More "Getting to the left of Kill Chain"

Getting to the left of Kill Chain has been a theme for the last several months. We're doing this today for a small group of companies. We're not a big data shop, but, Wapack Labs collect an enormous number of individualized, primary sources information --all selected by our analysts to provide specific kinds of information. Primary means that nobody has previously analyzed the data. We're seeing it first hand, untouched.  The data is from sources OUTSIDE of the company.  When we pull it, we check it against everything we know to be bad. When there's a 'hit', we pull the meta data and create a database entry (see above).  We also get information about what a company is using to protect themselves.  Then, we compare the two.

On paper it sounds easy right? It is..

On New Years eve, I sent an Early Warning notification to the CIO of a company who was about to receive a targeted (we believe) email from an unknown attacker. None the less, the email appeared to be coming FROM a legitimate internal user, sent TO a legitimate internal user, and the subject line was "Purchase Order".

I've modified the sample to protect the victimized, but here's how the story goes.

In the example, Purchasing agent "Lew" sent "TargetEmployee" an email with an attachment. The attachment is recognized as bad by our internal processes. We assign the email a hash value and dump a report to an analyst to verify.

In this case, the malware was detected by Qihoo-360, Icarus, Sophos, and Jiangmin.

The company however, doesn't use any of these vendors. 

AND... this company manufactures high tech stuff --for the Aviation, Maritime, and Space industries. This is a supply chain company, and their chosen vendor doesn't recognize this malware as a threat.  

My assessment? Likely targeted, possibly espionage focused. Here's why...

• An malicious email was sent to look legitimate 
• ...from an internal user to an internal users in a a company 
• ...who works in industries known to be targeted for cyber espionage (high tech, aviation, space).
• ...the company isn't getting thousands of hits, they received one email. And that one email had a piece of malware attached that is recognized only by a few AV vendors --and none of them is theirs.

And, we (hopefully) notified them before the breach.

So what can a company do with this information:  Depending on their configuration, the company has options, although based on what we know about them, only a few. In this case, the company has access control, but no real defense in-depth to speak of.. Access control and Watchguard (potentially UTMs, we don't know).

Here's what I told them:

• They use Watchguard. We gave them network indicators that they can push into their Watchguard system. I'm assuming they have a Watchguard admin that's certified on the management of the system.
• We gave them meta data about the malware... enough to identify it in their network.
• They can go directly to the users mailbox (.pst) from their Exchange Server. 
• If all else fails, call us. We work with some great partners that can find it for them. 

So pay attention folks. 2016 is going to be transformative. It's not perfect, and I can guarantee we won't get it right the first time, but if you're looking for ways to get ahead of the problem, drop me a note at jstutzman@wapacklabs.comjstutzman@wapacklabs.com. If you can't do it yourself, we can refer you o someone who can do it for you. 

Have a great weekend!

Jeff

2015 - A look back, and a look forward...

This is my last blog of 2015, so I thought I'd close it out right!

This was another great year in Red Sky Alliance and Wapack Labs.

Red Sky, as planned, added several new members. Our intent was never to have thousands, rather a select group who use the portal and the intelligence that’s provided. So, a few numbers:

Red Sky Alliance has roughly 200 accounts issued. Approximately 10% are issued to Wapack Labs analysts, leaving ~190 accounts. Out of those, an average of 73 people (38%) participate weekly and about half of those participate daily.  Those are staggering numbers in any information sharing environment. Add to that the idea that in nearly four years, only three Red Sky Alliance members have left, and those left because of one member was divested and then dissolved. Another transferred and rejoined after the move. The third, an intelligence manager, took another job in the company and the intelligence team went with another service. Our customer satisfaction remains high. The intent of the Alliance was never to serve the needs of all, rather allow companies who really want it an opportunity to crowdsource questions, and share intelligence and analysis. The price has remained stable for the last two years –significantly lower than others, with the intent of users being ecstatic at the amount of value that they receive as members. We’re not into politics. We don’t drive national policy. We want standards but participate in those national level discussions only tangentially.  We author intelligence and provide it to the members. We stick to our core competency and charge a fair price; and our members seem to love that.

Wapack Labs has really grown into its own this year.  Wapack Labs was spun out of Red Sky Alliance in 2013 as a place where our analysts could do other kinds of projects that didn’t fit nicely into the information sharing construct –professional and tailored intelligence collection and analysis. The Lab sells intelligence subscriptions in forms that allow both the board and C-Suite the ability to get fast, one-page sound bites, and at the same time, corresponding technical reports that the tech teams can use to protect the company from those reports that their CEO reads.

We added a few new pieces of analysis this year. Targeteer® reports profile actor groups and its members. From our perspective, there are dozens of things that can be done outside of the network, without breaking any laws, to turn off an attacker’s ability to execute. Targeteer® reports offer our members the information needed to take political, legal, or other actions as may be desired by their leadership team and counsel.

