You can't buy life insurance without someone sticking their finger in your butt.

...but you CAN buy a cyber insurance policy!

I spent a couple of days last week talking with Insurance folks --brokers, agents and attorneys.  I heard more about cyber insurance policies in two days than I've heard in the last five years. And you know what I think? As far as I can tell, underwriting cyber policies is still pretty much a jump ball! And payouts are more about legal clauses than losses because of legitimate risk.

I asked... why don't you test the networks before writing that policy? The answer? Brokers worry that if they can't write a policy within a certain period of time (two weeks?), the customer will go somewhere else for that policy.

And what about the payout?  During one panel, one of the attorneys commented during a session on how he'd spend time brainstorming new language for clauses (exclusions?) that could be used in the policy.

So two questions.. and my thoughts:

First... With a 14 day marketing turnaround time, can't an underwriter do some initial testing? 

Hell, you can't get life insurance without someone sticking their finger in your butt.  So why not run a few tests to see if an insured is worthy? Worried about time? Time is always a concern, but even without relying on the 'report card' cyber index systems, a real time perspective on what's going on inside the network can be gleaned without ever looking inside the network.  At the same time, car insurance companies now offer plug-ins for the on-board computer. Why not try the same thing with computers? A week on a span port at an egress point could offer an enormous amount of information about what's happening on that network.. with that information, write the policy! Use the test data to both underwrite, and set a goal-drive process with the company --if they fix what was found during the physical, their premiums drop!  It works this way in car insurance right? Safe drivers get better rates than those who speed? Longer track records of safe driving = lower premiums? So why not cyber?

Second...  Are lawyers the best way to ensure lowered risk when writing one of these?  

My thoughts:  I do not presume to know about the insurance industry, but have had some experience as both an agent and broker (life, health, P&C).. and although that was many years ago, my experience says this.. there's a balancing act between profit, and the need to pay out a claim.  Should lawyers be involved? Probably. Should they be brainstorming new clauses? Probably again, but they do so with the understanding that most insureds (those people who buy those policies) will not catch the clause, will purchase the policy unknowingly exposing themselves to risk, and will expect but not receive payout on everything expected.. and if they do? Heck, don't buy the policy. The market will speak for itself!

Bottom line.. there are a million ways to quickly test for risk. Just ask, and we'll either help, or point you in the right direction! Triage analysis is easy. You can pull logs, attach yourself to the network, or use passive external means to listen for activity that might tip you off to the security posture of the network --all with plenty of time to keep the competitive ball in your court.

Can you hack an airplane from the inflight entertainment system?

Can you hack an airplane's via the in-flight entertainment system? Are there other vectors into the cockpit?  Even if the recent stories aren't true (I haven't enough information to assess whether they are or not)... Even if it isn't every hacker in the world will soon be trying. 

Interesting stuff none the less.  I'm going to start out by stating up front.. this is near pure speculation --a conversation piece; thinking through my keyboard.

First,  there are loads of documents that tell you why you shouldn't be able to do what was claimed:

• He got physical access through the In Flight Entertainment (IFE) System through the Seat Electronic Box under his seat.  Used a Cat 6 Ethernet cable to connectVbox for his environment and Kali to run the exploits. (http://aptn.ca/news/wp-content/uploads/sites/4/2015/05/warrant-for-Roberts-electronics.pdf) --why didn't the flight attendant notice someone screwing with the system?

• His target is the Vortex software (http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/) - "VCT has unique and protected state-of-the-art aerodynamic technology as well as copyright protected software that enables engineers to model, predict, redirect and control aircraft vortex flow" (http://www.vortexct.com/products/finlets/).

• You cannot send a climb command based on this software.  On top of that the IFE systems aren't even integrated:  Boeing, which is manufacturer of the United Airlines plane Roberts was on when he was arrested, said the hack wouldn't even be possible because its entertainment systems are "isolated from flight and navigation systems." (http://www.aol.com/article/2015/05/18/cybersecurity-experts-criticize-united-airlines-hacker/21184502/?ModPagespeed=noscript)

But at the same time... I'm not an Aerospace Electrical Engineer, but...

• The vast number of cockpit simulators, with seemingly high levels of reality, seem to offer a viable place where attackers could practice. In fact, at one of my former employers, a cockpit was built on an XBox platform as a means of showing that all interactivity in the cockpit could be performed using inexpensive COTS software.  My point is, are the integrated cockpit devices connected via APIs or other interfaces, PLCs that may make it open?
• And of course after the missing Malaysian flight, there were a number of warnings, particularly from the British on the very real possibility that the plane had been hijacked by cyber attackers.
• ACARS for example has been known to be vulnerable to attack.  So vectors other than the inflight entertainment system have to be considered, if they're look it from a general threat perspective.
• In cars, the CANBUS is the controller area network that connects everything. Remember, the car was hacked through RFID in the tire air sensors at Blackhat a few years ago.  We've had talks with folks at a very specific research center (~18 months ago), regarding OEM CANBUS issues having similar applicability in the Airline and Railway spaces. The thought that airliners may have the same issues should not come as a surprise. 

I'm going to go out on a limb here folks.  I'll bet a dollar that commercial off the shelf products (or at a minimum,  protocols) are used in cockpits; and networking, APIs, etc. rarely have security built in.
I also believe that now every hacker in the world will be connecting to the under-seat USB, trying to figure out how the connection works from the inflight entertainment system, or, can someone bluetooth to the pilot's cell phone, unlock the electronic controls on the cockpit door, or find another hole that makes the seemingly impregnable system not so.

I'm thinking the Aircraft OEM companies and the ISAC are probably buzzing. I've received a number of calls from folks asking what we know (nothing) --but the assessment and the realms of possibility are not that far off.

Get ready Aviation folks. I have a feeling you're going to be really tested with questions in the next few weeks and new engineering challenges into the foreseeable future.

Insider Threat Panel -- Hartford -- Next week!

