Anthem and OPM breaches. And while we know who Anthem and OPM are, and what they do, and maybe a bit about the malware used, I don't have first hand experience with either case, only secondary and maybe some RUMINT... so I listened to this smart guy who, because of who he is and where he works, probably DOES have first hand information... and here's his thesis:

Anthem is the health insurer for some of our more sensitive intelligence personnel (I'll leave it vague), and OPM manages their records. 

Interesting.

Anthem also insures ME (and our little company), and I too was in the OPM database.

And so I explained, as I do often, that sometimes my guys come to me with these fantastical connections --some right, and some well, maybe not so right... but you can't be right all of the time right?? And when I do hear something that strikes me as a bit of a stretch (hold on, I'm giving away my politically correct response --the one I use instead of an eye roll and colorful fun at their expense!) ---it goes like this:

Analysts and Researchers look at so many breaches happening today; and the commonalities can sometimes be significant, but looking at all of those breaches is like looking at the stars in the sky --you can draw lines between any number of stars to create almost any image that you can make up in your head. 

Does it mean they're wrong? No! It just means that you need more information. Flesh it out for me. I have an old friend that used to call it 'analytic rigor'... meaning, check your facts. Have several sources. Establish theories and then attempt to disprove them before you attempt to support them.  Have three ideas and don't fall in love with just one. Analytic rigor is a message I heard over and over from my old friend "B", and I've passed it on (sometimes with a hammer) to employees ever since.

Interestingly enough, I've heard one message from three different people this week. Our positioning in the market is that of an independent voice. We don't sell hardware or software. We just do our best to produce ground truth, high quality intelligence.  I guess, "B", we're following your advice and it's paying off. This is exactly the place in the market that we'd hoped to occupy!

And so, the million dollar question --Are Anthem and OPM related? I have no idea. But I like drawing pictures between the stars! *I think* they're targeting middle aged, balding, overweight computer guys!

--Jeff

Saturday, September 12, 2015

Cyber as the equalizer

On April 6th, Wapack Labs reported an uptick in Iranian hackers stockpiling tools, registering domains for command and control nodes, and seemingly preparing for the idea that nuclear talks may not go Iran's way.

Why did we believe this? Beyond the sheer volume of activity at the time, at a high level, we examined data and planted a stick in the ground, and made what we believed at the time to be a valid, analysis driven intelligence assessment on the implications of the things we'd been sourcing, coupled with open source, historical data and current geopolitical activities (the nuclear talks). In the business, we call this "all source analysis".

Today, it appears we were right. We may see only a small piece of the puzzle compared to the NSA, but you get to read ours. You'll probably never see theirs! In this case however Mike Rogers, director of the NSA was quoted in the Wall Street Journal on the drop in Iran-originated attacks since the close of nuclear talks.
http://si.wsj.net/public/resources/images/BN-KF886_0910IR_M_20150910125728.jpg

While today's blog isn't intended to blow our own horn, it is meant to demonstrate the idea that context in intelligence matters. In fact, without context, it's not intelligence at all...

When we posted that report on Iranian cyber activity in April, I was shocked that ours appeared to be the only story out there talking about the impending close of the nuclear talks, and the rise in what appeared to be cyber attacks from Iran.
  • During the uprising of the crisis in Ukraine, cyber attacks were used on both sides of the border --albeit far better mobilized, financed, planned and executed from the Russian side, to manipulate the Ukrainian Parliament and Presidential elections. This activity was expertly planned and executed. And, it involved not only targets in Russia and Ukraine, but others outside the area who appeared to side with one or the other --including US and EU bankers who appeared in investment documents published on the web by Ukrainian banks. Again, I was shocked that we were the only ones talking about Ukraine and Russia, but we thought there'd be some massive lessons that we'd take away.
  • Maritime shippers, port operators, logistics companies and more, in and around the Panama Canal, S. China Sea, the Suez and others have all been victimized by cyber activities --why? There are several theories at work, but one suggests to ensure supplies of crude, LNG, LPG remain open for large Asian consumers. 
  • Why are the Chinese acquiring land and investments in Iceland? Because there's major fiber convergence there ---and because it may be a staging area for mineral rights, travel rights, or further exploration under the arctic cap. 

Why do we care? We're a cyber shop right? We care because cyber is the equalizer. For us it's not so much about physical threats from Iran during the nuclear talks (although there may be --I'm hoping someone else is watching that), it's the idea that any country can gain access and use cyber tools against any number of targets, for any number of reasons. In every case, where there's heightened geopolitical risk, cyber will be used in some way, to level the playing field, gather information, manipulate documentation, steal money, or garner political support.

Our job? Our job is to make sure you know.

---------------------------------------------------------------------------------------------------------------------
Red Sky Alliance: Information Sharing and Collaboration - RedSkyAlliance.org
Wapack Labs: Intelligence production  - WapackLabs.com

Saturday, September 05, 2015

Three victim notifications...

I spent last weekend in front of a loaded gaming terminal running forensic analysis software. Why? 22Gb of keylogger credentials.

What do I do with that data? I start dialing.

Three victims this week, with three very different responses. Here's the story:

All three victims are in the US.
  • One is a large company - $10b+ in annual revenue
  • One is a medium sized energy --smart grid manufacturing company - $2.5b per year
  • The last is a privately held company that manufactures static-proof rails for the maritime industry.
In all three cases, sales people had been victimized by keyloggers. In all three, the sales people had no idea that they'd been victimized, and for months had every keystroke, clipboard capture, document and screenshot captured and sent to keylogger capture servers (we call them caches).

So, how'd the victim notifications go?
  • Company one never responded.  It's not the first Fortune 500 that we've contacted that simply ignored the notification.  Frankly, I was shocked at even the lack of ACK. 
  • The medium sized company? They responded immediately --checked me out on LinkedIn, sent email, and then finally, called me back. 
  • The small company was surprised but happy for the call. They had no security team, and when the operator asked who I wanted to see, I asked for the person that handles IT. When she asked why, I told her that the company had been hacked. She asked again. Finally, I got through to the CEO, who was very appreciative. I followed up the next day to ensure all goes well.
The current status? Company one still has keyloggers sending their stuff out; Company two has turned off the bleeding, and Company three? We'll see. We partner with a couple of strong IR teams. I offered to recommend one (and did) but I don't think they ever called.

So why would the company with the best opportunity to respond, not?

I had a similar experience last year. I was doing a presentation with a CISO with a reputation as an "empty suit" (not my words).  He's an educated dude (an MSIA) with a long list of publications under his name. The guy does great at building the team, grabbing budgetary real estate, and spending money,  but not so much in actual measured output. We try to come prepared for every presentation, so we did a quick run against our sources to find out what we knew about the company before jumping on the call. The low hanging fruit is passive DNS showing registered VPNs or dynamically generated names.. both red flags. During the presentation, I stop just before the slide with the results and explain that we always try to find something new for each talk.. and in this case, the company had THOUSANDS of names registered... and then I flip to the slide with the results highlighted. The reaction?  None. Most ask if we know whether or not the possible VPNs are active (most times we don't), but still... nothing. Completely ignored.

Another, a notification just yesterday.. a UK based investment company that we talked to about services two weeks ago... we provided 'on the surface' evidence of compromise, but frankly, as they were not a paying customer, we spent our time paying attention to the guys paying us to do so. We're a small company, focused on what we do best, which is often, not aggressive selling. Even so, the company, when presented with findings, did their level best to discredit rather than probe and qualify. They didn't want to know.

It happens more times than you'd want to believe. 

Here's what I think... I've seen this before and I'm sure I'll see it again.

CISOs come in two (highly generalized) flavors --technical and managerial. Oftentimes, the technical CISO's skills will carry enough water to allow proper persuasion with upper management... the halo effect coupled with acronyms, brilliance, and the fact that the techie can get in the mud and fight the fight; and this alone makes the company happy. Others, the managerial flavor, had someone sign off for their CISSP endorsement (say it ain't so!), and have figured out that their ability to keep their mouth shut and roll with whatever comes through the SIEM will keep them under the radar; and as long as they can keep the lights on, they'll be fine --until they're not, then they roll ceremoniously on to their next job, like a fallen, but experienced and celebrated hero.

So what's my point?

We've been doing victim notifications, but we don't work like the windshield repair man running through parking lots at night with a ball peen hammer.

When we call, yes, we can try and sell you subscriptions, but when we do victim notifications, unless you ask for more information about our services, the notification is just that --a private call to quietly notify you of a breach.  What happens after that is completely up to you. We've been fortunate so far in that almost all of our sales have come from word of mouth --referrals from current Red Sky members or Wapack Labs subscribers... and if you really want to check findings, you can do it without calling us by pulling the IOCs that we give you during the victim notification from Threat Recon (it's free up to 1000 queries per month), or check our public-facing CMS --TLP WHITE and GREEN commentary and/or analysis. Want more than that? Buy a subscription. Give us a call and we'll walk you through the options. We're not going to force your hand.


Saturday, July 11, 2015

Katherine Archuleta - Is she the only one leaving?? Clear the room of the bureaucrats.

I purposefully don't criticize government in writing. But... I watch with horror at the continued mishandling of the breach at OPM.  While I'd completely agree that Katherine Archuleta should be fired (note I didn't say resign --she should have been fired), the bigger question (for me) is, where's the information security team in all of this?

I've been digging through the sexy graphic that appears on the organization page of the OPM website, looking for a function (any function) that remotely resembles a Chief Information Security Officer, but sadly, there is none. Even in reading Archuleta's 15 point plan for going forward, there is no Chief Information Security Officer named going forward. If I'm missing something --perhaps there's one of those fancy Deputy Director titles in there somewhere that corresponds to the CISO role --maybe there is, but I've not seen it. As close as I can tell, Donna Seymour, OPM's Chief Information Officer - an HR focused CIO - has both IT and Information Security, and should clearly be asked to follow Archuleta out the door.  Regardless of whether she's an appointee or a civil servant, the CIO must follow Archuleta out the door. Clear the room of the bureaucrats.

Beyond who gets fired, there's plenty of bureaucratic blame to go around.

Why was this not identified by US-CERT when it first occurred? 

US-CERT has been monitoring government networks since the mid-2000's. They fly away to help private corporations, own a forensic capability, malware analysis, and have been running Einstein for years backed by a team of PhDs and researchers called NetSA from Carnegie Mellon's Software Engineering Institute, so why was this not detected by US-CERT??  Is their scope so broad that they've become ineffective?  Were they ever?  At what point will DHS's cyber organizations step up to the plate and hire a leader with enough wasta to create the internal change needed?  Should US-CERT be manned by an MSSP and verification services? I don't know.  Maybe the government should be looking at their sub contractors for help.  Northrop Grumman has an amazing internal infosec and intelligence team. Lockheed, Raytheon as well.  The list goes on. Northrop is the prime contractor in US-CERT, but my bet is, it's not the A-team sitting in seats on the contract. I'd also bet the folks at US-CERT don't use them in anything more than a butts-in-seats extension of the government folks running the show.  Is US-CERT using any of the tech developed by Grumman for their own internal network?  They should be. I could go on, but I won't.

Call me. I'd be happy to author a 100 plan for change. The recipe isn't hard, but you have to want it.

Let's start here...

  • Focus: I realize that the mission of US-CERT is for all Americans, but get the government piece right. Knock the government protection piece out of the park. Make others want to participate with you because you're great at what you do, not because you control contract money.
  • Turn off the never-ending money spigots to the Federally Funded Research and Development Centers (CMU, SRA, Mitre, etc.). Focus efforts on effective operational monitoring and response technology and processes in US-CERT, the mission at hand: monitoring and protecting US Government networks. Fly-away teams and everything else should be tabled until US-CERT can get that one piece right.
  • Give the prime some room to execute. Measure the prime by the output of the operation rather than the cost of labor. Give them budget and hold them accountable. Blue for bonus means they get incentivized for higher-than-expected outcomes: 72-hour patch cycles, increases in identification and reductions in successful penetrations, faster-turn forensic and malware analysis, and more are all possible if commercial thinking can be brought to bear in government networks. Let them hunt. Beyond FISMA, incentivize the prime to identify, prioritize and fix new, previously unknown security concerns.
Clear the room of the bureaucrats. Ask the prime what they would do with the current budget... and then listen... and then pay them and execute.

And now for the positive.

We're beginning to see directors and CEOs being removed (or allowed to resign) as a result of information security failures. Boards are building IT security governance models into their oversight, and while still focused on generating revenue, they are also realizing that they have a responsibility to protect the safety of their customers.

To assist, earlier in the days of our start-up, we authored a free white paper (https://cms.wapacklabs.com/?page_id=354&preview=true) that discussed the seven things that every company does to successfully prepare for, navigate, and fight APT events. And while at the time we thought of APT as the hardest adversary, many of the tactics used by espionage-focused hackers are now used by many others. These lessons learned work. I realize of course that during incident response things move fast, but the dust will settle; and when it does, these seven common steps must be implemented. Many are low-cost, high-payoff. Some are high-cost, high-payoff.

The paper is free, it's a short read, and it's in no way focused on sales. If you have questions, call me or ask your security team. If you're serious about maturing your governance model, this is where it starts. I've built several of these teams. In every case I use CMM and ISO as my guide, but this paper boils it all down to roughly 10 pages.

Ok... hanging out today, then heading off to the Potomac for an epic day of fly fishing for smallies tomorrow morning. It's going to be a great weekend. So until next time, as they say, 'tight lines!'

Jeff




Saturday, July 04, 2015

The difference between Intel and an IOC feed... lemme tell you a story.

I just took a few minutes out of my 4th of July (in MD for the weekend, watching the rain, hoping my new fly rod gets delivered, wasting time until the fireworks tonight, fingers crossed)... anyway, I just took a few minutes to read Joe Pizzo's piece on the difference between threat intelligence and threat feeds. And while I know about the criticisms taken on the chin by Norse for their marketing campaigns, the idea that someone else is writing about the differences between threat intelligence and threat feeds makes me happy.

I use a graphic in my presentations. I know I'm violating some kind of copyright. Sorry for that. If you're the artist, send me a note and I'll credit you.
I love the graphic. It demonstrates a point: intelligence attempts to answer the 'you don't know what you don't know'. It's not technical, it's contextual.

Here's a great example. For the last two years, we've tracked and analyzed the happenings between Russia and Ukraine. Ukrainians knew that their smart televisions had been hacked and that their traffic cameras were being used by someone to monitor the comings and goings of the Ukrainian people, but the story is much bigger than most know.

We tracked the activities and drew parallels to writings in the Ivanov Doctrine, a paper written by senior Russian officials on using asynchronous warfare methods: computers used to effect a change in behavior by the Ukrainians while other physical actions, coupled with signals intelligence and psychological operations, played out. By comparing actions to the writings, one can quickly identify patterns, reasons for the targeting of specific victims, and potentially, what's to come. We believe, for example, that one of the major bank hacks of last year was in direct retribution for a combination of US sanctions against Russia and the fact that the bank was an investor in PrivatBank, the bank whose owner was personally funding much of the Ukrainian resistance. The bank was targeted not by government hackers but by a criminal element that we believe operated through 'wink and nod' agreements with the Russian government, which both asked for the action and then turned a blind eye when it occurred... plausible deniability, but with definitive action.

We knew, from our work, that the Nordics would be taunted, that Poland would fall victim to cyber activities, and that many of the banks involved in Ukraine would be hit... all three occurred... and from prior forensics, we knew the tools that would likely be used to carry out many of the attacks.

So what's the intelligence? It's the story. The intelligence is the information a decision maker needs to make decisions on futures and courses of action.

The feed? IOCs? This is information based on analysis of past events, largely forensics-based: network forensics, host-based forensics, intrusion analysis, sandboxing and surface analysis.

It's that simple. Both are required. The intelligence tells the story. The feed tells you what to look for and how to protect against it. The CISO needs both to make informed decisions: which threat (story) to protect against, and where in the potential kill chain to place defensive measures.
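Here is the "feed" half of that distinction in working code. This is an added example, not code from the post or from any Wapack Labs product: a small IOC feed (constructed values, no real hashes or domains) is exact-matched against constructed mail-gateway and proxy log lines, and the hits are grouped by the kill-chain stage each indicator was attached to. The key=value log schema, the field names, and the per-indicator "stage" label are all assumptions made for the example. What it shows is the limit the text describes: a feed can only recognise what a past event already taught it; deciding which story matters is still the analyst's job.

```python
import re
from collections import Counter

# Constructed IOC feed. Values are made up for this example and come from no
# real report; "stage" is an assumed kill-chain label a feed might carry so
# that hits can be grouped by where in the chain they were seen.
SAMPLE_HASH = "3f" * 32  # constructed SHA-256, not a real sample
IOC_FEED = [
    {"type": "sha256", "value": SAMPLE_HASH, "stage": "delivery", "source": "sandbox"},
    {"type": "sender", "value": "Tobias@invoices.example", "stage": "delivery", "source": "mail forensics"},
    {"type": "domain", "value": "update.example.net", "stage": "c2", "source": "network forensics"},
]

# Which log field each indicator type is compared against (assumed log schema).
FIELD_FOR_TYPE = {"sha256": "att_sha256", "sender": "from", "domain": "dst_host"}

# Constructed mail-gateway and proxy log lines in key=value form.
SAMPLE_LOGS = [
    '2015-07-02T09:14:03Z src=mta from=tobias@invoices.example to=info@corp.example '
    'subject="Rechnung 4471" att_sha256=' + SAMPLE_HASH,
    '2015-07-02T09:15:10Z src=mta from=partner@good.example to=info@corp.example '
    'subject="Meeting notes" att_sha256=' + "ab" * 32,
    '2015-07-02T09:16:41Z src=proxy client=10.1.2.3 dst_host=UPDATE.example.net method=GET path=/gate.php',
    '2015-07-02T09:17:00Z src=proxy client=10.1.2.4 dst_host=www.example.org method=GET path=/',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values keep their spaces."""
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def normalize(value):
    """Case-fold so 'Tobias@...' in the feed still hits 'tobias@...' in the log."""
    return value.strip().lower()


def match_feed(log_lines, feed=IOC_FEED):
    """Exact-match every indicator against the one log field it applies to.

    Returns one hit per (indicator, log line) pair, in log order. This is all
    a feed can do: it only recognises what a past event already taught it.
    """
    index = {(ioc["type"], normalize(ioc["value"])): ioc for ioc in feed}
    hits = []
    for line in log_lines:
        record = parse_line(line)
        for ioc_type, field in FIELD_FOR_TYPE.items():
            if field not in record:
                continue
            ioc = index.get((ioc_type, normalize(record[field])))
            if ioc is not None:
                hits.append({"ts": line.split(" ", 1)[0], "field": field, "ioc": ioc, "line": line})
    return hits


def hits_by_stage(hits):
    """Count hits per kill-chain stage: where the current controls saw something."""
    return Counter(hit["ioc"]["stage"] for hit in hits)


if __name__ == "__main__":
    found = match_feed(SAMPLE_LOGS)
    for hit in found:
        ioc = hit["ioc"]
        print(f'{hit["ts"]} {hit["field"]}={ioc["value"]} stage={ioc["stage"]} source={ioc["source"]}')
    print(dict(hits_by_stage(found)))
```

On the sample data the first mail line hits twice (attachment hash and sender, both "delivery") and the first proxy line hits once ("c2"); the clean mail and the clean proxy request produce nothing. Normalizing case on both sides matters in practice: feeds and logs rarely agree on it, and an exact matcher that skips that step silently misses hits.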

If you'd like to read more of our work, we publish TLP White and Green information at https://wapacklabs.com. One download per month is free.

It's raining like hell here now. I'm going to go see if my new fly rod has been delivered yet.

Until next time, have a great 4th of July!

Jeff




Saturday, June 20, 2015

Wapack Labs Analyst Monitors Russian-based Troll Farm

Tweeters from a Russian-based troll farm have slipped into sleep mode after proving how easily the media and public perception can be manipulated using social media. But analysts at Wapack Labs have been monitoring the troll farm's movements on the internet to try and identify the potential targets of future attacks.
A Russian-based troll farm called the Internet Research Agency, the focus of a recent New York Times Magazine article by Adrian Chen, is suspected to be behind three social media attacks in the US in 2014.
According to Chen, troll farms like the Internet Research Agency employ hundreds of people who sit at desks with computers and flood the internet with comments designed to sway public opinion and manipulate the media. The trolls infiltrate chat rooms and trigger conflict between members, and leave comments on stories posted on the web by newspapers and television networks. But one of the most effective means of spreading the Internet Research Agency’s messages is through Twitter. 
The trolls at the Internet Research Agency are able to create hundreds of Twitter accounts and launch coordinated tweeting assaults. They have shown that they're able to instill fear in the American people and manipulate news outlets into reporting false stories with an arsenal of hashtags and some carefully chosen words.
 
On September 11, 2014, according to Chen, the Internet Research Agency hit the Twitter-sphere with news that there had been an explosion at a Louisiana chemical plant. Tweets and text messages were also sent to specific members of the media and targeted local and national politicians. Once news of the explosion hit the general public and media outlets, the trolls began using carefully crafted videos to give credibility to tweets. From there the trolls began attempting to elicit fear from the public by placing blame for the alleged disaster on terrorist groups like ISIS. Though Columbian Chemicals was able to debunk the explosion hoax within a few hours, the Internet Research Agency revealed just how powerful they were in manipulating the media and the American public.  
The troll farm continued to poke at the vulnerabilities of those who rely on social media for information by again using Twitter to spread a rumor about an outbreak of Ebola in Atlanta, complete with corroborating videos like those used to validate the tweets about the explosion hoax. That day, Atlanta was targeted for a second attack. The trolls took the fear stemming from the phony Ebola outbreak, and mixed it with the racial tension being felt nationwide as the result of the shooting of an unarmed black man by police in Ferguson, Missouri. With the community already on edge, the trolls hit Twitter with reports that an unarmed black woman had been fatally shot by Atlanta police.
An analyst for Wapack Labs who specializes in tracking cyber criminals in Russia and Ukraine has been watching the moves of the trolls very carefully by tracking their online personas and linking them to the websites and domains they use. The analyst looks for patterns in millions of hashtags and for commonalities in language or messaging within social media. Fluent in Russian, and a student of geopolitics in Eastern Europe, the analyst is able to piece together timelines and narratives that reveal the activities of troll farms and their henchmen.
Following the 2014 tweeting assaults in Louisiana and Atlanta, the analyst homed in on the perpetrators of the attacks, has been following their movements ever since, and has traced them back to the Internet Research Agency. Some of the Twitter accounts, including @DanyRoseee, @AndrewMonsonn, and @jessebrannan8, "went to sleep" or were deleted immediately following the September 11, 2014 explosion hoax.
According to Jeffery Stutzman, co-founder and CEO of Wapack Labs, Twitter accounts go to sleep when they aren't being used regularly, or are deleted. If an account is unused or deleted beyond a certain amount of time, another person can assume that name; thus the sleeping Twitter ID of a soccer mom from Toledo could be commandeered by a Russian hacker in St. Petersburg and used to spread misinformation.
One of the Twitter IDs that particularly caught the Wapack analyst’s attention was @JasonJL100. This user made his first tweet, “Hello Twitter! #myfirstTweet,” on August 25, 2014. On the day of the reported Louisiana explosion, @JasonJL100 joined the noise on the internet by propagating news about Columbian Chemicals. On the surface, he was just a local guy sharing breaking news via Twitter. But something about @JasonJL100 caught the attention of the Wapack analyst, who continued to monitor him long after the explosion story was debunked. The analyst watched as the presumed local guy suddenly began communicating on Twitter in Russian.
@JasonJL100 has been asleep since December 2014. Three other accounts, @zaplatovaalena, @georgiostr, and @GlebushkaGleb, all Russian tweeters, switched to English on the day of the explosion and back to Russian soon after; they are still active but have since deleted any references to the explosion from their Twitter history.
The analyst at Wapack Labs will continue to monitor the activity of the Internet Research Agency as the troll farm trains its sights on its next target, whatever it may be.

Nancy Foster
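The article describes three patterns the analyst watched for: accounts that switched from Russian to English for the day of the hoax and back afterwards, accounts created shortly before the event that joined in on the day, and accounts that went quiet immediately after. The following is an added example of how those three signals can be computed over a tweet timeline; it is not Wapack Labs' tooling. The handles and tweet text are constructed for the example (no real accounts or posts), the observation date AS_OF and the day/window thresholds are assumptions, and script detection by Unicode range stands in for real language identification.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample: hypothetical handles and tweet text, not real accounts or
# real posts. EVENT_DAY is the date of the hoax described in the article; AS_OF
# is an assumed observation date used to decide whether an account has gone quiet.
EVENT_DAY = date(2014, 9, 11)
AS_OF = date(2014, 12, 1)
SAMPLE_TWEETS = [
    ("@acct_a", "2014-07-15T10:00:00", "Сегодня хорошая погода, идём гулять"),
    ("@acct_a", "2014-09-11T14:05:00", "Explosion reported at the chemical plant, stay away"),
    ("@acct_a", "2014-09-11T14:20:00", "Anyone near the plant? #explosion"),
    ("@acct_a", "2014-09-25T09:00:00", "Вернулись к обычным делам"),
    ("@acct_b", "2014-08-25T12:00:00", "Hello Twitter! #myfirsttweet"),
    ("@acct_b", "2014-09-11T14:07:00", "Breaking: plant explosion, sharing for locals"),
    ("@acct_c", "2014-06-01T08:00:00", "Weekend plans anyone?"),
    ("@acct_c", "2014-09-11T15:00:00", "Saw the news about the plant, scary"),
    ("@acct_c", "2014-10-20T08:00:00", "Back from vacation"),
]


def script_of(text):
    """Crude script detector: 'cyrillic' if any Cyrillic letter is present,
    'latin' if any ASCII letter is, else 'other'. Script is a stand-in for
    language here; a real pipeline would use a language identifier."""
    if any("\u0400" <= ch <= "\u04ff" for ch in text):
        return "cyrillic"
    if any(ch.isascii() and ch.isalpha() for ch in text):
        return "latin"
    return "other"


def by_account(tweets):
    """Group (handle, iso_timestamp, text) rows per handle, sorted by time."""
    accounts = defaultdict(list)
    for handle, ts, text in tweets:
        accounts[handle].append((datetime.fromisoformat(ts), text))
    for posts in accounts.values():
        posts.sort()
    return accounts


def language_switchers(tweets, event_day=EVENT_DAY):
    """Accounts whose script on the event day differs from the script they
    used both before and after it (switched for the day, then switched back)."""
    flagged = []
    for handle, posts in by_account(tweets).items():
        before = {script_of(t) for d, t in posts if d.date() < event_day}
        during = {script_of(t) for d, t in posts if d.date() == event_day}
        after = {script_of(t) for d, t in posts if d.date() > event_day}
        if before and during and after and before == after and not (during & before):
            flagged.append(handle)
    return sorted(flagged)


def new_accounts(tweets, event_day=EVENT_DAY, max_age_days=30):
    """Accounts first seen shortly before the event that then posted on the event day."""
    flagged = []
    for handle, posts in by_account(tweets).items():
        first = posts[0][0].date()
        posted_that_day = any(d.date() == event_day for d, _ in posts)
        if posted_that_day and 0 <= (event_day - first).days <= max_age_days:
            flagged.append(handle)
    return sorted(flagged)


def went_to_sleep(tweets, event_day=EVENT_DAY, as_of=AS_OF, window_days=7, quiet_days=60):
    """Accounts that posted on the event day, stopped within window_days of it,
    and had stayed silent for at least quiet_days as of the observation date."""
    flagged = []
    for handle, posts in by_account(tweets).items():
        last = posts[-1][0].date()
        posted_that_day = any(d.date() == event_day for d, _ in posts)
        if (posted_that_day and 0 <= (last - event_day).days <= window_days
                and (as_of - last).days >= quiet_days):
            flagged.append(handle)
    return sorted(flagged)


def triage(tweets, event_day=EVENT_DAY, as_of=AS_OF):
    """Collect the weak signals per account; an analyst reviews the flagged ones."""
    signals = defaultdict(list)
    for handle in language_switchers(tweets, event_day):
        signals[handle].append("language_switch")
    for handle in new_accounts(tweets, event_day):
        signals[handle].append("new_account")
    for handle in went_to_sleep(tweets, event_day, as_of):
        signals[handle].append("went_to_sleep")
    return dict(signals)


if __name__ == "__main__":
    for handle, found in sorted(triage(SAMPLE_TWEETS).items()):
        print(handle, ", ".join(found))
```

Each signal on its own is weak: plenty of legitimate accounts are new, or post once about breaking news and then go quiet, which is why the constructed local account @acct_c is not flagged by any of them. The value is in the combination and in handing the short flagged list to a human who reads the language, as the article describes; the thresholds here are illustrative and would be tuned against real volumes.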
Jun 29, 2015

Small Manufacturers need cyber help... NIST MEP must offer messaging!

I'm on a bit of a diversion this year. My goal is to not attend any security conferences during the year. I've blown that, of course, but so far I've attended conferences for insurance, litigation, and, yesterday, manufacturing. Why? Well, first, security conferences are becoming just too crowded. There's a boatload of noise out there, and even the best conferences are becoming overrun. Second, I really want to see how other industries are dealing with cyber, and there's no better way than to sit in on meetings, attend a conference, or smoke a couple'a cigars with someone you've never met before in another industry.

So yesterday I spent two hours in a session with the Research Triangle Park Institute (RTI) in Manchester, NH. They've partnered with NIST's Manufacturing Extension Partnership (I'm not sure the parallel is correct, but I likened it to Agriculture's Cooperative Extension Service, but for manufacturing companies). Anyway, RTI partnered with NIST MEP to produce market intelligence for companies who are considering moving into other products, expanding what they currently sell, etc.

Essentially what RTI offered was an analysis framed by Porter's five forces. Porter authored a model that framed five competitive forces that every business should (must?) consider when devising strategy. I'm a believer. I've used this model in nearly every job and start-up I've been involved with in the last 15 years, including (especially) my government position as the Director of the DCISE. RTI offers a simplified view of Porter, something for manufacturers. They work with the company, mind-map the forces using free software, exchange the mind map with the manufacturers, and in the end offer a report: how best to build, position, and market this new R&D or technology.

I was a bit taken aback, however... do they realize that the new tech they're researching is probably highly sought after by others? And that the reason the mind-mapping software is free is because someone else is reading your stuff? Do they consider that in this new normal, someone will steal that new tech if they're not careful?

So I asked the question (you knew I would!): "Do you consider who will want to steal that technology?" "How do you protect it during R&D?" "How long can you hold that market if the tech gets stolen during early-stage strategy development?" I've written hundreds of pieces over the years. Many describe stolen R&D. Manufacturing companies aren't targeted because they make cool stuff; they're targeted for efficiencies, processes, and industrial engineering techniques. Wouldn't it be nice (for the thief) if it could be stolen during development of those processes?

OK NIST, if you're going to send an FFRDC out to see small and medium-sized manufacturing companies, eat your own dog food and talk to them about protecting their IP. RTI is your FFRDC. Check their messaging before sending them into the field.

Great idea. Incomplete messaging and execution.