We started pushing early warning indicators in September. We love Kill Chain, but many don't understand that while Kill Chain details activities of the breach, it can be used proactively to plan and instrument active defensive campaigns. And because so many don't understand that, if you’re operating in Kill Chain, it may to late for you. To answer that problem we’ve spent a lot of time this year on processes that we’re calling “Getting to the Left of Kill Chain”. There's a bit of a learning curve, but so far, our pilots have been successful. When our infrastructure is built out, any company will have the opportunity to log into our new Cyberwatch® system and receive early warning indicators that they can (should) act on before having their first coffee of the day.

Our desire to push these reports and indicators to larger audiences has showcased a bit of a problem –the ability to scale in distribution. Until this year, scaling the ability to perform human driven analysis has always been the concern. We continue to drive analytic processes. We’re sourcing hundreds of primary sources of information, and to allow us to scale, Cyberwatch® will be released as initial operational capability in January. The goal of Cyberwatch® is to consolidate and create efficiencies. 

Today, we offer products as C-Suite offerings in a low cost format delivered on wapacklabs.com. We offer collaboration in Red Sky Alliance, and we offer a query/response indicator repository on ThreatRecon.co. It's confusing even to me!  The idea of Cyberwatch® is first to translate information security into language that anyone can understand, and know at a glance the implications of growing cyber threats. Second, we’re hoping to solve the problem of a massive need for victim notifications. The number of victims seemed to skyrocket this year, and while we’ve done our best to push out notifications, the numbers are staggering. At the time when I was drafting this blog, another company was victimized; this time for 13 million accounts. How do 13 million people get notified that their computers might have been victimized? And if they knew, what could be done about it? We hope to solve a piece of this problem.

What’s trending?

By far, the biggest activity we saw this year was the distribution of key loggers globally. As of today, we’ve seen over 12,000 unique infrastructures compromised in over 85 countries around the world. We’ve seen Nigerian actors compromising systems in every corner of the world and selling the accounts in TOR based forums. That activity, named by us “Daily Show” seems to focus on a few geographical locations, primarily targeting the maritime community (and those supporting the maritime community) in the South China Sea, maritime routes between Nigeria and the Black Sea, the Nordics, and the Suez Canal.

Angler has easily been number two. We’ve written several reports on Angler, and have had readers and conference goers tell us that Angler delivers roughly 90% of all of the activity seen.

Russian actors have become a tool of the military. Wapack Labs detailed accounts of Russia’s cyber actions in the conflict with Ukraine. The cyber underpinnings of the activity, in our opinion, track closely with the Ivanof Doctrine –a plan for using cyber and other information warfare tools in conjunction with physical activities.  

Iran moved into the top of the threat chart. Starting with the stockpiling of tools to connections with others, Iranian actors appear to have become the new China with one major difference; Iran isn’t interested in espionage. And why should they be? They became one of the first cyber sabotage targets in this new era.  

Last but certainly not least.  We watched this year as attacks turned from espionage and theft to integrity attacks, with documents manipulated to allow the movement of goods, services and money. Cyber has indeed converged with the fraud and physical security spaces... and it's only just starting.

Which brings me to my 2016 predictions:

I’ve authored predictions since 2013, and many more informally before that. I’m running pretty hot right now with nearly all coming true. Feel free to view previous predictions on our blog at henrybasset.blogspot.com.

So here goes…

1. Key loggers aren’t anything new but they’re taking hold in a largely automated way. I’d mentioned in presentations (twice this year), when I followed a consultant who talked about cracking passwords that passwords don’t mean a thing when there’s a keylogger involved. And it seems the number of pieces of malware with key loggers built in are increasing dramatically. Not a rocket science prediction. Common sense.
2. We witnessed what we believe are the early indications of a movement from confidentiality motivated attacks (meaning, espionage) to integrity motivated attacks. This year will be the year of data manipulation.  This is a high probability, high damage risk prediction. Companies everywhere will lose the ability to depend on their computing systems to deliver trusted results. This has already proven true in engineering focused industries, but now, enterprise resource management systems, are becoming targets of opportunity, allowing access into any of the multitude of services they connect to. 
3. Customs offices in several countries were witnessed by Wapack Labs as compromised. One European country’s Visa office was included in that last. This is a major risk to governments everywhere. My prediction? We’ll see key government organizations in the US and elsewhere get compromised in places that vet foreign visitors. Documentation will be generated and delivered. The overarching theme? Fraud is intersecting with information security. Cyber is simply another tool and the Visa offices are not exempt.
4. Resilience has become the name of the game. Leading edge companies are learning to live with untrusted networks, and as 2016 unfolds, we’ll see several key companies focusing on their efforts on resilient networks.  We don’t believe that Chief Information Security Officers will be replaced with Resilience officers, but taking the role to the next step means ensuring organizations can survive, operate successfully while under massive attack.
5. Service accounts aren't getting enough love... but they will. A service account connects two systems not normally accessed by a human. I.e.: One database connecting and querying another requires credentials, but because the process is automated, it will not require human interaction... so credentials are written into the code or query so human interaction is not required.  If one database queries another, and the credentials required either do not change, or may not be changed (because they're built into the code), they become highly coveted targets. Many of the larger companies have already addressed this problem. Many of the smaller companies don't have the ability to act on this enormous risk... and the bad guys know it. In industry, think supply chain. In personal accounts, think interconnections between various social and cloud based tools. If you can log into a system, and query using a social media login, or have your home thermostat connected to your iCloud account, you've created a service connection --and it can be exploited. 
6. Systemic risk is the phrase of the year. Systemic risk means that attackers will find singular points to attack, (probably as a result of staticly credentialed service accounts systems).   Need an example? OPM was a wonderful target from systemic perspective. Compromised in such a way that new tech with new thinking was required to identify the breach (math based behavioral anomaly detection), in a target that held such immense importance that nobody would be spared the possibility of targeting. Brilliant! I wish I'd have thought of that when I was in that business. 