Those who know me know I enjoy working insider threat cases.  I worked with the Insider team at Carnegie Mellon, and have paid close attention to the landscape ever since.  From a technology perspective, it's one of the hardest.  From a personnel and management perspective, indicators are often identified but misread, or worse, ignored.... if only HR could talk IT and IT could speak HR ... maybe in a perfect world...I won't hold my breath.

But until then, we'll continue to rely on endpoint solutions and monitoring of watch listed employees --perhaps those below the performance line, those followed by HR problems, employees upset by circumstance, or whatever the motivation --technical indicators at the end point can be an effective means of detection and while I'd hate to say mitigation, there is an opportunity to reduce the risk.

I'll be sitting a panel in Rocky Hill, CT next week on just this subject.

Care to join us? Here's the c-vite. The agenda is shown below.

Interested in insider threat?  We look forward to seeing you!

Jeff

"Insider Threat, Incident Response and More..." The ISACA-GHC Members have spoken and we listened! Based on your feedback and requests we have assembled the following topics: Human Side of Data Protection (David Gibson): The most valuable, fastest growing asset a business owns is its human-generated data: documents, spreadsheets, videos, presentations, and emails that people create and share every day. Breaches involving human-generated data happen almost every day. Why? Because employees have far more access than they need, activity is usually not logged or analyzed, and it's difficult to spot abuse. During this presentation you’ll hear how there is a way big data analytics can help lock down overexposed data, prevent breaches, reduce excessive permissions, and enable a sustainable data protection strategy in the face of unprecedented data growth. Massive Scale Endpoint Incident Response (Neal Creighton): Security teams and incident responders are challenged to prioritize the alerts they receive from network-based devices. Next-generation endpoint detection and response technology is helping these teams more contextually investigate, and verify incidents for faster, more efficient resolution. This session will provide an overview of how new endpoint technologies bring in stealth data collection, Big Data correlation and behavioral threat analysis to augment and even improve the ROI of other security ops platforms. Insider Threats (David Gibson): The recent spate of highly publicized breaches has drawn attention to one of the issues that keeps security professionals up at night – once an attacker is “inside” the network, their activities are often difficult to spot and recover from. This is true of outside attackers that compromise the credentials and systems of employees, as well as employees that are “breaking bad” or unwittingly exposing sensitive files. This session will review the anatomy of typical outside-in attacks including infiltration, data gathering, and exfiltration, and then discuss methods and techniques for analyzing file analysis records to spot and stop potentially malicious activity from both insiders and external attackers. Transforming Security Through Distributed Systems and Micro-Segmentation (Colin Ross): With the shift to cloud and mobile computing, security architectures have not kept pace with modern data center architectures. In a world where perimeters have largely disappeared, organizations need to consider security models designed for virtualized and cloud environments. We will discuss how Distributed Systems enable security to scale horizontally, adding capacity dynamically based on need. We will also discuss how Distributed Systems offer a superior architecture for security by providing simplified operations, more effective threat analysis, and better economics. Breaking Down the Cyber Kill Chain (Ryan Wager): The threat landscape continues to evolve faster than the technologies being built to control it.  In this discussion we will focus on breaking down the parts of the Cyber Kill chain that occur within today's datacenter perimeter and current security best practices.  Specific examples of real attacks will be utilized to illustrate each point. Panel Discussion This panel discussion will look at some of the key issues around cybersecurity, threat detection, managed security, next-generation threat modeling and address audience questions on new, innovative ways to effectively counter attackers and eliminate threats.  Moderator: Steven Harper, Northeast Regional Sales manager for CounterTack. Steven manages the U.S and Canadian business on the East Coast.  He has been in the Internet and Cyber Security industry since 1994 and his background includes companies such as BBN (Bolt, Beranek, and Newman) and Exodus Communications where he was a member of the Cyber Attack Tiger Team. He has worked in the SaaS / Cloud industry, founding Plan 2 Win Software which he sold in 2008. Most recently he has worked at Radware and Corero Network Security, focusing on DDoS Prevention and remediation. Prior to working in the Denial of Service arena, he spent time at Still Secure, a Managed Security Service Provider, specializing in PCI Compliance. Panelist #1: Jamie Herman, Information Officer at Ropes & Gray, LLP. Jamie has more than 15 years of experience in information security, risk management and information technology. Currently the Information Security Officer for Ropes & Gray LLP, Jamie's expertise covers a diverse range of areas, including implementing information security programs, data privacy, digital forensics, access control, leading innovation initiatives and leading a global team. His passion for assisting law firms improve their security posture in all facets of business has been a key to his success. Having led vulnerability management plan efforts, security strategy and policy design initiatives, Jamie collaborates with a wide network of public and private industry information security experts to deliver forward-thinking security thought leadership to the legal information security industries. Jamie sits on the LegalSec steering committee and has presented at a multitude of ARMA, ILTA and information security events. Panelist #2: Jeff Stutzman, Co-Founder & CEO of Red Sky Alliance Corporation and Wapack Labs. Jeff served as a Director at the DoD Cyber Crime Center (DC3) where he built and operated the DoD/DIB Collaborative Information Sharing Environment (referred to in the press as the “DIB Program”) and the financial community’s Government Information Sharing Framework (GISF). Mr. Stutzman is a former US Navy Intelligence Officer and has held positions with Cisco Systems, Northrop Grumman, and the Software Engineering Institute at Carnegie Mellon University, and the DoD Cyber Crime Center. He is a founding member of the Honeynet Project, founded the Healthcare ISAC, and was a first watch stander in SANS GIAC (now the SANS Internet Storm Center). Mr. Stutzman holds a BS in Liberal Sciences from Excelsior College, an MBA from Worcester Polytechnic Institute, and is a Harvard Kennedy School Senior Executive Fellow. Panelist #3: Brad Howden is the Founder and CEO HIC Network Security Solutions, LLC. Brad has more than 15 years of experience working in security and network focused consultancies, as well as managing global, customer facing technical organizations.  Howden strategically focused HIC’s expertise to lie in both well established and in emerging security technologies designed to address the evolving threat landscape.  Howden and HIC have also developed proprietary firewall migration software, HIC RAPIDFIRE, which has been used within a multitude of organizations across many verticals, and in a large number of fortune 500 companies. Prior to co-founding HIC Network Security Solutions LLC., Brad served as Director of Technical Services for IGX Global.  He received a B.S. in Computer Science from Rutgers University. Panelist #4: TBD

Attendees are encouraged to send questions in, for our speakers.

