Saturday, January 16, 2016

Work with the government? Get ready.


NIST SP 800-171 is designed to protect controlled unclassified information (CUI) outside of the government. For those who bid on contracts, several new GSA regulations are being put in place that state that every company must now attest that they have a security program in place, and report to the government when they have a breach that affects CUI.

I’m not a huge fan of compliance models, and this is no different, but it’s a step in a direction that’ll be both praised and criticized. Why praised? Because this is a huge step forward in a national plan for cyber reform. Is it perfect? Not by a long shot, but you fill the ocean one drop at a time. Why criticized? There are several areas where this is going to require some attention. I’ve been down this path before, both in private industry and as a government guy. I’ve seen the argument from both sides and understand both.

The new rules are going to require the protection of CUI in non-federal systems.

What exactly is CUI? I’m not asking for the definition of CUI, rather exactly what is the CUI that the government wants protected? Give me a list of key components in that widget. If we lose them to espionage actors, I’ll tell you.

How many pieces of CUI has the government defined, in how many contracts, that must have extra controls and be reported if lost during a cyber event? Is there a central repository where these things are stored? Can I log in and search for the list of things my contract requires me to protect?

How has the government protected my CUI? Should we use the same controls as defined by the government when they don’t work? Was OPM FISMA compliant? 800-53?

Do the authors of the rule understand that the vast majority of the companies this will affect have no idea what those actors look like on the wire, and have very little ability to protect themselves? In the last 30 days I’ve talked to two companies, one of 1,500 people and one of 11,000 people. Both are heavy satellite suppliers to NASA and DoD, but neither had a designated Chief Information Security Officer or security team.

So here’s the deal

There is no way that a company that does any kind of work will escape the requirement to report breaches to the government, and don’t plan on using their tech. Einstein is old tech, and not available for your use. So what should you be thinking about?

I run a small business. We audit our systems annually, and must document our security and attest to it for several of our customers. If you’re not prepared, this can be a huge cost sink. I get asked the question all the time: how do we do it?
  • Place your systems behind those who have the ability to protect them. Regardless of cloud or on-premise, there are some great MSSPs out there that can protect your data at the baseline level. If you need more specialization, look for more specialized providers. MSSPs are a great way to get good protection at a reasonable price; it's far less than building it yourself.
  • Our data is segmented into multiple levels of sensitivity and we protect each level differently. What could you afford to lose? What must you never lose? When you get that CUI list, what level of protection and monitoring will it require? As an example, we use cloud services for our lowest levels of sensitivity (public-facing material), but we put moats around private data in diverse locations for more sensitive data.
  • We use encryption often and we never trust SSL.
  • Use VPNs to create moats around highly sensitive data.
  • We model to ISO 27001.
Need more? A plan? Start here. It’s free. I wrote it in 2012, but it’s still highly applicable. Need monitoring and intel? Call us. I’ll set you up with a partner who’ll get you up and running.

Have a great weekend, and..

GO PATS!

Jeff

Saturday, January 09, 2016

Get to the left of Kill Chain... The results are coming in!

We had a meeting yesterday in Manhattan with another large company (non-banking) who wanted to know more about our "Get to the Left of Kill Chain" model. The question is actually two-fold: can you really offer actionable early warning? And is our data any good?

So far, the answer to both appears to be 'yes', even if in a small way. The model is working.

Can we really do early warning? Last week we sent early warning to two DIB/Aerospace companies in the Space business. One was VERY grateful. The other unsubscribed. One .edu told us that they'd received a similar notice from their primary intel source (they have a source that specializes in .edu) --they'd received six at-risk accounts from their source, but we gave them over 40. And, we provided reports to over two dozen healthcare companies via the National Healthcare ISAC. Perfect model? Hardly. Good? Absolutely. Automated? Not yet but coming.

And for the second question -- is our stuff any good? This week we received feedback from another large company --this one a global security vendor, who'd been testing our data for the last couple of weeks. We provided them with ~3000 indicators, taken directly from Threat Recon, and had them run them against their global network of users. During that time, they found that more than 80% of our indicators were new to them, 2% of the indicators had over 1000 hits in 65 countries, and we had a single digit false positive rate.

threatrecon.co
The test was simple. We pulled only indicators from Threat Recon that we'd derived, taken from external tipping/queuing (our own intel sources), and provided them with the blob of data. We didn't cull anything out. 80% doesn't surprise me at all.  Those who are Red Sky members or subscribers of the lab know that we do things a bit differently.

False positive rates - single digits are still high, right? Consider this. Some days, X.X.X.X is used for command and control. Other days it's Y.Y.Y.Y.  Both, at the time of their use, are indicators of something happening. An analyst must watch both and know that X.X.X.X is a legitimate IP address -- but sometimes bad guys use it for C2.
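The point above, that the same address is C2 on some days and a legitimate host on others, is easiest to see in code. This is an added example, not Threat Recon or Wapack Labs code: it keeps the observed C2 window on each indicator and matches a constructed egress log against it, so a flow to a known address outside its window is routed to review instead of being counted as a hit.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


# Constructed indicator feed (not Threat Recon data): each entry records the
# window in which an analyst actually saw the address used for command and
# control. Outside that window the address is the legitimate host it normally is.
@dataclass(frozen=True)
class Indicator:
    value: str
    first_seen: datetime
    last_seen: datetime
    context: str


FEED = [
    Indicator("203.0.113.10", datetime(2016, 1, 2), datetime(2016, 1, 4),
              "C2 for keylogger campaign (constructed)"),
    Indicator("198.51.100.7", datetime(2016, 1, 5), datetime(2016, 1, 6),
              "C2 rotated to this host (constructed)"),
]

# Constructed egress log: "<ISO timestamp> <src> -> <dst>", one flow per line.
LOG = """\
2016-01-03T10:15:00 10.0.0.5 -> 203.0.113.10
2016-01-05T09:00:00 10.0.0.9 -> 203.0.113.10
2016-01-05T11:30:00 10.0.0.9 -> 198.51.100.7
2016-01-07T08:00:00 10.0.0.5 -> 198.51.100.7
"""


def parse_log(text):
    """Turn the constructed log format into (timestamp, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, _arrow, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events


def match(events, feed, grace=timedelta(days=1)):
    """Split flows to feed addresses into time-consistent hits and stale matches.

    A hit falls inside an indicator's observed C2 window (widened by `grace`
    on each side). A stale match is a flow to an address the feed knows but
    outside every window: alerting on it blindly is the false positive the
    text describes, so it goes to analyst review instead.
    """
    by_ip = {}
    for ind in feed:
        by_ip.setdefault(ind.value, []).append(ind)
    hits, stale = [], []
    for ts, src, dst in events:
        windows = by_ip.get(dst, [])
        live = [i for i in windows
                if i.first_seen - grace <= ts <= i.last_seen + grace]
        if live:
            hits.append((ts, src, dst, live[0].context))
        elif windows:
            stale.append((ts, src, dst))
    return hits, stale


if __name__ == "__main__":
    hits, stale = match(parse_log(LOG), FEED)
    for ts, src, dst, why in hits:
        print("ALERT  %s %s -> %s (%s)" % (ts, src, dst, why))
    for ts, src, dst in stale:
        print("REVIEW %s %s -> %s (known address, outside C2 window)" % (ts, src, dst))
```

With the constructed log, two of the four flows to feed addresses are hits and two land in review; widening `grace` to three days turns all four into hits, which is the trade-off an analyst tunes per indicator.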

So why is this blog-worthy? Because we hear every day that every feed looks the same. We try hard not to be just another feed. The goal in 2016? We want to make every customer feel like they're our only one. And for that, we've been customizing data, pushing early warning notifications (manually for now) out to those we believe need them, and in some cases to non-customers, just because we are Patriots and it's the right thing to do.

In 2016, as the threat persists, grows and becomes more complex, the ability to individualize data is going to become huge. We're building these models. We'll be pushing information through various new distribution points and partners, and will continue to push to the left of Kill Chain. All we ask is that you let us know how we're doing.

Saturday, January 02, 2016

More "Getting to the left of Kill Chain"

Getting to the left of Kill Chain has been a theme for the last several months. We're doing this today for a small group of companies. We're not a big data shop, but Wapack Labs collects an enormous amount of individualized, primary-source information, all selected by our analysts to provide specific kinds of information. Primary means that nobody has previously analyzed the data. We're seeing it first hand, untouched. The data is from sources OUTSIDE of the company. When we pull it, we check it against everything we know to be bad. When there's a 'hit', we pull the metadata and create a database entry (see above). We also get information about what a company is using to protect itself. Then, we compare the two.

On paper it sounds easy, right? It is.



On New Year's Eve, I sent an Early Warning notification to the CIO of a company who was about to receive a targeted (we believe) email from an unknown attacker. Nonetheless, the email appeared to be coming FROM a legitimate internal user, sent TO a legitimate internal user, and the subject line was "Purchase Order".

I've modified the sample to protect the victimized, but here's how the story goes.

In the example, Purchasing agent "Lew" sent "TargetEmployee" an email with an attachment. The attachment is recognized as bad by our internal processes. We assign the email a hash value and dump a report to an analyst to verify.

In this case, the malware was detected by Qihoo-360, Ikarus, Sophos, and Jiangmin.

The company, however, doesn't use any of these vendors.

AND... this company manufactures high-tech products for the aviation, maritime, and space industries. This is a supply chain company, and their chosen vendor doesn't recognize this malware as a threat.

My assessment? Likely targeted, possibly espionage focused. Here's why...
  • A malicious email was sent to look legitimate 
  • ...from an internal user to an internal user in a company 
  • ...that works in industries known to be targeted for cyber espionage (high tech, aviation, space).
  • ...the company isn't getting thousands of hits; they received one email. And that one email had a piece of malware attached that is recognized by only a few AV vendors, and none of them is theirs.
And, we (hopefully) notified them before the breach.
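The "compare the two" step described above, written out as an added example (not Wapack Labs code): the attachment is fingerprinted, the vendors that flagged it are compared with what the recipient actually runs, and the targeting signals from the list are combined into the early-warning decision. The recipient's AV vendor and industries are placeholders, since the text does not name them.

```python
import hashlib
from dataclasses import dataclass

# Industries the text names as known espionage targets.
TARGETED_INDUSTRIES = {"high tech", "aviation", "maritime", "space"}


@dataclass(frozen=True)
class Sample:
    sha256: str
    detected_by: frozenset       # AV vendors that flagged the attachment


@dataclass(frozen=True)
class Company:
    name: str
    industries: frozenset
    av_vendors: frozenset        # what the company actually runs
    sender_internal: bool        # message claims an internal sender
    recipient_internal: bool


def fingerprint(attachment_bytes):
    """Assign the attachment a hash so reports and analysts refer to one key."""
    return hashlib.sha256(attachment_bytes).hexdigest()


def assess(sample, company):
    """Compare what detected the sample with what the company runs.

    Early warning requires a coverage gap (something flagged it, but nothing
    the company deploys did) plus at least one targeting signal; otherwise the
    event is logged for the company's own controls and analysts to handle.
    """
    gap = bool(sample.detected_by) and not (sample.detected_by & company.av_vendors)
    signals = []
    if company.sender_internal and company.recipient_internal:
        signals.append("internal-to-internal message seen arriving from outside")
    if company.industries & TARGETED_INDUSTRIES:
        signals.append("operates in industries known to be targeted for espionage")
    reasons = list(signals)
    if gap:
        reasons.insert(0, "flagged by %s; none of these is deployed at %s"
                       % (", ".join(sorted(sample.detected_by)), company.name))
    verdict = "early warning" if gap and signals else "log only"
    return verdict, reasons


# Constructed bytes stand in for the real "Purchase Order" attachment.
PURCHASE_ORDER = Sample(
    sha256=fingerprint(b"constructed stand-in for the malicious attachment"),
    detected_by=frozenset({"Qihoo-360", "Ikarus", "Sophos", "Jiangmin"}),
)

# The supply-chain manufacturer from the text; its AV vendor is a placeholder.
SUPPLIER = Company("supplier (constructed)", frozenset({"aviation", "maritime", "space"}),
                   frozenset({"OtherAV (placeholder)"}), True, True)

# Contrast case: same attachment, but this recipient runs Sophos and the sender
# is external, so its own controls get a fair chance to catch it.
COVERED = Company("covered firm (constructed)", frozenset({"retail"}),
                  frozenset({"Sophos"}), False, True)

if __name__ == "__main__":
    for co in (SUPPLIER, COVERED):
        verdict, reasons = assess(PURCHASE_ORDER, co)
        print(co.name, "->", verdict)
        for r in reasons:
            print("   -", r)
```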

So what can a company do with this information? Depending on their configuration, the company has options, although based on what we know about them, only a few. In this case, the company has access control, but no real defense in depth to speak of: access control and Watchguard (potentially UTMs, we don't know).

Here's what I told them:
  • They use Watchguard. We gave them network indicators that they can push into their Watchguard system. I'm assuming they have a Watchguard admin that's certified on the management of the system.
  • We gave them meta data about the malware... enough to identify it in their network.
  • They can go directly to the user's mailbox (.pst) from their Exchange Server. 
  • If all else fails, call us. We work with some great partners that can find it for them. 
So pay attention, folks. 2016 is going to be transformative. It's not perfect, and I can guarantee we won't get it right the first time, but if you're looking for ways to get ahead of the problem, drop me a note at jstutzman@wapacklabs.com. If you can't do it yourself, we can refer you to someone who can do it for you. 

Have a great weekend!
Jeff

Saturday, December 26, 2015

2015 - A look back, and a look forward...

This is my last blog of 2015, so I thought I'd close it out right!

This was another great year in Red Sky Alliance and Wapack Labs.

Red Sky, as planned, added several new members. Our intent was never to have thousands, rather a select group who use the portal and the intelligence that’s provided. So, a few numbers:

Red Sky Alliance has roughly 200 accounts issued. Approximately 10% are issued to Wapack Labs analysts, leaving ~190 accounts. Out of those, an average of 73 people (38%) participate weekly and about half of those participate daily. Those are staggering numbers in any information sharing environment. Add to that the fact that in nearly four years, only three Red Sky Alliance members have left. One left because the member was divested and then dissolved. Another transferred and rejoined after the move. The third, an intelligence manager, took another job in the company and the intelligence team went with another service. Our customer satisfaction remains high. The intent of the Alliance was never to serve the needs of all, but rather to allow companies who really want it an opportunity to crowdsource questions and share intelligence and analysis. The price has remained stable for the last two years, significantly lower than others, with the intent that users be ecstatic at the amount of value they receive as members. We’re not into politics. We don’t drive national policy. We want standards but participate in those national-level discussions only tangentially. We author intelligence and provide it to the members. We stick to our core competency and charge a fair price, and our members seem to love that.

Wapack Labs has really grown into its own this year. Wapack Labs was spun out of Red Sky Alliance in 2013 as a place where our analysts could do other kinds of projects that didn’t fit nicely into the information sharing construct: professional and tailored intelligence collection and analysis. The Lab sells intelligence subscriptions in forms that give both the board and the C-Suite fast, one-page sound bites, along with corresponding technical reports that the tech teams can use to protect the company against the threats described in the reports their CEO reads.

We added a few new pieces of analysis this year. Targeteer® reports profile actor groups and their members. From our perspective, there are dozens of things that can be done outside of the network, without breaking any laws, to turn off an attacker’s ability to execute. Targeteer® reports offer our members the information needed to take political, legal, or other actions as may be desired by their leadership team and counsel.

We started pushing early warning indicators in September. We love Kill Chain, but many don't understand that while Kill Chain details the activities of a breach, it can also be used proactively to plan and instrument active defensive campaigns. And because so many don't understand that, if you’re operating in Kill Chain, it may be too late for you. To answer that problem we’ve spent a lot of time this year on processes that we’re calling “Getting to the Left of Kill Chain”. There's a bit of a learning curve, but so far, our pilots have been successful. When our infrastructure is built out, any company will have the opportunity to log into our new Cyberwatch® system and receive early warning indicators that they can (and should) act on before having their first coffee of the day.

Our desire to push these reports and indicators to larger audiences has showcased a bit of a problem: the ability to scale in distribution. Until this year, scaling the ability to perform human-driven analysis had always been the concern. We continue to drive analytic processes. We’re sourcing hundreds of primary sources of information, and to allow us to scale, Cyberwatch® will be released as an initial operational capability in January. The goal of Cyberwatch® is to consolidate and create efficiencies.

Today, we offer products as C-Suite offerings in a low cost format delivered on wapacklabs.com. We offer collaboration in Red Sky Alliance, and we offer a query/response indicator repository on ThreatRecon.co. It's confusing even to me!  The idea of Cyberwatch® is first to translate information security into language that anyone can understand, and know at a glance the implications of growing cyber threats. Second, we’re hoping to solve the problem of a massive need for victim notifications. The number of victims seemed to skyrocket this year, and while we’ve done our best to push out notifications, the numbers are staggering. At the time when I was drafting this blog, another company was victimized; this time for 13 million accounts. How do 13 million people get notified that their computers might have been victimized? And if they knew, what could be done about it? We hope to solve a piece of this problem.

What’s trending?

By far, the biggest activity we saw this year was the distribution of key loggers globally. As of today, we’ve seen over 12,000 unique infrastructures compromised in over 85 countries around the world. We’ve seen Nigerian actors compromising systems in every corner of the world and selling the accounts in Tor-based forums. That activity, named by us “Daily Show”, seems to focus on a few geographical locations, primarily targeting the maritime community (and those supporting the maritime community) in the South China Sea, maritime routes between Nigeria and the Black Sea, the Nordics, and the Suez Canal.

Angler has easily been number two. We’ve written several reports on Angler, and have had readers and conference goers tell us that Angler delivers roughly 90% of all of the activity seen.

Russian actors have become a tool of the military. Wapack Labs detailed accounts of Russia’s cyber actions in the conflict with Ukraine. The cyber underpinnings of the activity, in our opinion, track closely with the Ivanov Doctrine, a plan for using cyber and other information warfare tools in conjunction with physical activities.

Iran moved into the top of the threat chart. From the stockpiling of tools to connections with other actors, Iranian actors appear to have become the new China, with one major difference: Iran isn’t interested in espionage. And why should they be? They became one of the first cyber sabotage targets in this new era.

Last but certainly not least.  We watched this year as attacks turned from espionage and theft to integrity attacks, with documents manipulated to allow the movement of goods, services and money. Cyber has indeed converged with the fraud and physical security spaces... and it's only just starting.

Which brings me to my 2016 predictions:

I’ve authored predictions since 2013, and many more informally before that. I’m running pretty hot right now with nearly all coming true. Feel free to view previous predictions on our blog at henrybasset.blogspot.com.

So here goes…

  1. Key loggers aren’t anything new, but they’re taking hold in a largely automated way. In presentations this year (twice), following a consultant who talked about cracking passwords, I mentioned that passwords don’t mean a thing when there’s a keylogger involved. And it seems the number of pieces of malware with key loggers built in is increasing dramatically. Not a rocket science prediction. Common sense.
  2. We witnessed what we believe are the early indications of a movement from confidentiality-motivated attacks (meaning espionage) to integrity-motivated attacks. This year will be the year of data manipulation. This is a high probability, high damage risk prediction. Companies everywhere will lose the ability to depend on their computing systems to deliver trusted results. This has already proven true in engineering-focused industries, but now enterprise resource management systems are becoming targets of opportunity, allowing access into any of the multitude of services they connect to. 
  3. Wapack Labs witnessed customs offices in several countries being compromised. One European country’s visa office was included in that list. This is a major risk to governments everywhere. My prediction? We’ll see key government organizations in the US and elsewhere get compromised in places that vet foreign visitors. Documentation will be generated and delivered. The overarching theme? Fraud is intersecting with information security. Cyber is simply another tool, and the visa offices are not exempt.
  4. Resilience has become the name of the game. Leading-edge companies are learning to live with untrusted networks, and as 2016 unfolds, we’ll see several key companies focusing their efforts on resilient networks. We don’t believe that Chief Information Security Officers will be replaced with Resilience Officers, but taking the role to the next step means ensuring organizations can survive and operate successfully while under massive attack.
  5. Service accounts aren't getting enough love... but they will. A service account connects two systems not normally accessed by a human. For example, one database connecting to and querying another requires credentials, but because the process is automated it does not involve a human, so the credentials are written into the code or query so that no human interaction is required. If one database queries another, and the credentials required either do not change or cannot be changed (because they're built into the code), they become highly coveted targets. Many of the larger companies have already addressed this problem. Many of the smaller companies don't have the ability to act on this enormous risk... and the bad guys know it. In industry, think supply chain. In personal accounts, think of the interconnections between various social and cloud-based tools. If you can log into a system and query using a social media login, or have your home thermostat connected to your iCloud account, you've created a service connection, and it can be exploited. 
  6. Systemic risk is the phrase of the year. Systemic risk means that attackers will find singular points to attack (probably as a result of statically credentialed service account systems). Need an example? OPM was a wonderful target from a systemic perspective: compromised in such a way that new tech with new thinking was required to identify the breach (math-based behavioral anomaly detection), in a target that held such immense importance that nobody would be spared the possibility of targeting. Brilliant! I wish I'd thought of that when I was in that business. 
2016 is going to bring some big things for Red Sky and the Lab. We're hosting our first Threat Day of the year in January in DC, and we expect to debut Cyberwatch® with our membership. Beyond that, if this works, it's going to transform the way executives look at information security and cyber. So stand by. 2016 is going to be transformative... and I can't wait!

Happy New Year!
Jeff