2016 is going to bring some big things for Red Sky and the Lab. We're hosting our first Threat Day of the year in January in DC, and we expect to debut Cyberwatch® with our membership. Beyond that, if this works, it's going to transform the way executives look at information security and cyber. So standby. 2016 is going to be transformative... and I can't wait!

Happy New Year!

Jeff

What does "Getting to the left of Kill Chain" look like?

I call it intelligence --forward looking information based on currently known facts.  Others call

https://threatrecon.co

it Early Warning, Indications and Warning, proactive, or simply, intelligence. No matter what you call it, this is what "Getting to the Left of Kill Chain" looks like.  The best intelligence should stop attacks before they occur.  And this is one example of early warning mechanisms that we (Wapack Labs) send to our Red Sky Alliance members and Wapack Labs subscribers.  

This is the a CIW (Cyber Indications and Warning) Malicious Email Digest. 

     ===========================================

     MALICIOUS EMAIL DATA

     EMAIL HASH:0dca67606a345811dff801b6b0678fd6445ad8467b7e5ef23affc54a398f4085

     TARGETS:abcde.de

     DETECTION DATE:2015-12-16 12:29:24

     RECIPIENTS:info@abcde.de

     SENDER:"Tobias B" - TobiasB@fgihj.de

     SUBJECT LINE: Bestellung 96149

     DETECTIONS:F-Secure - Trojan-Downloader:W97M/Dridex.R, Fortinet - WM/Agent!tr

This report tells an operator which email account is being targeted, by what, and how well detected it already is. 

This report is a bit dated.. detected 12/16 at 12:29 but it'll do for now.  

     It was targeting one email address: TO:  info@abcde.de

     FROM:  TobiasB - TobiasB@fghi.de

     SUBJECT LINE:  Bestellung 96149

Each of the italicized indicators can be seen by watching packets on the network. If they can be seen, they can be stopped. So drop them in your favorite network security system and count the drops. 

But what happens when you're not running network defenses? This alert offers host based detection options as well. This the, becomes a case study in why we practice defense in depth... or Kill Chain if you prefer. 

The line: "F-Secure - Trojan-Downloader:W97M/Dridex.R,Fortinet - WM/Agent!tr” show that two different AV vendors were able to see it on the computer. If the network defenses miss it, then one of these two antivirus applications will see it. Sadly, if you don’t have one of these two, you’re stuck. The AV detections also have clues on how to triage the malware.  It may or may not be Dridex with one specific and one generic detection, but we can say with high confidence it's a MS Word macro document from the "W97M" and "WM" abbreviations.

The upside? This didn't come from the target. We capture hundreds of sources of these things on a daily basis, and as of yesterday, have over 22 million indicators that we query on a regular basis looking for signs of to-be malfeasance... and we drop those signs in the Red Sky Alliance portal. In fact, as soon as I publish this report, I'll be sending a victim notification to the Healthcare ISAC. We don't normally pay attention to the Healthcare sector, but this is one of those cases where professional courtesy demands it. 

So beyond the healthcare industry, there's a high probability that our capture and notification may have saved this company at least one new infection. At least that's the hope right? 

Don't have a subscription? Pay attention to Threat Recon and our CMS. I know, it's a pain in the neck to have to find two sites.. we'll have them consolidated soon. In the mean time, bear with us. We post the indicators and sharable reports there. 

It just started snowing up here. First of the season! 

It looks like we may have a white Christmas after all. 

Merry Christmas (or Happy Holidays if you prefer)

Jeff

What about the little guy?

