Saturday, May 21, 2016

Have I discovered Area 51 East?

Once a month or so, the boys and I meet up at Cancun Cantina for beer and cigars. We've been meeting under their imported palm trees for years, and although the people have changed (we miss you, Alvin!), the stories continue.

We normally get together on a Friday afternoon, but this week, because of my travel schedule, I kicked out a note asking if we could do it Monday... only to realize when I arrived that my guys were standing in the empty parking lot of a closed Cancun Cantina. No cigars tonight, but we'd have those beers elsewhere.

Back to the point... as I was driving, I passed the observatory at the end of the runway at BWI. I've driven past here hundreds of times over the years, and on sunny days there's one thing in common: a crew of folks under the trees, some standing, some sitting, with cameras with monster telescoping lenses... and I had always wondered why.

I'd made the mistake of turning right coming out of Cancun Cantina to head for the agreed-upon watering hole where my friends would undoubtedly be waiting for me (because I took the long way), and as I passed the observatory, I again noticed the gathering of folks with really big cameras, and I had to take a picture. I don't know why, but it struck me. I needed a picture.

So... I turned into the observatory, pulled out my phone, stepped between the cars and snapped a quick shot. Of course, they spotted me. I didn't try to hide, and as I snapped off my second shot (I only took two), they began setting off car alarms around me. One of them (the guy in blue) turned his telescoping lens on me.

I have to wonder --are these guys just plane geeks, or is Northrop keeping something fun in the hangar that someone here is waiting to get a glimpse of? My tinfoil hat is glowing red. Have I stumbled upon Area 51 East? Or do these guys just really LUV Southwest Air?!

On sunny days, they're here all the time. I wonder if I'm the only guy who scratched his head and asked why. On occasion, there are some pretty cool planes that go in and out of here --I see them from the balcony at my apartment --I'm right in the flight path (I'm cheap). But do all airports offer access like this? Are there really plane geeks who, just for the love of it, snap pictures of every Southwest Air flight? Why?

My friends tell me I'm paranoid --but that's what I get paid to be. I want to know when someone is standing at the end of the runway waiting for something cool to come out --and if it does, and they get that series of shots with that really big lens, who's buying those pictures? And will they soon be sending more big-camera guys for more? Or will we begin seeing intrusions into computer-aided drafting systems and manufacturing, and targeting of engineers? This isn't rocket science. There's a correlation between humans snapping pictures of airplanes and computer intrusions into those companies (and people) that build them... I could go on, but for now I'm taking the tinfoil hat off as my thinking begins to drift more toward Captain America and Iron Man this afternoon with my kids.

BT

We moved into bigger space yesterday, set up that fusion center where the new crop of returning vets will be trained, and we're beginning to kick out new offerings from the work they're producing.  We're having a hell of a lot of fun, making enough money to make a living, teaching people how to do the things we're doing, and helping companies figure out what to protect today, and what to worry about tomorrow.

So, if you need indicators, try ThreatRecon.co. It's free up to 1,000 indicators per month. Sign in, get an API key, and off you go. Anything marked 90% confidence was directly analyzed and derived by us --very low false positives.

Need more? Try our low cost "Executive Readboard" subscription service --TLP White information written for your executives in a newspaper format... in fact, we hired a journalist to write these things.

Need even more? Drop me a note. We're here to help.

As a reminder, we're doing a Cyber Symposium in Huntsville on the 7th of June at the Johnson Conference Center. It's limited to 100 people and we're filling up fast. If you'd like to attend, please contact our marketing person (Pamela) for information.

OK folks...
Have a great weekend!
Jeff

Saturday, May 14, 2016

Training Wounded Warriors

Did you know that when a wounded warrior transitions through the VA, they sweep floors and plant flowers for minimum wage? You see, they're considered patients, and therefore can't be associated with patient care.  I'm happy they're getting help, but I figure there's maybe a better way --so we've started our own training program. We call it Team Jaeger, and it's headed by our newest Director, Bill Schenkelberg.

Bill retired as the Supervisory Special Agent at Coast Guard Investigative Service (CGIS) Boston. Besides retiring as an 1811 after a full Federal career, he ran the Cleveland, OH Fusion Center and was teaching active shooter classes when I caught up with him.

You see, since starting the company, we've had a strong veteran friendly culture. Much of our leadership are vets, and those who aren't learn quickly --we're a bit different. We share values, culture, language, and know what it means to get the job done.

Some of you remember our first guy --an AFG vet --a Marine E5 who came to us about two years ago, and I'm happy to say he just got accepted to college full time. He started by being taught to dissect email headers and load databases. In the end he was doing all of our pushes into external-facing systems. He wasn't much of an IT guy, but he helped out a lot... he's going to school for Psychology.

Two months ago we hired another --a former Army MP. He's a young guy who'd been sweeping floors in that VA Transition Program. Turns out he's a pretty skilled guy, running systems, chasing bad guys. This kid's a rock star in the making. He needs some training and discipline --and we'll help with that, but the skills are all there.

Last week we hired another from that Transition Program --a Marine mechanic of 16 years. This guy had a collateral duty as IT, and now we've got him running social media and basic forensic analysis processes searching for threats. In my early days I had coworkers grepping for hints of child porn in user logs. He's this guy --only not searching for porn, and yesterday he had his first good hit.

Yesterday I interviewed another --our last for now. A former Army CI guy who'd been heading for a 'walking security' job in a mall or something. I asked Bill to interview him (Bill, as a guy who used to do background checks for the CG, will now do ALL of our interviews), and we'll likely bring him on as well.

So why do I bring this up?

We've formed this new team. We call it "Team Jaeger" --the Hunt Team.

I really wanted a team who could hunt for threats to our customers (hunt, not hack) --proactively --and know what a threat looks like when they see it; when one of our customers is talked about in a bad way, or some knucklehead on the dark web takes a conversation a bit too far, or maybe when our tripwire indicators start throwing flags suggesting a physical event is about to take place using cyber as the catalyst. I wanted a team that could communicate and, when needed, act as one; a team led by a strong leader who understands what transitioning vets need, and who could work both the personalities and the desire to learn something new --something both valuable and very cool.

Bill is shaping this team of new folks that we're training up and will then introduce to the Red Sky membership for long-term jobs. Our first interns (those who survived) did amazingly well. Now we're (re)training hungry returning warriors in NH who understand the (cyber)warrior, (cyber)hunter mentality, who can tell a threat when they see it, and who know how to write a SITREP.

Some of you know Jesse.  I dropped him into the cell as the Advanced Cyber Analyst --the senior techie to help teach these wounded warriors. Jesse wears his tinfoil hat like a badge of honor, and knows the space better than anyone. He's a master in the underground and can help these guys navigate. He's the perfect guy for that job.

Results? Within the first couple of weeks we've completely reshaped some of our proactive reporting --reading tea leaves and following footprints; blending traditional hunter techniques with cyber tipping and cueing and traditional all-source fusion processes. We tipped off a local (Oklahoma local) PD to a possible movie theatre shooting, and one of our banking customers to some negative activity by a guy that we researched a while back. We're tracking from early noise and coordination through the attack, and if need be, after the attack --and we're training wounded warriors to be the tip of the spear. Are we moving from cyber? No. But if we see something, we now have the manpower to say something --and we should --and we will.

Returning Warriors can be funded by a company or organization. We'll train them to hunt on your behalf, and when they're ready --if you choose, we'll roll them over to you as an employee, keep them on in our SOC, or get them interviews with companies in the Red Sky membership.

We're a cash-flow company and we've hired as many of these folks as we can afford right now. We are looking for funding sources to fill our new spaces --we rented a handicapped-accessible bunker for the new operations center, and we've partnered with a local NH company (FlowTraq) and its two principals --two Dartmouth PhDs --to help teach these guys the ins and outs of monitoring flow.

Some props: Thank you to Richard and Audrey at the Manchester, NH VA Medical Center's Vocational Transition Program for supporting this program. The VA gets a lot of bad press, but these guys are rock stars.

Interested in participating? Funding a student? A training provider? Have a great product? Drop me a note. Or better yet, drop Bill Schenkelberg (the Jaeger Meister?) a note! Our guys need training on great products. If you're interested in partnering, we'd love to hear from you.

BT

This week:

  • We posted an update on Gh0stRAT, with full technical details and mitigation strategies.
  • We pushed information related to SWIFT
  • We pushed "new format" tailored cyber threat intelligence to subscribers
  • We're preparing for our next round of Threat Intelligence University and...

As a reminder, we're co-hosting a Cyber Symposium in Huntsville, AL on June 7th. The agenda looks great with speakers from Red Sky/Wapack Labs (me and Chris), Lockheed Martin, Morphick Security and i3. Space is limited and we're filling up. If you're interested, drop our marketing person (Pamela) a note to get your name on the list.

Last, Threat Day in Stamford is coming up fast. The agenda there is also pretty full. This is a members only event, so if you've not RSVP'd to Pamela, please do so quickly.

OK folks.. that grass isn't going to mow itself!
Have a great weekend!
Jeff


Saturday, May 07, 2016

Don't believe everything you read (or your indicator aggregator tells you!)

If you've been monitoring the story of 270+ million stolen Mail.ru, Google, Yahoo, and Hotmail accounts, you'll know there's still a bit of controversy, but this story is one from the other side of the pond --I'm leaving it in my Analyst's good but still slightly broken English. The point? Don't believe everything that's aggregated and dumped into your defenses. We're still verifying too.

This is a couple of days old and is making its way through the groups, but for the rest, this is yet another great lesson on sourcing quality when it comes to intelligence. What would your company have done if they'd received 270 million personal email accounts? Many of you allow personal accounts to be used --or at a minimum, allow their use from work, or through social networks.

Mistakes and miscommunications sometimes happen, and there's no telling if this was Mail.ru doing damage control, or if it really was a bad source. Either way, the lessons are these... the data is suspect. Know your sources. Know your intel provider. If they're giving you junk, ask for more information.

------------------------------------------------------------

Initially it was reported that Alex Holden's Hold Security got a database with 1.17 billion records containing 272.3 million stolen accounts, including Mail Ru, GMail, Yahoo and Hotmail users (1). According to Holden, the cache contained nearly 57 million unique Mail.ru accounts, a big chunk of their 64 million monthly active email users (2). While Yahoo and Google are still investigating, Mail Ru, which allegedly was hit the worst, requested the accounts and reported the result of its investigation (3):

Mail Ru says that Holden just grabbed different databases together to attract attention to his business (3). They say 99.982% of the Mail Ru accounts they got from Holden were not valid, while 0.018% were possibly working and have now been notified to change their passwords.

In a more detailed breakdown of the numbers, Mail Ru says:
  • 22.56% of Holden's accounts have e-mail addresses that never existed in the first place
  • 64.27% had the wrong password
  • 0.74% had no password at all
  • 12.42% of accounts were already blocked as hacked or automatically created (3)

They also believe that some passwords in the database were automatically created during/for brute-forcing attempts (3).

In another breakdown of the data, The Inquirer reports that only 15.4% (42/272M) of the accounts are being seen leaked for the first time (2), which means most of the accounts were seen leaked before and were possibly just copied from previous breaches (2).


(3) tass[.]ru/obschestvo/3263688 [in Russian]
and corp.mail[.]ru/en/press/releases/9613
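The analyst's numbers above are a breakdown somebody else ran for you. Here is an added example (not code from this post, from the analyst, or from Mail.ru or Hold Security) of running the same kind of triage on your own side before a dump like that ever reaches your defenses: parse it, throw out what isn't yours, and bucket what is left into addresses that never existed, accounts already blocked, rows with no password, pairs already seen in earlier leaks, and the small remainder that actually merits a forced reset. Nothing here tests a password against a live system. Every input (the dump lines, the user list, the prior-leak set, the example.com domain) is constructed for the illustration.

```python
"""Triage an aggregated credential dump before it reaches your defenses.

Added example: not code from this post, the analyst, Mail.ru or Hold
Security. Every input below is constructed; example.com stands in for
your own mail domain.
"""
import re
from collections import Counter

# Cheap syntactic check; it is meant to catch junk rows, not validate RFC 5322.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_dump(text):
    """Split 'email:password' lines into (email, password) pairs.

    A row with no ':' yields password None; a row ending in ':' yields ''.
    Both are kept so the triage can count them as 'no password'.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        email, sep, password = line.partition(":")
        rows.append((email.strip().lower(), password if sep else None))
    return rows


def triage(rows, our_domains, known_users, blocked_users, prior_leaks):
    """Bucket each row the way Mail.ru described its breakdown.

    Returns (Counter of bucket -> count, list of accounts that merit action).
    Order of the checks matters: a row lands in the first bucket it fits.
    """
    counts = Counter()
    actionable = []
    seen = set()
    for email, password in rows:
        if not EMAIL_RE.match(email):
            counts["malformed"] += 1
            continue
        if email.rsplit("@", 1)[1] not in our_domains:
            counts["not_our_domain"] += 1      # somebody else's problem
            continue
        if email in seen:
            counts["duplicate"] += 1           # dumps are padded with repeats
            continue
        seen.add(email)
        if email not in known_users:
            counts["never_existed"] += 1
        elif email in blocked_users:
            counts["already_blocked"] += 1
        elif not password:
            counts["no_password"] += 1
        elif (email, password) in prior_leaks:
            counts["seen_in_prior_leak"] += 1  # recycled from an older breach
        else:
            counts["new"] += 1
            actionable.append(email)
    return counts, actionable


# --- constructed sample data (not a real dump) --------------------------
SAMPLE_DUMP = """\
alice@example.com:hunter2
bob@example.com:password1
carol@example.com:
dave@example.com:qwerty
alice@example.com:hunter2
nobody@example.com:letmein
eve@example.net:abc123
not-an-email
mallory@example.com:pass
"""
OUR_DOMAINS = {"example.com"}
KNOWN_USERS = {"alice@example.com", "bob@example.com", "carol@example.com",
               "dave@example.com", "mallory@example.com"}
BLOCKED_USERS = {"mallory@example.com"}
PRIOR_LEAKS = {("alice@example.com", "hunter2"),
               ("bob@example.com", "password1")}


def run_example():
    """Triage the constructed dump; returns (counts, actionable)."""
    return triage(parse_dump(SAMPLE_DUMP), OUR_DOMAINS,
                  KNOWN_USERS, BLOCKED_USERS, PRIOR_LEAKS)


if __name__ == "__main__":
    counts, actionable = run_example()
    for bucket, n in sorted(counts.items()):
        print(f"{bucket:20s} {n}")
    print("force a reset for:", actionable)
```

Nine rows go in and one account comes out needing a reset; the rest is junk, repeats, dead accounts or recycled material, which is the analyst's point in code form. In practice `prior_leaks` would hold hashes of earlier dump rows rather than plaintext pairs, and the "known users" lookup belongs against a directory export, not the live IdP, so the triage itself can't be turned into a password-spray against your own users.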

BT

Keeping it short this weekend. Feeling a bit under the weather.

In the meantime, we've reworked some of our reporting processes for a more holistic look at cyber threat --getting to the left of the Kill Chain continues to be our mantra. Interested? Drop us a note or give us a call.

Until next time,
Have a great weekend.
Jeff

Saturday, April 30, 2016

US Steel, Solar, and SpaceX --what do they have in common?



I live in the woods, so my daily Wall Street Journal comes via post office. I could read it on my iPad, but I still prefer turning the pages over morning coffee, so I deal with it.


Yesterday one of the guys in my office (who gets his paper on time), and who'd worked for the Steel Industry Association for many years, dropped the business and tech section on my desk (a spoiler alert?) with a headline below the fold: "U.S. Steel Accuses China of Hacking"... hacking and stealing intellectual property "enabling [China] to manufacture lightweight steels that compete with U.S. Steel's products." The lightweight steel is used for manufacturing lighter cars --for better gas mileage.

U.S. Steel (and others) were the victims named in the 2014 indictment of five Chinese hackers.

As the indictment itself notes, "An indictment is merely an accusation and a defendant is presumed innocent until proven guilty in a court of law."

So let's look at the bigger picture...

From 2006 through 2012, five guys (I'd bet a Yuan there were more than just one!) hacked into various US companies -- Alcoa, Westinghouse Electric, US subsidiaries of SolarWorld AG, U.S. Steel, Allegheny Technologies (ATI), and the United Steel, Paper, Forestry, Rubber, Manufacturing, Energy, and Allied Industrial and Services Workers Union (USW).

In my own words, these five guys (and their friends) mapped networks, planted access, grew access, and made themselves at home. They prepared the networks for future exploitation... and that's exactly what happened. And I'd bet another Yuan that they've exploited these companies ever since.

So now you know the cause. What about the effect? Theft of lightweight steel manufacturing alone is going to have ripple effects across the board, from the manufacture of knockoff cars that compete directly with US (and other) cars to those lightweight steel 2x4's that are now used as studs in the construction business.


And what about the others? In the solar business? The world, especially China, needs more energy, and solar processes are needed to offset the limited supplies of future oil and natural gas... but turning solar into energy, especially at massive scale, requires specialized processes.

What's next? On page B3 of my (yesterday's) Wall Street Journal is a picture of Elon Musk's SpaceX with the caption "Air Force will pay SpaceX $83 million to put a satellite into orbit." Watch out, Elon: you and the other companies mentioned in the article have just become the next top target. Space Exploration Technologies (SpaceX), United Launch Alliance, Boeing, Lockheed Martin, and any company in the supply chain building these new, lower-cost commercial rockets will have crosshairs on their cyber foreheads just like the steel industry did. Space technology has been high on the Chinese priority list for several years.

BT

We had an interesting week. On Monday we kicked off a new effort to train transitioning vets. We've hired two in the last month and expect to hire several more in the coming weeks. And because many of them are not (yet) cyber experts (we're training them), we have them do other things --like reading social media, translating pages, and in general, watching for physical threats via cyber means. Over time we'll transition these guys up to reading packets, malware analysis, and other critical skills needed in our space. Some will choose to stay with us, but others will have the opportunity to be introduced to Red Sky member companies for longer-term, higher-paying jobs. In fact, we hired the former Supervisory Special Agent from the Coast Guard First District's (Boston) CGIS unit --Bill Schenkelberg --to run this new team. Bill was involved in the NH and Cleveland Fusion Centers and now sits on the board of the National Fusion Center Association. We're looking forward to having him join us!

As a reminder, we're preparing for our joint H2L Solutions | Wapack Labs Cyber Symposium in Huntsville on June 7th. We'll be joined by folks from H2L, Lockheed, Morphick Security, and so far about a dozen of our closest friends at the Jackson Center in Huntsville. 

Care to join us? Drop our marketing person a note. Her name is Pamela, and she'd be happy to help.

OK. That grass isn't going to mow itself. 
Until next time,
Have a great weekend!
Jeff


Saturday, April 23, 2016

Beware of Female (or Male) Spies!

I have a poster in my office in New Hampshire. Remember the "Beware of Female Spies" poster? I have one framed and hanging in my office.

This morning when I scanned my morning RSS feeds, I found a story about China warning its young girls not to fall for handsome strangers who might be looking to steal state secrets, and it immediately made me think of the old poster hanging in my office.

The Chinese version of the story starts out with two young girls, followed by what appears to be a dinner date with wine, and ends up showing the girl in handcuffs after both she and David are arrested, and a police officer telling her that she has a shallow understanding of the need to protect state secrets.  The caption shown with the comic above reads "David, the red-headed man, should not be trusted."

The comic not only reminded me of the need for OPSEC, but also that intelligence is very personal. David is obviously attempting to collect from a young girl, plying her with compliments, wine, affections and probably a bit of money. He's doing this because he needs information on something specific, from someone specific. And while it's good to know that there are big things that people want to steal from each other, it's more important to the company to know what someone wants to steal from them...

And so we've begun a bit of an overhaul in the way we author our own reports. I talked about Cyberwatch last week, and that's one output --one way that we individualize our reporting to the specific customer. We write daily reports --they include some open source material, but each one starts out with "what's coming for you?" and then leads into the broader "now here's what's happening around the world"... I've challenged my team to write to the individual --make every one of our readers feel like the product was written for them specifically, and to that end we've started pushing products to every customer, tailored to them. What kinds of things can you expect from us? Here are a few use cases:

For the enterprise --intelligence for network defense --this is the stuff we write every day. But what about the bigger picture? Here are a few examples of intelligence work we've been doing...

  • Counter branding
  • Anti-counterfeit
  • M&A and Supply Chain assessments
  • Log analysis
  • Strategic intelligence --what do you have that someone will want to steal next week?

This is hard stuff, folks. There are a ton of intel companies out there, and most collect from the same sources, and you can't swing a dead cat without someone else standing up an EC2 instance with a fancy front end and calling themselves cyber intelligence. But if you really want individualized attention, whom do you call? You call Wapack Labs. Someone told me two weeks ago "23 people does not an intelligence company make" --but when you're 25 people and you service only a small number of high quality companies, 23 (we'll be 26 by May 1st) is the perfect size.

BT

Need easy-to-read material for your boss? Check out our TLP WHITE Executive Read Board --now set up on our main website. We put up a simple Wordpress site last year on a whim and it caught on, but we'd heard more and more that there were log-in issues, and my poor old version of Wordfence was taking a beating, so finally, today, we went live on a new TLP WHITE Executive Read Board. Why do we call it the Executive Read Board? In my early days as a shipboard Radioman, we packaged up a daily 'read board' for the old man. Every day, we took the read board up to his cabin and asked that he chop off (initial) every document that he read. So enjoy. It's priced right --even with a couple of no-cost reads per month, and for every story there are indicators in our Threat Recon indicator database. And if you need more, for every indicator there's a report in Red Sky...
Context, depth, indicators. Have a look:

http://www.wapacklabs.com/subscribe/

Last, we're preparing for some upcoming events:

  • We're hosting a Cyber Symposium in Huntsville with H2L Solutions on June 7th (yes, Steve, I know --DIB ISAC is doing something too!).
  • On the 8th, I'll be in Philadelphia for a talk with insurance lawyers, and on the 8th, Chuck Nettleship (our inbound Lab Director) will be speaking in Toronto.
  • And on the 21st, our second Threat Day of the year, hosted at a member location in Connecticut. It's busy.

Need information? Drop us a note. 

Interested in sponsoring or speaking at one of our events? Drop us (Pamela --our marketing person) a note!

Until next time,
Have a great weekend!
Jeff

Saturday, April 16, 2016

We need to think smarter not harder about cyber - Cyberwatch.

I'm a bit late in posting this week. I know many of you read it on the treadmill on Saturday morning, but it's been a crazy (good) week, and I've just arrived back home from MD. I spent some time with my youngest this morning at a charity yard sale at her HS and then got a workout in... my body's sore.

We've been absolutely slammed this week, from publishing new North Korean cyber TTPs to getting new features added into Cyberwatch by the end of the week.



That said, here's the happenings...

Cyberwatch? We pushed a new feature last night --monitor up to five companies in a portfolio view... pretty cool stuff. While the site still lacks documentation (we do have a FAQ page), the idea that a CISO can monitor up to five companies (themselves plus four others) to baseline relative levels of threat between them is, in my opinion, a tool that every CISO --and anyone who invests their own money or invests someone else's money --should want.

In fact, in the graphic above, I'm monitoring 10 Aerospace companies --from really big to very small, just to see the comparison of cyber threats looking at them. It gives me a great baseline --and tells me there are maybe one or two that I should call and give a heads-up! And in the near future, we'll be looking at portfolios of up to 1000 companies (at least that's what I'm requiring of my CTO!). So imagine, sitting in your comfy leather chair, worried about hackers because Krebs broke yet another "oh shit" blog post. You simply log into Cyberwatch, check the graphic for your portfolio of companies, and either relax into your single bourbon for the night or put away half the bottle.

Why do we care? Until recently there's been no really good way to monitor situational awareness in the intelligence space writ large --and because of that, many companies have a hard time articulating the need for security --or worse, know they need it but ignore it.

So this week we showed a security guy how to monitor cyber threat in his supply chain. His reaction? He wanted to buy a single user license on the spot to help predict which stocks he should buy. We didn't really expect that reaction, but it's the second time it's happened.

Then we told him we'd purchased an equity stake in an investment tool, and our (patent pending) process for monitoring the cyber threat landscape is to be built into the analytic tool designed to help institutional investors make decisions on their portfolio.

He loved it. He still wants a single user license, but he loved it.

So imagine this... you sign into your [you name the broker/dealer's website], and you start combing through the endless amount of financial data -- revenue, costs, liquidity, margins, turns, etc... pretty cool stuff right? Now add in the idea that you can look at a new, fresh variable in your decision making process --cyber threats looking at that company. 

Given the ability to choose between two investments --one with little cyber threat and one with much cyber threat, what would you do? If you're an institutional buyer doing an M&A, you'll build it into the deal. If you're not institutional, you might consider choosing the company with the lower risk of being hacked.

BT

We're heading into May, and preparing for our June 7th Cyber Symposium in Huntsville. And yes, I know Steve Lines is going to comment on my blog that he too is running a cyber program for the DIB ISAC in May, so let me just get it out of the way right now for him.  I'm sure it'll be a good show. Steve's a great guy.

And in June? We've got some amazing talent showing up --folks who monitor networks, have built amazing security teams, and my guys --intelligence. If you have any interest at all in how to deal with APT, the impending DFARS (NIST SP 800-171) requirements or the new insider threat requirements, there'll be people there who can help.

If you want to know how DCISE works, what happens when you report, and the requirement for reporting your cyber activity to the government: it's been a while since I left the government, but I had a hand in writing some of those documents and built the early operational capability that is now DCISE. So go enjoy DIB ISAC, and then stop over for the June 7th Cyber Symposium. The agenda is looking pretty good... Red Sky/Wapack Labs, Lockheed, Morphick and Huntsville's own small-company-focused rock star, H2L Solutions. If you'd like more information, please reach out to our partner in this, Jonathan Hard, CEO at H2L. Jonathan will give you the gouge on the Symposium and set up a time to talk about doing your 800-171 assessment/attestation and go-forward plan.

Also, we're hosting our second Red Sky Threat Day in Stamford, CT on June 21st, and have some great talks lined up. If you're interested in presenting, shoot me a note. We try and bring in one outsider per quarter to give a talk. Interested? Shoot me a note.

OK folks... sorry for the late post. It's been a long week.

Have a great weekend!
Jeff

Saturday, April 09, 2016

Information Overload? No Mas! Get help...

1980. Sugar Ray Leonard v Roberto Duran. I'd just graduated from High School. I remember the fight. Sugar Ray overpowering Roberto Duran at the end of the eighth round. No mas! No more fight! This as Roberto Duran threw his hands in the air, only to take one more blow to the body, ending the fight. Duran was done. He'd been beaten down.

Why am I talking about boxing? Because, I'm afraid, many of our network defenders are feeling beaten down, just like Duran.

I talked with two companies this week who both seemed to be flat-out exhausted. In both cases, the sheer volume of data simply overwhelmed them. In both cases, they've resigned themselves to the fact that intelligence (more intelligence) simply isn't going to help their situation --and in both cases, they've given in to the fact that they are being successfully breached on a regular basis. And more? They're being compromised multiple times per day. Even more, the idea that the sheer flood of data has turned these otherwise really smart guys into folks who've thrown in the towel is turning into a story that I'm hearing more and more.

So what's the next step? More big data? More feeds? No. The companies are suffering from information overload with no real means of prioritizing their efforts. And with new supply chain regulations in effect, and insider threat regulations coming into reality quickly, the simple fact is this... CSOs and CISOs need better information, not more information.

Years ago I blogged about the work required to manage the supply of data from bugtraq. I realize I'm dating myself, and I'm sure I'm not the only one who remembers trying to figure out how to watch every single emerging bug that came out from the listserv, and I'm certain I'm not the only one who combed through other sources --like USENET messaging and the FIRST emails on a daily basis. But even with that small dataset, the idea was simply this... bugtraq sometimes cranked out 400+ pieces of vulnerability data daily. A SOC guy would spend about an hour every day simply scanning every piece of information. Add to that the idea that if a quarter of those were actionable, that SOC, network manager, or heck, even a swarm of techies couldn't keep up with the needs of even a small network.

Now think about the amount of data being called 'intelligence' that comes in today.

With dozens of aggregators out there cranking millions of pieces of data, let's face it, there's no way in hell that even the most efficient security team could keep up.  One team told me that they collect over a million pieces of new information weekly --and I think that number is probably a little on the light side. Automation helps, but rarely prioritizes actions to be taken by the responsible CISO.

So what's the answer? Better information, not just more information.

Current practice looks like this... buy a vendor, get a feed. Every vendor has backend intelligence (if they don't, don't buy it). There are some excellent choices out there. Cisco, Palo Alto, FireEye, Crowdstrike --all great choices. The (optimized) process looks like this --collect intelligence, compare the intelligence to exposed systems, pathways, etc., and then patch those systems or close the pathways. As more intel comes in, more fixes need to be installed. When you're receiving a million pieces of intelligence per week, the question becomes this... what to fix first?

Sometimes you just know --that system is really important, or the owner of that system is really gonna be pissed if I don't get it fixed. You know from an internal perspective why the most important system may be the most important system, but what about from an external perspective?

The smarter question that intelligence should attempt to answer is not what's that vendor seeing? Rather, what is coming after you?

To answer this question, most companies establish an internal intelligence team. You need someone a bit more specialized in their view. Someone who can focus on prioritizing efforts for you.  You need analysis that can take that massive list of data that comes from the aggregation of others' lists or the intel that comes from those truly outstanding vendors, and turn it into a work process that you can actually manage.

This is where Wapack Labs comes in. While many receive general subscription information, Wapack Labs has processes in place to allow companies to understand what's coming after them. We've contracted with organizations to be, or to assist, internal intelligence teams and ensure that the tsunami of intelligence information is focused on your needs, not the rest of the world.

You've heard this from me before... In a bar fight? Fight the guy in front of you first. Then fight his friends. Don't worry about all of the other bar fights going on in the world. Someone else is going to take care of them... until they come to your bar.

And when you need help? Compare notes? Red Sky(R) Alliance is the place you ask for help. Jump in, get questions answered from folks who've done it before.

BT

It's been another fantastic week --although a bit slower. Two guys on travel in Vegas --I hope you enjoyed meeting my partner, co-founder, and CFO, Jim McKee. Jim doesn't get out much, but when he does, he shakes hands with anyone who'll take it --and then tells our story.  I stayed back, working in the BWI/DC area for a few days. It was actually a nice break from travel. Back to NH next week.

And the team? We've been publishing explanations and mitigations for the rash of SSL activities that have been running around. We also published a report on Netsky (a customer request), an updated version of iRAT, and published Targeteer(R) (DOX) reports on three African guys that we believe to be planting code in networks. If you've ever been victimized by key loggers, you'll want to read that Targeteer(R) report.

Want to know more? Check out the new website or give us a call 844-4-WAPACK.

I'm waiting for the snow in MD --and fly fishing in VA tomorrow when it warms up!

So until next time,
Have a great weekend!
Jeff

Saturday, April 02, 2016

Hack the Pentagon? I love it!

Several months ago I blogged about the idea that contractors with mature information security operations are used as butts in seats in the Pentagon and DHS --only to be not allowed to bring best-in-breed solutions or out-of-the-box thinking to those posts. The result? Long-time government employees continue down the paths they've been on for years because (sigh), it's what they know --and what they believe will work based on their own experience.

So when I saw this in my inbox two days ago, I smiled from ear to ear. I doubt anyone read my blog and decided to do this --more likely some smart entrepreneur bent the right ear inside the Pentagon and pulled off a smart coup --BZ to them! Regardless, on March 31st, DoD announced a "Hack the Pentagon" bug bounty program. Funny, I actually checked the date to make sure it wasn't an April Fools prank because the circular reporting had it on April 1st --I had to find the root article. It apparently is not.

And if this is true? I'm shocked, and elated, and yes, I'll urge my guys to participate. I love the out of the box thinking --a simple solution to a hard problem.

On a second note, I just shared an article from The Register (UK) that talks about the US Marine Corps creating a 'hacker support unit'. Very happy. My first Information Warfare job was at the Navy's Fleet Information Warfare Center in 1997. And now, nearly 20 years later, it seems the stuff is finally filtering into mainstream routine operations as a daily part of what we do.

Well done.

BT

Red Sky and the Labs continue to be busy. We published a couple of new pieces of analysis this week: two technical papers (Kiler RAT and Kibala), and one of my personal favorites, "Russian Cyber Capabilities: Lessons and Tendencies". This report, written by a native Russian-speaking analyst, discusses in a short, readable format the reasons why Russia operates as an APT actor (meaning state sponsored), and how we expect them to progress.

BLUF: Russia is one of the most active attackers in the cyber space. With the economy declining in Ukraine, Russia, and Belarus, financial cyber fraud originating in these countries may rise. Political tensions with the West have grown, especially over Ukraine and Syria. Russia is isolating its cyber space, and Russian APTs are getting stronger. These lead to systemic threats with the possibility of large-scale information attacks, and even disruption of the Internet and other critical infrastructure. 

In addition, we requested membership for five new organizations, including a potential integration of another large information sharing group. This is a first for us, but Red Sky has been doing well for nearly four years, and while we'd never considered bringing in another group, what the heck... if it brings value and helps with the defensive mission, we love the idea.

On that, I'm bugging out of NH for MD today... meetings first thing Monday morning and we're expecting snow, so...

Until next week,
Have a great weekend!
Jeff


Saturday, March 26, 2016

Iraq's new drone in action..

Iraq's new drone, the Chinese C-4 drew first blood against ISIS, according to an article in Popular Science. And this made me think back... for how many years did we chase Chinese espionage from networks where these things were built? And while I have no idea what the guts of these birds look like, they certainly look similar on the outside.

Iraq's new C4, Optics retracted to reduce drag during flight
http://www.popsci.com/



The report discussed general trends, but relating to this morning's blog was the idea that UAVs were near the top of the targeting list... and they had been for five years. So based on that thinking, 2004-2009 were peak UAV harvesting years, at a time when only the US had them.   

In a previous post, I reported that a US bird (at the time) was selling for $3.2 mil, while the Chinese version was selling for ~$800,000 (USD). And now, just a few years later, we're seeing the results of that espionage activity in the air, flying against ISIS. Good for the Iraqis! Bad for us.

And then I think about the idea that it seems like only yesterday when UAVs (unmanned aerial vehicles) were high on the target list for Chinese acquisition. In fact, in 2010, the Defense Security Service reported in an unclassified report:

"East Asia and the Pacific region were hosts to the highest number of intelligence collection attempts. “For the fifth year in a row, reporting with an East Asia and Pacific nexus far exceeded those from any other region suggesting a continuing, concerted, and growing effort to exploit contacts within United States industry for competitive, economic, and military advantage,” the report states."

We've experienced massive cyber thefts from our R&D EDUs, R&D centers, and OEMs. In the early days, the idea that new technology was obtained through cyber means was shocking. Today, not so much. The targeting of UASs (Unmanned Aerial Systems --the updated term for UAVs) today means stealing IP that allows for refined controls of the previously stolen systems --how can they be made better --navigation, targeting, optics. Regardless of whether it's for military or economic gain, the simple idea that these birds sell for a quarter of the price of our own and the skies will soon be full of them means jobs lost --and not just in the US, but also in the international supply chain.

BT

As always, a busy week. Two new fusion reports were posted to the Red Sky portal. We've been using a new format with all of our new published reports. Members have had problems navigating the number of reports in our socially driven site. The engine isn't machine-to-machine; rather, it focuses on human interaction. So to assist with some of the confusion, we've begun adding snapshot views to each of our products, as well as a cross reference of our previous reporting (links inside Red Sky - redacted for this post) and a link to our indicator database (open to all) where users can download indicators (https://www.threatrecon.co/search?keyword=FR16-011).

Our latest report focuses on Locky:
Executive Summary
In February 2016, the Dridex botnet was observed distributing a new ransomware variant named Locky. Since then, a number of Locky macros and downloaders have been leveraged to distribute the ransomware. This report describes a recently observed JavaScript Locky downloader that appeared in early March. Similar to Dridex, the delivery infrastructure consists of compromised bots, which send the malicious emails, as well as compromised websites that host the Locky payload.

This report includes technical details and mitigations on this Locky downloader variant and related infrastructure. Mitigations are offered at the end of this report.

Publication date: 24 March 2016; information cutoff date: 18 March 2016

Handling requirements: Traffic light protocol (TLP) AMBER. Recipients may only share TLP: AMBER information with members of their own organization on a “need-to-know” basis and only as widely as necessary to act on that information.

Attribution/Threat Actors: The Locky JavaScript Downloader variant is a part of the Dridex/Locky botnet.

Actor Type: Adversary capabilities have been assessed as Tier II: Practitioners with a greater depth of experience, with the ability to develop their own tools (from publicly known vulnerabilities).


As well, this time of year is always busy for us. We've offered membership to one more organization, and have proposals out with three others. Interactions in the portal seem to have slowed a bit this spring, but we continue to populate it with intelligence, reports, commentary/analysis and actionable data.  Even with the slowdown, we still see over 36% returns month over month, so I'm not complaining.

What's coming? 
  • We're planning our first Cyber Symposium with a partner in Huntsville, AL.  Wapack Labs and H2L Solutions --a DFAR assessment company performing NIST 800-171 assessments in the area-- will be hosting a Cyber Symposium for local companies on June 7th.
  • Two weeks later, we're doing our pre-summer quarterly Red Sky Alliance Threat Day at a member location in Stamford, CT.

It's busy. We like it this way.

The blog is getting long, so I'm going to take advantage of the sun up here in New England. 
Until next time,
Have a great weekend!
Jeff




Tuesday, March 22, 2016

A Case Study in Stock Price Movement and Cyber Risk?

We've been doing a bit of R&D. Last week I announced a new tool (Cyberwatch(R)) that we've fielded in its minimally viable form, looking to get feedback.  The thinking was, we wanted to see if there were correlations between the number of times we saw a company show up in our intelligence sources and their stock price.

The example we'd toyed with was a bit ambitious but it made for a great test case.

Last summer, Amazon was reported by the NY Times as pushing its employees to the point where they'd break down at their desks. The story broke on August 15th.  We wanted to know if there would be a corresponding action in the underground cyber chatter as a result of the report that broke in the NY Times, and all of the follow-on circular reporting from the other news outlets.

Figure 1: Amazon's Stock Price compared to Wapack Labs' Cyber Threat Index measures

Here's what we did. We have approximately four years of back data. Every day we counted the number of times we saw "amazon.com" or any subdomain or IP addresses in our daily queries. We figured if we kept the model simple, anyone could understand it... I don't like complex algorithms --the only people who understand them are the people who write them. I wanted math that anyone could look at quickly and know what it meant.

Wapack Labs watched the intelligence space (dark web, chatter, etc.) during this time, and counted the number of times we saw anything associated with Amazon --and we plotted it on a moving timeline against the stock price in a chart resembling a stock chart.  The result? We showed movement in both the cyber threat activity and movement of the stock price (we recognize that there are many variables that make a company's stock price move, and Amazon's stock takes a lot of market influence to make it move). There was a spike on August 4th, followed by a short period when we lost eyes, and then an increase in underground 'chatter' shortly after as we watched circular reporting by other reporting outlets. The public reaction to the bad press was evidenced by the downward movement in the stock price.  The underground activity? Was this targeting of Amazon because of the bad news? Not sure, but our chart clearly shows something.
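The counting method described above, reduced to code as an added example (this is not Wapack Labs' code or the Cyberwatch(R) model): mentions of a company's apex domain, its subdomains, or IPs attributed to it are tallied per day over constructed intelligence records, and the daily tally is correlated with same-day and next-day stock returns from constructed closing prices. The company name, IPs, records and prices are all hypothetical.

```python
"""Toy 'mentions per day' index in the spirit of the method described above.
Added example with constructed data; not Wapack Labs' code or Cyberwatch's model."""
import math
import re
from collections import Counter

# Hypothetical watchlist: the company's apex domain plus IPs attributed to it.
WATCH_DOMAIN = "example-retailer.com"
WATCH_IPS = {"203.0.113.10", "203.0.113.11"}      # TEST-NET-3 addresses, constructed

# Constructed intelligence records: (ISO date, one free-text line from a source).
RECORDS = [
    ("2015-08-03", "selling logins for shop.example-retailer.com, 200 accts"),
    ("2015-08-03", "dump contains mail.example-retailer.com creds"),
    ("2015-08-03", "notexample-retailer.com is unrelated noise"),        # must NOT count
    ("2015-08-04", "scanning 203.0.113.10 for open services"),
    ("2015-08-04", "EXAMPLE-RETAILER.COM admin panel found"),
    ("2015-08-04", "fresh combo list example-retailer.com:pass"),
    ("2015-08-04", "anyone have a checker for example-retailer.com?"),
    ("2015-08-05", "quiet day, nothing new"),
    ("2015-08-06", "example-retailer.com.evil-phish.net page live"),    # lookalike, not a subdomain
]

# Constructed daily closing prices over the same window.
CLOSES = {"2015-08-03": 100.0, "2015-08-04": 99.0,
          "2015-08-05": 97.5, "2015-08-06": 98.0}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")   # hostname-like tokens


def mentions_company(text, domain=WATCH_DOMAIN, ips=WATCH_IPS):
    """True if the line names the apex domain, one of its subdomains, or a watched IP.
    Whole-token matching keeps 'notexample-retailer.com' and
    'example-retailer.com.evil-phish.net' from being counted."""
    if any(ip in ips for ip in IPV4_RE.findall(text)):
        return True
    domain = domain.lower()
    for host in HOST_RE.findall(text):
        host = host.lower().rstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def daily_index(records):
    """Index value for a day = number of records that day mentioning the company."""
    return dict(Counter(day for day, text in records if mentions_company(text)))


def daily_returns(closes):
    """Simple day-over-day return for each trading day after the first."""
    days = sorted(closes)
    return {days[i]: (closes[days[i]] - closes[days[i - 1]]) / closes[days[i - 1]]
            for i in range(1, len(days))}


def pearson(xs, ys):
    """Pearson correlation; 0.0 when too few points or either series is constant."""
    n = len(xs)
    if n < 2:
        return 0.0
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else cov / math.sqrt(sxx * syy)


def index_return_correlation(records, closes, lag=0):
    """Correlate the index on trading day t with the return `lag` trading days later.
    lag=0 tests same-day co-movement; lag=1 tests the 'leading indicator' idea."""
    idx, rets, days = daily_index(records), daily_returns(closes), sorted(closes)
    xs, ys = [], []
    for i, day in enumerate(days):
        j = i + lag
        if j < len(days) and days[j] in rets:
            xs.append(idx.get(day, 0))     # days with no mentions score 0
            ys.append(rets[days[j]])
    return pearson(xs, ys)


if __name__ == "__main__":
    for day, n in sorted(daily_index(RECORDS).items()):
        print(day, "mentions:", n)
    print("same-day r: %.3f" % index_return_correlation(RECORDS, CLOSES, lag=0))
    print("next-day r: %.3f" % index_return_correlation(RECORDS, CLOSES, lag=1))
```

With only four constructed days the correlation numbers mean nothing statistically; the point is the plumbing: exact-domain matching so lookalikes don't inflate the count, and a lag parameter so "leading" can actually be tested rather than eyeballed.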

So the question is, can increased cyber activity in the underground affect a company's stock price? Probably not directly, but what if the chatter that we monitor turns to action? Absolutely.  Cyber isn't the only indicator that can be used to help predict stock movement, but certainly it's one that should be considered. And our experiment in identifying a new means of monitoring cyber intelligence as a leading indicator of potential damage to a company in the form of stock price movement is proving very cool. Amazon's stock is affected by millions of variables, not just cyber, but what about the company whose price isn't as resilient to changes in a singular variable --like cyber activities focused on them?

On November 9th we saw a massive spike in activity as we slid our viewing window to the right. Why? We believe this was a lead-up to Black Friday, when folks were planning, talking about, exchanging tools and credentials that could potentially exploit retailers during the holiday season. Are we sure? No. Intelligence never is, but clearly, there's a massive spike and then a drop-off to nearly zero on the actual day --why? Bad guys need time off too, and they've already planted their tools. Now they simply sit back and collect the loot.

Figure 2: Amazon - spike in Cyber Threat Index (Intelligence activity) leading up to Black Friday

Activity remained fairly consistent until after the holiday, then spiked again during return season, including a massive dump of credentials (AKA the Pony Dump) that affected just about every large company --not targeted, but massive. We had to change the scale to show the massive number of times that we saw Amazon in our intelligence sources... from hundreds to thousands. The good news for Amazon? It wasn't just them. It affected everyone out there. A quick comparison of the average Cyber Threat Index(R) for the companies in the Dow Jones and S&P 500 (both shown on our website --cyberwatch.wapacklabs.com) shows that the average large enterprise company was mentioned over 5000 times. Amazon actually fared better than most.

Figure 3: Amazon's Cyber Threat Index on the day of the "Pony" dump of credentials
We launched Cyberwatch(R) this week in bare bones format. There's a place to submit feature requests and bugs, but the idea is, subscribers will be able to monitor portfolios of companies in addition to their own. I'd encourage you to log in with your company domain and a stock ticker if you have one. Viewing the graphics and looking at industry or geographic trends won't cost you anything, but pulling the actual intelligence behind the graphics will.

Our thinking in this is simple... Boards, CEOs and CFOs want to know how all that money they're spending on security affects the profitable operation of the business, the stock price, and value to the shareholders.  CIOs, CISOs, and techies want to know how to fix the problems that their CEOs are aware of (hopefully before he or she asks). Because we monitor non-public sources, the graphics are oftentimes leading indicators of potential threats. Is it actionable? You bet. If you see five threats (shown in Figure 2) on that particular morning when you're monitoring the Cyber Threat Index(R) for that day, according to our sources, you have five things to monitor for or block before you finish your first coffee in the morning.

Your money guys know you've seen the problems and fixed them.  They also know they can monitor their threat activity levels for spikes and have awareness of how it might affect the company. And investors and portfolio managers now have (admittedly early maturity) a tool that can be used to measure risk before they invest.

While not a perfect science --predicting the stock market never is-- we clearly show intelligence (primary sourced --not circular reporting or social media) activity increasing shortly after the NY Times called out Amazon as a harsh place to work. Is it related? Not sure. But certainly there's a corresponding movement in Amazon's stock price during the timeframe. And one sample isn't nearly enough to be able to show a 1-to-1 correlation, but for any investor considering the purchase of a large block of stock, or an M&A, monitoring a portfolio deal, or supply chain, I'd think that the idea that the price of that new investment can be influenced by movement in what we're calling (and have trademarked, and is now patent pending) the Cyber Threat Index(R), is actually pretty cool. If this works --and I suspect it will-- there's now a cyber means of identifying trends that *could* move stock prices, and for any executive or board wanting to understand the value of the security required (and funded), they can monitor that activity by simply watching the trend line.

This is a bit unusual, but it's one of the reasons we didn't take external investments. We want to be able to experiment and find new ways to transcend things like the language barrier, and how CISOs show the value of their spend and efforts, and how companies translate security posture wording into something their investors understand. Is it perfect? Not by a long shot. Is it promising? You bet.

Want to know more? Sign on and try it yourself --https://cyberwatch.wapacklabs.com

Need intel? Call me (844-4-WAPACK) or drop me a note. I'd be happy to schedule a demo or send material. 

Jeff

Monday, March 14, 2016

Wapack Labs' Threat Recon Indicator Database


Wapack Labs has been populating this database for about a year. It's essentially the indicators taken from our own analysis, and then grown.

Every day we get asked "Why buy another feed?"  This is a bit different. If I'm a bad guy and I have one domain registered for a C2 node, there's a good chance my other domains are also used for C2 nodes. We try and find all of them, starting from the one we know, and then provide them all to our subscribers... and they're in Threat Recon.

Sign up for your free API key. Every user gets 20 queries and 1000 free indicators per month. Plug in your search and off you go. Threat Recon runs from the web interface, or machine to machine.

Enjoy.
Jeff

Saturday, March 12, 2016

BZ! Wildfire!

When I was young, my great grandmother used to have a saying "self praise stinks", and for that reason I never authored my own military medal recommendations, and for years struggled with writing my own inputs for my annual fitness reports. But this week my team had a nice success, and I thought I'd share the story.

Earlier in the week one of our 'tripwires' fired off suggesting that one of our Red Sky members might be the target of an impending attack. After checking the facts, it turned out that we were right.

We authored a situation report and a warning, called the member, and fired off the written warning --complete with names of actors believed involved, tools expected to be used, the expected target, and the time of the attack. I authored the initial report, and sadly, the old man mistakenly offset for the wrong timezone and called the attack time for 12 hours earlier than it really was. We corrected the timezone, informed the member, and when the time came, stood by them in an online bridge throughout the process.

For over two hours on the bridge, we assisted with the online cyber ruckus, eventually pointing the member to the exact file that we believed would be exploited. Once the file was deleted from the host, the attack stopped.

Shortly after, we pulled the team together and authored the after action. I realize that many companies fight these fights on a regular basis, but in this case, my guys aren't incident responders, they're intelligence pros, and in this case, they called it dead on... and for that, I'd like to take a moment and offer my team a very strongly worded BRAVO ZULU. Nice job!

BT

On nearly every sales call lately, someone says to me, "Why do I need another feed?"

My answer? A feed tells you about everything. Intelligence tells you about you.  I've used this analogy many times --If I walk into a bar and end up in a bar fight, I'll hit the guy standing in front of me first, then deal with his friends, and probably won't worry too much about all of the fights in all of the other bars around the world --at least not tonight. Feeds tell you about the bar fights happening around the world, but not how to deal with the guy standing in front of you.  We run an indicator database that you can use inexpensively --ThreatRecon.co starts at free, then increases slightly based on volume. Cyberwatch(R), our newest offering, is also free --it creates a Cyber Threat Index(R) based on the number of times that we see you in our intelligence sources and plots the score daily --against your stock price. Again, no cost to log in and look --only to buy the intelligence behind the graphics.

We send cyber early warning reports several times every day. I've written in previous posts about some of our 'get to the left of the kill chain' processes. We have small successes every day, but this week we had a good one. And my guys got to sit on the bridge while a member successfully defended themselves --at least this time. And we're happy to have been part of putting this one 'X' in the win column.

Until next time,
Have a great weekend!
Jeff

Saturday, March 05, 2016

Post RSA thoughts

I returned from San Francisco late last night. What a week. 50,000 of my closest friends and I shared parties like you wouldn't believe, and some great security talks. I wonder if it was a mistake that I mentioned the parties before the security talks? Not really, no. You see, this year (at least for me), the theme was all about analytics and threat. We've been hearing this for a couple of years now, but the tech and associated messaging are maturing, and now it's big data analytics, presenting the pretty picture and inching ever closer to the God Box.. you know, the one that can heal the rift in the universe, bet successfully 100% of the time on the stock market and predict every lottery number with complete accuracy weeks in advance.. that God Box.

I snapped pictures of dozens of analytic portals, desktops, and mobile representations. And you know what? THEY ALL LOOK THE SAME!

And the data that they collect? IT LOOKS THE SAME TOO!

So my question is this.. are we happy knowing that SOOOO many intelligence providers out there are simply gobbling up as much open source crap as they can, pre-chewing the food and spitting it back out so some unsuspecting CISO with a board-endorsed checkbook can gobble up the now diluted food without thinking about it, or tasting how bad it really is. Is this where we're headed??

Not me.

I stayed at the Metropolitan Club this week. The Met is a private women's club outside of the Moscone area --across the street from the Marine Corps Club if you know where that is. Everything else was full up, and the Met offered reciprocity with the Harvard Club of Boston --my home club. When you check in, you're required to sign a "guarantee of privacy" that ensures no business will take place in the club, and that any conversations that happen in the club, stay in the club. The place was a safe haven for weary overstimulated guys like me who, by the end of the day, could take no more. And so every night, I'd retreat back to my private women's club, like crawling back to the safety of my mother's arms, and think.  What'd I think about? Better ways of doing things.

I think about the idea that a board doesn't care if we reverse engineer, what the threats are, or if spies are stealing stuff. They care that the stock price moves and if the CISO isn't doing the right things to keep the stock price up, they'll be held liable.

I think about the fact that CEOs are measured on the profits, growth and goals, and report to the board; and beyond the scope of those factors, the CEO doesn't care what ports are left open and exposed.

...and I know that when I showed Cyberwatch(R) at a party on my last night there, I went from being a middle aged, balding overweight white guy to being the prettiest girl at the dance... and everyone wanted a demo. I gave them until my phone died.  One guy told the crowd that it was the best thing he'd seen all week. Another talked about the fact that such a simple idea solved a really hard problem --cutting across the language barrier between levels of management and enabling (finally) rudimentary predictive analysis.

Why so much excitement? We represent security data like the market shows dollars. I talked about this a bit last week, but we filed patent paperwork on a process that shows the effects of security intelligence, peaks and valleys on a company's stock price.

So there's a 100% chance that we didn't get it right on the first try, but the model works --keeping it simple, stupid, and presenting intelligence in a meaningful and actionable way.

The site is currently in its "minimal viable product" form but it works... not much documentation up there yet, but enough information to get customer feedback.

Want a demo? Drop me a note. I'd be happy to set one up.

Until next week,
Have a great weekend!
Jeff

Saturday, February 27, 2016

Got eyes on your supply chain?

In the past month I've had conversations with several supply chain companies in the Aerospace industry. In one case, I informed them of 400+ dynamically generated domains registered to one specific IP address in their externally facing cloud presence.

What's that mean? I'm betting that some of you are very familiar with DGA domains. The presence of DGA domains could mean that someone is attempting to perform command and control into the IP address. And it means that someone's going to have to find out.
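The "find out" step, as an added example (not Wapack Labs' code or the tooling used in the engagement above): given passive-DNS observations, group domains by the address they resolve to inside your own external range, score each registered label with a simple DGA heuristic (length, character entropy, vowel ratio, digits), and surface any of your IPs that carry many algorithmic-looking names. The supplier domain, the 203.0.113.0/24 range and all records are constructed.

```python
"""Passive-DNS triage for the situation above: many algorithmically generated
domains resolving to one address inside your own external IP space.
Added example with constructed records; not Wapack Labs' code."""
import ipaddress
import math
from collections import Counter, defaultdict

# Constructed passive-DNS observations: (domain, resolved IPv4).
# 203.0.113.0/24 (TEST-NET-3) stands in for a supplier's externally facing cloud range.
PDNS = [
    ("www.example-supplier.com", "203.0.113.5"),
    ("mail.example-supplier.com", "203.0.113.5"),
    ("portal.example-supplier.com", "203.0.113.6"),
    ("xk3qv9rtlw2n.net", "203.0.113.7"),
    ("b7zp0qmw4yxc.com", "203.0.113.7"),
    ("ru9kjt5vxq2h.org", "203.0.113.7"),
    ("wq0lm8vzrx7k.info", "203.0.113.7"),
    ("9cvbm2kplx4t.biz", "203.0.113.7"),
    ("cdn.example-supplier.com", "203.0.113.7"),   # one legitimate name on the same host
    ("k2m9xq4vlz8w.net", "198.51.100.9"),          # outside our range, ignored
]
OUR_RANGE = ipaddress.ip_network("203.0.113.0/24")


def registered_label(domain):
    """Second-level label: 'xk3qv9rtlw2n' for 'xk3qv9rtlw2n.net'.
    Toy rule: ignores multi-part public suffixes such as co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits per character over the label's own character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(label, min_len=10, min_entropy=3.0, max_vowel_ratio=0.3):
    """Heuristic for DGA-style labels: long, high entropy, vowel-poor, digits mixed in.
    Real words ('example-supplier') fail the vowel and digit tests even when long."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0
    has_digit = any(c.isdigit() for c in label)
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio <= max_vowel_ratio
            and has_digit)


def triage(pdns, our_range, min_domains=3, min_generated_share=0.5):
    """Group observed domains by resolved IP within our range and report IPs that
    carry at least `min_domains` names, most of which look algorithmic."""
    by_ip = defaultdict(set)
    for domain, ip in pdns:
        if ipaddress.ip_address(ip) in our_range:
            by_ip[ip].add(domain.lower())
    findings = {}
    for ip, domains in by_ip.items():
        generated = sorted(d for d in domains if looks_generated(registered_label(d)))
        if len(domains) >= min_domains and len(generated) / len(domains) >= min_generated_share:
            findings[ip] = {"total": len(domains), "generated": generated}
    return findings


if __name__ == "__main__":
    for ip, info in triage(PDNS, OUR_RANGE).items():
        print(f"{ip}: {info['total']} domains, {len(info['generated'])} look generated")
        for d in info["generated"]:
            print("   ", d)
```

A hit here is a lead, not a verdict: the next step is checking what actually listens on that host and whether the names were pointed at it deliberately (sinkhole, shared hosting) or because it is already serving as someone's C2.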

Why do you care? The companies we've been talking to are Aerospace supply chain companies between 50 and 1500 employees and they don't have the ability to defend themselves.  They make things for the US Government --DoD, NASA, probably others, and a new regulation requires them to report these incidents through their prime contractor and to the government. That's good right?

Here's the rub: Very small companies generally have a part-timer, or at best, one person handling IT. Mid-sized companies, well, at least some mid-sized companies, have a problem making the jump from being a larger small company to a small enterprise, and rarely have dedicated security people. And even in bigger companies, full visibility on the network, protecting from those who really want access into these Aerospace suppliers, is really, really hard. The biggest companies --the primes-- have invested millions in creating processes to fix themselves. The smaller companies simply haven't built that into prior cost models, and as a result suffer the fate of the hamster on a wheel. They can't build new security until revenue supports it. And if revenue supports it, the staff is busy fulfilling the contract.

So, in an attempt to help some of the really small guys (50-1500) we partnered with a couple of Managed Security Providers to be able to drop sensors/protections in the network --basically, outsourced security. But most companies look for the low cost options first. They won't go to an MSSP. They go to open source. So... we experimented with some of the open source stuff out there.

For the last few weeks I've been running one popular security package in an offsite office... pfSense is a great little suite of tools --very powerful, but even in our very simple environment, pfSense (I tested with the Suricata and Snort packages), running default rule sets (like most new security folks will), killed off the ability to visit key locations because we research and talk about bad things happening on networks. The string matching automatically assumes the site to be bad, and the sessions are killed off.  So in these small companies (some are using Suricata and/or Snort), what happens when they need to customize those rules because a CNC machine can't reach back to its licensing library, because the oddball port is blocked by a default rule? How long do you think that device will stay on the network when a machining operation is stopped because the CNC can't communicate over the network? Here's a hint... not long. And that IT guy that put it there? He just lost a whole bunch of credibility, and is going to have a heck of a hard time convincing his boss to try it again next time.

But these suppliers MUST be able to detect bad things in their network. Many cannot do it alone. Is there an answer? Of course, but some of these companies are asking for help in places that promise not to talk to their primes. Others are looking for DFAR assessments as an attestation that they're doing the right thing (the assessment is, at least, a step in the right direction). Others are ignoring it, hoping it'll go away.

We have a solution. It's patent pending and being beta tested, but I'm doing demos at RSA next week. We've partnered with a cool little company called H2L to provide DFAR 800-171 and 800-53 assessments with companies in the Huntsville area.

As an output of this DFAR assessment, we recommend fixes as part of their get-well plan.  We can show the prime what risks to the supply chain actually look like --in near real time. Contract officials have the ability to monitor threats to their suppliers. Suppliers have the ability to know the threats they face, and the IT folks or MSSP have the ability to react to current threats before they occur.

Pretty cool huh? We're not deployed yet, but if you'd like a demo of the beta, or want to talk about the DFAR assessment, intelligence subscriptions, or those MSSPs that we've partnered with, stop me at RSA next week. I love talking about this stuff and I'm always up for a demo, coffee or a beer!

Have a great weekend.
See you in San Francisco!
Jeff