Saturday, July 09, 2016

First Chinese-Built Passenger Jet Goes Into Service

On June 29, 2016, the Wall Street Journal's Chun Han Wong reported "First Chinese-Built Passenger Jet Goes Into Service. China's first home-built passenger jet entered commercial service on Tuesday... the jet, the ARJ21 developed by the Chinese state-owned Commercial Aircraft Corporation of China, Ltd (COMAC) was originally due out in 2006 but was delayed by over ten years because of repeated production setbacks..."

Normally I'd look at the piece and think to myself... I'd never invest in a company that was 10 years behind the market, but at the same time, I'm forced to wonder if those setbacks paralleled the increase in the security posture of COMAC's suppliers. And I'd have to wonder if another speed bump was dropped in the production plan with the 2014 creation of the Aviation ISAC...  At which point I'm betting ARJ21 project managers crapped themselves while their airplane sat in the red zone, staring, dreaming of that first taxi out to the runway, while they awaited final tech to come in from Bombardier, Rockwell, GE, Sukhoi, Antonov and others. 

Did I forget to mention? According to the WSJ, the COMAC ARJ21 competes directly with these companies --in a very crowded market --Canada's Bombardier, Brazil's Embraer SA and Russia's Sukhoi Civil Aircraft Company, and was heavily influenced by foreign technologies including the McDonnell Douglas MD-90, avionics from Rockwell Collins, engines from General Electric, and wing designs by Ukraine's Antonov State Co.  I know for a fact that Bombardier, Embraer, Rockwell, GE and others have been harvested systematically for aircraft (and other) technologies. I'd bet a dollar that the state sponsored Chinese intelligence apparatus fed directly into the creation of the state owned aircraft manufacturer in China --COMAC, and the development of the ARJ21... and I'm betting we'll see more airframes out soon.

Certainly the thought isn't completely out of the realm of possibility. There've been hundreds, if not thousands of news pieces and blogs written over the last fifteen years calling out China (government and private) attackers as being the culprits behind a ton of illegal technology transfer.  The picture to the right shows a Chinese J-31 stealth aircraft that's essentially a knockoff of the Lockheed Martin built F-35. From Buick knockoffs to drones to satellite communication systems to toaster ovens and consumer electronics.  The shortest path to production isn't through the lengthy process of R&D, it's to use someone else's... Heck, ever wonder why you find a Burger King within a mile of every McDonalds? McDonalds has a better research department! And stealing technology is no different.

I guess, as you're probably wondering (like I am), exactly how much of the designs were purchased from each of those vendors and how much was stolen?  With the company entering a crowded market ten years late... with design features coming from so many other airplane OEMs, and knowing damn well that each of the companies mentioned have suffered enormous losses directly related to Chinese cyber exploitation --heck, Boeing built the Aviation Information Sharing and Analysis Center (A-ISAC) to protect the aircraft OEMs and the industry writ large from the prying eyes of Chinese state sponsored cyber espionage that had been occurring in their industry for over a decade.

I read the Wall Street Journal every morning. I have since I was an Ensign in 1996. I've never been so surprised by lack of attention to detail as I was in this piece. Why would the author not do the work to identify the deeper story? Was this a success story? A competition story, or simply empty intellectual calories? Why would they not explore the idea that the industry's been getting their clocks cleaned while technologies looking very much like competitive technologies (and not just US technologies) are coming out of China on a daily basis --from warships and drones to knock-off cars to commercial aircraft.

Who cares if it's ten years late when R&D cost almost nothing... right?

BT

I've been writing about intelligence and APT for roughly the last five years --almost every weekend over my first coffee on Saturday morning, and while I'll admit, you get it a little rough, it's almost therapeutic. They say one of the best ways to relieve stress is to write a letter to yourself explaining the stressors that you're feeling --or write to a person who may have wronged you. In this case however, I've watched our space (the information security space) mature into a hodgepodge of technologies and vendors selling everything from snake oil to some amazing technologies, yet, I have to wonder why it is that when I ask a company how they ingest intelligence into their systems, they tell me they don't!

And when I look across the spectrum of governmental organizations, commercial companies (large and small), healthcare organizations, energy producers, and others --in every corner of the world, the realization is simply this.... we're losing this battle. Network defenders are getting CRUSHED by the sheer volume of attacks --successful and not --but those that are successful are costly in a big way. And as a result, we see folks like the banking CISO that I mentioned in my previous paragraph who are forced to simply rely on their managed security service to ensure their safety.

Why? Because CISOs still have a hard time talking to their management. Some simply haven't cracked the code on communicating the danger versus security versus ROI.  To help, we've added a couple of new offerings to our lineup, starting with the Executive Read Board.

The Executive Read Board is a low cost subscription offering that offers technical analysis stories converted to easy readers by our on-staff journalist. Nancy had been an Air Force journalist, turned newspaper columnist, and now works for us turning our stories into something that your executives can understand in a quick read --and everything is based on technical or intelligence analysis written in the lab.

I'd encourage you to have a look. We just completed the transition over from an old proof of concept site, and because of its popularity, we took it mainstream. You'll find short pieces suitable for pushing directly to your management. If you need indicators, pull them from our indicator database --ThreatRecon.co. Need more? Call us. We have a number of options from STIX/TAXII to an API to PDF reports.

In the meantime, I'll be heading to the MD/DC area this week, home plating for a ton of travel over the next two weeks, but I can be found occasionally at Shelly's, smoking a cigar, drinking a great bourbon. If you'd like to join me and shoot the sh*t, drop me a note. If you'd like more information on Red Sky Alliance or the intel group, Wapack Labs, drop me a note.

Until then, have a look at the Executive Read Board. There's a 14 day free trial, so please, have a read.  We'll be pushing more and more up there this week, but there are a couple of hundred articles already populating the new site.

Enjoy, and Have a great weekend!
Jeff

Saturday, July 02, 2016

Training Day and Kicking off our Veteran Training program with the VA and SNHU!!

OPINTEL is the term used by the Navy to refer to tailored, all-source intelligence provided directly to operating forces. It focuses on a potential adversary's capabilities, his immediate intentions, and the environment. 

In the last few weeks we've been writing a ton of OPINTEL.  85(+/-) intelligence reports in the last month.  In one case, we're helping the CLE PD understand threats forming as they ready for the RNC. 

So yesterday was pizza, beer and training --early communism, exploring the formation of protest groups in the US, the Kent State shooting, and then bringing it forward to current day, comparing TTPs used by activism groups and how they form and operate.

I blogged recently about training returning veterans.  The group that we've formed (Team Jaeger --the hunt team) has been doing OPINTEL as the first step into cyber intelligence --what a great way for a company or customer to help the cause --by sponsoring the training of a returning vet who'll be dropped into an analytic seat on day one, shown the priority intelligence requirements, taught to operate safely in cyber space, and turned loose under the supervision of a retired CGIS Supervisory Special Agent who tutors them on writing actionable reports in a way that's understood by the most people and gets the message across quickly.  For those who need OPINTEL, every vet knows a threat when they see one... we just have to teach them what to do with it. The results? Absolutely amazing.  More on this in a moment.

While listening to the talk, as I looked around the room, I noted that the guys had taken a panel that we'd had printed for a booth at a conference in NYC a couple of years ago --the intelligence cycle --and papered it up with sticky notes showing due times and battle rhythms.  I preach the intelligence cycle, battle rhythms, publishing deadlines and analytic rigor.  I taught intelligence cycle processes as part of our Threat Intelligence University at a customer location just last week... I thought my guys were getting sick of hearing about it, so to see this team with sticky notes on the board showing due times, routines, etc... for this new, high producing, insanely focused team, makes me happy as hell.

And more? I'm happy to announce that our partnership with the Manchester, NH VA Medical Center (VAMC) and Southern New Hampshire University is underway. We've hired four vets on referrals from the VAMC, and our first SNHU veteran students (14 of them) start in the lab on August 8th and we can't wait. 

What're they going to get? We've taken our two day Threat Intelligence University firehose training program and converted it into university level modules, starting with Intelligence 101 (Threat Intelligence Cycle) and Intel 102 (Operating Covertly in Cyberspace) --all the way through scripting, malware analysis, detecting lateral movement, and advanced mitigation strategies. The interns will be receiving a number of these lessons and at the same time be tasked with providing real analytics on real problems --OPINTEL first, then TCP/IP training, and then heading into full cyber. The students who are SNHU students get three credits for every 10 weeks they spend with us --some of the best OJT out there, with the idea that if they make it through, we'll be introducing them to the Red Sky Alliance members for jobs... We've already had requests.

And last? We were visited by Frank Edelblut --Republican entrepreneur turned Angel investor and politician, running for NH Governor.  I'm not going to tell you that I don't straddle the political lines but I'm a fan of folks who've also walked the walk, so it was a pleasure to have Frank in to talk about his days as an entrepreneur, and his thoughts on moving into the governor's seat.

Enough for now. As we kick off this Fourth of July weekend, and I prepare to head to the beach with my family, I wish you all a great weekend. Be safe with the fireworks, eat as many burgers or lobsters as you can choke down, and take a moment to remember the birth of our independence!

Until next time,
Have a great holiday weekend!
Jeff


Saturday, June 18, 2016

...In a market full of rehashed data and carbon copy analysis

Over the past several weeks, and more slowly over the course of every year, we spend a ton of face-to-face time with our customers. And while some come and some go, we still, since day one, maintain more than 90% of the customers that we started with, and those who've left, left because of transfers or they prefer machine-to-machine interactions, some like that --especially those who prefer big data solutions, but...
  • Who do you call when you found a piece of malware and the sandbox doesn't give you enough information?
  • Who do you call when you want more than a list of IP addresses in a blacklist?
  • Or who do you call when you ask your vendor for help, and they only want to sell you a box?
Our customers call us... they have our cell phones. They drop a request in the Red Sky portal, or they send us email... even late at night.

Nearly every intelligence product written comes from a request, sample, or a hint (sometimes subtle and sometimes a club over the head) for something one of our readers needs... now.

This week we had a new company sign up --a large financial. You'd know the name if I told you. They replaced a current service because they needed intel (indicators) from a new piece of malcode and the vendor refused to give them the information --they tried selling them a box... good for us, bad for that vendor.

Another receives daily updates from us --eight different categories of watch lists, monitored by our guys, and fused into one, daily product. They called us at 10PM and asked if we could monitor one of our watch lists for potential fallout from a business issue. We've been monitoring for the last two days.  We love the interaction. And these guys will be customers for life. 

Every customer should feel like an individual. Sometimes it works, sometimes not, but we try our best.

As we head into the week, we've got a great lineup for our Threat Day on Tuesday. This one will be held virtually, but we've had a great turnout for signups. As well, we held a Cyber Symposium in Huntsville last week. Between our Huntsville partner (H2L) and our contacts, we invited 100 people. 93 showed. I'd call that a success.

I had to leave early to catch a flight for my talk in Philly but the word was, the best talk (besides mine of course ;) --the one with most conversation (I think mine just scared the hell out of them) was about the DFAR assessments and requirements to report all cyber activity to the government.

That said, we enjoyed the day.

So it's a beautiful Father's Day weekend Saturday here in NH. I'm not going to waste it.

To all of you other fathers... Happy Father's Day.  I hope you have as much fun with yours as I plan to have with mine!

Until next time,
Have a great weekend!
Jeff

Saturday, May 28, 2016

Just a Common Soldier



Please take a moment to reflect this weekend on what you do, and for those of us that served or are still serving in the military, honor those that did not come home so we could live in this great country of ours. 

Take a moment to reflect and view this very touching tribute over this Memorial Weekend.

http://www.justacommonsoldier.com/


Thanks all,
Have a great Memorial Day weekend.
Jeff


Saturday, May 21, 2016

Have I discovered Area 51 East?

Once a month or so, the boys and I meet up at Cancun Cantina for beer and cigars.  We've been meeting under their imported palm trees for years, and although the people have changed (we miss you Alvin!), the stories continue.

We normally get together on a Friday afternoon, but this week, because of my travel schedule, I kicked out a note asking if we could do it Monday... only to realize when I arrived that my guys were standing in the empty parking lot of a closed Cancun Cantina. No cigars tonight --but we'll have those beers elsewhere.

Back to the point... as I'm driving, I passed the observatory at the end of the runway at BWI.  I've driven past here hundreds of times over the years, and on sunny days, there's one thing in common... a crew of folks under the trees --some standing, some sitting, with cameras with monster telescoping lenses... and I had always wondered why.

I'd made the mistake of turning right coming out of Cancun Cantina to head for the agreed-upon watering hole where my friends would undoubtedly be waiting for me (because I took the long way), and as I passed the observatory, I again, noticed the gathering of folks with really big cameras --and I had to take a picture. I don't know why, but it struck me. I needed a picture.

So... I turn into the observatory, pull out my phone, step between the cars and snap a quick shot. Of course, they spot me. I didn't try to hide, and as I snap off my second shot (I only took two), they began setting off car alarms around me. One of them (the guy in blue) turns his telescoping lens on me.

I have to wonder --are these guys just plane geeks, or is Northrop keeping something fun in the hangar that someone here's waiting to get a glimpse of??? My tinfoil hat is glowing red. Have I stumbled upon Area 51 East?  Or.. do these guys just really LUV Southwest Air?!

On sunny days, they're here all the time. I wonder if I'm the only guy who scratched his head and asked why. On occasion, there are some pretty cool planes that go in and out of here --I see them from the balcony at my apartment --I'm right in the flight path (I'm cheap).  But do all airports offer access like this? Are there really plane geeks that just for the love of it, snap pictures of every Southwest Air flight? Why?

My friends tell me I'm paranoid --but that's what I get paid to be. I want to know when someone is standing at the end of the runway waiting for something cool to come out --and if it does, and they get that series of shots with that really big lens, who's buying those pictures? And will they soon be sending more big camera guys for more? Or will we begin seeing intrusions into computer aided drafting systems and manufacturing and targeting of engineers? This isn't rocket science. There's a correlation between humans snapping pictures of airplanes and computer intrusions into those companies (and people) that build them... I could go on but for now, I'm taking the tinfoil hat off as my thinking begins to drift more toward Captain America and Iron Man this afternoon with my kids.

BT

We moved into bigger space yesterday, set up that fusion center where the new crop of returning vets will be trained, and we're beginning to kick out new offerings from the work they're producing.  We're having a hell of a lot of fun, making enough money to make a living, teaching people how to do the things we're doing, and helping companies figure out what to protect today, and what to worry about tomorrow.

So, if you need indicators, try ThreatRecon.co. It's free to 1000 indicators per month. Sign in, get an API key, and off you go. Anything marked 90% confidence was directly analyzed and derived by us --very low false positives.

Need more? Try our low cost "Executive Readboard" subscription service --TLP White information written for your executives in a newspaper format... in fact, we hired a journalist to write these things.

Need even more? Drop me a note. We're here to help.

As a reminder, we're doing a Cyber Symposium in Huntsville on the 7th of June at the Johnson Conference Center. It's limited to 100 people and we're filling up fast. If you'd like to attend, please contact our marketing person (Pamela) for information.

OK folks...
Have a great weekend!
Jeff

Saturday, May 14, 2016

Training Wounded Warriors

Did you know that when a wounded warrior transitions through the VA, they sweep floors and plant flowers for minimum wage? You see, they're considered patients, and therefore can't be associated with patient care.  I'm happy they're getting help, but I figure there's maybe a better way --so we've started our own training program. We call it Team Jaeger, and it's headed by our newest Director, Bill Schenkelberg.

Bill retired as the Supervisory Special Agent at the Coast Guard Investigative Service (CGIS) Boston. After retiring as an 1811 following a full Federal stint, he ran the Cleveland, OH Fusion Center, and was teaching active shooter classes when I caught up with him.

You see, since starting the company, we've had a strong veteran friendly culture. Much of our leadership are vets, and those who aren't learn quickly --we're a bit different. We share values, culture, language, and know what it means to get the job done.

Some of you remember our first guy --an AFG vet --a Marine E5 who came to us about two years ago, and I'm happy to say, he just got accepted to college full time.  He started by being taught to dissect email headers and load databases. In the end he was doing all of our pushes into external facing systems. He wasn't much of an IT guy, but he helped out a lot... he's going to school for Psychology.

Two months ago we hired another --a former Army MP.  He's a young guy that'd been sweeping floors in that VA Transition Program. Turns out he's a pretty skilled guy, running systems, chasing bad guys.  This kid's a rock star in the making. He needs some training and discipline --and we'll help with that, but the skills are all there.

Last week we hired another from that Transition Program --a Marine mechanic of 16 years. This guy had a collateral duty as IT, and now we've got him running social media and basic forensic analysis processes searching for threats. In my early days I had coworkers grepping for hints of child porn in user logs. He is this guy --only not searching for porn, and yesterday he had his first good hit.

Yesterday I interviewed another --our last for now. A former Army CI guy who'd been heading for a 'walking security' job in a mall or something. I asked Bill to interview him (Bill, as a guy who used to do background checks for the CG, will now do ALL of our interviews), and we'll likely bring him on as well.

So why do I bring this up?

We've formed this new team. We call it "Team Jaeger" --the Hunt Team.

I really wanted a team who could hunt for threats to our customers (hunt, not hack) --proactively --and know what a threat looks like when they see it; when one of our customers is talked about in a bad way or some knucklehead in the dark web takes a conversation a bit too far. Or maybe when our tripwire indicators start throwing flags suggesting a physical event is about to take place using cyber as the catalyst. I wanted a team that could communicate, and when needed, act as one. A team led by a strong leader who understands what transitioning vets need, and could work both the personalities and the desire to learn something new --and something both valuable and very cool.

Bill is shaping this team of new folks that we're training up, and will then introduce them to the Red Sky membership for long term jobs. Our first interns (those who survived) did amazingly well... Now we're (re)training hungry returning warriors in NH who understand the (cyber)warrior, (cyber)hunter mentality, who can tell a threat when they see it, and who know how to write a SITREP.

Some of you know Jesse.  I dropped him into the cell as the Advanced Cyber Analyst --the senior techie to help teach these wounded warriors. Jesse wears his tinfoil hat like a badge of honor, and knows the space better than anyone. He's a master in the underground and can help these guys navigate. He's the perfect guy for that job.

Results? Within the first couple of weeks we've completely reshaped some of our proactive reporting --reading tea leaves, and following footprints; blending traditional hunter techniques with cyber tipping and cueing and traditional all-source fusion processes. We tipped off a local (Oklahoma local) PD to a possible movie theatre shooting, and one of our banking customers to some negative activity by a guy that we researched a while back. We're tracking from early noise and coordination through the attack, and if need be, after the attack --and we're training wounded warriors to be the tip of the spear. Are we moving from cyber? No. But if we see something, we now have the manpower to say something --and we should --and we will.

Returning Warriors can be funded by a company or organization. We'll train them to hunt on your behalf, and when they're ready --if you choose, we'll roll them over to you as an employee, keep them on in our SOC, or get them interviews with companies in the Red Sky membership.

We're a cash flow company and we've hired as many of these folks as we can afford right now. We are looking for funding sources to fill our new spaces --we rented a handicapped accessible bunker for the new operations center, and we've partnered with a local NH company (FlowTraq) for the two principals --two Dartmouth PhDs to help teach these guys the ins and outs of monitoring flow.

Some props: Thank you to Richard and Audrey at Manchester, NH's VA Medical Center's Vocational Transition Program for supporting this program. The VA gets a lot of bad press, but these guys are rock stars.

Interested in participating?  Funding a student? A training provider? Have a great product? Drop me a note. Or better yet, drop Bill Schenkelberg (the Jaeger Meister?) a note! Our guys need training on great products. If you're interested in partnering, we'd love to hear from you.

BT

This week:

  • We posted an update on Gh0stRAT, with full technical details and mitigation strategies.
  • We pushed information related to SWIFT
  • We pushed "new format" tailored cyber threat intelligence to subscribers
  • We're preparing for our next round of Threat Intelligence University and...

As a reminder, we're co-hosting a Cyber Symposium in Huntsville, AL on June 7th. The agenda looks great with speakers from Red Sky/Wapack Labs (me and Chris), Lockheed Martin, Morphick Security and i3. Space is limited and we're filling up. If you're interested, drop our marketing person (Pamela) a note to get your name on the list.

Last, Threat Day in Stamford is coming up fast. The agenda there is also pretty full. This is a members only event, so if you've not RSVP'd to Pamela, please do so quickly.

OK folks.. that grass isn't going to mow itself!
Have a great weekend!
Jeff


Saturday, May 07, 2016

Don't believe everything you read (or your indicator aggregator tells you!)

If you've been monitoring the story of 270+ million stolen Mail.ru, Google, Yahoo, and Hotmail accounts, you'll know there's still a bit of controversy, but this story is one from the other side of the pond --I'm leaving it in my analyst's good but still slightly broken English. The point? Don't believe everything that's aggregated and dumped into your defenses. We're still verifying too.

This is a couple of days old and is making its way through the groups, but for the rest, this is yet another great lesson on sourcing quality when it comes to intelligence. What would your company have done if they'd received 270 million personal email accounts? Many of you allow personal accounts to be used --or at a minimum, allow their use from work, or through social networks.

Mistakes and miscommunications sometimes happen, and there's no telling if this was Mail.ru doing damage control, or if it really was a bad source. Either way, the lessons are these... the data is suspect. Know your sources. Know your intel provider. If they're giving you junk, ask for more information.

------------------------------------------------------------

Initially it was reported that Alex Holden's Hold Security got a database with 1.17 billion records with 272.3 million stolen accounts including Mail Ru, GMail, Yahoo and Hotmail users (1). According to Holden, the cache contained nearly 57 million unique Mail.ru accounts - a big chunk of their 64 million monthly active email users (2). While Yahoo and Google are still investigating, Mail Ru, which allegedly was hit the worst, requested the accounts and reported the result of investigation (3):

Mail Ru says that Holden just grabbed different databases together to attract attention to his business (3). They say 99.982% of Mail Ru accounts they got from Holden were not valid, while 0.018% were possibly working, and those have now been notified for a password change.

In a more detailed breakdown of the numbers Mail Ru says:
  • 22.56% of Holden's accounts have e-mail addresses that never existed in the first place
  • 64.27% - wrong password
  • also 0.74% had no password at all
  • 12.42% of accounts were already blocked as hacked or automatically created (3)

They also believe that some passwords in the database were automatically created during/for brute-forcing attempts (3).

In another breakdown of the data The Inquirer reports that only 15.4% (42/272M) of the accounts are seen leaked for the first time (2) – which means most of the accounts were seen leaked before and possibly were just copied from previous breaches (2).


(3) tass[.]ru/obschestvo/3263688 [in Russian]
and corp.mail[.]ru/en/press/releases/9613

BT

Keeping it short this weekend. Feeling a bit under the weather.

In the meantime, we've reworked some of our reporting processes for a more holistic look at cyber threat --getting to the left of the Kill Chain continues to be our mantra. Interested? Drop us a note or give us a call.

Until next time,
Have a great weekend.
Jeff

Saturday, April 30, 2016

US Steel, Solar, and SpaceX --what do they have in common?



[Image: June 7th, Huntsville, AL]

I live in the woods, so my daily Wall Street Journal comes via post office.  I could read it on my iPad, but I still prefer turning the pages over morning coffee, so I deal with it.


Yesterday one of the guys in my office (who gets his paper on time), and who'd worked for the Steel Industry Association for many years, dropped the business and tech section on my desk (a spoiler alert?) with a headline below the fold "U.S. Steel Accuses China of Hacking"... hacking and stealing intellectual property "enabling [China] to manufacture light weight steels that compete with U.S. Steel's products." The lightweight steel is used for manufacturing lighter cars --for better gas mileage.

U.S. Steel (and others) were the victims named in the indictment of five Chinese hackers in 2014.

The indictment was issued because, as it states "An indictment is merely an accusation and a defendant is presumed innocent until proven guilty in a court of law."

So let's look at the bigger picture...

From 2006 through 2012 five guys (I'd bet a Yuan there were more than just one!) hacked into various US companies -- Alcoa, Westinghouse Electric, US subsidiaries of SolarWorld AG, U.S. Steel, Allegheny Technologies (ATI), and the United Steel, Paper, Forestry, Rubber, Manufacturing, Energy, and Allied Industrial and Services Workers Union (USW).

In my own words, these five guys (and their friends) mapped networks, planted access, grew access, made themselves at home. They prepared the networks for future exploitation... and that's exactly what happened.  And I'd bet another Yuan that they've exploited these companies ever since. 

So now you know the cause. What about the effect? Theft of lightweight steel manufacturing alone is going to have ripple effects across the board from the manufacture of knockoff cars that compete directly with US (and other) cars to those lightweight steel 2x4's that are now used as studs in the construction business. 


And what about the others? In the solar business? The world, especially China, needs more energy, and solar processes are needed to offset the limited supplies of future oil and natural gas... but turning solar into energy --especially on a massive scale --requires specialized processes.

What's next? On page B3 of my (yesterday's) Wall Street Journal is a picture of Elon Musk's SpaceX with the caption "Air Force will pay SpaceX $83 million to put a satellite into orbit." Watch out Elon, you and the other companies mentioned in the article just became the next top target --Space Exploration Technologies (SpaceX), United Launch Alliance, Boeing, Lockheed Martin, and any company in the supply chain building these new, lower cost commercial rockets will have crosshairs on their cyber foreheads just like the steel industry did.  Space technology has been declared high on the Chinese priority list for several years.

BT

We had an interesting week. On Monday we kicked off a new effort to train transitioning vets. We've hired two in the last month and expect to hire several more in the coming weeks. And because many of them are not (yet) cyber experts (we're training them), we have them do other things --like reading social media, translating pages, and in general, watching for physical threats via cyber means.  Over time we'll transition these guys up to reading packets, malware analysis, and other critical skills needed in our space. Some will choose to stay with us, but others will have the opportunity to be introduced into Red Sky member companies for longer term, higher paying jobs.  In fact, we hired the former Supervisory Special Agent from the Coast Guard First District's (Boston) CGIS unit --Bill Schenkelberg --to run this new team. Bill was involved in the NH Fusion Center, Cleveland, and now sits on the board of the National Fusion Center Association. We're looking forward to having him join us!

As a reminder, we're preparing for our joint H2L Solutions | Wapack Labs Cyber Symposium in Huntsville on June 7th. We'll be joined by folks from H2L, Lockheed, Morphick Security, and so far about a dozen of our closest friends at the Jackson Center in Huntsville. 

Care to join us? Drop our marketing person a note. Her name is Pamela, and she'd be happy to help.

OK. That grass isn't going to mow itself. 
Until next time,
Have a great weekend!
Jeff


Saturday, April 23, 2016

Beware of Female (or Male) Spies!

[Image source: http://news.sky.com]
Remember the "Beware of Female Spies" poster? I have one framed and hanging in my office in New Hampshire.

This morning when I scanned my morning RSS feeds, I found a story about the Chinese warning its young girls not to fall for handsome strangers that might be looking to steal state secrets, and it immediately made me think of the old poster hanging in my office.

The Chinese version of the story starts out with two young girls, followed by what appears to be a dinner date with wine, and ends up showing the girl in handcuffs after both she and David are arrested, and a police officer telling her that she has a shallow understanding of the need to protect state secrets.  The caption shown with the comic above reads "David, the red-headed man, should not be trusted."

The comic not only reminded me of the need for OPSEC, but also that intelligence is very personal. David is obviously attempting to collect from a young girl, plying her with compliments, wine, affections and probably a bit of money. He's doing this because he needs information on something specific, from someone specific. And while it's good to know that there are big things that people want to steal from each other, it's more important to the company to know what someone wants to steal from them...

And so we've begun a bit of an overhaul in the way we author our own reports. I talked about Cyberwatch last week, and that's one output --one way that we individualize our reporting to the specific customer. We write daily reports --they include some open source material, but they start with "what's coming for you?" and then lead into the broader "now here's what's happening around the world..." I've challenged my team to write to the individual --make every one of our readers feel like the product was written for them specifically, and to that end we've started pushing products to every customer, tailored to them. What kinds of things can you expect from us? Here are a few use cases:

For the enterprise --intelligence for network defense --this is the stuff we write every day. But what about the bigger picture? Here are a few examples of intelligence work we've been doing...

  • Counter branding
  • Anti-counterfeit
  • M&A and Supply Chain assessments
  • Log analysis
  • Strategic intelligence --what do you have that someone will want to steal next week?

This is hard stuff, folks. There are a ton of intel companies out there, and most collect from the same sources, and you can't swing a dead cat without someone else standing up an EC2 instance with a fancy front end and calling themselves cyber intelligence. But if you really want individualized attention, whom do you call? You call Wapack Labs. Someone told me two weeks ago "23 people does not an intelligence company make" --but when you're 25 people and you service only a small number of high quality companies, 23 (we'll be 26 by May 1st) is the perfect size.

BT

Need easy-to-read material for your boss? Check out our TLP WHITE Executive Read Board --now set up on our main website. We put up a simple Wordpress site last year on a whim and it caught on, but we'd heard more and more that there were log-in issues, and my poor old version of Wordfence was taking a beating, so finally, today, we went live on a new TLP WHITE Executive Read Board. Why do we call it the Executive Read Board? In my early days as a shipboard Radioman, we packaged up a daily 'read board' for the old man. Every day, we took the read board up to his cabin and asked that he chop (initial) every document he read. So enjoy. It's priced right --even with a couple of no-cost reads per month, and for every story there are indicators in our Threat Recon indicator database. And if you need more, for every indicator there's a report in Red Sky...
Context, depth, indicators. Have a look:

http://www.wapacklabs.com/subscribe/

Last, we're preparing for some upcoming events:

  • We're hosting a Cyber Symposium in Huntsville with H2L Solutions on June 7th (yes, Steve, I know --DIB ISAC is doing something too!). 
  • On the 8th, I'll be in Philadelphia for a talk with insurance lawyers.
  • Also on the 8th, Chuck Nettleship (our inbound Lab Director) will be speaking in Toronto. 
  • And on the 21st, our second Threat Day of the year, hosted at a member location in Connecticut. It's busy.

Need information? Drop us a note. 

Interested in sponsoring or speaking at one of our events? Drop us (Pamela --our marketing person) a note!

Until next time,
Have a great weekend!
Jeff







Saturday, April 16, 2016

We need to think smarter not harder about cyber - Cyberwatch.

I'm a bit late in posting this week. I know many of you read it on the treadmill on Saturday morning, but it's been a crazy (good) week, and I've just arrived back home from MD. I spent some time with my youngest this morning at a charity yard sale at her HS and then got a workout in... my body's sore.

We've been absolutely slammed this week, from publishing new North Korean cyber TTPs to getting new features added into Cyberwatch by week's end.



That said, here's the happenings...

Cyberwatch? We pushed a new feature last night --monitor up to five companies in a portfolio view...
pretty cool stuff. While the site still lacks documentation (we do have a FAQ page), the ability for a CISO to monitor up to five companies (their own plus four others) and baseline relative levels of threat between them is, in my opinion, a tool that every CISO --and anyone who invests their own money or someone else's --should want.

In fact, in the graphic above, I'm monitoring 10 Aerospace companies --from really big to very small --just to see the comparison of cyber threats looking at them. It gives me a great baseline --and tells me there are maybe one or two that I should call and give a heads-up! And in the near future, we'll be looking at portfolios of up to 1000 companies (at least that's what I'm requiring of my CTO!). So imagine, sitting in your comfy leather chair, worried about hackers because Krebs broke yet another "oh shit" blog post. You simply log into Cyberwatch, check the graphic for your portfolio of companies, and either relax into your single bourbon for the night or put away half the bottle. 

Why do we care? Until recently there's been no really good way to monitor situational awareness in the intelligence space writ large --and because of that, many companies have a hard time articulating the need for security --or worse, know they need it but ignore it.

So this week we showed a security guy how to monitor cyber threat in his supply chain. His reaction? He wanted to buy a single user license on the spot to help predict which stocks he should buy. We didn't really expect that reaction, but it's the second time it's happened.

Then we told him we'd purchased an equity stake in an investment tool, and our (patent pending) process for monitoring the cyber threat landscape is to be built into the analytic tool designed to help institutional investors make decisions on their portfolio.

He loved it. He still wants a single user license, but he loved it.

So imagine this... you sign into your [you name the broker/dealer's website], and you start combing through the endless amount of financial data -- revenue, costs, liquidity, margins, turns, etc... pretty cool stuff right? Now add in the idea that you can look at a new, fresh variable in your decision making process --cyber threats looking at that company. 

Given the ability to choose between two investments --one with little cyber threat and one with much cyber threat --what would you do? If you're an institutional buyer doing an M&A, you'll build it into the deal. If you're not institutional, you might consider choosing the company with the lower risk of being hacked.

BT

We're heading into May, and preparing for our June 7th Cyber Symposium in Huntsville. And yes, I know Steve Lines is going to comment on my blog that he too is running a cyber program for the DIB ISAC in May, so let me just get it out of the way right now for him.  I'm sure it'll be a good show. Steve's a great guy.

And in June? We've got some amazing talent showing up --folks who monitor networks, have built amazing security teams, and my guys --intelligence. If you have any interest at all in how to deal with APT, the impending DFARS/NIST 800-171 requirements, or the new insider threat requirements, there'll be people there who can help.

If you want to know how DCISE works, what happens when you report, and the requirement for reporting your cyber activity to the government: it's been a while since I left the government, but I had a hand in writing some of those documents and built the early operational capability that is now DCISE. So go enjoy DIB ISAC, and then stop over for the June 7th Cyber Symposium. The agenda is looking pretty good... Red Sky/Wapack Labs, Lockheed, Morphick and Huntsville's own small-company-focused rock star, H2L Solutions. If you'd like more information, please reach out to our partner in this, Jonathan Hard, CEO at H2L. Jonathan will give you the gouge on the Symposium and set up a time to talk about doing your 800-171 assessment/attestation and go-forward plan.

Also, we're hosting our second Red Sky Threat Day in Stamford, CT on June 21st, and have some great talks lined up. We try to bring in one outsider per quarter to give a talk. Interested in presenting? Shoot me a note.

OK folks... sorry for the late post. It's been a long week.

Have a great weekend!
Jeff




Saturday, April 09, 2016

Information Overload? No Mas! Get help...

1980. Sugar Ray Leonard v Roberto Duran. I'd just graduated from High School. I remember the fight. Sugar Ray overpowering Roberto Duran at the end of the eighth round. No mas! No more fight! This as Roberto Duran threw his hands in the air, only to take one more blow to the body, ending the fight. Duran was done. He'd been beaten down.
[Image: boxrec.com]

Why am I talking about boxing? Because, I'm afraid, many of our network defenders are feeling beaten down, just like Duran.

I talked with two companies this week who both seemed flat-out exhausted. In both cases, the sheer volume of data simply overwhelmed them. In both cases, they've resigned themselves to the fact that intelligence (more intelligence) simply isn't going to help their situation --and in both cases, they've given in to the fact that they are being successfully breached on a regular basis. And more? They're being compromised multiple times per day. Even more, the idea that the sheer flood of data has turned these otherwise really smart guys into folks who've thrown in the towel is turning into a story that I'm hearing more and more.

So what's the next step? More big data? More feeds? No. The companies are suffering from information overload with no real means of prioritizing their efforts. And with new supply chain regulations in effect, and insider threat regulations coming into reality quickly, the simple fact is this... CSOs and CISOs need better information, not more information.

Years ago I blogged about the work required to manage the supply of data from Bugtraq. I realize I'm dating myself, and I'm sure I'm not the only one who remembers trying to figure out how to watch every single emerging bug that came out on the listserv, and I'm certain I'm not the only one who combed through other sources --like USENET messaging and the FIRST emails --on a daily basis. But even with that small dataset, the idea was simply this... Bugtraq sometimes cranked out 400+ pieces of vulnerability data daily. A SOC guy would spend about an hour every day simply scanning every piece of information. Add to that the idea that if a quarter of those were actionable, that SOC, network manager, or heck, even a swarm of techies couldn't keep up with the needs of even a small network.

Now think about the amount of data being called 'intelligence' that comes in today.

With dozens of aggregators out there cranking millions of pieces of data, let's face it, there's no way in hell that even the most efficient security team could keep up.  One team told me that they collect over a million pieces of new information weekly --and I think that number is probably a little on the light side. Automation helps, but rarely prioritizes actions to be taken by the responsible CISO.

So what's the answer? Better information, not just more information.

Current practice looks like this... buy a vendor get a feed. Every vendor has backend intelligence (if they don't, don't buy it).  There are some excellent choices out there.  Cisco, Palo Alto, FireEye, Crowdstrike --all great choices. The process (optimized process) looks like this --collect intelligence, compare the intelligence to exposed systems, pathways, etc., and then patch those systems or close the pathways. As more intel comes in, more fixes need to be installed. When you're receiving a million pieces of intelligence per week, the question becomes this... what to fix first?

Sometimes you just know --that system is really important, or the owner of that system is really gonna be pissed if I don't get it fixed. You know from an internal perspective why the most important system is the most important system, but what about from an external perspective?

The smarter question that intelligence should attempt to answer is not what's that vendor seeing? Rather, what is coming after you?

To answer this question, most companies establish an internal intelligence team. You need someone a bit more specialized in their view. Someone who can focus on prioritizing efforts for you.  You need analysis that can take that massive list of data that comes from the aggregation of other's lists or the intel that comes from those truly outstanding vendors, and turn it into a work process that you can actually manage.
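As an added illustration of that "what to fix first" step (this is example code, not Wapack Labs' process or tooling): a small Python triage that scores each incoming feed item by what it can actually reach in your own inventory, combining the internal view (how much the box matters, whether it is exposed) with the external one (is the reporting aimed at you, is it being exploited). The asset list, the feed records, the `FEED-…` identifiers and the weights are all constructed for the example; in practice the inventory would come from your CMDB or scanner and the `targets_us` judgement from your analysts.

```python
"""Triage a flood of feed items against what is actually exposed in your own shop.

Added example, not Wapack Labs code.  The asset inventory, the feed records and
the scoring weights below are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    products: set           # what runs on it, e.g. {"openssl:1.0.1"}
    internet_facing: bool   # reachable from outside the perimeter
    criticality: int        # 1 (nobody cares) .. 5 (crown jewels), owner-assigned


@dataclass
class IntelItem:
    ref: str                # the feed's own identifier (hypothetical values below)
    affected: set           # products the item speaks to
    targets_us: bool        # analyst judgement: aimed at us or our sector?
    exploited_in_wild: bool
    source: str


def relevance(item: IntelItem, assets: list[Asset]) -> tuple[int, list[str]]:
    """Score one item by what it can actually reach in our inventory.

    Items that touch nothing we run score 0; that is what lets most of a
    million-item week fall to the floor unread.
    """
    hits = [a for a in assets if item.affected & a.products]
    if not hits:
        return 0, []
    score = 0
    for a in hits:
        # Internal view: how much does this box matter, and can they reach it?
        exposure = 3 if a.internet_facing else 1
        score += a.criticality * exposure
    # External view: is this coming after *you*, or is it noise about the world?
    if item.targets_us:
        score *= 3
    if item.exploited_in_wild:
        score *= 2
    return score, [a.name for a in hits]


def prioritize(items, assets):
    """Return [(score, ref, hit asset names)], highest score first, zeros dropped."""
    ranked = []
    for item in items:
        score, hits = relevance(item, assets)
        if score:
            ranked.append((score, item.ref, hits))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


# Constructed sample inventory and feed records (not real systems or reports).
ASSETS = [
    Asset("web-proxy", {"openssl:1.0.1", "nginx:1.8"}, internet_facing=True, criticality=4),
    Asset("hr-fileserver", {"windows:2008r2", "smbv1"}, internet_facing=False, criticality=5),
    Asset("dev-jenkins", {"jenkins:1.6"}, internet_facing=False, criticality=2),
]
ITEMS = [
    IntelItem("FEED-0001", {"openssl:1.0.1"}, targets_us=False, exploited_in_wild=True, source="vendor A"),
    IntelItem("FEED-0002", {"jenkins:1.6"}, targets_us=True, exploited_in_wild=False, source="sector ISAC"),
    IntelItem("FEED-0003", {"solaris:10"}, targets_us=True, exploited_in_wild=True, source="vendor B"),
    IntelItem("FEED-0004", {"windows:2008r2"}, targets_us=True, exploited_in_wild=True, source="internal"),
]

if __name__ == "__main__":
    for score, ref, hits in prioritize(ITEMS, ASSETS):
        print(f"{score:4d}  {ref}  -> {', '.join(hits)}")
```

The point of the ranking is the order, not the absolute numbers: the internal file server that someone is actively coming after outranks the internet-facing proxy with a generic in-the-wild bug, and the Solaris item never shows up at all because nothing in the inventory runs it. Swap in your own weights, but keep the shape: match against what you run first, then ask who wants it.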

This is where Wapack Labs comes in. While many receive general subscription information, Wapack Labs has processes in place to allow companies to understand what's coming after them. We've contracted with organizations to be, or to assist, internal intelligence teams to ensure that the tsunami of intelligence information is focused on your needs, not the rest of the world's.

You've heard this from me before... In a bar fight? Fight the guy in front of you first. Then fight his friends. Don't worry about all of the other bar fights going on in the world. Someone else is going to take care of them... until they come to your bar.

And when you need help? Compare notes? Red Sky(R) Alliance is the place you ask for help. Jump in, get questions answered from folks who've done it before.

BT

It's been another fantastic week --although a bit slower. Two guys on travel in Vegas --I hope you enjoyed meeting my partner, co-founder, and CFO, Jim McKee. Jim doesn't get out much, but when he does, he shakes hands with anyone who'll take it --and then tells our story.  I stayed back, working in the BWI/DC area for a few days. It was actually a nice break from travel. Back to NH next week.

And the team? We've been publishing explanations and mitigations for the rash of SSL activities that have been running around. We also published a report on Netsky (a customer request), an updated version of iRAT, and published Targeteer(R) (DOX) reports on three African guys that we believe to be planting code in networks. If you've ever been victimized by key loggers, you'll want to read that Targeteer(R) report.

Want to know more? Check out the new website or give us a call 844-4-WAPACK.

I'm waiting for the snow in MD --and fly fishing in VA tomorrow when it warms up!

So until next time,
Have a great weekend!
Jeff







Saturday, April 02, 2016

Hack the Pentagon? I love it!

Several months ago I blogged about the idea that contractors with mature information security operations are used as butts in seats in the Pentagon and DHS --only to not be allowed to bring best-in-breed solutions or out-of-the-box thinking to those posts. The result? Long-time government employees continue down the paths they've been on for years because (sigh), it's what they know --and what they believe will work based on their own experience.

So when I saw this in my inbox two days ago, I smiled from ear to ear. I doubt anyone read my blog and decided to do this --more likely some smart entrepreneur bent the right ear inside the Pentagon and pulled off a smart coup --BZ to them! Regardless, on March 31st, DoD announced a "Hack the Pentagon" bug bounty program. Funny, I actually checked the date to make sure it wasn't an April Fools prank because the circular reporting had it on April 1st --I had to find the root article. It apparently is not.

And if this is true? I'm shocked, and elated, and yes, I'll urge my guys to participate. I love the out of the box thinking --a simple solution to a hard problem.

On a second note, I just shared an article from The Register (UK) that talks about the US Marine Corps creating a 'hacker support unit'. Very happy. My first Information Warfare job was at the Navy's Fleet Information Warfare Center in 1997. And now, nearly 20 years later, it seems the stuff is finally filtering into mainstream routine operations as a daily part of what we do.

Well done.

BT

Red Sky and the Labs continue to be busy. We published a couple of new pieces of analysis this week: two technical papers (Kiler RAT and Kibala), and one of my personal favorites, "Russian Cyber Capabilities: Lessons and Tendencies". This report discusses, in a readable short format written by a native Russian-speaking analyst, the reasons why Russia acts as an APT actor (meaning state sponsored), and how we expect them to progress.

BLUF: Russia is one of the most active attackers in the cyber space. With the economy declining in Ukraine, Russia, and Belarus, financial cyber fraud originating in these countries may rise. Political tensions with the West have grown, especially over Ukraine and Syria. Russia is isolating its cyber space, and Russian APTs are getting stronger. These lead to systemic threats with the possibility of large-scale information attacks, and even disruption of the Internet and other critical infrastructure. 

In addition, we requested membership for five new organizations, including a potential integration of another large information sharing group. This is a first for us, but Red Sky has been doing well for nearly four years, and while we'd never considered bringing in another group, what the heck... if it brings value and helps with the defensive mission, we love the idea.

On that, I'm bugging out of NH for MD today... meetings first thing Monday morning and we're expecting snow, so...

Until next week,
Have a great weekend!
Jeff


Saturday, March 26, 2016

Iraq's new drone in action..

Iraq's new drone, the Chinese C-4 drew first blood against ISIS, according to an article in Popular Science. And this made me think back... for how many years did we chase Chinese espionage from networks where these things were built? And while I have no idea what the guts of these birds look like, they certainly look similar on the outside.

[Image: Iraq's new C4, optics retracted to reduce drag during flight. Source: http://www.popsci.com/]

[Image: Predator firing a missile]
The report discussed general trends, but relating to this morning's blog was the idea that UAVs were near the top of the targeting list... and they had been for five years. So based on that thinking, 2004-2009 were peak UAV harvesting years, at a time when only the US had them.   

In a previous post, I reported that a US bird (at the time) was selling for $3.2 mil, while the Chinese version was selling for ~$800,000 (USD). And now, just a few years later, we're seeing the results of that espionage activity in the air, flying against ISIS. Good for the Iraqis! Bad for us. 

And then I think about the idea that it seems like only yesterday when UAVs (unmanned aerial vehicles) were high on the target list for Chinese acquisitions. In fact, in 2010, the Defense Security Service reported in an unclassified report:

"East Asia and the Pacific region were hosts to the highest number of intelligence collection attempts. “For the fifth year in a row, reporting with an East Asia and Pacific nexus far exceeded those from any other region suggesting a continuing, concerted, and growing effort to exploit contacts within United States industry for competitive, economic, and military advantage,” the report states."

We've experienced massive cyber thefts from our R&D EDUs, R&D centers, and OEMs. In the early days, the idea that new technology was obtained through cyber means was shocking. Today, not so much. The targeting of UASs (Unmanned Aerial Systems --the updated term for UAVs) today means stealing IP that allows for refined controls of the previously stolen systems --how can they be made better --navigation, targeting, optics. Regardless of whether for military or economic gain, the simple idea that these birds sell for a quarter of the price of our own and the skies will soon be full of them means jobs lost --and not just in the US, but also in the international supply chain. 

BT

As always, a busy week. Two new fusion reports were posted to the Red Sky portal. We've been using a new format with all of our new published reports. Members have had problems navigating the number of reports in our socially driven site. The engine isn't machine-to-machine; rather, it focuses on human interaction. So to assist with some of the confusion, we've begun adding snapshot views to each of our products, as well as a cross reference of our previous reporting (links inside Red Sky - redacted for this post) and a link to our indicator database (open to all) where users can download indicators (https://www.threatrecon.co/search?keyword=FR16-011).

Our latest report focuses on Locky:
Executive Summary
In February 2016, the Dridex botnet was observed distributing a new ransomware variant named Locky. Since then, a number of Locky macros and downloaders have been leveraged to distribute the ransomware. This report describes a recently observed JavaScript Locky downloader that appeared in early March. Similar to Dridex, the delivery infrastructure consists of compromised bots, which send the malicious emails, as well as compromised websites that host the Locky payload.

This report includes technical details and mitigations on this Locky downloader variant and related infrastructure. Mitigations are offered at the end of this report.

Publication date: 24 March 2016; information cutoff date: 18 March 2016

Handling requirements: Traffic light protocol (TLP) AMBER. Recipients may only share TLP: AMBER information with members of their own organization on a “need-to-know” basis and only as widely as necessary to act on that information.

Attribution/Threat Actors: The Locky Javascript Downloader variant is a part of the Dridex/Locky botnet.

Actor Type: Adversary capabilities have been assessed as Tier II: Practitioners with a greater depth of experience, with the ability to develop their own tools (from publicly known vulnerabilities).
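Against the delivery chain the summary describes (a script attachment in the mail, then the payload fetched from a compromised website), the cheapest place to cut is the mail gateway, before any script host runs. The following is an added example, not the report's own detection logic or indicators: it runs a plain attachment rule over a handful of constructed gateway log lines in a made-up key=value format and flags messages carrying a Windows script file, bare or inside an archive. The log format, the message ids, the addresses and the extension lists are all assumptions for the example.

```python
"""Flag mail-gateway records that carry Windows script downloaders.

Added example, not the Locky report's own detection logic or indicators.  The
log format is constructed for illustration: one record per line of
space-separated key=value fields; `inner=` lists the names inside an archive
attachment separated by ';'.
"""
import re
import shlex

# Extensions Windows hands to the script host on double-click.  The downloader
# the report describes was a .js; the rest are its usual siblings.  Assumed list.
SCRIPT_EXT = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}
# Containers that commonly pass a mail filter and hide the script.  Assumed list.
ARCHIVE_EXT = {".zip", ".rar", ".7z"}


def parse_record(line):
    """Turn `k=v k="v with spaces"` into a dict; shlex handles the quoting."""
    fields = {}
    for tok in shlex.split(line):
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def _ext(name):
    """Lower-cased final extension, or '' if there is none."""
    m = re.search(r"(\.[A-Za-z0-9]+)$", name)
    return m.group(1).lower() if m else ""


def classify(rec):
    """Return a reason string if the record looks like a script downloader, else None."""
    attach = rec.get("attach", "")
    inner = [n for n in rec.get("inner", "").split(";") if n]
    if _ext(attach) in SCRIPT_EXT:
        return "bare script attachment %s" % attach
    if _ext(attach) in ARCHIVE_EXT:
        # Decoy double extensions (invoice.pdf.js) still end in the script suffix.
        for name in inner:
            if _ext(name) in SCRIPT_EXT:
                return "archive %s contains script %s" % (attach, name)
    return None


def triage_mail(lines):
    """Return [(message id, reason)] for every record worth pulling from the queue."""
    flagged = []
    for line in lines:
        rec = parse_record(line)
        reason = classify(rec)
        if reason:
            flagged.append((rec.get("id", "?"), reason))
    return flagged


# Constructed gateway log lines; the addresses and file names are made up.
LOG = [
    'id=m1 from=accounts@example.net subj="Invoice 2016-03" attach=invoice_3481.zip inner="invoice_3481.js"',
    'id=m2 from=hr@example.org subj="Policy update" attach=policy.pdf inner=""',
    'id=m3 from=scan@example.com subj="Scanned document" attach=scan_0021.js inner=""',
    'id=m4 from=pics@example.com subj="Photos" attach=photos.zip inner="IMG_001.jpg;IMG_002.jpg"',
    'id=m5 from=ship@example.com subj="Delivery" attach=tracking.zip inner="tracking_doc.pdf.wsf"',
]

if __name__ == "__main__":
    for msg_id, reason in triage_mail(LOG):
        print(msg_id, reason)
```

The rule is deliberately dumb and therefore cheap: it does not need the indicators in the report to catch the class of lure, and it fires on the decoy double extension as well as the bare script. The second stage, the fetch of the payload from a compromised site, is where the report's indicators and your proxy logs earn their keep; that is not shown here.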


As well, this time of year is always busy for us. We've offered membership to one more organization, and have proposals out with three others. Interactions in the portal seem to have slowed a bit this spring, but we continue to populate it with intelligence, reports, commentary/analysis and actionable data. Even with the slowdown, we still see over 36% returns month over month, so I'm not complaining. 

What's coming? 
  • We're planning our first Cyber Symposium with a partner in Huntsville, AL. Wapack Labs and H2L Solutions (a DFARS assessment company performing NIST 800-171 assessments in the area) will be hosting a Cyber Symposium for local companies on June 7th. 
  • Two weeks later, we're doing our pre-summer quarterly Red Sky Alliance Threat Day at a member location in Stamford, CT.

It's busy. We like it this way.

The blog is getting long, so I'm going to take advantage of the sun up here in New England. 
Until next time,
Have a great weekend!
Jeff