We hired a new Business Development Manager yesterday. I'm happy to say that Chuck Nettleship will be starting on Monday morning.  Chuck's an old Norwich guy who's been around the block as many times as I have, and has worked not in the same places, but in similar places. So the conversation was fun as hell. And as he asked more questions, wanting to come up to speed before Monday morning, some of the questions made me go back a bit. I've been hearing some of these questions for years, but haven't really seen a good answer. For example, he asked "How is it that in today's information security environment, that only the most sophisticated companies have the ability to detect and efficiently react to badness in their environments?" What about the little guy?

The other night, I was at our monthly NH ISC2 meeting. And while some (usually not this one) of these meetings can be dry, ISC2 is normally pretty good. It's a smart group and I enjoy the intellectual tennis. So the other night, one comment caught my attention. According to the guy, Angler was responsible for the delivery of over 90% of the malware being dropped into their systems. And being a good group and coming from a smart guy in a great company, I'm going to take this at face value and believe. We wrote in August about it being used for Neutrino and we know that at the time, Angler made up about 80% of the delivery... but this is the tip of the iceberg.

This week's blog was actually going to be about the evolution of the Angler Exploit Kit.  But this morning, I woke up thinking about Chuck's question --the supply chain problem, and if this big company is having a problem with Angler, what about the little guy?

http://aerospacereview.ca

We (Wapack Labs) work in APT. We also work in financial crime, fraud when it intersects (which is becoming more and more), intelligence (know the bad guy), counterintelligence (identify and stop the bad guy), counter branding, incident response and more...

Who cares, right? You knew that already. The idea is, this is a COMPLEX new threat landscape. There are about 150 things in the SANS Top 20 that every defender needs to do right, every minute of every day. And if you miss one? WHAM! Hacking today means money to bad guys - big money. It means espionage --stealing your stuff for a country's (or another company's) gain. It means making a handsome living stealing from others and selling it elsewhere.

So, when I talked with Chuck yesterday afternoon, we spoke at length of the idea that while big companies can, for the most part protect themselves --or at least have process in place that allows efficient response when they do get breached.  What about the supply chain? The picture above shows the supply chain of an airplane. There's a ton of information on airplane supply chain, but only one level deep... but to take this further... according to newairplane.com, the Boeing 787 has approximately 2.3 mil parts with roughly 30% purchased from overseas suppliers. Again, who cares right?

http://tommarch.com

At one point, a partnering person at a large manufacturing company told me that in a survey of their 10,000 critical suppliers, ~60% had less than 100 employees and half of those had less than 25.  So let's do some simple math... 6,000 companies had less than 100 employees, and 3000 had less than 25. I'd bet a dollar that most of those are small engineering or manufacturing firms, and that none of them have a formal Information Security program strong enough to defend against even basic threats.

So how many of those suppliers --in the airplanes that we line up to board, in the laptop I'm using to write this blog (a depiction of the laptop supply chain is shown above), the chip manufacturers for medical devices, or the computer in the car you drive... how do the little guys who supply the basic components of those products protect themselves from having their lunch eaten or worse, code written into those devices that can be accessed later. And when that happens, who's there to help protect the little guy with the cable box for an internet connection and little more?

We are. This isn't new for us, and our focus is intelligence, but we've partnered with some great companies to do consulting, monitoring, alerting, incident response, and remediation. Some of our partners include Morphick Security, Kyrus, Alert Logic, D4C Global, Delta Risk, Ezentria and others offer a range of capabilities that can rival any other --some focus on the espionage and advanced threats. Others focus on monitoring and alerting and do really well in smaller environments. One focuses exclusively on the under 25 market. They handle the 24x7 monitoring, incident response, or consultations. We handle intel and analysis.

Is this the panacea? No. More like the bandaid... but it's something. We've got one partner who just set up a Passive Vulnerability system in an MSSP configuration for companies under 25 employees. When something bad happens, they respond. When something really bad happens, we get a call.

Need help? Interested in partnering? Drop me (or Chuck) a note.

In the mean time, let's keep moving forward!

For me? Time to put up the Christmas Tree. I'm late.
Have a great weekend!
Jeff

Black Friday!

I watched Good Morning America (GMA) yesterday morning as I started to author this blog and saw the CEO of one of the security vendors on television talking about malware on Black Friday.  On LinkedIn, I think I received three notifications before having my second cup of coffee, all with the same theme -- The last, written by a 'Director of Field Marketing'. I love that. A Director of Field marketing warning people of an uptick in cyber activity on Black Friday (no underlying messaging there, right?).

Over the past few weeks we've been working with some models that get us to the left of kill chain. In fact, this is the exact term I've been using in describing a new value proposition to our portfolio of intelligence services --"Getting to the left of Kill Chain*". (*Kill Chain is registered trademark of Lockheed Martin) 

How's it work? We look for things that tell us someone is going to be targeted, and then we track it. We're not 200 data scientists in the MIT Tech corridor or rocket scientists tracking space junk. We're simple guys running simple math. Take it for what it's worth.

It goes like this...