SEMINAR (UP 7 CPE CREDITS)  WHEN 05/13/15 8:00 AM - 4:30 PM WHERE CT-CPA Center 716 Brook Street, Suite 100, Rocky Hill, Connecticut 06067, USA FEE            ISACA Members - $10.00 Non-ISACA Members - $20.00 SCHEDULE • 8:00am – 8:30am: Registration (Continental Breakfast) • 8:30am – 12:00pm: Morning Session • 12:00pm – 1:00pm: Lunch • 1:00pm – 4:30pm: Afternoon Session FLYER               Insider Threat Incident Response and More...            RSVP 05/11/15

Please respond by clicking one of the buttons below

Having trouble with the link? Simply copy and paste the entire address listed below into your web browser: http://www.cvent.com/d/PN-iVa9tj0ygTkNapgS2vw/fjxf/P1/1Q? If you no longer want to receive emails from Education Committee please click the link below. Opt-Out

The pools is polluted and we're all swimming in it. Don't get to much in your mouth!

We've been chasing this massive breach --global in scope.  We don't like to publish these things openly -grandiose outings of breaches and defensive conquests are wonderful for a short time, but in the end, one story becomes just like the last, and just like the next.

Rather than becoming yet another intelligence group spending months writing a big story, our preference is to warn folks when we find out --as early as possible, stay under the radar, notify those who need notifying, and moving on to the next place that the data takes us.

At the same time, the story is out.. without the purposeful push, but none-the-less, those outside of our circles tell the story, and at some point, we're going to have to speak publicly and openly about our findings. So how do we do that without becoming yet another, pumping our chest, telling the world how great we are? I didn't know, but I know someone who does.

So I called him.

We talked about the idea that as internet use grows, so does the proportionate crime. First from nuisance focused kiddie-scripters, then organized crime, robot networks (botnets), espionage, and now, integrity attacks.  The normal population has crime --murder, car theft, breakins, etc.,  so does the Internet.  So a thinking person might consider the correlations right?? I'm not taking on a long term academic study, but I'd assume that if someone would attempt a break-in in the physical world, they might also do so in the cyber realm right? And in cyber, many people still think that getting away with something is relatively simple, so those who might have considered a physical breakin, but didn't because of a fear of being caught, might now do so on the Internet because of a lowered risk of ending up in the hooscow... right?

Let's try some simple math... the most dangerous city last year had roughly 1340 crimes per 100,000 people -roughly 1.3% per capita. So what if we transferred that math to internet crime?

The graphic below shows internet users per 100, on a growth plan from 11% in 1996 to over 77% in 2013 --at a time when the world population was ~7 billion people. 31% globally use the Internet. Now plug in that 1.3% crime rate per capita... that means that just over 28 million people are committing crimes --and not on local breakins, murder, theft, it's on a global scale! 28 million people have the ability to touch anyone... and they do.  My thinking is those internet criminals probably don't do just one break-in, they probably do thousands at a time via robot networks (botnets)... the numbers grow exponentially with the use of technology.

http://en.wikipedia.org/wiki/List_of_countries_by_number_of_Internet_users

The Internet knows no boundaries, and the fear uncertainty and doubt argument no longer works... so try maybe math is a better approach. I'm sure mine isn't perfect, but it certainly illustrates the idea that since 1998 the growth in volume, increase in sophistication, and changes in motivation and intent have grown right along with the growth in users... and it ain't gonna get better any time soon. Crime, espionage, integrity, destruction? They're all a part of our new normal --and we better get used to it. Those nice, trusted computers that we thought we owned years ago are as much a thing of the past as the AMC Jeep... that's a steep Internet adoption curve --and a correspondingly steep crime adoption curve.

So when we say we're chasing a currently unpublished global set of breaches, so what right? It's just another day. It's the new normal.  The pools is polluted and we're all swimming in it.  Our best hope? Don't get to much in your mouth!

What're we chasing?  Check it out... https://cms.wapacklabs.com.

Still thinking about joining Red Sky?  Want to know more? Call us. We're here to help.

The God box

I spent a few days with a bunch of bankers in lower Manhattan this week.  After the conference

(caucus? summit?) we headed for the bar.  I ran into someone I've known for years, but worked with right after leaving the Navy in 2001. Over a couple of Guinness stouts, the conversation went from fun, back to business, but on this occasion, he mentioned the phrase "the God box." We hear so much from different vendors about the problems they solve, and in todays environment, it seems CISO's who've not yet really been exposed to what's happening in the dark corners of our infosec world, they're hearing the messages, watching the turnover in CISOs, and are either scared to death or totally confused by all of the crap reported in the news and vendor hype that takes full advantage.

The God box goes like this... My security box slices, it dices, it even juliens fries! It'll stop every think of coming into YOUR house, AND, it'll pour your coffee when you come to work in the morning. It offers long term predictive intelligence (not that you'll ever need it), and will call your mother on her birthday when you forget about it because you're so engrossed in dungeons and dragons (World of Warcraft? Farmville?) that everything else passes you buy; because you've got so much time on your hands while you wait for your layoff notice because you've not had to lift a finger to protect your network since this new system was delivered, installed, and it took over full operation of your networks, authentication, logging, analysis, blah, blah, blah. This box is freak'n amazing.

So the question is this... if that box is so good, why aren't you using it to predict the stock market? 

We see SOOO many vendors out there exploiting fear uncertainty and doubt, overcharging for their otherwise lackluster wares; over-promising and under-delivering, or worse, with so much complexity that you couldn't even begin to scratch the surface of its capabilities. I once had someone tell me that Arcsite is the most expensive SMTP gateway they'd ever owned. It's not because Arcsite is a bad product (I don't believe for a second that it is) but that it requires specialized training to be able take advantage of the amazing capabilities that come with it.

