Thursday, May 14, 2015

How To Attend Suits and Spooks NYC or DC For Free

Suits and Spooks isn't like any other security conference, which anyone who has attended will tell you. One of the ways that it's different is that you can become a member and receive many of the speaker presentations from events that you can't attend (speakers have the option to share their decks or not).

Benefits include:

  • Free access to a live webcast (if offered) 
  • A 15% discount on all Suits and Spooks events
  • A copy of all speaker decks (with speaker approval) from every Suits and Spooks event so that you don't miss content when you can't attend.
  • A distinctive and incredibly cool metal membership card/event name tag with the Suits and Spooks logo and your name imprinted on it.

If you sign up in the next 24 hours, you'll also receive free admission to our New York City All Stars event on June 19-20 OR our Washington DC event in early 2016. Either one of those events is worth more than the price of your membership ($425) so take advantage of this very limited time offer and join today.

Monday, May 11, 2015

Dan Geer: What Will Cyber Offense and Defense in 2020 Look Like?

I've commissioned Dr. Daniel Geer, the CISO of In-Q-Tel, to give a one hour talk at Suits and Spooks NYC on June 19 on what cyber offensive and defensive operations of the future might look like in 2020. Some of the questions that he'll be examining are:

  1. How will the disparity of the world's wealth be impacted by even the world's poor having an online presence?
  2. How will nations'  defense budgets be impacted when offensive resources become ubiquitous and attacks can be routed and re-routed from everywhere?
  3. What effect will biomedicine have in bringing the world closer to digital Singularity and what would the security implications of that be?

If you heard Dan's keynote at Blackhat last year, you know what a brilliant speaker he is. Unlike Blackhat, at Suits and Spooks New York, you'll actually have the opportunity to speak with Dan and have a conversation about this provocative look at the future.

PLUS - you'll have the same opportunity to hear and interact with almost a dozen other great speakers including:

  • Joe FitzPatrick - an internationally-known firmware hacker
  • David Kilcullen - a leading global conflict strategist
  • Zach Tumin - a Deputy Commissioner of the NYPD
  • Carmen Medina - a former Deputy Director of Intelligence at CIA
  • Stewart Baker - former General Counsel at NSA
  • Christofer Hoff - VP and Security CTO at Juniper Networks
  • Niloo Howe - Paladin Partners and Endgame
  • Janina Gavankar - Internationally-known musician, actress and geek
  • a soon-to-be announced blackhat hacker who knows Anonymous from the inside out.
Join us as we kick off the Summer Solstice weekend at the ultra-cool Soho House in NYC and spend two days listening to and speaking with these incredible speakers and more.

72 Hour Registration Special

Register before Thursday May 14 and save $100 off the Early Bird rate ($495)! We are capping attendance at 60 people so act today to reserve your spot. We also offer a very low government/military rate of $399 for full-time employees only.

Friday, April 24, 2015

Signature-based Intelligence Resulted In Tragedy: A Lesson For Cyber Intel Consumers

The New York Times reported yesterday that a drone strike mean't to kill four Al Qaeda terrorists also killed two hostages that no one knew were there. This tragedy also revealed that drone operators rely upon signatures to form a "guesstimate" of the target.
In Pakistan, unlike elsewhere in the world, the White House permits the C.I.A. to carry out drone strikes without knowing the identities of the people the agency is trying to kill. These “signature strikes,” based on patterns of behavior rather than intelligence about specific people, have been criticized in the past as generating a higher number of civilian deaths.
I've written before about the problems that stem from our over-reliance on signals intelligence versus human intelligence in the world of cyber security. The commercial cyber security intelligence sector relies almost exclusively upon technical indicators, and those that claim they don't usually confuse collecting data from forum postings in public hacker forums with actually building relationships with blackhat hackers (the latter is human intelligence, the former isn't).

Fortunately, the worst that can happen to consumers of bad cyber intelligence is that they'll mis-allocate resources and/or develop terrible foreign policy initiatives. It's unlikely that any lives will be lost, thank goodness.

However this news story by the New York Times serves as an apt and timely reminder that cyber threat intelligence based upon "signatures" alone must be subjected to vetting by other sources and always treated with a high degree of skepticism. Bad things happen when your intelligence is unreliable, and for many of today's cyber intelligence purveyors - it frequently is.