We tested against one intelligence source.  Every day (well, nearly every day) we queried it for keywords, rules, IP addresses and other things that we think might be interesting. We tally the findings and present both the number of hits and detail to the analyst or subscriber who requested it. For the purposes of this blog, I tested PayPal, Amazon and Ebay for a pure online sample, and Walmart, Lowes and Gap for more traditional brick and mortars (although they too have online shopping).  The results were, in this very limited sample, interesting.

I've removed the key from the graph to protect the innocent, but the numbers are interesting. The graph shows higher numbers of malware being sent to the online companies in a lead-up to Black Friday, while the major retailers showed nearly no increase in activity. Tallies of Malware being sent into brick and mortars were negligible throughout.

I'm showing only a few weeks, but even with the small sample, I had some thoughts..

First, this doesn't suggest to me that the sky is falling as a result of Black Friday. In fact, the numbers dropped going into Black Friday. That suggests (to me) that the cyber traps have already been set.  Second, why do pure-play online companies have a higher rate of targeting than brick and mortars

http://www.tricityretail.com/

with an online presence? One would have to believe that cash register (Point of Sale) devices are highly coveted targets. Me? While it's true everything based on a computer will have vulnerabilities, most PoS makers go to great lengths to install encryption, tamperproof architectures, etc. --and the sheer number of individual targets; you'd have to hit SO MANY of them!  I'd argue a softer target would more likely be the backend where those PoS devices aggregate their data, where it's processed, managed by admins, transferred to customer relationship management (CRM) or Enterprise Resource Planning (ERP) systems. There are a million reasons why the disparity in targeted emails.

However, the idea that the traps have already been set in backend systems of brick and mortars wouldn't surprise me at all. We know for a fact that ERP and CRM systems are just as coveted as other aggregation points -heck, we've been watching key loggers in thousands of companies around the world collect this data for over a year.

And why higher numbers in the online companies? Who knows.. maybe because the money flow is concentrated in these places? Pontification without more data would be irresponsible....

On the upside? Chatter in the security community, at least in the channels we monitor, continues as usual. The process is working. Marketers and press need to figure out how to message this stuff correctly, but the security community operates like any other day --because to us, it is. We're just a little more full as we work off the turkey.

So, get a good workout in. After mine I'm going to continue to pontificate about why one type of company gets targeted over another.  We'll continue tracking.

I hope everyone had a great Thanksgiving!
Until next time!
Have a great weekend!
Jeff

The Thread and Xindi...

http://xindibot.pixalate.com/

If you've not watched it yet, you need to take one hour and one minute and watch the Netflix The
Thread". It's a documentary on the Boston Marathon and how amateur internet crowdsourcing played a role ...and how they got it wrong. It's worth the watch.

As I watched the video, it reminded me of days past. I followed bugtraq, alt.hack and about another dozen usenet groups until the pace of keeping up became overwhelming.  Now,  I read closed communities like Red Sky Alliance (of course), and I follow several semi-closed and a few open, Google groups. And again, I'm getting the point where the amount of traffic (some good, some bad) is becoming wild.  If you're looking for heavy loads of raw data as cyber events unfold, there are a dozen places one can look. The open source groups, like Reddit during the Boston Bombing (documented in The Thread), are becoming as much of a bitch session as they are about fact. So be prepared. Open source intelligence isn't always an easy ride, which is what I watched as Xindi unfolded this week.

Nearly two weeks after watching The Threat I remember the power of open source crowd sourcing. It's truly amazing, but one quote has stayed with me since --"Mob rule"--it was a phrase used by one woman to describe how Reddit and other open sourced crowdsourcing news sources got it wrong. I won't spoil the ending, but a theory was offered on circumstantial evidence, emotions ran high, and within hours, internet users from all over the world hogpiled on, singling out one person as the mastermind.

This week, Pixalate, another intelligence company issued a report on a botnet called Xindi. My team was asked to comment on the botnet and whether or not we thought it had any real substance. My malware guy thought it might be a hoax. The intel folks thought otherwise. We watched the open source threads, each with their own opinions. One in particular reminded me of the virtual hogpile I talked about a moment ago on Reddit.

The report was posted. It detailed impression fraud, supported by a vulnerability in a process, and the authors extrapolated out potential damages if left unchecked. From an intel perspective, I actually liked the product! It was a bit heavy on the marketing for my taste, but it laid out the fact that there was a bug, the fact that it was used for impression fraud, and if left unchecked, offered some examples of how it bad it could be (which by the way, reminded me very much, of speculation that ensued during the early hours of Heartbleed).

The malware guys in the group immediately dumped on the report --no indicators; they outed victims; heavy marketing; a F500 was outed.  Even inside my little company, we had two very different thoughts, both at opposite ends of the swing of the pendulum.

