Saturday, September 10, 2016

Voter manipulation no big deal? Hey Cowboy, you may want to read this...

SOURCE: thehill.com

"Department of Homeland Security (DHS) Secretary Jeh Johnson on Thursday downplayed concerns about malicious hackers influencing U.S. elections amid rising fears about foreign actors trying to wreak havoc on Election Day." (thehill.com)

I'd like to comment... Just because DHS can't see it doesn't mean it isn't happening. That's not a knock on DHS, but neither the US-CERT nor the NCCIC is equipped to handle the multi-disciplinary analysis required to see and read all of the tea leaves.

Let me explain... here are a few things you may not have known. We tracked, in near real time, the manipulation of the Ukrainian Presidential Election by hackers, military, and commandos. This multi-faceted, asynchronous information operation followed what we believe to be an updated version of the Ivanov Doctrine --Putin's asynchronous warfare plan, drawn from lessons learned by watching the US operate against Iraq. We published reporting on this in 2014 and into 2015. Since the Crimean conflict, Wapack Labs has actively tracked cyber activities between Russia and its neighbors --but most specifically Ukraine. For DHS's NCCIC to have known about this, they would have needed more than just cyber intelligence coming into the center. I'm not sure if they do.

The high level story goes like this:

(Russian) hackers trojaned the Ukrainian Central Election computer systems. When the Ukrainians found out, they took it offline. Telephony denial of service, computer attacks, and manipulation of election reporting followed: a Russian state-owned television station on the eastern border of Ukraine reported false results through the night of the election. The full report tells the full story, properly sourced, but the last time we mentioned this, it was reported by the Christian Science Monitor. We preferred to stay low-key in the article, but the story was originally tipped off by my blog post. I remember having a discussion with Mark Clayton (the journalist) as he was pulling the piece together. He was aghast that the story of a Presidential Election manipulation hadn't received more attention here in the US. My only thinking is that my team is small and nimble; we operate very much in a multi-disciplinary fusion center approach. I'm guessing that gathering lessons learned wasn't the priority at the time, and neither the press nor our IC apparently connected the dots... or maybe Jeh just hadn't been made privy? I don't know. I can't speculate on that, but I can make our original reporting available.

If you wish to purchase the report, I've priced the short form Priority Intelligence Report at $1. The 25-page document is priced slightly higher. Both are available for purchase at our digital storefront.

BT

I'm preparing for my trip to Orlando tomorrow. I've never been to an ISC2 Annual Summit, and the fact that it's being hosted with ASIS makes this attractive to my cash-flow-operated marketing budget. I've got a great little announcement that'll be hitting the press while I'm there, and if you see me, ask me! I'm planning on having my laptop with me, running demos for anyone who wants to see them. We'd built an early version that I demo'd all over RSA, gathering a great crowd, running demos on my phone until the battery finally died. I can't wait to show off the upgrade!

On Wednesday we're presenting at the FS Consortium in NYC, and next week? Cigars with Red Sky Alliance members on Monday night with Threat Day at the Global NOC of one of the major telecom companies on Tuesday. We've got a great lineup. I'm running hard. It's awesome! Didn't get the invite? Shoot a note to Pam, our marketing guru. She'll hook you up!

So, until next time, 
Have a GREAT weekend. Maybe I'll see you in Orlando!
Jeff


Saturday, September 03, 2016

Ending summer. Kicking off Fall with a Bang (and a cigar!).

I'm not going to spend a lot of time on my post this morning. It's the last official weekend of summer, and after I go to the dump we're heading for our last outing to the beach for the season, then driving to MD tomorrow to prepare for three weeks of hard travel and the official kickoff of the fall surge. We always get busy in the fall. Red Sky Alliance was founded on 8/29/2011, so we just passed its 5th birthday, and every year is pretty much the same. In fact, we built Wapack Labs to start pushing intelligence into the Red Sky portal after our first summer, hoping, making sure, that after summer our members would come back. It got so slow during the first year that I thought we'd been abandoned... we needed to find a way to add value to make sure they came back --and they did.

We kicked off operations in Feb '12 with two guys, three members, and a monster American Express bill, waiting, waiting, waiting, for that first check so that we could pay the Amex... and when it finally came in, we both (Jim and I) sighed a huge sigh of relief.

Since then, the Red Sky group has grown to roughly 35 participating companies, and even today about 40% of our members check in at least monthly. We've lost four companies in five years, and although we've shifted our stance just a bit (some companies still prefer to share privately, and do; others just don't care), the portal remains fully attributional.

How do we build trust? One of the ways we do it is by hosting quarterly get-togethers --cocktails first, followed by a day of meetings where we share ideas and threat information. Our next will be held in New Jersey... cocktails at JR's. If you're a geek and want to stop by for a few minutes, please, by all means.

Threat Day will be held the next morning at the conference center at the (ahem) Large Telecom in the area... with a tour of the Global Network Operations Center. For those of you who remember doing this a couple of years ago (this is our second visit), this is one of the coolest locations for a conference that I've ever been to... I'd even have to say this is cooler than the underground conference center at the Pentagon... that's cool, but this place? It's a geek's dream!

So here's the logistics: If you'd like to attend, please RSVP to our event coordinator. Not a member? RSVP anyway. If we run out of space, we'll let you know!

Join Us For Cocktails, Conversation & Cigars The Evening Before Threat Day!

The Red Sky Alliance & The Wapack Labs team invite you for cocktails, appetizers, conversation and yes, a cigar [if you would like :)] the evening prior to Threat Day. Join us at the Montecristo Lounge September 19th at JR Cigar. We will be in the Churchill room! Listen for raucous laughter and tall tales. Check out the link below. Looking forward to seeing everyone!

JR Cigars - The Churchill Room

301 Route 10 East
Whippany, NJ 07981
*Dress Code -- Business Casual 
http://www.jrwhippany.com/index.php/gallery/new-cigar-lounge/#prettyPhoto[]/3/
BT
The summer's always slow, but we try to use it to build something insanely cool for release after Labor Day, and this year is no different. Look for one of the coolest new tools you've ever seen to hit the streets next week. We've been working hard, beta testing in the membership, and loading context, all in preparation for one of the absolute coolest tools. I'm not going to say any more --you'll just have to wait for it... but trust me... it'll be worth the wait!
I've got a dump run and a beach waiting... so until next time,
Have a great weekend!
Jeff

Saturday, August 27, 2016

No cure for the common cold...

Props: pbs.com
Walk through the cold and flu aisle at Walmart and you'll find hundreds of products that all tout their ability to soothe even the most savage of symptoms --some snake oil, others not bad, but all missing one key attribute --none cures the common cold.

This analogy was told today in a conference call when a "friend of Wapack Labs" explained to a prospective customer how we differ. The friend --Bill Vajda --explained that while nobody has yet cured the common cold, the new API is very helpful in getting raw, highly useful information into the hands of those who can actually do something with it.

He's referring to our new Cyberwatch(R) API. We've been working hard to get it rolling. We found that we're not very good UX guys, but wanted to find a way to push intelligence --really useful intelligence --into more hands. It's in beta testing right now with a couple dozen Red Sky Alliance members. The feedback so far has been pretty consistent --typos, a bit more context, and a feature request or two --but every piece of feedback proclaimed how much they like the product.

I talked about this two(?) weeks ago. We're experimenting with different ways of selling without selling. I told my team today that I'd read a book --The Accidental Salesperson. I wasn't born able to sell. Sometimes I still wonder if I can --maybe it was simply market forces, or maybe it's just because I'm so good looking! Either way, I'd never learned a formal process for selling, and as a result have found myself reading things like Question Based Selling, The Accidental Salesperson, The Challenger Sale, and just about anything I can get my hands on that'll teach me the best way to attract new customers. And here's what I found... give a customer what they want, in a way that makes it really easy to use or integrate, without the need to add extra staff (or better, something they can make money with, or reduce current operating expenses with), and it'll sell itself.

This is what we're attempting. Red Sky Alliance is a great place for those who need questions answered. Prioritization is a major issue for security folks --pushing all of those rules, signatures, behavioral patterns, and context into one HUGE box just is not going to happen. Reading 50-page technical intelligence documents that require massive translation from techie speak to English (or, pick your language) also isn't going to work. Heck, even for those of us who like reading that stuff (like me), at some point they all sound the same. However, everyone knows how to use a mouse, enter a domain, and read the results. There are over a hundred intelligence vendors and over 1600 security vendors, and in every case each one does something different, with various levels of quality... yet nobody has yet found a cure for humanity's most basic problem... the common cold --delivering the right information, at the right time, to the right person, in a way in which they can take action on it, in the easiest possible way.

Stand by folks. You're in for a surprise.

In the meantime, please follow wapacklabs.blogspot.com. We're announcing every product that we author on the blog. If you really need a place to call and ask questions, we're here. Need more? Check Red Sky Alliance. Machine readable data? ThreatRecon.co offers finished indicators in JSON output.

Until next time,
Have a great weekend!
Jeff




Saturday, August 20, 2016

By the numbers


What's the graphic? VirusTotal detections over a 24 hour period, ranked by the number of times each engine detected a submission.

Why should you care?

I read the Wall Street Journal every morning. Most mornings (depending on time) I also read USA Today and a bunch of security news. USA Today isn't as much required reading as the WSJ, primarily because much of USA Today's news comes from the Associated Press, and many of the other papers available use the same news services. The WSJ also uses some of them, but provides its own reporting as well. There is some overlap in reporting, but I've got to read two papers plus my security reading to feel like I have enough information.

The same holds true with cyber intelligence.

We're partnered with Anomali, and we like them --for the most part, but one thing struck me yesterday as we were looking at their marketplace. We were dropped in the middle of the app marketplace pack, our logo sat very close to one antivirus vendor that we'd recently tested our indicators against, and I thought it odd.

Why? Because when tested, they detected only 14% of our indicators of compromise! You read that right... 14%!

You see, we've been testing our finished intel against some of the AV and endpoint companies, and here's what we found (their words, not ours):
  • We tested 3000 lines with a global AV vendor over two weeks during the holidays last year. They detected only 18% of our feed.
  • In June, we tested a sample of data that was almost two years old with another company --a California-based AV and endpoint company. In this two-year-old sample, they detected only 7% of what we'd provided them.
  • And when they didn't believe our stuff was real, we pulled fresh information, straight off the wire, and tried it again. They detected 14%.
In previous tests, two network security companies compared our network-based indicators (Snort rules, IPs, etc.) with the same results.
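Here is how a feed consumer can run the same kind of check for themselves. This is an added example, not Wapack Labs' tooling or test data: the feed and the per-engine verdicts below are constructed, and the engine names are placeholders. Given a list of indicators and the subset each engine flagged, it ranks engines by the fraction of the feed they detect, lists what no engine detected, and measures pairwise overlap between engines' verdicts (near-identical verdict sets on two low-scoring engines are what you'd expect from two products reselling the same upstream list).

```python
"""Score a threat-intel feed against detection engines.

Added example (not Wapack Labs' own tooling). FEED and VERDICTS are
constructed sample data; engine names are placeholders.
"""
from itertools import combinations

# Constructed feed: ten indicators of the kinds a feed typically carries
# (domains, IPs, file hashes). The first two hashes are the EICAR test
# file's MD5 and SHA-256; the third is an arbitrary hex string.
FEED = [
    "badupdate.example",
    "cdn-static.example",
    "198.51.100.17",
    "203.0.113.40",
    "44d88612fea8a8f36de82e1278abb02f",
    "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
    "login-verify.example",
    "192.0.2.88",
    "e99a18c428cb38d5f260853678922e03",
    "mailer.example",
]

# Constructed verdicts: which feed entries each hypothetical engine flagged
# as malicious. engine_a and engine_b flag exactly the same two entries,
# the pattern you see when products share an upstream indicator list.
VERDICTS = {
    "engine_a": {"badupdate.example", "44d88612fea8a8f36de82e1278abb02f"},
    "engine_b": {"badupdate.example", "44d88612fea8a8f36de82e1278abb02f"},
    "engine_c": {
        "badupdate.example", "cdn-static.example", "198.51.100.17",
        "44d88612fea8a8f36de82e1278abb02f",
        "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
        "login-verify.example", "192.0.2.88",
    },
}


def coverage(feed, verdicts):
    """Fraction of the feed each engine flagged, keyed by engine name.

    Only hits that are actually in the feed count, so an engine cannot
    inflate its score by flagging things we never asked about.
    """
    feed_set = set(feed)
    return {
        engine: round(len(feed_set & hits) / len(feed_set), 3)
        for engine, hits in verdicts.items()
    }


def ranked(feed, verdicts):
    """Engines ordered best-first by coverage, ties broken by name."""
    cov = coverage(feed, verdicts)
    return sorted(cov.items(), key=lambda kv: (-kv[1], kv[0]))


def undetected(feed, verdicts):
    """Feed entries no engine flagged: the gap the consumer still carries."""
    seen = set().union(*verdicts.values()) if verdicts else set()
    return [ioc for ioc in feed if ioc not in seen]


def union_coverage(feed, verdicts):
    """Fraction of the feed caught by at least one engine."""
    return round(1 - len(undetected(feed, verdicts)) / len(set(feed)), 3)


def jaccard(a, b):
    """Jaccard similarity of two verdict sets (1.0 means identical)."""
    if not a and not b:
        return 1.0
    return round(len(a & b) / len(a | b), 3)


def pairwise_overlap(verdicts):
    """Jaccard overlap for every engine pair, keyed by sorted name tuple.

    A pair scoring near 1.0 while both score low on coverage is the
    signature of two products drawing on the same aggregated indicators.
    """
    return {
        tuple(sorted((x, y))): jaccard(verdicts[x], verdicts[y])
        for x, y in combinations(verdicts, 2)
    }


if __name__ == "__main__":
    for engine, score in ranked(FEED, VERDICTS):
        print(f"{engine:10s} {score:.0%}")
    print("caught by any engine:", f"{union_coverage(FEED, VERDICTS):.0%}")
    print("seen by nobody:", undetected(FEED, VERDICTS))
    for pair, sim in pairwise_overlap(VERDICTS).items():
        print(pair, sim)
```

Two caveats when you run this against real vendors: the verdict sets have to come back from the vendor for the exact indicators you submitted (sample size and freshness matter, as the 18%/7%/14% numbers above show), and a detection rate on known-bad indicators says nothing about false positives, so score a known-benign list the same way before drawing conclusions about an engine.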

Why? Many 'intelligence' companies buy data from aggregation companies --who dump a bunch of data together in a blob in EC2 and resell it over and over and over --and many of the companies that you buy from today use the same data. Most of it comes directly from open sources on the internet --rarely tailored for the actual customer who's buying in. Many of the lower-detection products shown in the graphic SHARE the same indicator information. It's a cheap way to make a product --great for revenues, bad for the buyer. You might as well go buy your security tools at Bob's Discount Furniture. You'll have better luck with a hardwood door on your datacenter than you would by relying on those old reused indicators!

We're a bit different. We have an information sharing group who, for the most part, can do the analysis on their own. They just want our raw data. But for others, we take their security requirements, go find sources of information that would give us the answers, collect the data, answer the questions in the form of intelligence (futures thinking) or analysis (post-incident), and feed it back in a useful way --human readable, delimited, JSON, STIX/TAXII. It's called the intelligence cycle, and it's targeted to the company.

In all three tests, the companies were given information that we directly observed or pulled from our own collections/analysis. The results were provided by them, to us, as part of a decision process to figure out if they should OEM our indicators in their reputation lists. In each case, the companies didn't purchase our stuff because they had such a low detection rate! HELLO?!

If you're receiving our Cyber Indications and Warning Reporting in the Red Sky portal, you'll never see the companies at the bottom of the list show up in the top five. And now you know why... they aggregate data instead of hunting for it smartly and analyzing it before sending it out... and I don't mean data science. I mean good old-fashioned QA.

The upside? You can be protected from the other 84% that they didn't see. If you don't want to buy it from us (starts at $40/month), there are several companies that use our intel to protect their customers. Wapack Labs is built into Solutionary, AT&T's MSSP, Arbor, FlowTraq, E&Y, and Morphick. We're also available for purchase through Anomali, ThreatQuotient and ThreatConnect.

Look, friends don't let friends buy junk. Give us a shout. Let me show you how we're different.

Want to get a feel for what we write about? Have a look at the Wapack Labs blog. Every technical report shown in the blog has indicators that were derived by us for a customer. We share them out so others may benefit. 

OK folks. I've got a Sleep Number bed to return. My back is killing me.
It's not going to take itself apart!
Have a great weekend!
Jeff

Saturday, August 13, 2016

1.47 seconds

A friend of mine --a retired CIA covert guy, who now lectures, drives race cars, sits on a few boards, and has dinner with me occasionally --does a two hour lecture that he calls "1.47 seconds". 1.47 seconds is the amount of time between the Boston bomb blast and when people in the alley behind were hit with shrapnel from the blast.

The question he poses is: what, or how, could people outside of direct contact with the bomb have been warned in that 1.47 seconds to make them take cover?

It's an interesting question, and one I think about often when I write a blog, publish a report, or, send a victim notification.  In fact, one question I consider often is even if I tell them, will they listen? Will they know what to do with the information I'm providing them?  For the customers we're used to serving, the answer is yes, but for many (probably 90% of the market) the answer is a resounding no.

So why does "1.47 seconds" stick with me? Because I watch the market churn --and the same companies targeted over and over by noisy marketers hawking some of the best, and some of the worst products, and I wonder to myself, what in 1.47 seconds could we do to cut through all that marketing b*ll sh*t, to get a real message out with real impact? What could we do to get the word out in such a way that it's easily understood, easily consumed, and actually used?

So we've been experimenting with a couple of non-marketing techniques --yes, I realize my blog has a bit of a slant --we're a cash flow company --no investors. We can't hire mountains of marketing people and sales people in every city, so my blog becomes a bit slanted. It's literally the only marketing we do (except maybe sponsoring an occasional high school robotics team).

Our latest experiment is fairly simple.

  • We've been posting the executive summary and product meta-data in the Wapack Labs blog. It was time to move readership from my personal blog to the company blog. 
  • We've focused much of our analysis on being proactive. Instead of simply analyzing past events, we look for indicators of coming events --and yes, we've been quite successful.
  • We're focusing our intelligence team on 'desired objectives by select bad guys' before the event occurs. That way, companies know what's coming, and we sometimes know who and how before it happens.
  • And we've been working intelligence as a team sport --converged with the needs of physical and industrial security personnel. 
Every time a new product gets published, the executive summary gets posted to wapacklabs.blogspot.com. Every product that has indicators has a link to our indicator database (Threat Recon) or our Soltra Edge instance (redsky.soltra.com).

We've offered up our raw collections (key loggers, sinkholes, etc.) to others who'd like to use them in their own analysis --that API should be up shortly, but as of today roughly a hundred people have run queries against our backend.

So, 1.47 seconds? Stand by. More to follow... That's where we're heading. 

In the meantime, please follow wapacklabs.blogspot.com. We publish almost daily. The reporting is a mix of cyber, physical executed via cyber, or intelligence collected via cyber.

If we can help, call us. We're busy as hell, but that keeps us going!

Until next time,
Have a great weekend!
Jeff

Saturday, July 23, 2016

Published: The Never Ending Campaign

This week we published one of the most controversial papers that I believe has come out of Wapack Labs since we started. We called it the Never Ending Campaign paper because we examined the cyber threats to funding and the election during this VERY long Presidential election.

The paper details the complexity of the American political landscape and profiles the attack surfaces for any federal political operation. We discuss the difficulty of the assessment as campaigns adopt new marketing, social media, and fundraising methods, and the different, sometimes overlapping motivations of each cyber actor.

We discussed exposures to US financial services, including the targeting of Personally Identifiable Information (PII) of donors to the candidates, PACs, and national political committees. This is possible through the vendors hired by each campaign to manage and report donations. Exposure also includes the banks servicing the transactions for all of these organizations, which are targeted via business email compromise, as well as anyone who has worked with the business or political assets belonging to each candidate.


Why controversial? This paper, even inside the team, created some of the most heated discussions between authors, peer reviewers and editors. The paper started early on as a pile of information, but ended as a cohesive, no-kidding paper on practical items that companies can key in on to protect themselves from fraud schemes designed to leverage campaign fundraising.

The paper is positioned free from political bias. My team performed well. The paper was published to the Red Sky Alliance and through the FS-ISAC on the 19th.

++++++++++++++++++++++++++++++++++

Other notes?

  • We introduced four new potential members to Red Sky Alliance this week. One financial, two maritime companies, and a Defense Contractor.
  • We wrapped up our support to the Cleveland Police Department with over 85 intelligence reports written, and at least one preemptive action taken as a result of our reporting.  
  • I had the opportunity to speak at the Maritime Cyber conference at Johns Hopkins APL this week. Of course, I told the story of the key loggers in the Maritime space, and the idea that we're well over a million accounts in thousands and thousands of unique organizations around the world. 
More? There's tons, but I'll hold for now. I'm preparing to have a great weekend --my 20th OCS reunion is tomorrow in VA Beach, and then off the grid in Maine for a couple of weeks. The timing is good... I'm getting ready to cut the arms off my team like my daughter used to do with her Barbie dolls when she was having fits.

So I'm publishing this in absentia... normally I'm up at 4AM writing my Saturday blog. Today however, it's Friday afternoon. My last meetings are in 20 minutes and again an hour after that, then... off to Cancun Cantina for beer and cigars with buddies, and VA Beach tomorrow. My plan is to take next weekend off.

So, until the 12th of August? Have a great two weeks!
Jeff


Saturday, July 16, 2016

Target and Home Depot - No Contractual Obligation?

According to the Wall Street Journal (June 27, 2016 - Technology section), in a piece entitled "Injury Key Issue in Data Breaches", Target and Home Depot, while settling with customers over data breaches two years ago, both fought the case, claiming in court filings that the stores "owed no legal or contractual obligations to consumers to safeguard their data."
Source: Forbes.com

Apparently there's been an onslaught of lawsuits resulting from the massive number of data breaches, and while I have no issue whatsoever with a company looking for actual damage --injury to a customer --meaning a customer can show that a loss of their privacy data actually cost them money, reputation, etc... I do have a problem with lawyers looking for the simple out by claiming that the stores owed no legal or contractual obligations to protect a customer's data.

So my question is this... is this legal wrangling, or do they really believe and practice this?

If this legal tack is real (I've not read the transcripts), it sets a bad precedent. In this case both companies settled but still paid. Unfortunately there are many more breaches that I'm sure will end up in court, with leagues of smart(er?) lawyers who'll figure out how to effectively utilize this defense.

At the same time, at the other end of the legal spectrum, there's a movement afoot in the UK to hold CEOs legally responsible for ensuring that baseline controls are in place to ensure the security of computer-based data --which of course, is just about everything.

BT

I'm keeping this short today. Heading out to WV to fly fish the Potomac with a friend. It's 5:30AM, so please forgive any typos. I attempted to get this written earlier in the week but...

Also, please have a look at the Wapack Labs blog. We've been posting analytic executive summaries. If we have indicators for the stories, we'll give you the link to either our own indicator database, Threat Recon, or our Soltra Edge location where you can pull indicators. It's a new form of publishing for us. I'd love to hear your feedback.

So, until next time, I'm "Gone fish'n!"
Have a great weekend!
Jeff


Saturday, July 09, 2016

First Chinese-Built Passenger Jet Goes Into Service

On June 29, 2016, the Wall Street Journal's Chun Han Wong reported "First Chinese-Built Passenger Jet Goes Into Service. China's first home-built passenger jet entered commercial service on Tuesday... the Jet, the ARJ21 developed by the Chinese State-owned Commercial Aircraft Corporation of China, Ltd (COMAC) was originally due out in 2006 but was delayed by over ten years because of repeated production setbacks... "

Normally I'd look at the piece and think to myself... I'd never invest in a company that was 10 years behind the market, but at the same time, I'm forced to wonder if those setbacks paralleled the increase in the security posture of COMAC's suppliers. And I'd have to wonder if another speed bump was dropped in the production plan with the 2014 creation of the Aviation ISAC... at which point I'm betting ARJ21 project managers crapped themselves while their airplane sat in the red zone, staring, dreaming of that first taxi out to the runway, while they awaited final tech to come in from Bombardier, Rockwell, GE, Sukhoi, Antonov and others.

Did I forget to mention? According to the WSJ, the COMAC ARJ21 competes directly with these companies --in a very crowded market --Canada's Bombardier, Brazil's Embraer SA and Russia's Sukhoi Civil Aircraft Company, and was heavily influenced by foreign technologies including the McDonnell Douglas MD-90, avionics from Rockwell Collins, engines from General Electric, and wing designs by Ukraine's Antonov State Co. I know for a fact that Bombardier, Embraer, Rockwell, GE and others have been harvested systematically for aircraft (and other) technologies. I'd bet a dollar that the state-sponsored Chinese intelligence apparatus fed directly into the creation of the state-owned aircraft manufacturer in China --COMAC --and the development of the ARJ21... and I'm betting we'll see more airframes out soon.

Certainly the thought isn't completely out of the realm of possibility. There've been hundreds, if not thousands, of news pieces and blogs written over the last fifteen years calling out Chinese (government and private) attackers as the culprits behind a ton of illegal technology transfer. The picture to the right shows a Chinese J-31 stealth aircraft that's essentially a knockoff of the Lockheed Martin-built F-35. From Buick knockoffs to drones to satellite communication systems to toaster ovens and consumer electronics, the shortest path to production isn't through the lengthy process of R&D, it's to use someone else's... Heck, ever wonder why you find a Burger King within a mile of every McDonalds? McDonalds has a better research department! And stealing technology is no different.

I guess you're probably wondering (like I am) exactly how much of the designs were purchased from each of those vendors and how much was stolen. The company is entering a crowded market ten years late, with design features coming from so many other airplane OEMs, and knowing damn well that each of the companies mentioned has suffered enormous losses directly related to Chinese cyber exploitation --heck, Boeing built the Aviation Information Sharing and Analysis Center (A-ISAC) to protect the aircraft OEMs and the industry writ large from the prying eyes of Chinese state-sponsored cyber espionage that had been occurring in their industry for over a decade.

I read the Wall Street Journal every morning. I have since I was an Ensign in 1996. I've never been so surprised by a lack of attention to detail as I was in this piece. Why would the author not do the work to identify the deeper story? Was this a success story? A competition story, or simply empty intellectual calories? Why would they not explore the idea that the industry's been getting its clock cleaned while technologies looking very much like competitive technologies (and not just US technologies) are coming out of China on a daily basis --from warships and drones to knock-off cars to commercial aircraft?

Who cares if it's ten years late when R&D cost almost nothing... right?

BT

I've been writing about intelligence and APT for roughly the last five years --almost every weekend over my first coffee on Saturday morning --and while I'll admit you get it a little rough, it's almost therapeutic. They say one of the best ways to relieve stress is to write a letter to yourself explaining the stressors that you're feeling --or write to a person who may have wronged you. In this case however, I've watched our space (the information security space) mature into a hodgepodge of technologies and vendors selling everything from snake oil to some amazing technologies, yet I have to wonder why it is that when I ask a company how they ingest intelligence into their systems, they tell me they don't!

And when I look across the spectrum of governmental organizations, commercial companies (large and small), healthcare organizations, energy producers, and others --in every corner of the world --the realization is simply this... we're losing this battle. Network defenders are getting CRUSHED by the sheer volume of attacks --successful and not --but those that are successful are costly in a big way. And as a result, we see folks like the banking CISO that I mentioned in my previous paragraph who are forced to simply rely on their managed security service to ensure their safety.

Why? Because CISOs still have a hard time talking to their management. Some simply haven't cracked the code on communicating the danger versus security versus ROI.  To help, we've added a couple of new offerings to our lineup, starting with the Executive Read Board.

The Executive Read Board is a low-cost subscription offering that turns technical analysis stories into easy readers via our on-staff journalist. Nancy had been an Air Force journalist turned newspaper columnist, and now works for us turning our stories into something that your executives can understand in a quick read --and everything is based on technical or intelligence analysis written in the lab.

I'd encourage you to have a look. We just completed the transition over from an old proof of concept site, and because of its popularity, we took it mainstream. You'll find short pieces suitable for pushing directly to your management. If you need indicators, pull them from our indicator database --ThreatRecon.co. Need more? Call us. We have a number of options from STIX/TAXII to an API to PDF reports.

In the mean time, I'll be heading to the MD/DC area this week, home plating for a ton of travel over the next two weeks, but I can be found occasionally at Shelly's, smoking a cigar, drinking a great bourbon. If you'd like to join me and shoot the sh*t, drop me a note. If you'd like more information on Red Sky Alliance or the intel group, Wapack Labs, drop me a note. 

Until then, have a look at the Executive Read Board. There's a 14 day free trial, so please, have a read.  We'll be pushing more and more up there this week, but there are a couple of hundred articles already populating the new site.

Enjoy, and Have a great weekend!
Jeff

Saturday, July 02, 2016

Training Day and Kicking off our Veteran Training program with the VA and SNHU!!

OPINTEL is the term used by the Navy to refer to tailored, all-source intelligence provided directly to operating forces. It focuses on a potential adversary's capabilities, his immediate intentions, and the environment. 

In the last few weeks we've been writing a ton of OPINTEL.  85(+/-) intelligence reports in the last month.  In one case, we're helping the CLE PD understand threats forming as they ready for the RNC. 

So yesterday was pizza, beer and training --early communism, exploring the formation of protest groups in the US, the Kent State shooting, and then bringing it forward to current day, comparing TTPs used by activism groups and how they form and operate.

I blogged recently about training returning veterans.  The group that we've formed (Team Jaegar --the hunt team) has been doing OPINTEL as the first step into cyber intelligence --what a great way for a company or customer to help the cause --by sponsoring the training of a returning vet who'll be dropped into an analytic seat on day one, shown the priority intelligence requirements, taught to operate safely in cyber space, and turned loose under the supervision of a retired CGIS Supervisory Special Agent who tutors them on writing actionable reports in a way that's understood by the most people and gets the message across quickly.  For those who need OPINTEL, every vet knows a threat when they see one... we just have to teach them what to do with it. The results? Absolutely amazing.  More on this in a moment.

While listening to the talk, as I looked around the room, I noted that the guys had taken a panel that we'd had printed for a booth at a conference in NYC a couple of years ago --the intelligence cycle --and papered it up with sticky notes showing due times and battle rhythms.  I preach the intelligence cycle, battle rhythms, publishing deadlines and analytic rigor.  I taught intelligence cycle processes as part of our Threat Intelligence University at a customer location just last week... I thought my guys were getting sick of hearing about it, so to see this team with sticky notes on the board showing due times, routines, etc. for this new, high-producing, insanely focused team makes me happy as hell.

And more? I'm happy to announce that our partnership with the Manchester, NH VA Medical Center (VAMC) and Southern New Hampshire University is underway. We've hired four vets on referrals from the VAMC, and our first SNHU veteran students (14 of them) start in the lab on August 8th and we can't wait. 

What're they going to get? We've taken our two-day Threat Intelligence University firehose training program and converted it into university-level modules, starting with Intelligence 101 (Threat Intelligence Cycle) and Intel 102 (Operating Covertly in Cyberspace) --all the way through scripting, malware analysis, detecting lateral movement, and advanced mitigation strategies. The interns will be receiving a number of these lessons and at the same time be tasked with providing real analytics on real problems --OPINTEL first, then TCP/IP training, and then heading into full cyber. The SNHU students get three credits for every 10 weeks they spend with us --some of the best OJT out there, with the idea that if they make it through, we'll be introducing them to the Red Sky Alliance members for jobs... We've already had requests.

And last? We were visited by Frank Edelblut --Republican entrepreneur turned Angel investor and politician, running for NH Governor.  I'm not going to tell you that I don't straddle the political lines but I'm a fan of folks who've also walked the walk, so it was a pleasure to have Frank in to talk about his days as an entrepreneur, and his thoughts on moving into the governor's seat.

Enough for now. As we kick off this Fourth of July weekend, and I prepare to head to the beach with my family, I wish you all a great weekend. Be safe with the fireworks, eat as many burgers or lobsters as you can choke down, and take a moment to remember the birth of our independence!

Until next time,
Have a great holiday weekend!
Jeff


Saturday, June 18, 2016

...In a market full of rehashed data and carbon copy analysis

Over the past several weeks, and more slowly over the course of every year, we spend a ton of face-to-face time with our customers. And while some come and some go, we still, since day one, maintain more than 90% of the customers that we started with. Those who've left, left because of transfers or because they prefer machine-to-machine interactions (some like that, especially those who prefer big data solutions), but...
  • Who do you call when you found a piece of malware and the sandbox doesn't give you enough information?
  • Who do you call when you want more than a list of IP addresses in a blacklist?
  • Or who do you call when you ask your vendor for help, and they only want to sell you a box?
Our customers call us... they have our cell phones. They drop a request in the Red Sky portal, or they send us email... even late at night.

Nearly every intelligence product written comes from a request, sample, or a hint (sometimes subtle and sometimes a club over the head) for something one of our readers needs... now.

This week we had a new company sign up --a large financial. You'd know the name if I told you. They replaced a current service because they needed intel (indicators) from a new piece of malcode and the vendor refused to give them the information --they tried selling them a box... good for us, bad for that vendor.

Another receives daily updates from us --eight different categories of watch lists, monitored by our guys, and fused into one, daily product. They called us at 10PM and asked if we could monitor one of our watch lists for potential fallout from a business issue. We've been monitoring for the last two days.  We love the interaction. And these guys will be customers for life. 

Every customer should feel like an individual. Sometimes it works, sometimes not, but we try our best.

As we head into the week, we've got a great lineup for our Threat Day on Tuesday. This one will be held virtually, but we've had a great turnout for signups. As well, we held a Cyber Symposium in Huntsville last week. Between our Huntsville partner (H2L) and our contacts, we invited 100 people. 93 showed. I'd call that a success.

I had to leave early to catch a flight for my talk in Philly, but the word was, the best talk (besides mine of course ;) --the one with the most conversation (I think mine just scared the hell out of them) --was about the DFAR assessments and requirements to report all cyber activity to the government.

That said, we enjoyed the day.

So it's a beautiful Father's Day weekend Saturday here in NH. I'm not going to waste it.

To all of you other fathers... Happy Father's Day.  I hope you have as much fun with yours as I plan to have with mine!

Until next time,
Have a great weekend!
Jeff

Saturday, May 28, 2016

Just a Common Soldier



Please take a moment to reflect this weekend on what you do, and for those of us that served or are still serving in the military, honor those that did not come home so we could live in this great country of ours. 

Take a moment to reflect and view this very touching tribute over this Memorial Weekend.

http://www.justacommonsoldier.com/


Thanks all,
Have a great Memorial Day weekend.
Jeff


Saturday, May 21, 2016

Have I discovered Area 51 East?

Once a month or so, the boys and I meet up at Cancun Cantina for beer and cigars.  We've been meeting under their imported palm trees for years, and although the people have changed (we miss you Alvin!), the stories continue.

We normally get together on a Friday afternoon, but this week, because of my travel schedule, I kicked out a note asking if we could do it Monday... only to realize when I arrived that my guys were standing in the empty parking lot of a closed Cancun Cantina. No cigars tonight --but we'll have those beers elsewhere.

Back to the point... as I was driving, I passed the observatory at the end of the runway at BWI.  I've driven past here hundreds of times over the years, and on sunny days, there's one thing in common... a crew of folks under the trees --some standing, some sitting, with cameras with monster telescoping lenses... and I had always wondered why.

I'd made the mistake of turning right coming out of Cancun Cantina to head for the agreed-upon watering hole where my friends would undoubtedly be waiting for me (because I took the long way), and as I passed the observatory, I again noticed the gathering of folks with really big cameras --and I had to take a picture. I don't know why, but it struck me. I needed a picture.

So... I turn into the observatory, pull out my phone, step between the cars and snap a quick shot. Of course, they spot me. I didn't try to hide, and as I snap off my second shot (I only took two), they begin setting off car alarms around me. One of them (the guy in blue) turns his telescoping lens on me.

I have to wonder --are these guys just plane geeks, or is Northrop keeping something fun in the hangar that someone here's waiting to get a glimpse of??? My tinfoil hat is glowing red. Have I stumbled upon Area 51 East?  Or.. do these guys just really LUV Southwest Air?!

On sunny days, they're here all the time. I wonder if I'm the only guy who scratched his head and asked why. On occasion, there are some pretty cool planes that go in and out of here --I see them from the balcony at my apartment --I'm right in the flight path (I'm cheap).  But do all airports offer access like this? Are there really plane geeks that, just for the love of it, snap pictures of every Southwest Air flight? Why?

My friends tell me I'm paranoid --but that's what I get paid to be. I want to know when someone is standing at the end of the runway waiting for something cool to come out --and if it does, and they get that series of shots with that really big lens, who's buying those pictures? And will they soon be sending more big-camera guys for more? Or will we begin seeing intrusions into computer-aided drafting systems and manufacturing, and targeting of engineers? This isn't rocket science. There's a correlation between humans snapping pictures of airplanes and computer intrusions into those companies (and people) that build them... I could go on, but for now, I'm taking the tinfoil hat off as my thinking begins to drift more toward Captain America and Iron Man this afternoon with my kids.

BT

We moved into bigger space yesterday, set up that fusion center where the new crop of returning vets will be trained, and we're beginning to kick out new offerings from the work they're producing.  We're having a hell of a lot of fun, making enough money to make a living, teaching people how to do the things we're doing, and helping companies figure out what to protect today, and what to worry about tomorrow.

So, if you need indicators, try ThreatRecon.co. It's free up to 1000 indicators per month. Sign in, get an API key, and off you go. Anything marked 90% confidence was directly analyzed and derived by us --very low false positives.

Need more? Try our low cost "Executive Readboard" subscription service --TLP White information written for your executives in a newspaper format... in fact, we hired a journalist to write these things.

Need even more? Drop me a note. We're here to help.

As a reminder, we're doing a Cyber Symposium in Huntsville on the 7th of June at the Johnson Conference Center. It's limited to 100 people and we're filling up fast. If you'd like to attend, please contact our marketing person (Pamela) for information.

OK folks...
Have a great weekend!
Jeff