Interestingly enough, much of what many of these guys promise can be done on your own --including what we do (although, we try really hard to do it better than you could on your own!).  All I'm saying is this... there is no God box. Put your filters on and don't believe everything you hear. Pick a few great tools (open source, commercial, home grown, whatever!), but pick them based on the needs in your environment. Haven't started? Set up a Bro box, a Security Onion ISO, or another favorite tool, connect it to a great intel source (ours is inexpensive and easy to hit, or again, choose your favorite). Watch the outputs and do the initial diagnosis. Pick tools based on what you need to move to the next step. Don't swallow the elephant whole at first, rather look for tools that can help create your plan. Need help? There are tons of places to find that too.

Our favorite diagnostic tools? We're huge fans of Bro and Security Onion. Prefer commercial? Try Countertack. Want a Managed Security Service? Red Canary just started integrating Threat Recon, or for the broader spectrum MSSP, try AT&T, Solutionary, Morphick, or Alert Logic.

Bottom line: There are some very cool options out there. None are the God box. Nor is there a simple green light that you can watch flicker, turn red temporarily, and then back to green when the thing mitigates the risk... it doesn't exist.  Brains exist. Good intel exists. Critical thinking exists. And most of all? Common sense exists.

Mike Rogers - Destructive offensive actions are coming...

“I think it’s only a matter of time until we see destructive offensive actions taken against critical U.S. infrastructure,” said Adm. Mike Rogers, the director of the National Security Administration and commander of the U.S. Cyber Command.

“History has shown us to date that you can [look at] any confrontation, any crisis to date and that there’s a cyber component to it,” he said. “Cyber is going to be a fundamental component of the world we’re living in.”

http://www.washingtontimes.com/news/2015/feb/23/adm-mike-rodgers-nsa-director-says-us-infrastructu/

Interesting. I spent two days with the CI community last week, and a couple of hours with the cyber folks in the White House on Friday. I'm thinking Mike Rogers is living in a bit of a government enshrouded cave. Think there's not been damage to companies already and that destructive offensive attacks haven't occurred already? 

We've seen hard drives spun to failure. We've seen DDoS and telephone interruptions and massive operations used to keep incident responders busy. We've seen election computers trojaned to manipulate elections. 

I'd bet a dollar, although I have no direct proof, critical infrastructures in not only the US, but abroad, have already occurred. 

New agency to sniff out threats in cyberspace

Maybe it shouldn't bother me as much as it does... oh hell, yes it should.

This piece ran, above the fold, front page, column one in the Washington Post this morning. It was the first headline that I read as I had my morning coffee and poached eggs before heading out to the second day of my conference.  

According to the Washington Post:

"The Obama administration is establishing a new agency to combat the deepening threat from cyberattacks, and its mission will be to fuse intelligence from around the government when a crisis occurs.

The agency is modeled after the National Counterterrorism Center, which was launched in the wake of the Sept. 11, 2001, attacks amid criticism that the government failed to share intelligence that could have unraveled the al-Qaeda plot." 

Here's the deal...  The government is preparing to build yet another cyber fusion center --a group that can reach across the stovepipes and pull together the story in time of cyber crisis. This, on the heals of hacks into Sony —because movies are important right? 

So another $35 mil spend to stand up a new 50 person team just bothers the hell out of me. Why? Well, first, $35 mil in DC is what they call budget dust. It’s not a lot of money inside the beltway (of course, it is to the rest of us!).. But the idea that it's ANOTHER $35 mil spent on top of the others in the space --NSA, DHS, FBI, DoD, US Cyber Command --all have or are cyber organizations in our government, and the last time I checked, DHS had the mission for coordinating across the stovepipes. So my thinking? Why are we spending another $35 mil (and this is only the first year folks), to built another cyber organization instead of forcing the existing agencies to do their job? 

So, who's losing cyber budget to stand up the new team? Call me. I'd be happy to offer up a few recommendations.

(Source: http://www.washingtonpost.com/world/national-security/white-house-to-create-national-center-to-counter-cyberspace-intrusions/2015/02/09/a312201e-afd0-11e4-827f-93f454140e2b_story.html?hpid=z5)

The Absence of Basic OPSEC

I'm in DC through Wednesday for a conference. I drove down from the tundra that is New

Hampshire, arriving late last night. The conference doesn't start until 9:00 this morning so I thought I'd relax a bit and have breakfast before I walk up.

So I'm assigned a table in my favorite place in DC. It's a coat and tie kind of place where there are no cell phones allowed in the main dining room. As I skim the Washington Post (which is surprisingly light these days!), I can't help but overhear a man's voice --from nearly clear across the room. There are at least a dozen tables occupied, although admittedly, most are either singles or still in their caffeinated silence. And this one guy, probably 70ish, white hair, fit, is sitting with two much younger women... one a nice looking late 30's blonde; the other about the same age, and still attractive, slightly heavier and a brunette... the brains at the table who never stopped writing... and the man who I believe had to be able to breath through his ears because I didn't see gills and his mouth never stopped moving.

In this city, where the highest per capita ratio of human intelligence operators perform diligently, reporting everything heard back to their handlers, this white haired retired (I believe) senior (again, an assumption), talked about Navy plans for future undersea warfare, nuclear options being developed, and close-in warfare. He talked about presenting at the "National War College"(at the National Defense University on Ft. McNair). And while I believe this man works for a local think tank, the simple absence of OPSEC of in this hotel dining room, where so many other ears could overhear this man who seemingly misses the attention of being a decision-maker on active duty, working like hell to either task, or impress with his deep understanding of Navy issues, these two obviously younger women, well, it really p*ssed me off.

At the same time, I thought to myself "Is this what we've become?" OPSEC is an afterthought to impressing women over a fancy hotel breakfast, or that capitalism is more important that national security, or that the ego, lacking in validation simply needs to be stroked --and that stroking can be forced by pushing opinions and deep thought over breakfast while young women hang on every word.