So why is it that a simple intelligence report, with obvious gaps, but also obvious positives, drew such attention. How could it be that this one report generated so much (negative) discussion?  Not sure, but here's what I do know... I love analytic differences. It makes for better decision making. Crowdsourcing isn't always right, but it gives every participant the ability to come to their own conclusions. Should one use crowdsourced data blindly? Of course not. Think for yourself --but don't be afraid to take on the thoughts of others in coming to your own conclusions.

Interestingly enough, in one group, pounding the Xindi report got more air time than the ISIS attack in Paris. In another, there were no mentions of either. In another, a very busy industry list, Paris got four mentions, Xindi none. 

And now? First reported in one of the more active groups at 9:06AM on the 17th, by 10PM on the 19th the conversation is nearly dead.... on to the next topic. Starwood Hotels is now under the spotlight.

Have a great weekend and a fattening Thanksgiving!
Jeff

Attribution counts. Good intelligence counts.

We've had one of the guys on the road for the the last week. He spent some time in the Nordics, and

http://world.edu

during one visit, he was told a story that I'd like to share (we have permission).

About two months ago we received a high priority request from an overseas bank.

They'd come to us with a fast-turnaround request for information on what they were seeing during their ongoing attack. We authored an (attribution) profile with the material we had, and a bit more that we needed to dig for, but by the next morning we were able to give them some pointed gouge. The bank used it to verify the guy, and within a very short window, used the intel to kill the accounts, turn off the attack, chase down the guy, and return the money.

When asked if there was money saved by the bank, the response was ‘a ton of money’ was saved, and the profile was the information they needed to kill the (at the time) live attack.

On our end, this was a small request. We turned-to for a few hours and pulled together what we had, but for the bank, apparently it meant much more. We talked with their security team, legal, and compliance --all grateful.

This is a great story of where good intel was able to help thwart an intrusion, track down a bad guy, and stop the bleed.  We have others. I'm a believer... Attribution counts.

Other analysts don't necessarily share my views on attribution. I'm good with that. Analytic differences almost always lead to better intelligence. In our case, we believe that by knowing the attacker we can track the way they operate, why they do what they do, and how they're likely to act.  We track several dozen intrusion sets and hundreds of thousands of high confidence indicators associated with them. For many of the intrusion sets, we've broken down the groups, individuals, and the tools they like to use. And because of that level of detail in attribution, we can (sometimes, not always) help companies get to the left of the Kill Chain but even when we can't, we almost always have information that can shorten response times.

There's value in good intelligence. There's value in attribution.

BT

We don't sell boxes. We don't sell infrastructure. We sell subscriptions. We live on customer dollars, not investor dollars, and nearly all who've subscribed or joined Red Sky remain with us today. 

So as we begin to wind down 2015, if you're thinking about buying a cyber intelligence service or joining an information sharing group, give us a call! In the mean time, get 1000 Threat Recon queries free per month, or, if you're a ThreatConnect customer, ask for your 30 day free trial.

Until next time,
Have a great weekend!
Jeff

Spy sentenced! BZ!

This is a simple, short blog. I'm traveling this morning but wanted to acknowledge the arrest of a CT resident sentenced for stealing F35 engine materials and sending it to Iran. 

WASHINGTON — A former Connecticut resident has been sentenced to 97 months in jail for

Wikipedia - uploaded by Hpeterswald

attempting to send sensitive technical data on the F-35 engine to Iran.

I have one thing to say... BRAVO ZULU to the LE/CI folks who made this happen.

Without restating the  DefenseNews article, in addition to the F-35 and F-22, the guy (I refuse to rename him) also stole documents from numerous other U.S. military engine programs, including the V-22 Osprey, the C-130J Hercules and the Global Hawk engines.

Very little, very late. However, one down, many more to go... Nice job.

A shift in Intelligence Community thinking?? Don't let perfect get in the way of good...

(Photo: Courtesy/ Northrop Grumman)

The Senate passed a bill Tuesday aimed at improving cybersecurity "Senate Passes Cybersecurity Bill Aimed at Hacker Threats". It took roughly six years to win approval for such a program.

This is a big deal. The government, at least on the surface, is radically shifting its position on use of the intelligence community.  Traditionally focused on intelligence assistance to policymakers and the military, the intelligence community (IC) is now coming to the assistance of, and will supply intelligence to, the owner/operators of the US Critical Infrastructure.

What does this mean? Organizations and people who want this kind of intelligence must still undergo security and potentially facility clearance processes, and the data will still come out as classified, but it will now be made available.

What does this mean? It means that companies who are considered critical to the US (the government calls them "critical infrastructure") will be offered opportunities to receive government collected and analyzed intelligence.  For example...

