Saturday, October 03, 2015

What kind of intelligence do you need?

I'm a daily reader... every morning I kick off my required list reading by about 5:30; coffee with my print edition of the Wall Street Journal. When I finish with that, it's on to an iPad for Foreign Policy, Stratfor, and then I skim at least a dozen tech and security RSS feeds.

Let's examine this a bit more closely...
  • I read the Wall Street Journal slowly.
  • I read (more quickly) daily editions of Foreign Policy and Stratfor.
  • And then I skim dozens of RSS feeds for interesting pieces.
The Wall Street Journal gives me amazing insight into the kinds of things businesses are dealing with from an operational, strategic and technology perspective... I'll give you an example.. A large food/chemical/agriculture company was working hard recently to acquire a Swiss pesticide company. Why do we care about that? Because this US based company is already heavily targeted by MANY cyber actors because they sell GMO plants (corn), chemicals, pesticides, and during the Vietnam War, agent orange. We read this acquisition as yet another reason why someone would want to hack the company --and my bet is, they probably were. Once we know that, we can look at past attacks to see who favors targeting the company and how... that leads us down yet another path in which warnings can be generated. Sometimes it works, sometimes it doesn't, but when it does, it's cool as hell!

Next, Foreign Policy and Stratfor pieces generally turn into ideas that sometimes get posted to our workflow and analysis request system. This is where we get much of our long term perspective on things happening in the world that may become problematic in the future, but haven't yet. So, I read the publications, but not as slowly as the WSJ. Foreign Policy and Stratfor (for me) are geopolitical tipping and cueing.. situational awareness. As the stories get closer, I'll see them in the Wall Street Journal!

The RSS feeds simply get skimmed, read, and posted to Buffer App for sharing across the twittersphere and our LinkedIn. I know that I focus more on world and business affairs than I do the tech, but I also know that I've got a room full of techies focused more on that than on world and business affairs, so when we get to the office, the conversation should be pretty amazing --and it usually is --but this is where the new vulns, patches, bugs, etc., are usually discussed.. but because they're in RSS, they're usually a bit late and written in a format that anyone can understand.. so I also look at some of the Google Groups to get my fill of deep, running, colorful (sometimes) tech gouge and leading indicators.

Of course I get a ton of this stuff in Red Sky Alliance as well. Usually we don't bring in the original source because everyone sees them too, but the conversations can be awesome --online, phone, video, whatever. The connections become rich and we figure out quickly what's important that day, that week, and sometimes (but not always) next year.

So I have to ask --we talk about this often. What kind of intelligence do you need? Most folks have no idea what an EEI (essential element of information) is. They're really good at incident response, forensics, or operations, but have no idea what the intelligence cycle is or does, why we use it, or the value of great intelligence.

So bear with me. I'd like to take a moment and review the categorization of the kinds of intelligence that we think about. There are many, but this is our perspective:

  • TACTICAL Intelligence is used by security operators, incident responders and forensic teams. The information can be long or short lived, and generally, best in short pieces of context (with the deeper work available via one click), and actionable indicators of potential compromise, or indicators of compromise. 
  • OPERATIONAL Intelligence, although argued by many because of the varied nature of the reader, from my perspective, focuses on the immediate and short term needs of decision makers NOT in security, but in the business or business lines.  
  • STRATEGIC Intelligence focuses on the planners and risk managers. This is for the folks who think about broader situational awareness --the folks who look at the entire chess board and plan the next five moves.
So again, back to the question, what kind of intelligence do you need?

And I'd ask (and I'd really love to see comments on this please)... "How do you want it?" Document? PDF? STIX? Other?? You tell me. I'm all ears.

Who is (are) your primary customer(s)? When you consider writing intelligence for someone, who do you write it for? At what level?

These scratch the surface for me, but we're constantly asking our members and readers "What keeps you up at night?"

I'd love to hear from you...

Thoughts?
Thank you!
Jeff




Monday, September 28, 2015

Lenovo adds another rootkit? So what??

Another blogger just reported finding Lenovo installing another rootkit on laptops.

So I ask... is anyone surprised? iPhones have had WAPI installed for years (by choice). Nearly every computer, cell, display, etc., comes from factories in China. Should anyone be surprised when security issues are found in these devices?

And is China exclusive to this practice? My bet, no.

Why am I talking about this? Because your networks are untrusted --for many reasons --bugs in code and hardware, scripts and processes that run for ease of use, autorun, targeted attackers who break things to get in... your networks are untrusted... and with every device having components from areas of the world that we may or may not like, there are no computers that I know of with components built exclusively in trusted, high security factories; no chips, no memory, no anything.

So here's the deal... if you trust your laptop, computer, server, or cell to protect your stuff out of the box, you're a fool. The first thing my guys do when we buy new laptops --before powering them on, is to put tape over the webcam. Why? Because we know that the light that goes off when the webcam goes 'off' doesn't necessarily mean that it is. The same for your cell.. even when the power is (ahem) off, cameras and mics can be used against you.

And worse, I happen to love (LOVE) the ThinkPad form factor. I hate some of the kludgey things that they've added, but that's personal preference. My other guys happen to like those features (I'm a Mac guy).

So whadya gonna do? Get smart. Hire or rent a CISO. Know that there are controls that should be placed on every computer before it goes into production. Your CISO can help. Need a virtual CISO? Drop me a note. We've recommended several to others.

Have a great day!
Jeff

Saturday, September 26, 2015

The Pope, China, Israel, and my Diesel VW

(Image source: http://www.ibtimes.com/)
It's been a big week! The Pope and Xi Jinping in DC on back to back visits, Boehner resigns, and Netanyahu heading to Moscow, meeting with Putin, to ensure there are no misunderstandings with Russian forces (meaning, supplying Hezbollah). The Pope story hit GMA first this morning, followed by Boehner, and then, Michelle Obama's Vera Wang gown. Apparently Mrs. Jinping is a bit of a fashionista in China, but I'm looking at this photo, asking myself if we're going to see hacking from Chinese kids motivated by our news suggesting that our first lady is better looking than their first lady! I know it sounds silly, but it was the first thing I thought when GMA put these two clearly gorgeous women in a head to head competition for best dress.

Seriously though... one of the big takeaways from the visit is cyber reform.  The two leaders said they agreed that neither government would knowingly support cyber theft of corporate secrets or business information.  

This talk is huge, but I'm here to tell you... we will continue to see cyber/corporate espionage used to support the Chinese economy. The US makes it a practice to not use our espionage capabilities for competitive advantage, but most other countries in the world do... including China. In fact, collections are built into their constitution --affecting even those who leave the country. And if you're a supply chain company, regardless of industry, there will be no rest for your security teams. Most larger companies have learned to protect themselves, but the companies who support them are largely the soft white underbelly --the place where the cyber dagger penetrates most easily --the place where protections are generally either not in place, or not as effective.

And for the Chinese, they too will continue to be victimized and exploited by those wishing to point the finger at them. Talk to any hacker worth their salt.. they don't go direct. They go through someone else first.. many, through China. The bandwidth is open like the autobahn. There's SO much activity coming from China that hackers can hide in the everyday noise.


(Image source: http://cdn3.vox-cdn.com/)
And why do we think about Syria, Putin, and Netanyahu? Because Russia is making its way across the Middle East looking for easier ways to deliver oil and gas to Europe without going through Ukraine. In fact, we think Ukraine may become irrelevant in the movement of oil and gas very soon. There's turmoil brewing --Putin's been wooing Turkey, now stepping into Syria, worrying Israel --and for good reason. The graphic to the left shows oil and gas pipelines connecting largely through Turkey, into Syria, and to ports in the Med. Russia and Iran have made some great deals, but Syria offers other advantages. Russia used to deliver much of its fuels through Ukraine, but we all know what's happening there right now. We will see cyber fallout from all of this. Putin doesn't act without a cyber component. We've seen activities in Georgia and Turkey, and there will be more. We've been tracking Russian cyber geopolitical activities and implications in the area for about two years now. And now, we'll see (my opinion) more as Russians establish real estate in Syria. This is a story for another day. In fact, Rick's probably working on it as we speak.

Thankfully no Pope hacks. But attacks from China? We see them every day. Israel, Russia, Syria? There will be major implications here. We've reported on cyber in the Middle East on a number of occasions, and I'm betting we'll see more as Russian forces get closer to direct access to the Med. If only Turkey and Georgia would go along with the plan... will we see cyber being used against them? We already have.

Last?  As a side note, VW got busted... maybe that was last week... but, do you think for one second that VW is the only company fudging software to offset hardware deficiencies? I could go on with a rant about my diesel VW Touareg (it's not affected), but I'll spare you that.. but for VW, this is nothing more than a sign of things to come. This is the perfect example of how software can be built to deceive; and then be deployed into millions of locations around the world.

On the upside? The Vatican doesn't hack us (at least I don't think so)...

Have a great weekend!
Jeff









Saturday, September 19, 2015

Like stars in the sky!

I spend a ton of time talking... talking to my team, talking to others, speaking at meetings and conferences. And the interesting thing is, on every occasion, when we start to talk about intrusions, there are soooo many different perspectives on the problem. As an example, I had a conversation the other day with a guy who asked me (led me) into a conversation on the commonalities of the Anthem and OPM breaches. And while we know who Anthem and OPM are, and what they do, and maybe a bit about the malware used, I don't have first hand experience with either case, only secondary and maybe some RUMINT... so I listened to this smart guy who, because of who he is and where he works, probably DOES have first hand information... and here's his thesis:

Anthem is the health insurer for some of our more sensitive intelligence personnel (I'll leave it vague), and OPM manages their records. 

Interesting.

Anthem also insures ME (and our little company), and I too was in the OPM database.

And so I explained, as I do often, that sometimes my guys come to me with these fantastical connections --some right, and some well, maybe not so right... but you can't be right all of the time right?? And when I do hear something that strikes me as a bit of a stretch (hold on, I'm giving away my politically correct response --the one I use instead of an eye roll and colorful fun at their expense!) ---it goes like this:

Analysts and Researchers look at so many breaches happening today; and the commonalities can sometimes be significant, but looking at all of those breaches is like looking at the stars in the sky --you can draw lines between any number of stars to create almost any image that you can make up in your head. 

Does it mean they're wrong? No! It just means that you need more information. Flesh it out for me. I have an old friend that used to call it 'analytic rigor'... meaning, check your facts. Have several sources. Establish theories and then attempt to disprove them before you attempt to support them.  Have three ideas and don't fall in love with just one. Analytic rigor is a message I heard over and over from my old friend "B", and I've passed it on (sometimes with a hammer) to employees ever since.

Interestingly enough, I've heard one message from three different people this week. Our positioning in the market is that of an independent voice. We don't sell hardware or software. We just do our best to produce ground truth, high quality intelligence.  I guess, "B", we're following your advice and it's paying off. This is exactly the place in the market that we'd hoped to occupy!

And so, the million dollar question --Are Anthem and OPM related? I have no idea. But I like drawing pictures between the stars! *I think* they're targeting middle aged, balding, overweight computer guys!

--Jeff

Saturday, September 12, 2015

Cyber as the equalizer

On April 6th, Wapack Labs reported an uptick in Iranian hackers stockpiling tools, registering domains for command and control nodes, and seemingly preparing for the idea that nuclear talks may not go Iran's way.

Why did we believe this? Beyond the sheer volume of activity at the time, at a high level, we examined data and planted a stick in the ground, and made what we believed at the time to be a valid, analysis driven intelligence assessment on the implications of the things we'd been sourcing, coupled with open source, historical data and current geopolitical activities (the nuclear talks). In the business, we call this "all source analysis".

Today, it appears we were right. We may see only a small piece of the puzzle compared to the NSA, but you get to read ours. You'll probably never see theirs! In this case, however, Mike Rogers, director of the NSA, was quoted in the Wall Street Journal on the drop in Iran-originated attacks since the close of nuclear talks.
(Image source: http://si.wsj.net/public/resources/images/BN-KF886_0910IR_M_20150910125728.jpg)

While today's blog isn't intended to blow our own horn, it is meant to demonstrate the idea that context in intelligence matters. In fact, without context, it's not intelligence at all...

When we posted that report on Iranian cyber activity in April, I was shocked that ours appeared to be the only story out there talking about the impending close of the nuclear talks, and the rise in what appeared to be cyber attacks from Iran.
  • During the uprising of the crisis in Ukraine, cyber attacks were used on both sides of the border --albeit far better mobilized, financed, planned and executed from the Russian side, to manipulate the Ukrainian Parliament and Presidential elections. This activity was expertly planned and executed. And, it involved not only targets in Russia and Ukraine, but others outside the area who appeared to side with one or the other --including US and EU bankers who appeared in investment documents published on the web by Ukrainian banks. Again, I was shocked that we were the only ones talking about Ukraine and Russia, but we thought there'd be some massive lessons that we'd take away.
  • Maritime shippers, port operators, logistics companies and more, in and around the Panama Canal, S. China Sea, the Suez and others have all been victimized by cyber activities --why? There are several theories at work, but one suggests to ensure supplies of crude, LNG, LPG remain open for large Asian consumers. 
  • Why are the Chinese acquiring land and investments in Iceland? Because there's major fiber convergence there ---and because it may be a staging area for mineral rights, travel rights, or further exploration under the arctic cap. 

Why do we care? We're a cyber shop, right? We care because cyber is the equalizer. For us it's not so much about physical threats from Iran during the nuclear talks (although there may be --I'm hoping someone else is watching that), it's the idea that any country can gain access and use cyber tools against any number of targets, for any number of reasons. In every case where there's heightened geopolitical risk, cyber will be used in some way, to level the playing field, gather information, manipulate documentation, steal money, or garner political support.

Our job? Our job is to make sure you know.

---------------------------------------------------------------------------------------------------------------------
Red Sky Alliance: Information Sharing and Collaboration - RedSkyAlliance.org
Wapack Labs: Intelligence production  - WapackLabs.com



Saturday, September 05, 2015

Three victim notifications...

I spent last weekend in front of a loaded gaming terminal running forensic analysis software. Why?
22Gb of keylogger credentials.

What do I do with that data? I start dialing.

Three victims this week, with three very different responses. Here's the story:

All three victims are in the US.
  • One is a large company - $10b+ in annual revenue
  • One is a medium sized energy --smart grid manufacturing company - $2.5b per year
  • The last is a privately held company that manufactures static-proof rails for the maritime industry.
In all three cases, sales people had been victimized by keyloggers. In all three, the sales people had no idea that they'd been victimized, and for months had every keystroke, clipboard capture, document and screenshot captured and sent to keylogger capture servers (we call them caches).

So, how'd the victim notifications go?
  • Company one never responded.  It's not the first Fortune 500 that we've contacted that simply ignored the notification.  Frankly, I was shocked at even the lack of ACK. 
  • The medium sized company? They responded immediately --checked me out on LinkedIn, sent email, and then finally, called me back. 
  • The small company was surprised but happy for the call. They had no security team, and when the operator asked who I wanted to see, I asked for the person that handles IT. When she asked why, I told her that the company had been hacked. She asked again. Finally, I got through to the CEO, who was very appreciative. I followed up the next day to ensure all goes well.
The current status? Company one still has keyloggers sending their stuff out; Company two has turned off the bleeding, and Company three? We'll see. We partner with a couple of strong IR teams. I offered to recommend one (and did) but I don't think they ever called.

So why would the company with the best opportunity to respond, not?

I had a similar experience last year. I was doing a presentation with a CISO with a reputation as an "empty suit" (not my words).  He's an educated dude (an MSIA) with a long list of publications under his name. The guy does great at building the team, grabbing budgetary real estate, and spending money,  but not so much in actual measured output. We try to come prepared for every presentation, so we did a quick run against our sources to find out what we knew about the company before jumping on the call. The low hanging fruit is passive DNS showing registered VPNs or dynamically generated names.. both red flags. During the presentation, I stop just before the slide with the results and explain that we always try to find something new for each talk.. and in this case, the company had THOUSANDS of names registered... and then I flip to the slide with the results highlighted. The reaction?  None. Most ask if we know whether or not the possible VPNs are active (most times we don't), but still... nothing. Completely ignored.
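The passive DNS check described above (VPN-looking names and dynamically generated names as red flags) can be scripted as a first-pass triage of a company's own passive DNS export. The script below is an added example, not code from this post or from Wapack Labs; the hostnames and addresses are constructed, the domain is a placeholder, and the keyword list and entropy/vowel thresholds are assumptions a defender would tune against their own naming conventions.

```python
"""Triage passive-DNS records for likely VPN endpoints and machine-generated hostnames.

Added example with constructed data. Two heuristics from the post:
  * VPN endpoints: the first label carries a remote-access keyword.
  * Dynamically generated names: a long first label with high character
    entropy and almost no vowels, which human-chosen names rarely have.
"""
import math
import re
from collections import Counter

# Constructed passive-DNS records as (hostname, resolved IP); not real data.
PASSIVE_DNS = [
    ("www.example-corp.test", "198.51.100.10"),
    ("mail.example-corp.test", "198.51.100.11"),
    ("intranet.example-corp.test", "198.51.100.12"),
    ("vpn-east.example-corp.test", "198.51.100.20"),
    ("sslvpn.example-corp.test", "198.51.100.21"),
    ("remote.example-corp.test", "198.51.100.22"),
    ("kx7q2zv9p4m8wd3j.example-corp.test", "198.51.100.30"),
    ("qwr8t1yh6bn5mlk0.example-corp.test", "198.51.100.31"),
]

# Assumed keyword list; extend with the vendor names used in your environment.
VPN_TOKENS = {"vpn", "remote", "ras", "gateway", "gw", "anyconnect", "citrix"}
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed cut-off)
MIN_GENERATED_LENGTH = 12  # short labels cannot carry enough entropy to judge
MAX_VOWEL_RATIO = 0.3  # generated strings tend to be vowel-poor


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(s: str) -> float:
    """Fraction of alphabetic characters that are vowels."""
    letters = [c for c in s if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in "aeiou" for c in letters) / len(letters)


def first_label(hostname: str) -> str:
    return hostname.split(".")[0].lower()


def looks_like_vpn(hostname: str) -> bool:
    """True when the host's first label names a remote-access service."""
    label = first_label(hostname)
    if "vpn" in label:  # catches sslvpn, vpn1, corpvpn, ...
        return True
    tokens = [t for t in re.split(r"[-_0-9]+", label) if t]
    return any(t in VPN_TOKENS for t in tokens)


def looks_generated(hostname: str) -> bool:
    """True when the first label looks algorithmically generated."""
    label = first_label(hostname)
    if len(label) < MIN_GENERATED_LENGTH:
        return False
    return (shannon_entropy(label) >= ENTROPY_THRESHOLD
            and vowel_ratio(label) <= MAX_VOWEL_RATIO)


def triage(records):
    """Return {"vpn": [...], "generated": [...]} for (hostname, ip) records."""
    findings = {"vpn": [], "generated": []}
    for hostname, _ip in records:
        if looks_like_vpn(hostname):
            findings["vpn"].append(hostname)
        if looks_generated(hostname):
            findings["generated"].append(hostname)
    return findings


if __name__ == "__main__":
    for kind, hosts in triage(PASSIVE_DNS).items():
        print(f"{kind}:")
        for h in hosts:
            print(f"  {h}")
```

Both lists are only leads: a flagged VPN name still needs checking for whether the endpoint is live and who owns it, which is exactly the follow-up question the post says audiences usually ask.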

Another, a notification just yesterday.. a UK based investment company that we talked to about services two weeks ago... we provided 'on the surface' evidence of compromise, but frankly, since they were not a paying customer, we spent our time paying attention to the guys paying us to do so. We're a small company, focused on what we do best, which is often not aggressive selling. Even so, the company, when presented with findings, did their level best to discredit rather than probe and qualify. They didn't want to know.

It happens more times than you'd want to believe. 

Here's what I think... I've seen this before and I'm sure I'll see it again.

CISOs come in two (highly generalized) flavors --technical and managerial. Oftentimes, the technical CISO's skills will carry enough water to allow proper persuasion with upper management... the halo effect coupled with acronyms, brilliance, and the fact that the techie can get in the mud and fight the fight; and this alone makes the company happy. Others, the managerial flavor, had someone sign off for their CISSP endorsement (say it ain't so!), and have figured out that their ability to keep their mouth shut and roll with whatever comes through the SIEM will keep them under the radar; and as long as they can keep the lights on, they'll be fine --until they're not, then they roll ceremoniously on to their next job, like a fallen, but experienced and celebrated hero.

So what's my point?

We've been doing victim notifications, but we don't work like the windshield repair man running through parking lots at night with a ball peen hammer.

When we call, yes, we can try and sell you subscriptions, but when we do victim notifications, unless you ask for more information about our services, the notification is just that --a private call to quietly notify you of a breach. What happens after that is completely up to you. We've been fortunate so far in that almost all of our sales have come from word of mouth --referrals from current Red Sky members or Wapack Labs subscribers... and if you really want to check findings, you can do it without calling us by pulling the IOCs that we give you during the victim notification from Threat Recon (it's free to 1000 queries per month), or check our public-facing CMS --TLP WHITE and GREEN commentary and/or analysis. Want more than that? Buy a subscription. Give us a call and we'll walk you through the options. We're not going to force your hand.


Saturday, July 11, 2015

Katherine Archuleta - Is she the only one leaving?? Clear the room of the bureaucrats.

I purposefully don't criticize government in writing. But... I watch with horror at the continued mishandling of the breach at OPM.  While I'd completely agree that Katherine Archuleta should be fired (note I didn't say resign --she should have been fired), the bigger question (for me) is, where's the information security team in all of this?

I've been digging through the sexy graphic that appears on the organization page of the OPM website, looking for a function (any function) that remotely resembles a Chief Information Security Officer, but sadly, there is none. Even in reading Archuleta's 15 point plan for going forward, there is no Chief Information Security Officer named going forward. If I'm missing something --perhaps there's one of those fancy Deputy Director titles in there somewhere that corresponds to the CISO role --maybe there is, but I've not seen it. As close as I can tell, Donna Seymour, OPM's Chief Information Officer --an HR focused CIO --has both IT and information security, and should clearly be asked to follow Archuleta out the door. Regardless of whether she's an appointee or a civil servant, the CIO must follow Archuleta out the door. Clear the room of the bureaucrats.

Beyond who gets fired, there's plenty of bureaucratic blame to go around.

Why was this not identified by US-CERT when it first occurred? 

US-CERT has been monitoring government networks since the mid-2000's. They fly away to help private corporations, own a forensic capability and malware analysis, and have been running Einstein for years, backed by a team of PhDs and researchers called NetSA from Carnegie Mellon's Software Engineering Institute, so why was this not detected by US-CERT?? Is their scope so broad that they've become ineffective? Were they ever? At what point will DHS's cyber organizations step up to the plate and hire a leader with enough wasta to create the internal change needed? Should US-CERT be manned by an MSSP and verification services? I don't know. Maybe the government should be looking at their sub contractors for help. Northrop Grumman has an amazing internal infosec and intelligence team. Lockheed, Raytheon as well. The list goes on. Northrop is the prime contractor in US-CERT, but my bet is, it's not the A-team sitting in seats on the contract. I'd also bet the folks at US-CERT don't use them in anything more than a butts-in-seats extension of the government folks running the show. Is US-CERT using any of the tech developed by Grumman for their own internal network? They should be. I could go on, but I won't.

Call me. I'd be happy to author a 100 plan for change. The recipe isn't hard, but you have to want it.

Let's start here...

  • Focus: I realize that the mission of US-CERT is for all Americans, but get the government piece right. Knock the government protection piece out of the park. Make others want to participate with you because you're great at what you do, not because you control contract money. 
  • Turn off the never ending money spigots to the Federally Funded Research and Development Centers (CMU, SRA, Mitre, etc.).  Focus efforts on effective operational monitoring and response tech and processes in US-CERT --the mission at hand.. monitoring and protecting US Government networks.  Fly away teams and everything else should be tabled until US-CERT can get that one piece right. 
  • Give the prime some room to execute. Measure the prime by the output of the operation rather than the cost of labor. Give them budget and hold them accountable. Blue for bonus means they get incentivized for higher than expected outcomes --72 hour patch cycles, increases in identification/reductions in successful penetrations, faster-turn forensic and malware analysis, and more are all possible if commercial thought can be brought to bear in government networks. Let them hunt. Beyond FISMA, incentivize the prime to identify, prioritize and fix new, previously unknown security concerns.
Clear the room of the bureaucrats.  Ask the prime what they would do with the current budget.... and then listen.... and then pay them and execute.

And now for the positive.

We're beginning to see Directors and CEOs being removed (or allowed to resign) as a result of information security failures. Boards are building IT security governance models into their oversight, and while still focused on generating revenue, they are also realizing that they have a responsibility to protect the safety of their customers.

To assist, earlier in the days of our start-up, we authored a free white paper (https://cms.wapacklabs.com/?page_id=354&preview=true) that discussed the seven things that every company does to successfully prepare for, navigate, and fight APT events. And while at the time we thought of APT as the hardest adversary, many of the tactics used by espionage focused hackers are now used by many others. These lessons learned work. I realize of course that during incident response things move fast, but the dust will settle; and when it does, these seven common steps must be implemented. Many are low cost, high payoff. Some are high cost, high payoff.

The paper is free, and it's a short read, and it's in no way focused on sales.  If you have questions, call me or ask your security team. If you're serious about maturing your governance model, this is where it starts. I've built several of these teams. In every case, I use CMM and ISO as my guide, but this boils it all down to roughly 10 pages.

Ok... Hanging out today, then heading off to the Potomac for an epic day of fly fishing for smallies tomorrow morning. It's going to be a great weekend. So until next time, as they say, 'tight lines!'

Jeff




Saturday, July 04, 2015

The difference between Intel and an IOC feed... lemme tell you a story.

I just took a few minutes out of my 4th of July - in MD for the weekend - watching the rain, hoping my new fly rod gets delivered - wasting time until the fireworks tonight (fingers crossed)... anyway, I just took a few minutes to read Joe Pizzo's piece on the difference between threat intelligence and threat feeds. And while I know the criticisms taken on the chin by Norse for their marketing campaigns, the idea that someone else writes about the differences between threat intelligence and threat feeds makes me happy. 

I use a graphic in my presentations. I know I'm violating some kind of copyright. Sorry for that. If you're the artist, send me a note and I'll credit you.
I love the graphic. It demonstrates a point.... intelligence attempts to answer the 'you don't know what you don't know'. It's not technical, it's contextual. 

Here's a great example.. for the last two years, we've tracked and analyzed the happenings between Russia and Ukraine. Ukrainians knew that their smart televisions had been hacked and that their traffic cameras were being used by someone to monitor the comings and goings of the Ukrainian people, but the story is much bigger than most know.

We tracked the activities and drew parallels to writings in the Ivanov Doctrine --a paper written by senior Russian officials on using asynchronous warfare methods --computers used to affect a change in behavior by the Ukrainians while other physical actions, coupled with signals intelligence and psychological operations, played out. By comparing actions to the writings, one can quickly identify patterns, reasons for targeting of specific victims, and potentially, what's to come. We believe, for example, that one of the major bank hacks of last year was in direct retribution for a combination of US sanctions against Russia, combined with the fact that the bank was an investor in PrivatBank --the bank whose owner was personally funding much of the Ukrainian resistance. The bank was targeted not by government hackers, but by a criminal element that we believe operated through 'wink and nod' agreements with the Russian government, both asking for the action and then turning a blind eye when it occurred... plausible deniability, but with definitive action.

We knew, from our work, that the Nordics would be taunted, Poland would fall victim to cyber activities, and many of the banks involved in Ukraine would be hit... all three occurred... and from prior forensics, we knew the tools that would likely be used to carry out many of the attacks.

So what's the intelligence? It's the story. The intelligence is the information needed by a decision maker, to make decisions on futures and courses of action.

The feed? IOCs? This is information based on analysis of past events, largely forensic-based. Network forensics, host based forensics, intrusion analysis, sandboxing and surface analysis.

It's that simple. Both are required. The intelligence tells the story. The feed tells you what to look for and how to protect against it. The CISO needs both to make informed decisions --which threat (story) to protect against, and where in the potential kill chain to place defensive measures.

If you'd like to read more of our work, we publish TLP White and Green information at https://wapacklabs.com. One download per month is free.

It's raining like hell here now. I'm going to go see if my new fly rod has been delivered yet.

Until next time, have a great 4th of July!

Jeff




Saturday, June 20, 2015

Wapack Labs Analyst Monitors Russian-based Troll Farm

Tweeters from a Russian-based troll farm have slipped into sleep mode after proving how easily the media and public perception can be manipulated using social media. But analysts at Wapack Labs have been monitoring the troll farm's movements on the internet to try to identify the potential targets of future attacks.
A Russian-based troll farm called the Internet Research Agency, the focus of a recent New York Times Magazine article by Adrian Chen, is suspected to be behind three social media attacks in the US in 2014.
According to Chen, troll farms like the Internet Research Agency employ hundreds of people who sit at desks with computers and flood the internet with comments designed to sway public opinion and manipulate the media. The trolls infiltrate chat rooms and trigger conflict between members, and leave comments on stories posted on the web by newspapers and television networks. But one of the most effective means of spreading the Internet Research Agency’s messages is through Twitter. 
The trolls at the Internet Research Agency are able to create hundreds of Twitter accounts and launch coordinated tweeting assaults. They have shown that they're able to instill fear in the American people and manipulate news outlets into reporting false stories with an arsenal of hashtags and some carefully chosen words.
 
On September 11, 2014, according to Chen, the Internet Research Agency hit the Twitter-sphere with news that there had been an explosion at a Louisiana chemical plant. Tweets and text messages were also sent to specific members of the media and targeted local and national politicians. Once news of the explosion hit the general public and media outlets, the trolls began using carefully crafted videos to give credibility to tweets. From there the trolls began attempting to elicit fear from the public by placing blame for the alleged disaster on terrorist groups like ISIS. Though Columbian Chemicals was able to debunk the explosion hoax within a few hours, the Internet Research Agency revealed just how powerful they were in manipulating the media and the American public.  
The troll farm continued to poke at the vulnerabilities of those who rely on social media for information by again using Twitter to spread a rumor about an outbreak of Ebola in Atlanta, complete with corroborating videos like those used to validate the tweets about the explosion hoax. That day, Atlanta was targeted for a second attack. The trolls took the fear stemming from the phony Ebola outbreak, and mixed it with the racial tension being felt nationwide as the result of the shooting of an unarmed black man by police in Ferguson, Missouri. With the community already on edge, the trolls hit Twitter with reports that an unarmed black woman had been fatally shot by Atlanta police.
An analyst for Wapack Labs who specializes in tracking cyber criminals in Russia and Ukraine has been watching the moves of the trolls very carefully by tracking their online personas and linking them to the websites and domains they use. The analyst looks for patterns in millions of hashtags and commonalities in language or messaging within social media. Fluent in Russian, and a student of geopolitics in Eastern Europe, the analyst is able to piece together timelines and narratives that reveal the activities of troll farms and their henchmen.
Following the 2014 tweeting assaults in Louisiana and Atlanta, the analyst homed in on the perpetrators of the attacks, has been following their movements ever since, and has traced them back to the Internet Research Agency. Some of the Twitter accounts, including @DanyRoseee, @AndrewMonsonn, and @jessebrannan8, "went to sleep" or were deleted immediately following the September 11, 2014 explosion hoax.
According to Jeffery Stutzman, co-founder and CEO of Wapack Labs, Twitter accounts go to sleep when they aren't being used regularly or have been deleted. If they're unused or deleted beyond a certain amount of time, another person can assume that name; thus the sleeping Twitter ID of a soccer mom from Toledo could be commandeered by a Russian hacker in St. Petersburg and used to spread misinformation.
One of the Twitter IDs that particularly caught the Wapack analyst's attention was @JasonJL100. This user made his first tweet, "Hello Twitter! #myfirstTweet," on August 25, 2014. On the day of the reported Louisiana explosion, @JasonJL100 joined the noise on the internet by propagating news about Columbian Chemicals. On the surface, he was just a local guy sharing breaking news via Twitter. But something about @JasonJL100 caught the attention of the Wapack analyst, who continued to monitor him long after the explosion story was debunked. The analyst watched as the presumed local guy suddenly began communicating on Twitter in Russian.
@JasonJL100 has been asleep since December 2014, but @zaplatovaalena, @georgiostr, and @GlebushkaGleb, all Russian tweeters who converted to English on the day of the explosion and back to Russian soon after, are still active but have since deleted any references to the explosions from their Twitter history.
The analyst at Wapack Labs will continue to monitor the activity of the Internet Research Agency as the troll farm trains its sights on its next target, whatever it may be.
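As an added example (not code from the article or from Wapack Labs), here is the kind of pattern analysis described above, run over a constructed timeline: accounts whose dominant script flips from Cyrillic to Latin for the days around an event and then flips back, and accounts whose last tweet falls in the event window before they go quiet. The event date is the September 11, 2014 hoax date from the article; the handles, tweet texts and other dates are invented, and none of the accounts named in the article are used.

```python
"""Added example (not code from the original article or from Wapack Labs):
two of the patterns described above, detected over a constructed tweet
timeline. Handles and tweet texts are invented."""
from collections import Counter, defaultdict
from datetime import date, timedelta

def script_of(text):
    """Classify a tweet by the script of its letters (Cyrillic vs Latin)."""
    cyr = sum(1 for ch in text if "\u0400" <= ch <= "\u04ff")
    lat = sum(1 for ch in text if ch.isascii() and ch.isalpha())
    if cyr == 0 and lat == 0:
        return "unknown"
    return "cyrillic" if cyr >= lat else "latin"

def dominant(scripts):
    known = [s for s in scripts if s != "unknown"]
    return Counter(known).most_common(1)[0][0] if known else None

def script_switches(tweets, event, window_days=2):
    """Accounts whose dominant script inside the event window differs from
    the script used before it and then reverts afterwards."""
    lo, hi = event - timedelta(days=window_days), event + timedelta(days=window_days)
    phases = defaultdict(lambda: {"before": [], "during": [], "after": []})
    for handle, day, text in tweets:
        phase = "during" if lo <= day <= hi else ("before" if day < lo else "after")
        phases[handle][phase].append(script_of(text))
    flagged = []
    for handle, p in sorted(phases.items()):
        before, during, after = dominant(p["before"]), dominant(p["during"]), dominant(p["after"])
        if before and during and before != during and after == before:
            flagged.append(handle)
    return flagged

def dormant_after(tweets, event, as_of, window_days=2, quiet_days=30):
    """Accounts whose last tweet falls in the event window and that have
    been silent for at least quiet_days as of the observation date."""
    last = {}
    for handle, day, _ in tweets:
        last[handle] = max(last.get(handle, day), day)
    hi = event + timedelta(days=window_days)
    return sorted(h for h, d in last.items()
                  if event <= d <= hi and (as_of - d).days >= quiet_days)

# Constructed timeline: (handle, date, text). Invented handles, not the
# accounts named in the article. EVENT is the hoax date from the article.
EVENT = date(2014, 9, 11)
AS_OF = date(2014, 12, 1)
TWEETS = [
    ("@acct_a", date(2014, 9, 3),   "Отличная погода сегодня"),
    ("@acct_a", date(2014, 9, 7),   "Смотрю новый сериал, советую"),
    ("@acct_a", date(2014, 9, 11),  "Explosion at a Louisiana chemical plant! Terrible"),
    ("@acct_a", date(2014, 9, 11),  "Is ISIS behind this? #explosion"),
    ("@acct_a", date(2014, 9, 16),  "Снова пишу по-русски"),
    ("@acct_b", date(2014, 8, 25),  "First tweet, hi everyone"),
    ("@acct_b", date(2014, 9, 11),  "Breaking: huge explosion in Louisiana, stay inside"),
    ("@acct_c", date(2014, 9, 1),   "Game tonight, go team"),
    ("@acct_c", date(2014, 9, 11),  "Anyone hear about that plant explosion?"),
    ("@acct_c", date(2014, 10, 20), "Pumpkin spice season already"),
]

if __name__ == "__main__":
    print("script switch around event:", script_switches(TWEETS, EVENT))
    print("went quiet after event:", dormant_after(TWEETS, EVENT, AS_OF))
```

On real collection the same two functions run over an export of the accounts' timelines; the script test is deliberately crude (it counts letters, not words) because the signal the analyst describes is a whole-account flip in language for a few days, which survives a crude test, while a few loanwords or hashtags do not.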

Nancy Foster
Jun 29, 2015

Small Manufacturers need cyber help... NIST MEP must offer messaging!

I'm on a bit of a diversion this year. My goal is to not attend any security conferences during the year. I've blown that of course, but so far, I've attended conferences for insurance, litigation, and yesterday, manufacturing. Why? Well, first, security conferences are becoming just too crowded. There's a boatload of noise out there, and even the best conferences are becoming overrun. Second, I really want to see how other industries are dealing with cyber, and there's no better way than to sit in on meetings, attend a conference, or smoke a couple'a cigars with someone you've never met before in another industry.

So yesterday I spent two hours in a session with the Research Triangle Park Institute (RTI) in Manchester, NH. They've partnered with NIST's Manufacturing Extension Program (I'm not sure the parallel is correct, but I likened it to Agriculture's Cooperative Extension Service, but for manufacturing companies). Anyway, RTI partnered with NIST MEP to produce market intelligence for companies who are considering moving into other products, expanding what they currently sell, etc.

Essentially what RTI offered was an analysis framed by Porter's five forces. Porter authored a model that framed five competitive forces that every business should (must?) consider when devising strategy.  I'm a believer.  I used this model in nearly every job and start-up that I've been involved with in the last 15 years --including (especially) my government position as the Director of the DCISE.  RTI offers a simplified view of Porter --something for manufacturers. They work with the company, mind-map the forces, using free software, exchange the mind map with the manufacturers, and in the end, offer a report --how best to build, position, and market this new R&D or technology.

I was a bit taken aback, however... do they realize that the new tech they're researching is probably highly sought after by others? And that the reason the mind-mapping software is free is because someone else is reading your stuff? Do they consider that in this new normal, someone will steal that new tech if they're not careful?

So I asked the question (you knew I would!) "Do you consider who will want to steal that technology?" "How do you protect it during R&D?" "How long can you hold that market if the tech gets stolen during early stage strategy development?"  I've written hundreds of pieces over the years. Many describe stolen R&D. Manufacturing companies aren't the target because they make cool stuff, they're targeted for efficiencies, processes, and industrial engineering techniques. Wouldn't it be nice if it could be stolen during development of those processes?

OK NIST, if you're going to send an FFRDC out to see small and medium-sized manufacturing companies, eat your own dog food and talk to them about protecting their IP. RTI is your FFRDC. Check their messaging before sending them into the field.

Great idea. Incomplete messaging and execution.


Wednesday, June 10, 2015

Cyber espionage campaign targeting the Iran nuclear talks... Is this really a surprise?? Really?

My email has been lighting up all afternoon. Duqu in Kaspersky's networks, and espionage targeting the hotels where negotiators of the nuclear talks were staying? Kaspersky I understand, but hotels where diplomats were staying?
(Image source: www.freerepublic.com)

I'm appalled!

If this comes as a surprise to anyone that hotels are targeted because of the diplomats staying there... or if you're a diplomat and you're soooo smart, and believed for one second that your hotel wasn't bugged and computer networks targeted, and you operated without good, fresh cyber condoms  (like, hypothetically, from your own blackberry over your own personal email server), well, resign and then throw away your computers and cell phones. You're not smart enough to own them.

I can't remember a year (during my tenure with the government) when I didn't have to endure a force protection or opsec brief --or,  you remember, one of those annual re-certification training sessions that we slogged through (and made fun of the really bad videos) just to be allowed to log into our government computers. Why?

BECAUSE YOUR COMPUTERS, AND PHONES, AND MOBILES, AND WHATEVER ELSE YOU COMMUNICATE ON SHOULD BE ASSUMED BUGGED!

So let's review for a moment...
  1. In March, toward the end of that phase of the talks, we reported that Iranian hackers were stockpiling tools. We speculated at the time that the stockpiles were being built up in case cyber became the force equalizer during or after the talks. My point? Do you think for one second that the Iranians weren't spying?
  2. Nigerian news reported last year that a deal was in the works in which Iran would supply nuclear power technology to Nigeria. Nigeria gets nuclear power plant tech from Iran. Iran gets paid to build the plants and train the Nigerian operators. Russia had the maintenance contracts. My point is, does Russia have a stake in the talks? Absolutely. Are there other interests? Absolutely. Do any of those other interests have cyber espionage capabilities? (It's a rhetorical question... you don't have to answer.)
  3. Would Israel spy on someone to protect their interests? Would anyone? I just can't believe it.
I have one more... we also reported (early April) that hotels around key maritime ports in the world were compromised; likely to monitor comings and goings of ship's masters and crews.  There is precedent to suggest that hotels are easy targets for intelligence collection.  I'd also argue that any hotel in any major city in the world where diplomats frequent will have been, or is currently, targeted for espionage --cyber and other.

So what to do about it... when you travel overseas, or to politically sensitive areas, or if you've got information that you don't want to lose...
  • Use strong encryption. Always. Even if it's not allowed in that country. There are easy ways around that. TOR combined with web-based Hushmail are two of my favorites... and they're free! A VPN works as well if you're afraid of TOR.
  • Connect to hotel or public wireless? Never.
  • Is it safe to use the hotel business office or conference supplied IT? Never.
  • Take a throw-away laptop, cell phone, tablet, or whatever your work style demands. Connect to offsite services where your working documents are encrypted with a non-cloud provider encryption key. 
  • When you return home, have the throw-away device examined for trojans, keyloggers, etc..  Expect to find them. 
  • And never, ever, believe for one second that all of your communications aren't monitored and recorded. Because they are. How many reporters have been killed because they used unencrypted email in hot zones? The price of bad cyber opsec can be really high.
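As an added example (my code, not the author's procedure), one concrete way to have a throw-away device examined on return is to hash every file on it before the trip, hash again afterwards, and diff the two manifests: new files, deleted files and changed content or permissions fall out immediately. The directory tree built in demo() is constructed to stand in for the device's disk, and the autostart path it plants is invented for illustration.

```python
"""Added example (my code, not from the original post): pre-travel and
post-travel file manifests of a throw-away device, then a diff. The tree in
demo() is constructed; it stands in for the device's mounted disk."""
import hashlib
import json
import os
import tempfile

def hash_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each regular file ('/'-separated relative path) to its digest,
    size and permission bits. Symlinks are skipped; mtimes are ignored
    because copying a file changes them without changing content."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            manifest[rel] = {"sha256": hash_file(full),
                             "size": st.st_size,
                             "mode": st.st_mode & 0o7777}
    return manifest

def save_manifest(manifest, path):
    # The pre-travel manifest is the trust anchor: keep it OFF the device.
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)

def load_manifest(path):
    with open(path) as f:
        return json.load(f)

def diff_manifests(before, after):
    """Files that appeared, disappeared, or changed content or mode."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(
        p for p in set(before) & set(after)
        if before[p]["sha256"] != after[p]["sha256"] or before[p]["mode"] != after[p]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Build a small tree, snapshot it, simulate what a compromised device
    might look like on return, and diff. Returns the diff dict."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        write("docs/notes.txt", b"meeting notes")
        write("bin/tool", b"\x7fELF original binary")
        write("etc/config.ini", b"[x]\na=1\n")
        with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as tmp:
            baseline_path = tmp.name          # stands in for offline storage
        save_manifest(build_manifest(root), baseline_path)
        # Constructed post-travel changes: a trojanized binary, a planted
        # autostart entry (invented path), and a deleted config file.
        write("bin/tool", b"\x7fELF trojanized binary")
        write("home/.config/autostart/updater.desktop", b"[Desktop Entry]\nExec=/tmp/.u\n")
        os.remove(os.path.join(root, "etc", "config.ini"))
        result = diff_manifests(load_manifest(baseline_path), build_manifest(root))
        os.remove(baseline_path)
        return result

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run both passes from a clean host against the device's mounted disk rather than on the device itself: a rootkit on a running system can hide files from the very script examining it. This sees nothing in firmware or hardware, so a clean diff is not proof of a clean device, which is why the advice above says to expect findings rather than hope for none.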
I feel better now.
-Jeff



Saturday, June 06, 2015

You can't buy life insurance without someone sticking their finger in your butt.

...but you CAN buy a cyber insurance policy!

I spent a couple of days last week talking with insurance folks --brokers, agents and attorneys. I heard more about cyber insurance policies in two days than I've heard in the last five years. And you know what I think? As far as I can tell, underwriting cyber policies is still pretty much a jump ball! And payouts are more about legal clauses than about losses from legitimate risk.

I asked... why don't you test the networks before writing that policy? The answer? Brokers worry that if they can't write a policy within a certain period of time (two weeks?), the customer will go somewhere else for that policy.

And what about the payout?  During one panel, one of the attorneys commented during a session on how he'd spend time brainstorming new language for clauses (exclusions?) that could be used in the policy.

So two questions.. and my thoughts:

First... With a 14 day marketing turnaround time, can't an underwriter do some initial testing? 

Hell, you can't get life insurance without someone sticking their finger in your butt. So why not run a few tests to see if an insured is worthy? Worried about time? Time is always a concern, but even without relying on the 'report card' cyber index systems, a real-time perspective on what's going on inside the network can be gleaned without ever looking inside the network. At the same time, car insurance companies now offer plug-ins for the on-board computer. Why not try the same thing with computers? A week on a span port at an egress point could offer an enormous amount of information about what's happening on that network... with that information, write the policy! Use the test data both to underwrite and to set a goal-driven process with the company --if they fix what was found during the physical, their premiums drop! It works this way in car insurance, right? Safe drivers get better rates than those who speed? Longer track records of safe driving = lower premiums? So why not cyber?

Second...  Are lawyers the best way to ensure lowered risk when writing one of these?  

My thoughts: I do not presume to know the insurance industry, but I have had some experience as both an agent and a broker (life, health, P&C)... and although that was many years ago, my experience says this: there's a balancing act between profit and the need to pay out a claim. Should lawyers be involved? Probably. Should they be brainstorming new clauses? Probably again, but they do so with the understanding that most insureds (those people who buy those policies) will not catch the clause, will purchase the policy unknowingly exposing themselves to risk, and will expect but not receive payout on everything expected... and if they do? Heck, don't buy the policy. The market will speak for itself!

Bottom line.. there are a million ways to quickly test for risk. Just ask, and we'll either help, or point you in the right direction! Triage analysis is easy. You can pull logs, attach yourself to the network, or use passive external means to listen for activity that might tip you off to the security posture of the network --all with plenty of time to keep the competitive ball in your court.
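As an added example for the span-port triage argued for above and in this bottom line (my code, not the author's or any underwriter's process), this is a first pass over egress flow records: connections that fire at suspiciously regular intervals (beaconing), destinations on ports with no obvious business reason, and the destinations receiving the most outbound data. The flow line format is an assumption and the records are constructed; on real data you would feed it NetFlow, Zeek conn.log or whatever the span-port sensor produced.

```python
"""Added example (my code, not from the original post): a first-pass triage
of egress flow records from a span port. Flow lines are constructed and the
format is an assumption."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flows: ts src dst dport proto bytes_out
SAMPLE_FLOWS = """\
2015-06-01T09:00:00 10.0.0.5 198.51.100.7 443 tcp 1200
2015-06-01T09:01:10 10.0.0.9 192.0.2.10 443 tcp 5000
2015-06-01T09:01:15 10.0.0.9 192.0.2.10 443 tcp 5000
2015-06-01T09:05:02 10.0.0.5 198.51.100.7 443 tcp 1200
2015-06-01T09:07:40 10.0.0.9 192.0.2.10 443 tcp 5000
2015-06-01T09:10:01 10.0.0.5 198.51.100.7 443 tcp 1200
2015-06-01T09:15:03 10.0.0.5 198.51.100.7 443 tcp 1200
2015-06-01T09:19:59 10.0.0.5 198.51.100.7 443 tcp 1200
2015-06-01T09:22:00 10.0.0.5 203.0.113.200 4444 tcp 800
2015-06-01T09:25:00 10.0.0.5 198.51.100.7 443 tcp 1200
2015-06-01T09:30:02 10.0.0.5 198.51.100.7 443 tcp 1200
2015-06-01T09:30:05 10.0.0.9 192.0.2.10 443 tcp 5000
2015-06-01T09:35:01 10.0.0.5 198.51.100.7 443 tcp 1200
2015-06-01T10:05:00 10.0.0.12 192.0.2.50 443 tcp 52000000
2015-06-01T10:12:33 10.0.0.9 192.0.2.10 443 tcp 5000
2015-06-01T10:12:50 10.0.0.9 192.0.2.10 443 tcp 5000
"""

def parse_flows(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto, bytes_out = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "dport": int(dport), "proto": proto, "bytes_out": int(bytes_out)})
    return rows

def find_beacons(rows, min_flows=5, max_jitter=0.15):
    """Flag (src, dst, port) tuples whose inter-connection gaps are nearly
    constant: coefficient of variation of the gaps at or below max_jitter.
    Human browsing is bursty and fails this; a timer-driven implant passes."""
    times = defaultdict(list)
    for r in rows:
        times[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    findings = []
    for (src, dst, dport), ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "dport": dport, "flows": len(ts),
                             "interval_s": round(mean, 1), "jitter": round(jitter, 3)})
    return findings

def unexpected_ports(rows, allowed=frozenset({25, 53, 80, 443, 587, 993})):
    """Destination/port pairs outside the set the business expects to use."""
    return sorted({(r["dst"], r["dport"]) for r in rows if r["dport"] not in allowed})

def top_senders(rows, n=3):
    """Destinations ranked by bytes sent out of the network."""
    out = defaultdict(int)
    for r in rows:
        out[r["dst"]] += r["bytes_out"]
    return sorted(out.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("beacons:", find_beacons(flows))
    print("unexpected ports:", unexpected_ports(flows))
    print("top senders:", top_senders(flows))
```

None of these three findings proves compromise on its own: a software updater beacons too, port 4444 may be a legitimate internal tool, and the big upload may be a backup. What they give an underwriter in a week of passive capture is a short list of questions for the insured, and a measurable before/after when the premium is tied to fixing what was found.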

Thursday, May 21, 2015

Can you hack an airplane from the inflight entertainment system?

Can you hack an airplane via the in-flight entertainment system? Are there other vectors into the cockpit? Even if the recent stories aren't true (I haven't enough information to assess whether they are or not), every hacker in the world will soon be trying.

Interesting stuff nonetheless. I'm going to start out by stating up front... this is near pure speculation --a conversation piece; thinking through my keyboard.

First, there are loads of documents that tell you why you shouldn't be able to do what was claimed:
  • He got physical access to the In-Flight Entertainment (IFE) system through the Seat Electronic Box under his seat, and used a Cat 6 Ethernet cable to connect a VBox for his environment and Kali to run the exploits. (http://aptn.ca/news/wp-content/uploads/sites/4/2015/05/warrant-for-Roberts-electronics.pdf) --why didn't the flight attendant notice someone screwing with the system?
  • His target is the Vortex software (http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/) - "VCT has unique and protected state-of-the-art aerodynamic technology as well as copyright protected software that enables engineers to model, predict, redirect and control aircraft vortex flow" (http://www.vortexct.com/products/finlets/).
  • You cannot send a climb command based on this software. On top of that, the IFE systems aren't even integrated: Boeing, the manufacturer of the United Airlines plane Roberts was on when he was arrested, said the hack wouldn't even be possible because its entertainment systems are "isolated from flight and navigation systems." (http://www.aol.com/article/2015/05/18/cybersecurity-experts-criticize-united-airlines-hacker/21184502/?ModPagespeed=noscript)
But at the same time... I'm not an aerospace electrical engineer, but...
  • The vast number of cockpit simulators, with seemingly high levels of realism, seem to offer a viable place where attackers could practice. In fact, at one of my former employers, a cockpit was built on an Xbox platform as a means of showing that all interactivity in the cockpit could be performed using inexpensive COTS software. My point is, are the integrated cockpit devices connected via APIs, other interfaces, or PLCs that may make them open?
  • And of course, after the missing Malaysian flight, there were a number of warnings, particularly from the British, on the very real possibility that the plane had been hijacked by cyber attackers.
  • ACARS, for example, has been known to be vulnerable to attack. So vectors other than the in-flight entertainment system have to be considered if you're looking at it from a general threat perspective.
  • In cars, the CAN bus is the controller area network that connects everything. Remember, the car was hacked through RFID in the tire pressure sensors at Black Hat a few years ago. We've had talks with folks at a very specific research center (~18 months ago) regarding OEM CAN bus issues having similar applicability in the airline and railway spaces. The thought that airliners may have the same issues should not come as a surprise.
I'm going to go out on a limb here, folks. I'll bet a dollar that commercial off-the-shelf products (or at a minimum, protocols) are used in cockpits, and networking, APIs, etc. rarely have security built in.
I also believe that now every hacker in the world will be connecting to the under-seat USB, trying to figure out how the connection works from the in-flight entertainment system, or whether someone can Bluetooth to the pilot's cell phone, unlock the electronic controls on the cockpit door, or find another hole that makes the seemingly impregnable system not so.

I'm thinking the Aircraft OEM companies and the ISAC are probably buzzing. I've received a number of calls from folks asking what we know (nothing) --but the assessment and the realms of possibility are not that far off.

Get ready Aviation folks. I have a feeling you're going to be really tested with questions in the next few weeks and new engineering challenges into the foreseeable future.


Tuesday, May 05, 2015

Insider Threat Panel -- Hartford -- Next week!

Those who know me know I enjoy working insider threat cases.  I worked with the Insider team at Carnegie Mellon, and have paid close attention to the landscape ever since.  From a technology perspective, it's one of the hardest.  From a personnel and management perspective, indicators are often identified but misread, or worse, ignored.... if only HR could talk IT and IT could speak HR ... maybe in a perfect world...I won't hold my breath.

But until then, we'll continue to rely on endpoint solutions and monitoring of watch-listed employees --perhaps those below the performance line, those with a trail of HR problems, employees upset by circumstance, or whatever the motivation. Technical indicators at the endpoint can be an effective means of detection, and while I'd hate to say mitigation, there is an opportunity to reduce the risk.

I'll be sitting a panel in Rocky Hill, CT next week on just this subject.

Care to join us? Here's the c-vite. The agenda is shown below.

Interested in insider threat?  We look forward to seeing you!

Jeff



"Insider Threat, Incident Response and More..."


The ISACA-GHC Members have spoken and we listened!
Based on your feedback and requests we have assembled the following topics:

Human Side of Data Protection (David Gibson): The most valuable, fastest growing asset a business owns is its human-generated data: documents, spreadsheets, videos, presentations, and emails that people create and share every day. Breaches involving human-generated data happen almost every day. Why? Because employees have far more access than they need, activity is usually not logged or analyzed, and it's difficult to spot abuse. During this presentation you’ll hear how there is a way big data analytics can help lock down overexposed data, prevent breaches, reduce excessive permissions, and enable a sustainable data protection strategy in the face of unprecedented data growth.
Massive Scale Endpoint Incident Response (Neal Creighton): Security teams and incident responders are challenged to prioritize the alerts they receive from network-based devices. Next-generation endpoint detection and response technology is helping these teams more contextually investigate, and verify incidents for faster, more efficient resolution. This session will provide an overview of how new endpoint technologies bring in stealth data collection, Big Data correlation and behavioral threat analysis to augment and even improve the ROI of other security ops platforms.
Insider Threats (David Gibson): The recent spate of highly publicized breaches has drawn attention to one of the issues that keeps security professionals up at night – once an attacker is “inside” the network, their activities are often difficult to spot and recover from. This is true of outside attackers that compromise the credentials and systems of employees, as well as employees that are “breaking bad” or unwittingly exposing sensitive files. This session will review the anatomy of typical outside-in attacks including infiltration, data gathering, and exfiltration, and then discuss methods and techniques for analyzing file analysis records to spot and stop potentially malicious activity from both insiders and external attackers.
Transforming Security Through Distributed Systems and Micro-Segmentation (Colin Ross): With the shift to cloud and mobile computing, security architectures have not kept pace with modern data center architectures. In a world where perimeters have largely disappeared, organizations need to consider security models designed for virtualized and cloud environments. We will discuss how Distributed Systems enable security to scale horizontally, adding capacity dynamically based on need. We will also discuss how Distributed Systems offer a superior architecture for security by providing simplified operations, more effective threat analysis, and better economics.
Breaking Down the Cyber Kill Chain (Ryan Wager): The threat landscape continues to evolve faster than the technologies being built to control it.  In this discussion we will focus on breaking down the parts of the Cyber Kill chain that occur within today's datacenter perimeter and current security best practices.  Specific examples of real attacks will be utilized to illustrate each point.
Panel Discussion
This panel discussion will look at some of the key issues around cybersecurity, threat detection, managed security, next-generation threat modeling and address audience questions on new, innovative ways to effectively counter attackers and eliminate threats. 
Moderator: Steven Harper, Northeast Regional Sales manager for CounterTack. Steven manages the U.S and Canadian business on the East Coast.  He has been in the Internet and Cyber Security industry since 1994 and his background includes companies such as BBN (Bolt, Beranek, and Newman) and Exodus Communications where he was a member of the Cyber Attack Tiger Team. He has worked in the SaaS / Cloud industry, founding Plan 2 Win Software which he sold in 2008. Most recently he has worked at Radware and Corero Network Security, focusing on DDoS Prevention and remediation. Prior to working in the Denial of Service arena, he spent time at Still Secure, a Managed Security Service Provider, specializing in PCI Compliance.
Panelist #1: Jamie Herman, Information Officer at Ropes & Gray, LLP. Jamie has more than 15 years of experience in information security, risk management and information technology. Currently the Information Security Officer for Ropes & Gray LLP, Jamie's expertise covers a diverse range of areas, including implementing information security programs, data privacy, digital forensics, access control, leading innovation initiatives and leading a global team. His passion for assisting law firms improve their security posture in all facets of business has been a key to his success. Having led vulnerability management plan efforts, security strategy and policy design initiatives, Jamie collaborates with a wide network of public and private industry information security experts to deliver forward-thinking security thought leadership to the legal information security industries. Jamie sits on the LegalSec steering committee and has presented at a multitude of ARMA, ILTA and information security events.
Panelist #2: Jeff Stutzman, Co-Founder & CEO of Red Sky Alliance Corporation and Wapack Labs. Jeff served as a Director at the DoD Cyber Crime Center (DC3) where he built and operated the DoD/DIB Collaborative Information Sharing Environment (referred to in the press as the “DIB Program”) and the financial community’s Government Information Sharing Framework (GISF).
Mr. Stutzman is a former US Navy Intelligence Officer and has held positions with Cisco Systems, Northrop Grumman, the Software Engineering Institute at Carnegie Mellon University, and the DoD Cyber Crime Center. He is a founding member of the Honeynet Project, founded the Healthcare ISAC, and was a first watch stander in SANS GIAC (now the SANS Internet Storm Center). Mr. Stutzman holds a BS in Liberal Sciences from Excelsior College, an MBA from Worcester Polytechnic Institute, and is a Harvard Kennedy School Senior Executive Fellow.
Panelist #3: Brad Howden is the Founder and CEO HIC Network Security Solutions, LLC. Brad has more than 15 years of experience working in security and network focused consultancies, as well as managing global, customer facing technical organizations.  Howden strategically focused HIC’s expertise to lie in both well established and in emerging security technologies designed to address the evolving threat landscape.  Howden and HIC have also developed proprietary firewall migration software, HIC RAPIDFIRE, which has been used within a multitude of organizations across many verticals, and in a large number of fortune 500 companies. Prior to co-founding HIC Network Security Solutions LLC., Brad served as Director of Technical Services for IGX Global.  He received a B.S. in Computer Science from Rutgers University.
Panelist #4: TBD

Attendees are encouraged to send questions in, for our speakers.

SEMINAR (UP TO 7 CPE CREDITS)
 

WHEN

05/13/15 8:00 AM - 4:30 PM
WHERE
CT-CPA Center
716 Brook Street, Suite 100, Rocky Hill, Connecticut 06067, USA
FEE
           ISACA Members - $10.00
Non-ISACA Members - $20.00

SCHEDULE

• 8:00am – 8:30am: Registration (Continental Breakfast)
• 8:30am – 12:00pm: Morning Session
• 12:00pm – 1:00pm: Lunch
• 1:00pm – 4:30pm: Afternoon Session



RSVP by 05/11/15
http://www.cvent.com/d/PN-iVa9tj0ygTkNapgS2vw/fjxf/P1/1Q?

Saturday, April 25, 2015

The pool is polluted and we're all swimming in it. Don't get too much in your mouth!

We've been chasing this massive breach --global in scope.  We don't like to publish these things openly -grandiose outings of breaches and defensive conquests are wonderful for a short time, but in the end, one story becomes just like the last, and just like the next.

Rather than becoming yet another intelligence group spending months writing a big story, our preference is to warn folks when we find out --as early as possible, stay under the radar, notify those who need notifying, and move on to the next place the data takes us.

At the same time, the story is out... without a purposeful push, but nonetheless those outside of our circles tell the story, and at some point we're going to have to speak publicly and openly about our findings. So how do we do that without becoming yet another group pumping its chest, telling the world how great we are? I didn't know, but I know someone who does.

So I called him.

We talked about the idea that as internet use grows, so does crime, proportionately. First from nuisance-focused script kiddies, then organized crime, robot networks (botnets), espionage, and now, integrity attacks. The normal population has crime --murder, car theft, break-ins, etc., and so does the Internet. So a thinking person might consider the correlations, right? I'm not taking on a long-term academic study, but I'd assume that if someone would attempt a break-in in the physical world, they might also do so in the cyber realm, right? And in cyber, many people still think that getting away with something is relatively simple, so those who might have considered a physical break-in, but didn't because of a fear of being caught, might now do so on the Internet because of a lowered risk of ending up in the hoosegow... right?

Let's try some simple math... the most dangerous city last year had roughly 1340 crimes per 100,000 people -roughly 1.3% per capita. So what if we transferred that math to internet crime?

The graphic below shows internet users per 100, on a growth plan from 11% in 1996 to over 77% in 2013 --at a time when the world population was ~7 billion people. 31% globally use the Internet. Now plug in that 1.3% crime rate per capita... that means that just over 28 million people are committing crimes --and not on local breakins, murder, theft, it's on a global scale! 28 million people have the ability to touch anyone... and they do.  My thinking is those internet criminals probably don't do just one break-in, they probably do thousands at a time via robot networks (botnets)... the numbers grow exponentially with the use of technology.

http://en.wikipedia.org/wiki/List_of_countries_by_number_of_Internet_users
The Internet knows no boundaries, and the fear uncertainty and doubt argument no longer works... so try maybe math is a better approach. I'm sure mine isn't perfect, but it certainly illustrates the idea that since 1998 the growth in volume, increase in sophistication, and changes in motivation and intent have grown right along with the growth in users... and it ain't gonna get better any time soon. Crime, espionage, integrity, destruction? They're all a part of our new normal --and we better get used to it. Those nice, trusted computers that we thought we owned years ago are as much a thing of the past as the AMC Jeep... that's a steep Internet adoption curve --and a correspondingly steep crime adoption curve.

So when we say we're chasing a currently unpublished global set of breaches, so what, right? It's just another day. It's the new normal.  The pool is polluted and we're all swimming in it.  Our best hope? Don't get too much in your mouth!

What're we chasing?  Check it out... https://cms.wapacklabs.com.

Still thinking about joining Red Sky?  Want to know more? Call us. We're here to help.

Sunday, March 29, 2015

The God box

I spent a few days with a bunch of bankers in lower Manhattan this week.  After the conference (caucus? summit?) we headed for the bar.  I ran into someone I've known for years, but worked with right after leaving the Navy in 2001. Over a couple of Guinness stouts, the conversation went from fun, back to business, but on this occasion, he mentioned the phrase "the God box." We hear so much from different vendors about the problems they solve, and in today's environment, it seems that CISOs who've not yet really been exposed to what's happening in the dark corners of our infosec world are hearing the messages, watching the turnover in CISOs, and are either scared to death or totally confused by all of the crap reported in the news and the vendor hype that takes full advantage of it.

The God box goes like this... My security box slices, it dices, it even makes julienne fries! It'll stop everything from coming into YOUR house, AND, it'll pour your coffee when you come to work in the morning. It offers long-term predictive intelligence (not that you'll ever need it), and will call your mother on her birthday when you forget about it because you're so engrossed in Dungeons and Dragons (World of Warcraft? Farmville?) that everything else passes you by; because you've got so much time on your hands while you wait for your layoff notice, because you've not had to lift a finger to protect your network since this new system was delivered, installed, and took over full operation of your networks, authentication, logging, analysis, blah, blah, blah. This box is freak'n amazing.

So the question is this... if that box is so good, why aren't you using it to predict the stock market? 

We see SOOO many vendors out there exploiting fear, uncertainty and doubt, overcharging for their otherwise lackluster wares; over-promising and under-delivering, or worse, with so much complexity that you couldn't even begin to scratch the surface of its capabilities. I once had someone tell me that ArcSight is the most expensive SMTP gateway they'd ever owned. It's not because ArcSight is a bad product (I don't believe for a second that it is) but that it requires specialized training to be able to take advantage of the amazing capabilities that come with it.

Interestingly enough, much of what many of these guys promise can be done on your own --including what we do (although, we try really hard to do it better than you could on your own!).  All I'm saying is this... there is no God box. Put your filters on and don't believe everything you hear. Pick a few great tools (open source, commercial, home grown, whatever!), but pick them based on the needs in your environment. Haven't started? Set up a Bro box, a Security Onion ISO, or another favorite tool, and connect it to a great intel source (ours is inexpensive and easy to hit, or again, choose your favorite). Watch the outputs and do the initial diagnosis. Pick tools based on what you need to move to the next step. Don't swallow the elephant whole at first; rather, look for tools that can help create your plan. Need help? There are tons of places to find that too.
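To make the "connect it to an intel source and watch the outputs" step concrete, here is an added example; it is not code from this post, from Wapack Labs, or from the Bro or Security Onion projects. It takes a small, constructed indicator list (documentation-range IPs and a reserved test domain), writes it in the tab-separated layout the Bro Intelligence Framework reads (a `#fields` header, `-` for empty values, `T`/`F` for booleans, `Intel::ADDR`/`Intel::DOMAIN` type names), reads it back with a strict parser, and then does what the sensor does on a live box: checks constructed conn.log/dns.log-style records against the indicators and emits one hit per match, tagged with the same `seen.where` values Bro writes to intel.log. The record `uid` values are made up in Bro's style and carry no meaning.

```python
from ipaddress import ip_address

# Column order the Bro intelligence framework expects in an intel file.
INTEL_FIELDS = ("indicator", "indicator_type", "meta.source",
                "meta.desc", "meta.url", "meta.do_notice")
KNOWN_TYPES = {"Intel::ADDR", "Intel::DOMAIN", "Intel::URL",
               "Intel::FILE_HASH", "Intel::EMAIL", "Intel::USER_NAME"}

# Constructed sample feed: RFC 5737 documentation addresses and a reserved
# TLD, so nothing here points at a real host.
SAMPLE_FEED = [
    {"indicator": "198.51.100.7", "indicator_type": "Intel::ADDR",
     "meta.source": "example-feed", "meta.desc": "C2 callback seen 2015-03",
     "meta.url": "", "meta.do_notice": True},
    {"indicator": "203.0.113.44", "indicator_type": "Intel::ADDR",
     "meta.source": "example-feed", "meta.desc": "noisy scanner",
     "meta.url": "", "meta.do_notice": False},
    {"indicator": "bad.example", "indicator_type": "Intel::DOMAIN",
     "meta.source": "example-feed", "meta.desc": "phishing landing page",
     "meta.url": "", "meta.do_notice": True},
]

# Constructed log records in conn.log / dns.log shape (uids are invented).
SAMPLE_RECORDS = [
    {"uid": "CHhAvVGS1DHFjwGM9", "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7"},
    {"uid": "C4J4Th3PJpwUYZZ6gc", "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.200"},
    {"uid": "CmES5u32sYpV7JYN", "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.53",
     "query": "BAD.example"},
    {"uid": "CsQRJ62rSJMbb9fsY5", "id.orig_h": "203.0.113.44", "id.resp_h": "10.0.0.80"},
]


def build_intel_file(feed):
    """Render a feed as intel file text: tab-separated rows under a #fields header,
    '-' for empty values and T/F for booleans. Rejects unknown types, malformed
    addresses and embedded tabs, each of which would silently poison the feed."""
    lines = ["#fields\t" + "\t".join(INTEL_FIELDS)]
    for entry in feed:
        itype = entry["indicator_type"]
        if itype not in KNOWN_TYPES:
            raise ValueError(f"unknown indicator type: {itype}")
        if itype == "Intel::ADDR":
            ip_address(entry["indicator"])  # raises on anything that isn't an IP
        row = []
        for field in INTEL_FIELDS:
            value = entry[field]
            if isinstance(value, bool):
                value = "T" if value else "F"
            if "\t" in str(value):
                raise ValueError(f"tab inside {field} would shift the columns")
            row.append(str(value) if value != "" else "-")
        lines.append("\t".join(row))
    return "\n".join(lines) + "\n"


def parse_intel_file(text):
    """Read intel file text back into dicts, checking the header and column count."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        raise ValueError("missing #fields header")
    names = lines[0].split("\t")[1:]
    entries = []
    for line in lines[1:]:
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if len(values) != len(names):
            raise ValueError(f"bad column count in {line!r}")
        entry = {k: ("" if v == "-" else v) for k, v in zip(names, values)}
        entry["meta.do_notice"] = entry["meta.do_notice"] == "T"
        entries.append(entry)
    return entries


def match_records(entries, records):
    """Check each record's addresses and DNS query against the indicator set, the
    way the framework does on a sensor, and return one hit per match using the
    seen.where labels Bro writes to intel.log."""
    addrs = {e["indicator"]: e for e in entries if e["indicator_type"] == "Intel::ADDR"}
    domains = {e["indicator"].lower(): e for e in entries
               if e["indicator_type"] == "Intel::DOMAIN"}
    hits = []
    for rec in records:
        checks = [(rec.get("id.orig_h"), addrs, "Conn::IN_ORIG"),
                  (rec.get("id.resp_h"), addrs, "Conn::IN_RESP"),
                  (rec.get("query", "").lower(), domains, "DNS::IN_REQUEST")]
        for value, table, where in checks:
            if value and value in table:
                e = table[value]
                hits.append({"uid": rec["uid"], "seen.indicator": value,
                             "seen.where": where, "sources": e["meta.source"],
                             "do_notice": e["meta.do_notice"]})
    return hits


if __name__ == "__main__":
    intel_text = build_intel_file(SAMPLE_FEED)
    for hit in match_records(parse_intel_file(intel_text), SAMPLE_RECORDS):
        print(hit)
```

The `do_notice` flag is the knob that separates "log it" from "page someone": the scanner entry above matches but stays quiet, while the C2 address and the phishing domain would raise a notice. That is the initial diagnosis loop the paragraph describes, and it runs the same way whether the feed comes from a vendor, an ISAC, or your own incident notes.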

Our favorite diagnostic tools? We're huge fans of Bro and Security Onion. Prefer commercial? Try CounterTack. Want a Managed Security Service? Red Canary just started integrating Threat Recon, or for the broader-spectrum MSSP, try AT&T, Solutionary, Morphick, or Alert Logic.

Bottom line: There are some very cool options out there. None are the God box. Nor is there a simple green light that you can watch flicker, turn red temporarily, and then back to green when the thing mitigates the risk... it doesn't exist.  Brains exist. Good intel exists. Critical thinking exists. And most of all? Common sense exists.


Sunday, March 01, 2015

Mike Rogers - Destructive offensive actions are coming...

“I think it’s only a matter of time until we see destructive offensive actions taken against critical U.S. infrastructure,” said Adm. Mike Rogers, the director of the National Security Agency and commander of the U.S. Cyber Command.

“History has shown us to date that you can [look at] any confrontation, any crisis to date and that there’s a cyber component to it,” he said. “Cyber is going to be a fundamental component of the world we’re living in.”
Interesting. I spent two days with the CI community last week, and a couple of hours with the cyber folks in the White House on Friday. I'm thinking Mike Rogers is living in a bit of a government enshrouded cave. Think there's not been damage to companies already and that destructive offensive attacks haven't occurred already? 

We've seen hard drives spun to failure. We've seen DDoS and telephone interruptions and massive operations used to keep incident responders busy. We've seen election computers trojaned to manipulate elections. 

I'd bet a dollar, although I have no direct proof, that destructive attacks on critical infrastructure, not only in the US but abroad, have already occurred. 

Tuesday, February 10, 2015

New agency to sniff out threats in cyberspace

Maybe it shouldn't bother me as much as it does... oh hell, yes it should.

This piece ran, above the fold, front page, column one in the Washington Post this morning. It was the first headline that I read as I had my morning coffee and poached eggs before heading out to the second day of my conference.  

According to the Washington Post:

"The Obama administration is establishing a new agency to combat the deepening threat from cyberattacks, and its mission will be to fuse intelligence from around the government when a crisis occurs.

The agency is modeled after the National Counterterrorism Center, which was launched in the wake of the Sept. 11, 2001, attacks amid criticism that the government failed to share intelligence that could have unraveled the al-Qaeda plot." 

Here's the deal...  The government is preparing to build yet another cyber fusion center --a group that can reach across the stovepipes and pull together the story in time of cyber crisis. This, on the heels of the hacks into Sony --because movies are important, right? 

So another $35 mil spent to stand up a new 50-person team just bothers the hell out of me. Why? Well, first, $35 mil in DC is what they call budget dust. It's not a lot of money inside the beltway (of course, it is to the rest of us!).. But the idea that it's ANOTHER $35 mil spent on top of the others in the space --NSA, DHS, FBI, DoD, US Cyber Command-- all have or are cyber organizations in our government, and the last time I checked, DHS had the mission for coordinating across the stovepipes. So my thinking? Why are we spending another $35 mil (and this is only the first year, folks) to build another cyber organization instead of forcing the existing agencies to do their job? 

So, who's losing cyber budget to stand up the new team? Call me. I'd be happy to offer up a few recommendations.


(Source: http://www.washingtonpost.com/world/national-security/white-house-to-create-national-center-to-counter-cyberspace-intrusions/2015/02/09/a312201e-afd0-11e4-827f-93f454140e2b_story.html?hpid=z5)

Monday, February 09, 2015

The Absence of Basic OPSEC

I'm in DC through Wednesday for a conference. I drove down from the tundra that is New Hampshire, arriving late last night. The conference doesn't start until 9:00 this morning so I thought I'd relax a bit and have breakfast before I walk up.

So I'm assigned a table in my favorite place in DC. It's a coat-and-tie kind of place where there are no cell phones allowed in the main dining room. As I skim the Washington Post (which is surprisingly light these days!), I can't help but overhear a man's voice --from nearly clear across the room. There are at least a dozen tables occupied, although admittedly, most are either singles or still in their caffeinated silence. And this one guy, probably 70ish, white hair, fit, is sitting with two much younger women... one a nice-looking late-30's blonde; the other about the same age, and still attractive, slightly heavier and a brunette... the brains at the table who never stopped writing... and the man who I believe had to be able to breathe through his ears, because I didn't see gills and his mouth never stopped moving.

In this city, where the highest per capita ratio of human intelligence operators perform diligently, reporting everything heard back to their handlers, this white-haired retired (I believe) senior (again, an assumption) talked about Navy plans for future undersea warfare, nuclear options being developed, and close-in warfare. He talked about presenting at the "National War College" (at the National Defense University on Ft. McNair). And while I believe this man works for a local think tank, the simple absence of OPSEC in this hotel dining room, where so many other ears could overhear this man --who seemingly misses the attention of being a decision-maker on active duty, working like hell to either task, or impress with his deep understanding of Navy issues, these two obviously younger women-- well, it really p*ssed me off.

At the same time, I thought to myself "Is this what we've become?" OPSEC is an afterthought to impressing women over a fancy hotel breakfast, or capitalism is more important than national security, or the ego, lacking in validation, simply needs to be stroked --and that stroking can be forced by pushing opinions and deep thought over breakfast while young women hang on every word.

So yes, this is what we've become. The internet is a place where all three of these things exist. OPSEC has become an extinct afterthought; like the Zanzibar Leopard and the Black Rhino, these once powerful animals have gone by the wayside. Where OPSEC, TEMPEST, CMS, and guarded radio rooms were once the rule, and swift and strict punishments were imposed on those who broke the rules, it seems that the bar has been reset, and speaking openly, regardless of the consequences, online or in public, has become the new norm.

And this white haired old man, well, he should know better.

That's enough of my rant for this morning. I haven't blogged in a while and it was starting to build a head of steam that just needed to escape.

Now, I'm off to my Intelligence conference.

Have a great day!
Jeff