So yes, this is what we've become. The internet is a place where all three of these things exist. OPSEC has become an extinct after-thought, like the Zanzibar Leopard and the Black Rhino, these once powerful animals have gone by the wayside. Where OPSEC, Tempest, CMS, and guarded radio rooms and swift and strict punishments were imposed on those who broke the rules, it seems that the bar has been reset and speaking openly, regardless of the consequences, online or in public have become the new norm.

And this white haired old man, well, he should know better.

That's enough of my rant for this morning. I haven't blogged in a while and it was starting to build a head of steam that just needed to escape.

Now, I'm off to my Intelligence conference.

Have a great day!
Jeff

Victim Notification Service and new Wapack Labs Subscriptions

If you've noticed, we've begun sending victim notifications in the last few weeks... and for good reason. As we listen to the market (that is information security), we're concerned that much of the talk is falling away from what we've become to know as APT. And there are good reasons for it. Vendors (and yes, I am one) have overused APT to the point where those who know it take it for granted --it's simply become the new normal.... and those who don't know it have simply become numb to the idea that there's bad stuff happening, but they're not feeling it (so it must not really be all that bad right?).

Wrong.

Here's my concern.. I've tweeted this a few times in the last couple of weeks.

What you don't know can, and probably already has, hurt you. And if you think I'm mistaken, send me a couple of days of your netflow data and I'll show you.  Ooops sorry, you don't know how to collect netflow? Well there ya go.

The truth is, the folks that tell me that they don't have a problem are the same folks who can't configure snort, have never heard of Bro, and for the most part, focus on the checklist (that they use like a safety blanket). It's that warm woolly PCI (FISMA, HIPAA, 800-53, ISO, other) checklist that says you've done what you've supposed to, and therefore must be safe. But on the same day when we're sending out literally tens of thousands of victim notifications, I'll sit at a meeting of qualified information security folks who are smart as hell, but still haven't come to the realization that much of what lies slightly below the waterline is really a huge iceberg just waiting to sink your unmonitored, unprotected, but compliant boat.

So... A few weeks ago, we started sending victim notifications. We don't charge for them. They just go out periodically. We're hoping for karma points somewhere along the line.  The idea was simple... let's raise some awareness. We post a short piece to our new distro site (cms.wapacklabs.com), and you can pull a bit on the victim alert that you may have received, and it'll probably have a link to an authoritative incident response process --maybe one of the AV vendors, or Microsoft, or when needed, someone that can help with a larger problem.

So here you go... we've posted a few good pieces recently. You should go look. Between the CMS and our API, Threat Recon, every infosec pro from the entry level IPS virgin to the hardened coffee-breathed greybeard, you can get what you need. Not enough? Red Sky Alliance is alive and well --for three years now in just a couple of weeks. So if you need more information, join the conversation in Red Sky.

Need a reintroduction? Call us. We've added a bunch of new offerings to our lineup from feeds to the collaboration to being integrated into a number of new products. I'd love nothing more than to show you how we've matured.

So here's the deal.. at no charge, you can pull two victim notification explanations, sometimes with mitigations; sometimes with links to others who've already analyzed it.

For $250 per year you can sign up to be notified when new notifications go up, and be able to download anything that we post to that area.

Need more? Our intel reporting can be purchased for slightly more, but when paired with Threat Recon, you'll have a pretty good picture of what's going on. Intel reports give you the full 'story', and if you need to dive down, search for the intel report on Threat Recon.

As a teaser... here are a few of our recent posts on our new CMS.

RECENT POSTS

• Victim Notifications: Tinba
• Emotet Victim Analysis and Notifications – Update
• EARLY WARNING ANALYSIS WITH SNORT SIGNATURES (MEDIUM-HIGH CONFIDENCE): UPTICK IN ACTIVITY RELATED TO Win32/Cidox
• China puts cybersecurity squeeze on US technology companies
• Victim Notifications – Emotet

Have a great weekend!

--Jeff

Gas Deal to Benefit Russia, Turkey

You've heard or seen me present on the issues between Russia and Ukraine. We published a paper to our members and Wapack Labs subscribers.  We've been telling the story (loudly) about Russian desires to recapture gas distribution and the cyber activities underpinning the physical and geopolitical. 

...and now...

This unexpected turn in Russian-Turkish energy cooperation raises many new questions about the future development of the EU energy market, as well as the evolution of the geopolitical situation in the region.

http://csis.org/publication/gas-deal-benefit-russia-turkey
By canceling South Stream and redirecting the same volumes of gas to Turkey, Russia has weakened the EU’s negotiating position with respect to gas deliveries via Ukraine. At the same time, it has empowered Turkey.

In other words, Moscow has prevented Brussels from exercising its veto over South Stream, which was designed to reduce Gazprom’s dependence on Ukrainian transit routes. The Russian company can now work with Turkey to diminish or even eliminate Ukraine’s role in gas shipments to Europe, thereby leaving Kyiv with little or no income from transit fees and much less leverage over Russia.
 
Gazprom head Alexei Miller stressed this point last week, declaring that Ukraine’s role as a natural gas transit route between Russia and the European Union would be “nullified” as soon as the new pipeline to Turkey was completed. Ironically, Miller was speaking after Ukrainian prime minister Arseny Yatsenyuk told members of the country’s parliament that Kyiv was calling on Brussels “to block South Stream because the pipeline was designed to bypass Ukrainian territory.” It looks like Yatsenyuk got what he wished for, but he may not be happy with the new situation.

If the deal goes through, Russia has a vested interest in Turkey, which may lead to cooperation in other areas.  Turkey already has a cyber culture.  Russia will play the EU discrimination card to the Turks all they can. 

Let's try this again! My 2015 predictions!