At the top of the new tech heap likely to be targeted heavily by hackers, insiders, and spies?  "Northrop Grumman Wins Air Force's Long Range Strike Bomber Contract"

This was one of those deals that Northrop needed one in the win column… and they did it. But imagine what kind of cyber (and traditional) espionage targeting is going to come with this… China is launching strategic missile submarines (with nukes) as a strategic deterrence and shiny new bombers would give them the ability to project power anywhere in the world. Strategic deterrence and the ability to reach out to anywhere in the world is squarely in the Chinese playbook.... and a shiny new long range stealth bomber is a huge (critical) part of that plan. So pay attention folks… China pays attention to news release in the defense industry.  What happens next? First, my guess is, there's already an airplane that's been built --because that's the way these things work. Several companies build airplanes. Government pilots test them, engineers evaluate them, and they pass the stealth tests, someone gets a contract --yes, an airplane has probably all ready been built. But now that the decision has been made, Northrop will be exploited. And they damn sure better be getting high quality, timely intelligence from the government to help them protect it. At a price tag of $550 mil (2010 dollars) per copy, and a lifetime price tag of over $55 billion (in taxpayer dollars),  if I were sitting in the procurement shop that purchased made this award, I'd want two things:

1. I want (demand) that the US Government provide Northrop with the intelligence (cyber and other) to protect this enormous investment.  
2. I'd want how well this program is actually protected using that intelligence. I'd want the ability to know, at any moment, how well protected, and what the threats are, to this new tech and supersized investment of taxpayer dollars. 

What I wouldn't want? I wouldn't want every line in their SEIM sent to the govermnent. I wouldn't want seventeen different government information sharing, regulatory, and LE/CI organizations, banging on their door asking (sometimes demanding) logs from the new program.  I'd want to know that Northrop can, and does use that intelligence in a responsible way and can show the metrics that prove it. Assessing the ability of a defense contractor's use of government intelligence should be a requirement in awarding these contracts. Additionally, as prime, Northrop needs to be ready to assess that their supply chain is also adequately protected --it's a cost of doing business, and yes, intelligence should be used to protect them too.

Back to the point  --This government sharing initiative does nothing for security, but does allow for government intelligence sharing. It offers anti-trust protections (although the FTC has already ruled), and requires intrusions be reported to the government (we'll see how that works.. certainly I have some opinions on this --I bet you already knew that!). So, congratulations to Northrop Grumman, but more importantly, congratulations to us. Aircraft carriers can't turn on a dime, and the government takes a long time to make change, but this massive shift in intelligence community thought is an enormous milestone. It may not be perfect; the government paints with a very broad brush and one *thing* is never detailed enough to make everyone happy.

I had a boss once who used to tell me "don't let perfect get in the way of good'. My thinking? The lawyers and lobbyists will take care of the warts.

I see this as a good thing.

Jeff

Are we finally in an era when a new CISO can put the pedal on the floor??

russelreynolds.com

There are many reasons why CISOs succeed and why CISO's fail. The recipe isn't always reliant on secret sauce, but in this case, there's been what appears to be a shift in thinking.. at least on the surface. My sample size is four, but recent, and all interesting...

CISO #1 just started with a large federal government organization. He'd literally just retired from the military (after probably hundreds of years of service) as a plain clothes senior law enforcement officer and just took over with this federal organization. He'd been on the job two weeks when we first talked. CISO 1 is ready to burn down down the house, take no prisoners, and doesn't care who knows about it.

CISO #2 has been on the job for about eight months now, and since the day he started (working at a large healthcare company), he wanted to go "APT hunting". CISO 2, in my opinion (I've already expressed concern) is going to find something that's going to cost a ton of dough *like millions* without adequately preparing/socializing his bosses to what this might actually mean.

CISO #3 works in a large financial.. fairly new. Very smart guy, coming from the high tech space prior to being named CISO at this bank. CISO 3 wants intelligence, but before jumping into a collaboration, wants to turn his new banking security team into hunters and security producers --the top of the CTI Maturity ladder... because that's what he had before.

CISO #4 works in a large manufacturing company.. 100K+ computers.  CISO 4 is a brand new CISO, who told me last week that the board was requesting a brief within TWO WEEKS of reporting onboard. TWO WEEKS!? In an enterprise this size (100k+), it takes two weeks to learn where the bathrooms rooms are... let alone figure out the inter-dependencies of of the network and the business.

All four of these CISO's have exemplary careers; all very smart, motivated, and without a doubt, have earned the right to be in their CISO seats.  But I have to wonder... these guys are all pretty aggressive. I know... I'm one to talk right?  These guys are hitting the ground running hard. In past cases, I'd worry if they'd burn out, lose the support of their champions, find out the company really doesn't want to know what's really happening in their networks, or simply don't have time to build the relationships needed to be successful.

Are these guys wrong? Who am I to say? Are we finally in an era when a new CISO can put the pedal on the floor?? I can't wait to see!

In the mean time I'm running hard in the DC area preparing to fly to San Diego for the FS-ISAC conference. I'll be presenting our Cyber Threat Intelligence Assessment of Venezuela. This is the fifth such report we've written presented.

I'm looking forward to seeing many of you in Coronado. These guys pick the best spots for conferences!

