Saturday, April 16, 2016

We need to think smarter not harder about cyber - Cyberwatch.

I'm a bit late in posting this week. I know many of you read it on the treadmill on Saturday morning, but it's been a crazy (good) week, and I've just arrived back home from MD. I spent some time with my youngest this morning at a charity yard sale at her HS and then got a workout in... my body's sore.

We've been absolutely slammed this week. From publishing new North Korean cyber TTPs to the end of the week, to getting new features added into Cyberwatch.



That said, here's the happenings...

Cyberwatch? We pushed a new feature last night --monitor up to five companies in a portfolio view... pretty cool stuff. While the site still lacks documentation (we do have a FAQ page), the idea that a CISO can monitor up to five companies (themselves plus four others) to baseline relative levels of threat between them is, in my opinion, a tool that every CISO --and anyone who invests their own money or someone else's money-- should want.

In fact, in the graphic above, I'm monitoring 10 Aerospace companies --from really big to very small, just to see the comparison of cyber threats looking at them. It gives me a great baseline --and tells me there are maybe one or two that I should call and give a heads-up! And in the near future, we'll be looking at portfolios of up to 1000 companies (at least that's what I'm requiring of my CTO!). So imagine, sitting in your comfy leather chair, worried about hackers because Krebs broke yet another "oh shit" blog post. You simply log into Cyberwatch, check the graphic for your portfolio of companies, and either relax into your single bourbon for the night or put away half the bottle.

Why do we care? Until recently there's been no really good way to monitor situational awareness in the intelligence space writ large --and because of that, many companies have a hard time articulating the need for security --or worse, know they need it but ignore it.

So this week we showed a security guy how to monitor cyber threat in his supply chain. His reaction? He wanted to buy a single user license on the spot to help predict which stocks he should buy. We didn't really expect that reaction, but it's the second time it's happened.

Then we told him we'd purchased an equity stake in an investment tool, and our (patent pending) process for monitoring the cyber threat landscape is to be built into the analytic tool designed to help institutional investors make decisions on their portfolio.

He loved it. He still wants a single user license, but he loved it.

So imagine this... you sign into your [you name the broker/dealer's website], and you start combing through the endless amount of financial data -- revenue, costs, liquidity, margins, turns, etc... pretty cool stuff right? Now add in the idea that you can look at a new, fresh variable in your decision making process --cyber threats looking at that company. 

Given the ability to choose between two investments --one with little cyber threat and one with much cyber threat, what would you do? If you're an institutional buyer doing an M&A, you'll build it into the deal. If you're not institutional, you might consider choosing the company with the lower risk of being hacked.

BT

We're heading into May, and preparing for our June 7th Cyber Symposium in Huntsville. And yes, I know Steve Lines is going to comment on my blog that he too is running a cyber program for the DIB ISAC in May, so let me just get it out of the way right now for him.  I'm sure it'll be a good show. Steve's a great guy.

And in June? We've got some amazing talent showing up --folks who monitor networks, have built amazing security teams, and my guys --intelligence.  If you have any interest at all in how to deal with APT, the impending DFAR 800-171 or the new insider threat requirements, there'll be people there who can help.

If you want to know how DCISE works, what happens when you report, and the requirement for reporting your cyber activity to the government: it's been a while since I left the government, but I had a hand in writing some of those documents and built the early operational capability that is now DCISE. So go enjoy DIB ISAC, and then stop over for the June 7th Cyber Symposium. The agenda is looking pretty good... Red Sky/Wapack Labs, Lockheed, Morphick and Huntsville's own small-company-focused rock star, H2L Solutions. If you'd like more information, please reach out to our partner in this, Jonathan Hard, CEO at H2L. Jonathan will give you the gouge on the Symposium and set up a time to talk about doing your 800-171 assessment/attestation and go-forward plan.

Also, we're hosting our second Red Sky Threat Day in Stamford, CT on June 21st, and have some great talks lined up. If you're interested in presenting, shoot me a note. We try to bring in one outsider per quarter to give a talk. Interested? Shoot me a note.

OK folks... sorry for the late post. It's been a long week.

Have a great weekend!
Jeff




Saturday, April 09, 2016

Information Overload? No Mas! Get help...

1980. Sugar Ray Leonard v Roberto Duran. I'd just graduated from High School. I remember the fight. Sugar Ray overpowering Roberto Duran at the end of the eighth round. No mas! No more fight! This as Roberto Duran threw his hands in the air, only to take one more blow to the body, ending the fight. Duran was done. He'd been beaten down.

Why am I talking about boxing? Because, I'm afraid, like Duran, many of our network defenders are feeling beaten down.

I talked with two companies this week who both seemed to have been flat out exhausted. In both cases, the sheer volume of data simply overwhelmed them. In both cases, they've resigned themselves to the fact that intelligence (more intelligence) simply isn't going to help their situation --and in both cases, they've given in to the fact that they are being successfully breached on a regular basis. And more? They're being compromised multiple times per day. Even more, the idea that the sheer flood of data has turned these otherwise really smart guys into folks who've thrown in the towel is turning into a story that I'm hearing more and more.

So what's the next step? More big data? More feeds? No. The companies are suffering from information overload with no real means of prioritizing their efforts. And with new supply chain regulations in effect, and insider threat regulations coming into reality quickly, the simple fact is this... CSOs and CISOs need better information, not more information.

Years ago I blogged about the work required to manage the supply of data from bugtraq. I realize I'm dating myself, and I'm sure I'm not the only one who remembers trying to figure out how to watch every single emerging bug that came out on the listserv, and I'm certain I'm not the only one who combed through other sources --like USENET messaging and the FIRST emails-- on a daily basis, but even with that small dataset, on a daily basis, the idea was simply this... bugtraq sometimes cranked out 400+ pieces of vulnerability data daily. An SOC guy would spend about an hour every day simply scanning every piece of information. Add to that the idea that if a quarter of those were actionable, that SOC, network manager, or heck, even a swarm of techies couldn't keep up with the needs of even a small network.

Now think about the amount of data being called 'intelligence' that comes in today.

With dozens of aggregators out there cranking millions of pieces of data, let's face it, there's no way in hell that even the most efficient security team could keep up.  One team told me that they collect over a million pieces of new information weekly --and I think that number is probably a little on the light side. Automation helps, but rarely prioritizes actions to be taken by the responsible CISO.

So what's the answer? Better information, not just more information.

Current practice looks like this... buy a vendor get a feed. Every vendor has backend intelligence (if they don't, don't buy it).  There are some excellent choices out there.  Cisco, Palo Alto, FireEye, Crowdstrike --all great choices. The process (optimized process) looks like this --collect intelligence, compare the intelligence to exposed systems, pathways, etc., and then patch those systems or close the pathways. As more intel comes in, more fixes need to be installed. When you're receiving a million pieces of intelligence per week, the question becomes this... what to fix first?

Sometimes you just know --that system is really important, or the owner of that system is really gonna be pissed if I don't get it fixed. You know from an internal perspective why the most important system may be the most important system, but what about from an external perspective?

The smarter question that intelligence should attempt to answer is not what's that vendor seeing? Rather, what is coming after you?

To answer this question, most companies establish an internal intelligence team. You need someone a bit more specialized in their view. Someone who can focus on prioritizing efforts for you. You need analysis that can take that massive list of data that comes from the aggregation of others' lists or the intel that comes from those truly outstanding vendors, and turn it into a work process that you can actually manage.

This is where Wapack Labs comes in. While many receive general subscription information, Wapack Labs has processes in place to allow companies to understand what's coming after them. We've contracted with organizations to be, or to assist, internal intelligence teams to ensure that the tsunami of intelligence information is focused on your needs, not the rest of the world.

You've heard this from me before... In a bar fight? Fight the guy in front of you first. Then fight his friends. Don't worry about all of the other bar fights going on in the world. Someone else is going to take care of them... until they come to your bar.

And when you need help? Compare notes? Red Sky(R) Alliance is the place you ask for help. Jump in, get questions answered from folks who've done it before.

BT

It's been another fantastic week --although a bit slower. Two guys on travel in Vegas --I hope you enjoyed meeting my partner, co-founder, and CFO, Jim McKee. Jim doesn't get out much, but when he does, he shakes hands with anyone who'll take it --and then tells our story.  I stayed back, working in the BWI/DC area for a few days. It was actually a nice break from travel. Back to NH next week.

And the team? We've been publishing explanations and mitigations for the rash of SSL activities that have been running around. We also published a report on Netsky (a customer request), an updated version of iRAT, and published Targeteer(R) (DOX) reports on three African guys that we believe to be planting code in networks. If you've ever been victimized by key loggers, you'll want to read that Targeteer(R) report.

Want to know more? Check out the new website or give us a call 844-4-WAPACK.

I'm waiting for the snow in MD --and fly fishing in VA tomorrow when it warms up!

So until next time,
Have a great weekend!
Jeff







Saturday, April 02, 2016

Hack the Pentagon? I love it!

Several months ago I blogged about the idea that contractors with mature information security operations are used as butts in seats in the Pentagon and DHS --only to be not allowed to bring best-in-breed solutions or out-of-the-box thinking to those posts. The result? Long-time government employees continue down the paths they've been on for years because (sigh), it's what they know --and what they believe will work based on their own experience.

So when I saw this in my inbox two days ago, I smiled from ear to ear. I doubt anyone read my blog and decided to do this --more likely some smart entrepreneur bent the right ear inside the Pentagon and pulled off a smart coup --BZ to them! Regardless, on March 31st, DoD announced a "Hack the Pentagon" bug bounty program. Funny, I actually checked the date to make sure it wasn't an April Fools prank because the circular reporting had it on April 1st --I had to find the root article. It apparently is not.

And if this is true? I'm shocked, and elated, and yes, I'll urge my guys to participate. I love the out of the box thinking --a simple solution to a hard problem.

On a second note, I just shared an article from The Register (UK) that talks about the US Marine Corps creating a 'hacker support unit'. Very happy. My first Information Warfare job was at the Navy's Fleet Information Warfare Center in 1997. And now, nearly 20 years later, it seems the stuff is finally filtering into mainstream routine operations as a daily part of what we do.

Well done.

BT

Red Sky and the Labs continue to be busy. We published a couple of new pieces of analysis this week: two technical papers (Kiler RAT and Kibala), and one of my personal favorites, "Russian Cyber Capabilities: Lessons and Tendencies". This report discusses, in a readable short format, written by a native Russian-speaking analyst, the reasons why Russia is an APT actor (meaning state sponsored), and how we expect them to progress.

BLUF: Russia is one of the most active attackers in the cyber space. With the economy declining in Ukraine, Russia, and Belarus, financial cyber fraud originating in these countries may rise. Political tensions with the West have grown, especially over Ukraine and Syria. Russia is isolating its cyber space, and Russian APTs are getting stronger. These lead to systemic threats with the possibility of large-scale information attacks, and even disruption of the Internet and other critical infrastructure. 

In addition, we requested membership for five new organizations, including a potential integration of another large information sharing group. This is a first for us, but Red Sky has been doing well for nearly four years, and while we'd never considered bringing in another group, what the heck... if it brings value and helps with the defensive mission, we love the idea.

On that, I'm bugging out of NH for MD today... meetings first thing Monday morning and we're expecting snow, so...

Until next week,
Have a great weekend!
Jeff


Saturday, March 26, 2016

Iraq's new drone in action..

Iraq's new drone, the Chinese C-4, drew first blood against ISIS, according to an article in Popular Science. And this made me think back... for how many years did we chase Chinese espionage from networks where these things were built? And while I have no idea what the guts of these birds look like, they certainly look similar on the outside.

Iraq's new C4, optics retracted to reduce drag during flight (image: http://www.popsci.com/)

The report discussed general trends, but relating to this morning's blog was the idea that UAVs were near the top of the targeting list... and they had been for five years. So based on that thinking, 2004-2009 were peak UAV harvesting years, at a time when only the US had them.

In a previous post, I reported that a US bird (at the time) was selling for $3.2 mil, while the Chinese version was selling for ~$800,000 (USD). And now, just a few years later, we're seeing the results of that espionage activity in the air, flying against ISIS. Good for the Iraqis! Bad for us.

And then I think about the idea that it seems like only yesterday when UAVs (unmanned aerial vehicles) were high on the target list for Chinese acquisitions. In fact, in 2010, the Defense Security Service reported in an unclassified report:

"East Asia and the Pacific region were hosts to the highest number of intelligence collection attempts. “For the fifth year in a row, reporting with an East Asia and Pacific nexus far exceeded those from any other region suggesting a continuing, concerted, and growing effort to exploit contacts within United States industry for competitive, economic, and military advantage,” the report states."

We've experienced massive cyber thefts from our R&D EDUs, R&D centers, and OEMs. In the early days, the idea that new technology was obtained through cyber means was shocking. Today, not so much. The targeting of UASs (Unmanned Aerial Systems --the updated term for UAVs) today means stealing IP that allows for refined controls of the previously stolen systems --how can they be made better --navigation, targeting, optics. Regardless if for military or economic gain, the simple idea that these birds sell for a quarter of the price of our own and the skies will soon be full of them means jobs lost --and not just in the US, but also in the international supply chain. 

BT

As always, a busy week. Two new fusion reports were posted to the Red Sky portal. We've been using a new format with all of our new published reports. Members have had problems navigating the number of reports in our socially driven site. The engine isn't machine-to-machine; it focuses on human interaction. So to assist with some of the confusion, we've begun adding snapshot views to each of our products, as well as a cross reference of our previous reporting (links inside Red Sky - redacted for this post) and a link to our indicator database (open to all) where users can download indicators (https://www.threatrecon.co/search?keyword=FR16-011).

Our latest report focuses on Locky:
Executive Summary
In February 2016, the Dridex botnet was observed distributing a new ransomware variant named Locky. Since then, a number of Locky macros and downloaders have been leveraged to distribute the ransomware. This report describes a recently observed JavaScript Locky downloader that appeared in early March. Similar to Dridex, the delivery infrastructure consists of compromised bots, which send the malicious emails, as well as compromised websites that host the Locky payload.

This report includes technical details and mitigations on this Locky downloader variant and related infrastructure. Mitigations are offered at the end of this report.

Publication date: 24 March 2016; information cutoff date: 18 March 2016

Handling requirements: Traffic light protocol (TLP) AMBER. Recipients may only share TLP: AMBER information with members of their own organization on a “need-to-know” basis and only as widely as necessary to act on that information.

Attribution/Threat Actors: The Locky Javascript Downloader variant is a part of the Dridex/Locky botnet.

Actor Type: Adversary capabilities have been assessed as Tier II: Practitioners with a greater depth of experience, with the ability to develop their own tools (from publicly known vulnerabilities).


As well, this time of year is always busy for us. We've offered membership to one more organization, and have proposals out with three others. Interactions in the portal seem to have slowed a bit this spring, but we continue to populate it with intelligence, reports, commentary/analysis and actionable data. Even with the slowdown, we still see over 36% returns month over month, so I'm not complaining.

What's coming? 
  • We're planning our first Cyber Symposium with a partner in Huntsville, AL. Wapack Labs and H2L Solutions, a DFAR assessment company performing NIST 800-171 assessments in the area, will be hosting a Cyber Symposium for local companies on June 7th.
  • Two weeks later, we're doing our pre-summer quarterly Red Sky Alliance Threat Day at a member location in Stamford, CT.

It's busy. We like it this way.

The blog is getting long, so I'm going to take advantage of the sun up here in New England. 
Until next time,
Have a great weekend!
Jeff




Tuesday, March 22, 2016

A Case Study in Stock Price Movement and Cyber Risk?

We've been doing a bit of R&D. Last week I announced a new tool (Cyberwatch(R)) that we've fielded in its minimally viable form, looking to get feedback. The thinking was, we wanted to see if there were correlations between the number of times we saw a company show up in our intelligence sources and their stock price.

The example we'd toyed with was a bit ambitious but it made for a great test case.

Last summer, Amazon was reported by the NY Times as pushing its employees to the point where they'd break down at their desks. The story broke on August 15th. We wanted to know if there would be a corresponding action in the underground cyber chatter as a result of the report that broke in the NY Times, and all of the follow-on circular reporting from the other news outlets.

Figure 1: Amazon's Stock Price compared to Wapack Labs' Cyber Threat Index measures

Here's what we did. We have approximately four years of back data. Every day we counted the number of times we saw "amazon.com" or any subdomain or IP addresses in our daily queries. We figured if we kept the model simple, anyone could understand it... I don't like complex algorithms --the only people who understand them are the people who write them. I wanted math that anyone could look at quickly and know what it meant.

Wapack Labs watched the intelligence space (dark web, chatter, etc.) during this time, and counted the number of times we saw anything associated with Amazon --and we plotted it on a moving timeline against the stock price in a chart resembling a stock chart. The result? We showed movement in both the cyber threat activity, and movement of the stock price (we recognize that there are many variables that make a company's stock price move, and Amazon's stock takes a lot of market influence to make it move). There was a spike on August 4th, followed by a short period when we lost eyes, and then an increase in underground 'chatter' shortly after as we watched circular reporting by other reporting outlets. The public reaction to the bad press was evidenced by the downward movement in the stock price. The underground activity? Was this targeting of Amazon because of the bad news? Not sure, but our chart clearly shows something.
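The counting step described above (each day, count the records that mention the company's domain, any subdomain, or one of its IP addresses) is simple enough to show in full. The following is an added example written for this post, not Wapack Labs' code or the Cyber Threat Index itself. The records, the watched domain, the IP range (documentation space, 203.0.113.0/24) and the spike-ratio normalisation are all constructed assumptions. The one point worth seeing in code is the matching rule: a naive substring test for "amazon.com" would also count lookalikes such as "notamazon.com" and "amazon.com.evil.test", which inflate the count with things that are not the company's assets, so the match requires the exact domain or a dot-delimited subdomain.

```python
"""Daily mention counter over a constructed feed of intelligence records.

Added example, not Wapack Labs' code. For each day it counts the records
that mention the watched domain, one of its subdomains, or an address in
the watched IP range, then expresses each day as a ratio to the trailing
days so spikes stand out. Records, watch list and normalisation are
assumptions made for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample records: (observation date, free-text content).
# None of these are real observations.
SAMPLE_RECORDS = [
    ("2015-08-03", "phishing kit mimics login.amazon.com for credential theft"),
    ("2015-08-04", "dump includes notamazon.com accounts"),           # lookalike: must NOT count
    ("2015-08-04", "seller offers access to 203.0.113.7 (amazon.com host)"),
    ("2015-08-04", "combolist: amazon.com.evil.test - beware"),        # lookalike: must NOT count
    ("2015-08-04", "target list: AMAZON.COM, example.net"),
    ("2015-08-05", "scanner output shows 203.0.113.250 open ports"),
    ("2015-08-05", "unrelated ransomware note"),
]

# Assumed watch list for the company; the network is documentation space.
WATCHED_DOMAIN = "amazon.com"
WATCHED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

_HOST_RE = re.compile(
    r"\b[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+\b"
)
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def host_matches(host: str, watched: str) -> bool:
    """True if host is the watched domain or one of its subdomains.

    Exact match or dot-suffix only: 'notamazon.com' and
    'amazon.com.evil.test' both contain the string but are not the
    company's hosts, so they are rejected.
    """
    host = host.lower().rstrip(".")
    return host == watched or host.endswith("." + watched)


def record_mentions(text: str, domain=WATCHED_DOMAIN, networks=WATCHED_NETWORKS) -> bool:
    """True if the record names the watched domain/subdomain or a watched IP."""
    lowered = text.lower()
    for candidate in _HOST_RE.findall(lowered):
        if _IP_RE.fullmatch(candidate):
            continue  # dotted quads are handled below
        if host_matches(candidate, domain):
            return True
    for ip_text in _IP_RE.findall(lowered):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # e.g. 999.1.1.1 is not an address
        if any(ip in net for net in networks):
            return True
    return False


def daily_counts(records, domain=WATCHED_DOMAIN, networks=WATCHED_NETWORKS) -> dict:
    """Map ISO date -> number of records that mention the company that day.

    Only days present in the feed appear; a production run would fill
    calendar gaps with zero before charting.
    """
    counts = defaultdict(int)
    for day, text in records:
        counts[day] += int(record_mentions(text, domain, networks))
    return dict(sorted(counts.items()))


def spike_ratios(counts: dict, window: int = 2) -> dict:
    """Each day's count divided by the mean of the previous `window` days.

    This is an assumed normalisation chosen for the example, not the
    trademarked index. Days with no prior history map to None.
    """
    days = list(counts)
    ratios = {}
    for i, day in enumerate(days):
        prev = [counts[p] for p in days[max(0, i - window):i]]
        ratios[day] = counts[day] / (sum(prev) / len(prev)) if prev and sum(prev) else None
    return ratios


if __name__ == "__main__":
    counts = daily_counts(SAMPLE_RECORDS)
    for day, ratio in spike_ratios(counts).items():
        print(day, counts[day], "n/a" if ratio is None else f"{ratio:.2f}x")
```

On the constructed feed this yields one mention on 2015-08-03, two on 2015-08-04 and one on 2015-08-05; the two lookalike records are correctly ignored, and the second day shows as a 2.0x spike against the day before.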

So the question is, can increased cyber activity in the underground affect a company's stock price? Probably not directly, but what if the chatter that we monitor turns to action? Absolutely. Cyber isn't the only indicator that can be used to help predict stock movement, but certainly it's one that should be considered. And our experiment in identifying a new means of monitoring cyber intelligence as a leading indicator to potential damage to a company in the form of stock price movement is proving very cool. Amazon's stock is affected by millions of variables, not just cyber, but what about the company whose price isn't as resilient to changes in a singular variable --like cyber activities focused on them?

On November 9th we saw a massive spike in activity as we slid our viewing window to the right. Why? We believe this was a lead-up to Black Friday, when folks were planning, talking about, exchanging tools and credentials that could potentially exploit retailers during the holiday season. Are we sure? No. Intelligence never is, but clearly, there's a massive spike and then a drop-off to nearly zero on the actual day --why? Bad guys need time off too, and they've already planted their tools. Now they simply sit back and collect the loot.

Figure 2: Amazon - spike in Cyber Threat Index (Intelligence activity) leading up to Black Friday

Activity remained fairly consistent throughout until after the holiday, then spiked again during return season, including a massive dump of credentials (AKA Pony Dump) that affected just about every large company --not targeted, but massive. We had to change the scale to show the massive number of times that we saw Amazon in our intelligence sources... from hundreds to thousands. The good news for Amazon? It wasn't just them. It affected everyone out there. A quick comparison of the average Cyber Threat Index(R) for the companies in the Dow Jones and S&P 500 (both shown on our website -cyberwatch.wapacklabs.com) shows that the average large enterprise company was mentioned over 5000 times. Amazon actually fared better than most.

Figure 3: Amazon's Cyber Threat Index on the day of the "Pony" dump of credentials

We launched Cyberwatch(R) this week in bare bones format. There's a place to submit feature requests and bugs, but the idea is, subscribers will be able to monitor portfolios of companies in addition to their own. I'd encourage you to log in with your company domain and a stock ticker if you have one. Viewing the graphics and looking at industry or geographic trends won't cost you anything, but pulling the actual intelligence behind the graphics will.

Our thinking in this is simple... Boards, CEOs and CFOs want to know how all that money they're spending on security affects the profitable operation of the business, the stock price, and value to the shareholders. CIOs, CISOs, and techies want to know how to fix the problems that their CEOs are aware of (hopefully before he or she asks). Because we monitor non-public sources, the graphics are often times leading indicators of potential threats. Is it actionable? You bet. If you see five threats (shown in Figure 2) on that particular morning when you're monitoring the Cyber Threat Index(R) for that day, according to our sources, you have five things to monitor for or block before you finish your first coffee in the morning.

Your money guys know you've seen the problems and fixed them.  They also know they can monitor their threat activity levels for spikes and have awareness of how it might affect the company. And investors and portfolio managers now have (admittedly early maturity) a tool that can be used to measure risk before they invest.

While not a perfect science (predicting the stock market never is), we clearly show intelligence (primary sourced --not circular reporting or social media) activity increasing shortly after the NY Times called out Amazon as a harsh place to work. Is it related? Not sure. But certainly there's a corresponding movement in Amazon's stock price during the timeframe. And one sample isn't nearly enough to be able to show a 1-to-1 correlation, but for any investor considering the purchase of a large block of stock, or an M&A, monitoring a portfolio deal, or supply chain, I'd think that the idea that the price of that new investment can be influenced by movement in what we're calling (and trademarked and now patent pending) Cyber Threat Index(R) is actually pretty cool. If this works --and I suspect it will, there's now a cyber means of identifying trends that *could* move stock prices, and for any executive or board wanting to understand the value of the security required (and funded), they can monitor that activity by simply watching the trend line.

This is a bit unusual, but it's one of the reasons we didn't take external investments. We want to be able to experiment and find new ways to transcend things like the language barrier, how CISOs show the value of their spend and efforts, and how companies translate security posture wording into something their investors understand. Is it perfect? Not by a long shot. Is it promising? You bet.

Want to know more? Sign on and try it yourself --https://cyberwatch.wapacklabs.com

Need intel? Call me (844-4-WAPACK) or drop me a note. I'd be happy to schedule a demo or send material. 

Jeff

Monday, March 14, 2016

Wapack Labs' Threat Recon Indicator Database


Wapack Labs has been populating this database for about a year. It's essentially the indicators taken from our own analysis, and then grown.

Every day we get asked "Why buy another feed?"  This is a bit different. If I'm a bad guy and I have one domain registered for a C2 node, there's a good chance my other domains are also used for C2 nodes. We try and find all of them, starting from the one we know, and then provide them all to our subscribers... and they're in Threat Recon.

Sign up for your free API key. Every user gets 20 queries and 1000 free indicators per month. Plug in your search and off you go. Threat Recon runs from the web interface, or machine to machine.

Enjoy.
Jeff

Saturday, March 12, 2016

BZ! Wildfire!

When I was young, my great grandmother used to have a saying "self praise stinks", and for that reason I never authored my own military medal recommendations, and for years struggled with writing my own inputs for my annual fitness reports. But this week my team had a nice success, and I thought I'd share the story.

Earlier in the week one of our 'tripwires' fired off suggesting that one of our Red Sky members might be the target of an impending attack. After checking the facts, it turned out that we were right.

We authored a situation report and a warning, called the member, and fired off the written warning --complete with names of actors believed involved, tools expected to be used, the expected target, and the time of the attack. I authored the initial report, and sadly, the old man mistakenly offset for the wrong timezone and called the attack time for 12 hours earlier than it really was. We corrected the timezone, informed the member, and when the time came, stood by them in an online bridge throughout the process.

For over two hours on the bridge, we assisted with the online cyber ruckus, eventually pointing the member to the exact file that we believed would be exploited. Once the file was deleted from the host, the attack stopped.

Shortly after, we pulled the team together and authored the after action. I realize that many companies fight these fights on a regular basis, but in this case, my guys aren't incident responders, they're intelligence pros, and in this case, they called it dead on... and for that, I'd like to take a moment and offer my team a very strongly worded BRAVO ZULU. Nice job!

BT

On nearly every sales call lately, someone says to me, "Why do I need another feed?"

My answer? A feed tells you about everything. Intelligence tells you about you. I've used this analogy many times --If I walk into a bar and end up in a bar fight, I'll hit the guy standing in front of me first, then deal with his friends, and probably won't worry too much about all of the fights in all of the other bars around the world --at least not tonight. Feeds tell you about the bar fights happening around the world, but not how to deal with the guy standing in front of you. We run an indicator database that you can use inexpensively --ThreatRecon.co starts at free, then increases slightly based on volume. Cyberwatch(R), our newest offering, is also free --it creates a Cyber Threat Index(R) based on the number of times that we see you in our intelligence sources and plots the score daily --against your stock price. Again, no cost to log in and look --only to buy the intelligence behind the graphics.

We send cyber early warning reports several times every day. I've written in previous posts about some of our 'get to the left of kill chain' processes. We have small successes every day, but this week we had a good one. And to have my guys sit on the bridge while a member was able to successfully defend themselves --at least this time. And we're happy to have been part of putting this one 'X' in the win column.

Until next time,
Have a great weekend!
Jeff

Saturday, March 05, 2016

Post RSA thoughts

I returned from San Francisco late last night. What a week. 50,000 of my closest friends and I shared parties like you wouldn't believe, and some great security talks. I wonder if it was a mistake that I mentioned the parties before the security talks? Not really, no. You see, this year (at least for me), the theme was all about analytics and threat. We've been hearing this for a couple of years now, but the tech and associated messaging are maturing, and now it's big data analytics, presenting the pretty picture and inching ever closer to the God Box.. you know, the one that can heal the rift in the universe, bet successfully 100% of the time on the stock market and predict every lottery number with complete accuracy weeks in advance.. that God Box.

I snapped pictures of dozens of analytic portals, desktops, and mobile representations. And you know what? THEY ALL LOOK THE SAME!

And the data that they collect? IT LOOKS THE SAME TOO!

So my question is this.. are we happy knowing that SOOOO many intelligence providers out there are simply gobbling up as much open source crap as they can, pre-chewing the food and spitting it back out so some unsuspecting CISO with a board-endorsed checkbook can gobble up the now diluted food without thinking about it, or tasting how bad it really is. Is this where we're headed??

Not me.

I stayed at the Metropolitan Club this week. The Met is a private women's club outside of the Moscone area --across the street from the Marine Corps Club if you know where that is. Everything else was full up, and the Met offered reciprocity with the Harvard Club of Boston --my home club. When you check in, you're required to sign a "guarantee of privacy" that ensures no business will take place in the club, and that any conversations that happen in the club stay in the club. The place was a safe haven for weary, overstimulated guys like me who, by the end of the day, could take no more. And so every night, I'd retreat back to my private women's club, like crawling back to the safety of my mother's arms, and think. What'd I think about? Better ways of doing things.

I think about the idea that a board doesn't care if we reverse engineer, what the threats are, or if spies are stealing stuff. They care that the stock price moves and if the CISO isn't doing the right things to keep the stock price up, they'll be held liable.

I think about the fact that CEOs are measured on profits, growth and goals, and report to the board; beyond the scope of those factors, the CEO doesn't care what ports are left open and exposed.

...and I know that when I showed Cyberwatch(R) at a party on my last night there, I went from being a middle aged, balding overweight white guy to being the prettiest girl at the dance... and everyone wanted a demo. I gave them until my phone died.  One guy told the crowd that it was the best thing he'd seen all week. Another talked about the fact that such a simple idea solved a really hard problem --cutting across the language barrier between levels of management and enabling (finally) rudimentary predictive analysis.

Why so much excitement? We represent security data like the market shows dollars. I talked about this a bit last week, but we filed patent paperwork on a process that shows the effects of security intelligence, peaks and valleys on a company's stock price.

So there's a 100% chance that we didn't get it right on the first try, but the model works --keeping it simple, stupid, and presenting intelligence in a meaningful and actionable way.

The site is currently in its "minimal viable product" form, but it works... not much documentation up there yet, but enough information to get customer feedback.

Want a demo? Drop me a note. I'd be happy to set one up.

Until next week,
Have a great weekend!
Jeff

Saturday, February 27, 2016

Got eyes on your supply chain?

In the past month I've had conversations with several supply chain companies in the Aerospace industry. In one case, I informed them of 400+ dynamically generated domains registered to one specific IP address in their externally facing cloud presence.

What's that mean? I'm betting that some of you are very familiar with DGA domains. Hundreds of algorithmically generated domains pointing at one IP address could mean that someone is using that address for command and control. And it means that someone's going to have to find out.
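Here is the kind of check that surfaces a finding like the one above, written as an added example rather than Wapack Labs' own tooling: it groups passive-DNS observations by resolved IP and counts the hostnames whose registrable label is long, vowel-poor and high-entropy. The records, the address ranges and the heuristic's thresholds are all constructed assumptions.

```python
"""Flag external IPs that many DGA-looking hostnames resolve to."""
import math
from collections import Counter, defaultdict

# Constructed passive-DNS-style observations (hostname, resolved IP).
# 198.51.100.0/24 is documentation space; nothing here is a real indicator.
PDNS_RECORDS = [
    ("www.example-aero.test", "198.51.100.10"),
    ("mail.example-aero.test", "198.51.100.10"),
    ("portal.example-aero.test", "198.51.100.11"),
    ("cdn.example-aero.test", "198.51.100.20"),
    ("xk3qzr9wqpl1v.test", "198.51.100.20"),
    ("qp7vbn2xzlr0tk.test", "198.51.100.20"),
    ("wtz8kmq4yxcvb.test", "198.51.100.20"),
    ("jrx5hqplmnz9w.test", "198.51.100.20"),
    ("vbk2qtz7xmrls.test", "198.51.100.20"),
]
VOWELS = set("aeiou")

def shannon_entropy(text):
    """Bits of entropy per character (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def registrable_label(hostname):
    """Label left of the TLD: 'example-aero' from 'www.example-aero.test'."""
    parts = hostname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(hostname, min_len=10, max_vowel_ratio=0.25, min_entropy=3.2):
    """Assumed heuristic: a long, vowel-poor, high-entropy label is DGA-like.
    Dictionary-word DGAs evade this, so treat a hit as a lead, not proof."""
    label = registrable_label(hostname)
    if len(label) < min_len:
        return False
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / max(len(letters), 1)
    return vowel_ratio <= max_vowel_ratio and shannon_entropy(label) >= min_entropy

def dga_clusters_by_ip(records, min_generated=3):
    """Return {ip: (generated, total)} for IPs with at least min_generated
    DGA-looking hostnames; these are the addresses to call the supplier about."""
    per_ip = defaultdict(lambda: [0, 0])
    for hostname, ip in records:
        per_ip[ip][1] += 1
        if looks_generated(hostname):
            per_ip[ip][0] += 1
    return {ip: tuple(v) for ip, v in per_ip.items() if v[0] >= min_generated}

if __name__ == "__main__":
    for ip, (gen, total) in dga_clusters_by_ip(PDNS_RECORDS).items():
        print(f"{ip}: {gen} of {total} observed hostnames look generated")
```

On the constructed records only the .20 address trips the threshold, with one legitimate-looking name mixed in among the generated ones, which is what a shared or co-located host typically looks like in passive DNS.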

Why do you care? The companies we've been talking to are Aerospace supply chain companies between 50 and 1500 employees and they don't have the ability to defend themselves.  They make things for the US Government --DoD, NASA, probably others, and a new regulation requires them to report these incidents through their prime contractor and to the government. That's good right?

Here's the rub: very small companies generally have a part-timer or, at best, one person handling IT. At least some mid-sized companies have a problem making the jump from being a larger small company to a small enterprise, and rarely have dedicated security people. And even in bigger companies, full visibility on the network --protecting against those who really want access into these Aerospace suppliers, is really, really hard. The biggest companies --the primes, have invested millions in creating processes to fix themselves. The smaller companies simply haven't built that into prior cost models, and as a result suffer the fate of the hamster on a wheel. They can't build new security until revenue supports it. And if revenue supports it, the staff is busy fulfilling the contract.

So, in an attempt to help some of the really small guys (50-1500) we partnered with a couple of Managed Security Providers to be able to drop sensors/protections in the network --basically, outsourced security. But most companies look for the low cost options first. They won't go to an MSSP. They go to open source. So... we experimented with some of the open source stuff out there.

For the last few weeks I've been running one popular security package in an offsite office... pfSense is a great little suite of tools --very powerful, but even in our very simple environment, pfSense (I tested with the Suricata and Snort packages), running default rule sets (like most new security folks will), killed off our ability to visit key sites, because we research and talk about bad things happening on networks. The string matching automatically assumes the site is bad, and the sessions are killed off. Now picture the same default rules in one of these small companies (some are using Suricata and/or Snort): a CNC machine can't reach back to its licensing library because the oddball port is blocked by a default rule, and nobody on staff knows how to customize the rules. How long do you think that device will stay on the network once a machining operation is stopped because the CNC can't communicate? Here's a hint... not long. And that IT guy who put it there? He just lost a whole bunch of credibility, and is going to have a heck of a hard time convincing his boss to try it again next time.

But these suppliers MUST be able to detect bad things in their network. Many cannot do it alone. Is there an answer? Of course, but some of these companies are asking for help in places that promise not to talk to their primes. Others are looking for DFAR assessments as an attestation that they're doing the right thing (the assessment is, at least, a step in the right direction). Others are ignoring it, hoping it'll go away.

We have a solution. It's patent pending and being beta tested, but I'm doing demos at RSA next week. We've partnered with a cool little company called H2L to provide DFAR 800-171 and 800-53 assessments with companies in the Huntsville area.

As an output of this DFAR assessment, we recommend fixes as part of their get-well plan. We can show the prime what risks to the supply chain actually look like --in near real time. Contract officials have the ability to monitor threats to their suppliers. Suppliers have the ability to know the threats they face, and the IT folks or MSSP have the ability to react to current threats before they occur.

Pretty cool huh? We're not deployed yet, but if you'd like a demo of the beta, or want to talk about the DFAR assessment, intelligence subscriptions, or those MSSPs that we've partnered with, stop me at RSA next week. I love talking about this stuff and I'm always up for a demo, coffee or a beer!

Have a great weekend.
See you in San Francisco!
Jeff

Saturday, January 23, 2016

New Wapack Labs Blogger

Hi all, Chuck Nettleship here, the new Business Development Director at Wapack Labs. This is my first guest BLOG to give CEO Jeff Stutzman, who I have been running ragged for the last 2 plus weeks in the DC area, using the Glen Burnie Safe House and Army Navy Club as our Operation Centers. We’ve been networking with my Norwich University alumni buddies and Beltway Bandit contacts after 25 plus years of military and business in the area.

We focused our meetings this week in “snowy DC” connecting with a large defense contractor, a state Fusion Center, DC Think Tanks and international Chamber of Commerce organizations. As a former US European Command Joint Security Cooperation Planner and DHS Advisor to ADM (USN retired) Jim Stavridis (now Dean at the Fletcher School at Tufts), the work we do at Wapack Labs is similar terrain to what my Joint Operation days required - early warning, actionable and targeted Intel. After meeting our talented Analyst Team over the holidays, I wanted to start introducing Jeff to areas that may leverage our GEOPOL skills, since we cue off of underground activity to find the “why’s” for the nefarious activity we see. As one of our potential clients said this week, cyber is only a conduit to the “key terrain.” Trying to decipher the motivations of the cyber underground actors with GEOPOL and commercial activity is perplexing. At Wapack Labs, we are trying to get clients to “the left of the kill chain” in order to influence decision makers to make the right decision based on facts and valid assumptions.

What we discovered this week listening to the folks we met with is that cyber intelligence is an art and a science. The main driver for adding value is to keep economies stable. Providing proactive, actionable intelligence to keep the commercial sector safe and viable is key to economic stability. Trying to place the human dimension with malicious cyber actions is what we are good at. Big data is a resource, but until you can neck down the adversary’s motivation and network, linking that to a pending attack is painstaking. Our Team is very passionate, diligent and successful at this. To cite an example, I have been tracking the cyber threat to the power grid for several years via OSINT sources. In talking with a Director at a prestigious Think Tank this week, I asked if he had insight into the power outage in Turkey in March 2015. He stated he had no early warning or post-event indicators to his knowledge. In doing a search through our archives, I found a piece that Rick Gamache published on March 27, “Wapack Labs ‘GEOPOL Spot Report’ - Rise of the Arab Army - Saudi Arabia and Iran square off over Yemen.” In this report, Rick forecast “Cyber Targeting of the maritime, transportation, energy, and logistics sectors are on the rise.” On 30 March, ~90% of the Turkish power grid went down, attributed to President Recep Erdoğan’s public statements backing Saudi Arabia’s action in Yemen.

As we work our magic on tipping and cueing from our stellar Wapack Team, Red Sky Alliance Partners and clients, we are able to connect significant dots in the GEOPOL world. Our aim is to assist these policy and GEOPOL organizations in DC with our cyber threat intelligence networks by adding value to their OSINT and HUMINT networks, enabling a focused policy analysis. Wapack Labs is an untapped resource to the DC establishments that often narrowly focus on hardware, software and “big data” rather than tailored cyber intelligence sources using human factors. This differentiates us.

As the snow continues to fall here at our Maryland Safe House, we look forward to a successful 2016 to all.  Go Pats!

Chuck Nettleship, Wapack Labs Business Development Director

Saturday, January 16, 2016

Work with the government? Get ready.


NIST SP 800-171 is designed to protect controlled unclassified information (CUI) outside of the government, and for those who bid on contracts, several new GSA regulations are being put in place that state that every company must now attest to the fact that they have a security program in place, and (report to the government) when they have a breach that affects CUI.

I’m not a huge fan of compliance models, and this is no different, but it’s a step in a direction that’ll both be praised and criticized. Why praised? Because this is a huge step forward in a national plan for cyber reform. Is it perfect? Not by a long shot, but you fill the ocean one drop at a time. Why criticized? There are several areas where this is going to require some attention. I’ve been down this path before, both in private industry and as a government guy. I’ve seen the argument from both sides and understand both.

The new rules are going to require the protection of CUI in non-federal systems.

What exactly is CUI? I’m not asking for the definition of CUI, rather exactly what is the CUI that the government wants protected? Give me a list of key components in that widget. If we lose them to espionage actors, I’ll tell you.

How many pieces of CUI has the government defined, in how many contracts, that must have extra controls and be reported if lost during a cyber event? Is there a central repository where these things are stored? Can I log in and search for the list of things my contract requires me to protect?

How has the government protected my CUI? Should we use the same controls as defined by the government when they don’t work? Was OPM FISMA compliant? 800-53?

Do the authors of the rule understand that the vast majority of the companies that this will affect have no idea what those actors look like on the wire, and have very little ability to protect themselves? In the last 30 days I’ve talked to two companies –one 1500 people and one 11,000 people. Both are heavy satellite suppliers to NASA and DoD –but neither had a designated Chief Information Security Officer or security team.

So here’s the deal

There is no way that a company who does any kind of work will escape the requirement to report breaches to the government; and don’t plan on using their tech –Einstein is old tech, and not available for your use. So what should you be thinking about?

I run a small business. We audit our systems annually, and must document our security and attest to it for several of our customers. If you’re not prepared, this can be a huge cost sink. I get asked the question all the time… How do we do it?
  • Place your systems behind those who have the ability to protect them. Regardless of cloud or on-premise, there are some great MSSPs out there that can protect your data at the baseline level. If you need more specialization, look for more specialized providers. MSSPs are a great way to get good protection at a reasonable price --it's far less than building it yourself.
  • Our data is segmented into multiple levels of sensitivity and we protect each level differently. What could you afford to lose? What must you never lose? When you get that CUI list, what level of protection and monitoring will it require? As an example, we use cloud services for our lowest levels of sensitivity –public facing stuff, but we put moats around private data, in diverse locations, for the more sensitive material.
  • We use encryption often and we never trust SSL.
  • Use VPNs to create moats around highly sensitive data.
  • We model to ISO 27001.
Need more? A plan? Start here. It’s free. I wrote it in 2012, but it’s still highly applicable. Need monitoring and intel? Call us. I’ll set you up with a partner who’ll get you up and running.

Have a great weekend, and..

GO PATS!

Jeff