2015 Predictions Paper
Jeff Stutzman, Co-Founder, Red Sky Alliance and Wapack Labs
December 31, 2014

I started writing the papers in 2011. My earlier papers are all available on this blog. Surprisingly enough, even with some being a total stretch, many came true. This year is a little different. Where I'd looked at tech exploitation in previous years,  my fear is that this year, technical exploitation will take a backseat to "we're already in and this is what we want". So watch out for objectives on target. This, in my opinion, is what's going to be the big message for 2015.

2015 will bring massive change. 

Ransomware will become highly targeted, significantly more efficient and far more damaging

In October, Wapack Labs responded to a call from help from a local company. The company had fallen victim to ransomware.  While Wapack Labs doesn’t normally undertake incident response, the request came in from a friend, and we felt compelled to assist.  In this case, the CEO paid the ransom (about $800 in Bitcoin) to retrieve the files that were encrypted on his personal computer.  The corporate drives however, were a different story.  The company’s IT staff had been forced to restore the entire company from backup taken 24 hours earlier.  Our analysis resulted in sink-holing the command and control channels, revealing nearly 1500 other victims - within the first hour!

Ransomware is a type of malware that restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed.[2] Ransomware often times uses scare tactics to coerce the owner of the victim computer into paying money to unlock or unencrypt files or the computer that will be held until the ransom is paid. In many cases, users are even walked through the process of paying the ransom.  It is a non-discriminating attack.  Nearly anyone can fall victim.  Figure 2 shows the screen presented to an earlier victim at Scotland Yard.[3]

The idea that ransomware has become a big deal should come as no surprise. But when you combine it with underground currency (thereby removing controls imposed by the banking and finance system) and couple it with highly efficient delivery mechanisms (see the next prediction), the use of ransomeware could, and likely will, become a very real and significant threat. 

Malware delivery will become highly efficient, utilizing traffic delivery systems to increase the probability of successful intrusions.

Imagine walking into a massive grocery store to buy a carton of milk.  You’ve never been to this store before.  You can run through every isle looking for the dairy case, or you ask a clerk to walk you to it.  Now imagine that the clerk knows the exact kind of milk you like, and hands it to you before you even ask him/her for directions to the dairy case.  Traffic distribution systems (TDS) work the same way in cyber space.  They know the configuration of the computers, and push specific legitimate content only to computers who actually want it, or in the case of malware delivery, the TDS knows the configuration of specific computer systems, and delivers malware only to those computers who will actually be able to execute the payload.  By knowing which computers have specific vulnerabilities, and delivering malware only to those computers, the likelihood of a successful exploitation increases dramatically, thereby increasing the attacker’s return on his hacking investment with very little additional effort.

For example, Wapack Labs witnessed and reported on (November 2014) hackers abusing a Traffic Distribution Service (TDS) called Sutra.

The Sutra TDS is designed with the intention of managing (and capturing) legitimate analytic data from a web server’s traffic.  In design, Sutra systems are designed to manage affiliate advertisements and maximize referral monetization through advanced management.   However, malicious actors have found a way to abuse this technology.[4]

This occurs by the system understanding not only the IP or MAC address of the system to which content should be delivered, but also the operating system, patch status, vulnerabilities and port openings.  The system acts as a traffic cop delivering malware to only those systems vulnerable to a specific attack.

We believe this will only grow in 2015.

OEM trojaning activities will become the norm.

In August 2014, Wapack Labs received malware specimens that were reported as targeting a Russian commercial bank.  Analysis of the malware uncovered a wide criminal infrastructure as well as a targeted malware component designed for attacking a specific application used in many financial institutions.  While the activity appeared to be targeted in nature, the associated infrastructure had also been linked to a number of other generic cybercrime activities.  The interesting thing was that all of the malware, after triggered remotely, communicated back to the software developer that built and sold the application to the banks.  While this may suggest the OEM wrote the backdoor into the code, it may also suggest that the OEM had been exploited.  We are not clear on which option may have been true, but the fact that the command and control channels called home to the developer suggested at a minimum, some involvement.

We’ve heard of other cases of suspected OEM poisoning, but this, although unproven, suggests, at least to us, a leading indicator.  OEM poisoning through companies with distribution channels for software, hardware, and services should consider themselves prime targets for exploitation for hackers who look for the early foothold.

Companies will (if  not already) will grow tired of being victimized.  Top companies (the “one-percenters”) will begin to shoot back.  The Sony case is famous. 

According to one media report, Sony Pictures is alleged to have conducted a retaliatory DDoS attack against websites currently holding its leaked information for public download.  The unconfirmed strike-back follows the two weeks of relentless attacks on Sony networks, punctuated by extortion demands, and the theft and release of personal information, emails and other business documents, all supposedly by the hacker collective the "Guardians of Peace".[5]  I’ve heard this before. Sony isn’t the only one.  .  Over ten years ago while working onsite at a bank, the CISO talked openly about hiring an offshore company to attack servers that were used to spam bank customers and the servers hosting the fake banking sites they linked to.

During our first year with Red Sky Alliance, we visited a non-member defense contractor who’d fallen victim several times to determined adversaries who were believed to be state sponsored, and who were stealing intellectual property being developed by them for the US Department of Defense.  The company spoke openly about having taken the offensive during attacks where sensitive technologies were believed targeted and being stolen. 

So is this real? Absolutely. Is it likely? Absolutely. Widespread? Probably not yet but it should come as no surprise that cyber activities are popping up in some unlikely locations around the world –possibly those locations that do not yet have strict cyber laws –and my belief is they will be used for proactive offensive, retaliatory, and active defensive operations.

The continued growth of government-sponsored operations will dramatically alter the cyber landscape.

In 2013 Wapack Labs analysts began tracking the growth in numbers of countries building their own ‘Cyber Command’. At the time, we found evidence of six versions of government sponsored cyber organizations.  In February ’14 when we mapped it out, there were 22, and today, not even a year later, there are believed to be over 100 in various stages of maturity.