So until next time,
Have a great weekend!
Jeff 

Wapack Labs acquires Project DataSafe

Red Sky Alliance caters to primarily large enterprise companies. Our membership for the most part

own at least 100K computers.

Wapack Labs authors intelligence for Red Sky Alliance, a couple of managed security service providers,  a large information sharing and analysis center, and several companies --also large.

So what about the smaller guy? How do they get intelligence?

Many of the folks we talk to simply don't have the ability to even use intelligence. They understand that there are threats out there, but haven't been adequately equipped to consume it, let alone push it into their defenses. Heck, some have great tools, but aren't really sure how to even push IOCs into an intrusion prevention system. It's not to say they have any less skill. They simply don't have the resources.

On that, I'm happy to announce Wapack Labs acquisition of Project DataSafe service offerings. 
Wapack Labs now performs remote website security testing, hardening, and maintenance.  The operation is in full swing, already performing work for several hosting companies around the US and making calls into others. 

So, what about the smaller guy? They get intelligence through its use by service providers. While any company can purchase a subscription from us, they can also request initial hardening and long term maintenance.

Interested? Drop me a line.. jstutzman@wapacklabs.com or join our mailing list.

I'm keeping it short for now. Preparing to run out for a workout and then prepare to travel tomorrow. So, until next time, have a great weekend!

Jeff

Got IOCS?

IOCs are easy.  Any number of folks can feed you IOCs all day long.  You can't swing a dead cat
without hitting an vendor who aggregates hundreds of thousands of them from open sources every day and calls themselves an intelligence shop.  I'm not saying they don't do some of their own work but literally, within minutes, crank up an EC2 instance, write a few pieces of code, and viola --IOCs in a container. Add a search engine, a way to push them out, and all of the sudden you've got yourself

a security feed.

Everybody needs them right?

IOCs are a mandatory piece of the information security landscape. UTMs and IPSs are the largest segment of the security business right now. And what do you feed them? IOCs.

So what's my point?

IOCs are great. You can buy tons of them from any number of sources on any given day. Here's the rub --how many can your UTM or IPS handle? a million? 10 million? 500 million?  When IOCs change, sometimes minute by minute, can you pump these things into your systems in a never ending stream of real time feeds? Would you even want to? It's becoming just silly. It's like the little Dutch boy who keeps sticking his finger in the dike hoping to make the water stop coming through.. he doesn't have enough fingers!  And worse, as an intel provider, some customers like to measure effectiveness of their provider(s) on IOC volume! And while that works great for some companies, remember, they too must spend time to ensure that the IOCs that they pump into their systems are in fact, the ones that will most likely result in a dropped bad inbound or outbound connection.

How does an organization make sense of it all? With context. And here's the thing.. anyone who knows me has heard me say this hundreds of times --What's old is new again. What the heck does that mean? It means this... every risk management process, as far back as I can remember, measures risk based on information brought in that tells the practitioner what the risk is, why that risk is important and where it should be prioritized in the stack. The most important risk gets mitigated, minimized, or transferred first. It's that simple. The next important happens next, and so on.

How do we know which IOCs get pushed to our security tools first? By understanding which of those IOCS are attached to the wolf closest to your sled. And how do you know that? By reading context, by receiving a heads-up when something important happens, and by having someone else in your neighborhood watch (Red Sky Alliance or others) tell you what's happening.

So here's the bottom line folks... companies who have their oh sh*t moment --that moment when they realize they've got a problem; start out as voracious consumers of IOCs... they'll eat anything; and then they find out that they need help qualifying them. The false positives are overwhelming. As they become a bit more mature, they learn to qualify them before they get pumped into their systems. At some point, they get really good at qualifying them and they learn to grow their own --they become intelligence producers; a bit higher on the maturity scale. 

So where do you get context? Where's the easy button?

Red Sky Alliance and Wapack Labs

Skip some of those steps and learn lessons from others who've had their oh sh*t moment before you. Wapack Labs produces intelligence, context, IOCS, snort, and yara rules --every piece of work is tied to a primary sourced piece of analysis, and grown from there.  Red Sky Alliance is the place where you get answers from others --privately.

Need more? Use an MSSP? Ask us. We've partnered with a couple of great MSSPs. They handle the 24x7 monitoring, the 15 minute SLAs, triage --all of the wonderful things you'd expect from them. At the same time, we get to watch the glass, monitoring for targeted threats to your company, performing what we call 'second level analysis', and feeding that second level analysis back to the MSSP to allow them to provide you with an individualized security offering.  MSSPs are not intelligence organizations but when they partner with Wapack Labs, you get the best of both worlds.  Your MSSP not a partner? Tell them to reach out. We'll hook'em up.

Gotta jet.. Early day. Kids' hiking today with school.

So until next time,
Have a great Columbus Day weekend!
I'll be back in the saddle on Tuesday!
Jeff