What does this mean?  I use a term that I heard David Awksmith use at a conference in Colorado a few years ago.  He used an economics term –disintermediation, to describe removing the middleman (middleman being the military) in cyber space. Why?  Old-school military leaders won’t give up their bullets, but the younger generation of officers are believers that cyber is a viable weapon, and non-kinetic, non-blood yielding options can have as good or better effects on many fronts than kinetic weapons.   We’ve seen the removal of the military middleman play out already in several cases, and even in those countries with strong national level computer emergency response teams, non-governmental victims who are attacked can suffer significant damage.  

According to one source, Smart TVs were hacked during the Ukrainian parliamentary election.  Local channels were blocked and ‘aggressor’ (according to our source, Russian) messaging was played instead.   The Ukrainian military was not targeted, rather the population in an attempt to sway voting.

In another, Privatbank, Ukraine’s largest commercial bank was hacked repeatedly because the owner of the bank spoke out against Putin and personally funded much of the Ukrainian resistance.

Voter election, tampering and monitoring of the telephone systems, use of traffic cameras and security webcams to collect intelligence, the ability manipulate through cyber connections to just about any controller, media outlet, and telephone system offer significant advantages.  Cyber activities do not carry the same “Washington Post effect” --generate public outcry and influence US leadership through media reporting, as physical bombings and killings of people, are far less expensive to carry out by an adversary, and offer significant plausible deniability -but on the targeted victim(s), can be devastating.

So yes, future cyber, in my opinion, will remove the middleman and companies will be targeted directly by state sponsored (or at a minimum, state condoned) activities.  This will become the norm.  Need other examples?

The leader of the Syrian Electronic Army is actually President Assad’s cousin. The SEA was created in as a result of, and for retribution for the assets of the Assad regime being frozen.  We’ve seen heavy SEA activity over the last twelve months, and from our perspective, we should expect to see more.

North Korea’s unit 121 is reported by the FBI to be the actor behind the Sony breaches.  Regardless of heavy public speculation on attribution, the activity certainly cost Sony –both hard and soft dollars, and the fight, if the FBI is correct, was military-on-private corporation, not military-on-military.

China has long believed to be using government sponsored cyber espionage units to target and exploit intellectual property residing in corporations outside of China.  State sponsorship (or, at a minimum, state countenance) of activities against global corporations suggests governments are targeting non-government victims when that non-government entity has something in their collection requirements.

The US Cyber Command nearly doubled its budget heading into 2015.   There should be no doubt that others will follow, if only to protect themselves against future cyber, SIGINT, and espionage activities.

Life in cyber is not all that bad

There are some very strong positives.

First, the intelligence space is maturing nicely.  Not only are CISO’s becoming aware of the need for intelligence (even though risk models called for it years ago!), the idea that effort and spend can be prioritized by having great intelligence is a good thing. In fact, not only is it maturing, verticals are forming! 

Second, nearly every company that I wander into today either has a CISO or understands the need. That’s not to say they’ll all run out and hire one, but the awareness is there. I see this as a positive.

The ISO 27001 business is booming.  ISO isn’t going to stop determined adversaries, but it marks progress.  Again, I see this as a strong positive.

---

[1] Henrybasset.blogspot.com

[2] http://en.wikipedia.org/wiki/Ransomware

[3] http://en.wikipedia.org/wiki/Ransomware#mediaviewer/File:Metropolitan_Police_ransomware_scam.jpg

^[4] https://www.usenix.org/sites/default/files/conference/protected-files/leet_ferguson_threats_preso.pdf

[5] http://www.theregister.co.uk/2014/12/12/sony_allegedly_targets_file_sharers_following_guardians_of_peace_hack/

Table 1: Stutzman’s 2015 Predictions

Stutzman's 2015 Predictions	Type of risk	To whom	Risk	Probability	Impact if successful	Stage of maturation	Leading indicators present?	Overall risk score
Ransomware will become highly targeted and significantly more efficient	Tech exploitation and ransom	All	5	5	5	3	Yes	4.5
Malware delivery will move from broad phishing delivery through content aware (traffic cop) systems	Tech exploitation	All	5	5	3	3	Yes	4
Previously unpublished activities surrounding OEM integrated trojaning activities will become more public	OEM exploitation	All	4	3	5	3	Yes	3.75
Companies will grow tired, and begin shooting back	Policy and Legal	Top 1 percenters	5	5	1	1	Yes	3
The continued growth of government sponsored cyber operations will drastically alter the landscape.	GEOPOL	Targeted companies	4	5	3	2	Yes	3.5

---

Jeff Stutzman, Co-Founder, Red Sky Alliance and Wapack Labs

December 29, 2014

I started writing these prediction papers in 2011, and while many people author prediction papers, one of the differences in the way I write mine is that I like to look back and see how many of mine actually came true. The old ones are published earlier in this blog. Please feel free to check them out.

2015 will bring massive change. 

In October, Wapack Labs responded to a call from help from a local company. The company had fallen victim to ransomware.  While Wapack Labs doesn’t normally undertake incident response, the request came in from a friend, and we felt compelled to assist.  In this case, the CEO paid the ransom (about $800 in Bitcoin) to retrieve the files that were encrypted on his personal computer.  The corporate drives however, were a different story.  The company’s IT staff had been forced to restore the entire company from backup taken 24 hours earlier.  Our analysis resulted in sink-holing the command and control channels, revealing nearly 1500 other victims - within the first hour!

Ransomware is a type of malware that restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed.[2] Ransomware often times uses scare tactics to coerce the owner of the victim computer into paying money to unlock or unencrypt files or the computer that will be held until the ransom is paid. In many cases, users are even walked through the process of paying the ransom.  It is a non-discriminating attack.  Nearly anyone can fall victim.  

The idea that ransomware has become a big deal should come as no surprise, but when you combine it with underground currency; thereby removing security controls imposed by the banking/finance system; and couple it with a highly efficient delivery mechanism (see the next prediction), the use of ransomware could, and likely will, become a very real, and significant threat.

Imagine walking into a massive grocery store to buy a carton of milk.  You’ve never been to this store before.  You can run through every isle looking for the dairy case, or you ask a clerk to walk you to it.  Now imagine that the clerk knows the exact kind of milk you like, and hands it to you before you even ask him/her for directions to the dairy case.  Traffic distribution systems (TDS) work the same way in cyber space.  They know the configuration of the computers, and push specific legitimate content only to computers who actually want it, or in the case of malware delivery, the TDS knows the configuration of specific computer systems, and delivers malware only to those computers who will actually be able to execute the payload.  By knowing which computers have specific vulnerabilities, and delivering malware only to those computers, the likelihood of a successful exploitation increases dramatically, thereby increasing the attacker’s return on his hacking investment with very little additional effort.

For example, Wapack Labs witnessed and reported on (November 2014) hackers abusing a Traffic Distribution Service (TDS) called Sutra.   The Sutra TDS is designed with the intention of managing (and capturing) legitimate analytic data from a web server’s traffic.  In design, Sutra systems are designed to manage affiliate advertisements and maximize referral monetization through advanced management.   However, malicious actors have found a way to abuse this technology.  This occurs by the system understanding not only the IP or MAC address of the system to which content should be delivered, but also the operating system, patch status, vulnerabilities and port openings.  The system acts as a traffic cop delivering malware to only those systems vulnerable to a specific attack.

We believe this will only grow in 2015.

In August 2014, Wapack Labs received malware specimens that were reported as targeting a Russian commercial bank.  Analysis of the malware uncovered a wide criminal infrastructure as well as a targeted malware component designed for attacking a specific application used in many financial institutions.  While the activity appeared to be targeted in nature, the associated infrastructure had also been linked to a number of other generic cybercrime activities.  The interesting thing was that all of the malware, after triggered remotely, communicated back to the software developer that built and sold the application to the banks.  While this may suggest the OEM wrote the backdoor into the code, it may also suggest that the OEM had been exploited.  We are not clear on which option may have been true, but the fact that the command and control channels called home to the developer suggested at a minimum, some involvement. 

We’ve heard of other cases of suspected OEM poisoning, but this, although unproven, suggests, at least to us, a leading indicator.  OEM poisoning through companies with distribution channels for software, hardware, and services should consider themselves prime targets for exploitation for hackers who look for the early foothold.

During our first year with Red Sky Alliance, we visited a non-member defense contractor who’d fallen victim several times to determined adversaries who were believed to be state sponsored, and who were stealing intellectual property being developed by them for the US Department of Defense.  The company spoke openly about having taken the offensive during attacks where sensitive technologies were believed targeted and being stolen. 

So is this real? Absolutely. Is it likely? Absolutely. Widespread? Probably not yet but it should come as no surprise that cyber activities are popping up in some unlikely locations around the world –possibly those locations that do not yet have strict cyber laws –and my belief is they will be used for proactive offensive, retaliatory, and active defensive operations.

What does this mean?  I use a term that I heard David Awksmith use at a conference in Colorado a few years ago.  He used an economics term –disintermediation, to describe removing the middleman (middleman being the military) in cyber space. Why?  Old-school military leaders won’t give up their bullets, but the younger generation of officers are believers that cyber is a viable weapon, and non-kinetic, non-blood yielding options can have as good or better effects on many fronts than kinetic weapons.   We’ve seen the removal of the military middleman play out already in several cases, and even in those countries with strong national level computer emergency response teams, non-governmental victims who are attacked can suffer significant damage.  

·       In another, Privatbank, Ukraine’s largest commercial bank was hacked repeatedly because the owner of the bank spoke out against Putin and personally funded much of the Ukrainian resistance.

·       Voter election, tampering and monitoring of the telephone systems, use of traffic cameras and security webcams to collect intelligence, the ability manipulate through cyber connections to just about any controller, media outlet, and telephone system offer significant advantages.  

·       The leader of the Syrian Electronic Army is actually President Assad’s cousin. The SEA was created in as a result of, and for retribution for the assets of the Assad regime being frozen.  We’ve seen heavy SEA activity over the last twelve months, and from our perspective, we should expect to see more.

·       North Korea’s unit 121 is reported by the FBI to be the actor behind the Sony breaches.  Regardless of heavy public speculation on attribution, the activity certainly cost Sony –both hard and soft dollars, and the fight, if the FBI is correct, was military-on-private corporation, not military-on-military.

·       China has long believed to be using government sponsored cyber espionage units to target and exploit intellectual property residing in corporations outside of China.  State sponsorship (or, at a minimum, state countenance) of activities against global corporations suggests governments are targeting non-government victims when that non-government entity has something in their collection requirements.

·       The US Cyber Command nearly doubled its budget heading into 2015.   There should be no doubt that others will follow, if only to protect themselves against future cyber, SIGINT, and espionage activities.

There are some very strong positives.

First, the intelligence space is maturing nicely.  Not only are CISO’s becoming aware of the need for intelligence (even though risk models called for it years ago!), the idea that effort and spend can be prioritized by having great intelligence is a good thing. In fact, not only is it maturing, verticals are forming! 

Second, nearly every company that I wander into today either has a CISO or understands the need. That’s not to say they’ll all run out and hire one, but the awareness is there. I see this as a positive.  The ISO 27001 business is booming.  ISO isn’t going to stop determined adversaries, but it marks progress.  Again, I see this as a strong positive.

Risk scoring is qualitative, from 1-5 with one being low and 5 high. The model is simple. Overall risk scores are a simple un-weighted average of Risk, Probability, Impact, and Estimated Stage of Maturity. Leading indicators are Yes or No.

[1] Henrybasset.blogspot.com

[2] http://en.wikipedia.org/wiki/Ransomware

[3] http://en.wikipedia.org/wiki/Ransomware#mediaviewer/File:Metropolitan_Police_ransomware_scam.jpg

^[4] https://www.usenix.org/sites/default/files/conference/protected-files/leet_ferguson_threats_preso.pdf

[5] http://www.theregister.co.uk/2014/12/12/sony_allegedly_targets_file_sharers_following_guardians_of_peace_hack/