Friday, April 17, 2015

AEI - Norse: Subverting Cyber Security Research For Political Fear-Mongering

"I was recently invited to participate in a cyber security dinner discussion by a few members of a well-known Washington D.C. think tank. The idea was that we could enjoy a fine wine and a delicious meal while allowing our hosts to pick our brains about this “cyber warfare stuff.” It seems that the new threatscape emerging in cyberspace has caught them unprepared and they were hoping we could help them grasp some of the essentials in a couple of hours. By the time we had finished dinner and two bottles of a wonderful 2003 red, one of the Fellows in attendance was holding his head in his hands, and it wasn’t because of the wine." - Jeffrey Carr from the Preface of "Inside Cyber Warfare" (2009)
The think tank that I wrote about in 2009 was none other than the American Enterprise Institute (AEI). They were ill-equipped to provide insight into this domain back then and nothing has changed in the 5 years since.

Fred Kagan and his father Donald Kagan published a book in 2000 "While America Sleeps" which advocated for a strong military in the face of U.S. complacency about threats - especially Iraq's WMDs which, of course, never existed. Today's release of "The Growing Cyberthreat From Iran", authored by Fred Kagan (AEI) and Tommy Stiansen (Norse Corp) promotes the same fear-mongering, slanted analysis that Fred is known for. AEI has simply moved from Iraq's WMDs to Iran's cyberweapons. Unfortunately, he found a cyber security company (Norse) willing to partner with him and provide the technical data which AEI is incapable of generating on its own.

The Growing Cyber Threat From Iran: Project Pistachio Harvest

Un-abashed Confirmation Bias
AEI approached Norse Corp to co-author a report about Iran as a growing cyber threat actor. It's important to note that the genesis of this report was to start with an assumption and then find proof that supported the assumption, which is the worst type of analytic methodology and the very definition of confirmation bias. The authors even acknowledge that normal standards of proof shouldn't apply when it comes to Iran:
"We assert, therefore, that the typical standards of proof for attributing malicious traffic to a specific source are unnecessarily high when we examine traffic from Iranian IP addresses." (p. 12)
Furthering a Political Agenda
AEI's political agenda for this report was clearly the current multilateral agreement with Iran to curb its nuclear weapons program. AEI has published 14 articles critical of that agreement since April 3, 2015. That's more than one per day. And the first paragraph of the Introduction in the Pistachio Harvest report reads:
"The framework for an agreement on Iran’s nuclear program announced April 2, 2015, may significantly increase the cyberthreat the Islamic Republic poses to the US and the West." (p. 1)
The report's conclusion reiterates that sanctions against Iran must not be lifted as part of the nuclear framework agreement because of Iran's role as a cyber threat actor. Bottom line - this report is all about politics, not cyber security.

Blaming AEI for having a political agenda is like blaming the scorpion for stinging the frog - it's the nature of the beast. However, for security research to be valuable it must be objective and verifiable. Norse Corporation's decision to team up with AEI and supply them with their data for use in a politically motivated report was a terrible decision that taints both the research and the company. Imagine if Kaspersky Lab, who was recently lambasted in the media for merely being a Russian company with Russian government contracts, co-authored a report with Gleb Pavlovsky's Foundation for Effective Politics. It would kill the credibility of Kaspersky Lab forever.

Questionable Attribution
The Introduction lists three examples of "malicious Iranian cyber activity". None of the three have been positively attributed to the Iranian government. All represent guess-work on the part of investigators (including myself) and at least one (Saudi Armco) has been completely mis-represented in terms of the malware's "complexity". In reality, Shamoon was a half-assed, reverse-engineered piece of malware that was only 50% functional.

Even worse is this paragraph allegedly "proving" Iran's targeting of critical infrastructure:
"Telvent was the victim of a significant attack attributed to Chinese hackers in September 2012.105 This attack breached Telvent’s “internal firewall and security systems . . . and stole project files related to” OASyS SCADA."

"It is possible that the Chinese were at it again two years later using compromised Iranian systems, but it is unlikely. The Iranian IP hosts no visible infrastruc- ture and is apparently owned directly by the Telecom- munications Company of Iran, running on AS12880. There has never been any public system identified with this IP, or with any of the IPs on this subnetwork, so there has not been any visible server to try to hack. Nor have the Chinese changed their methods from operating openly from their own infrastructure to using that of third parties."
In other words, it must have been Iran because the Chinese government only sends out attacks from its own IP blocks.  This is a great example of the idiocy that's prevalent in what passes for attribution today. No government is stupid enough to engage in cyber attacks which can be easily traced back to them. That kind of stupidity only resides with security researchers who have a vested interest - often a monetary interest - in placing the blame for an attack on a given nation state.

A Reprehensible Decision by Norse
As a cyber security professional and the founder and CEO of a cyber security company, I'm offended and disgusted that the CEO and CTO of Norse Corporation supported this type of heinous fear-mongering by getting into bed with Fred Kagan and the American Enterprise Institute. I've never seen this type of collaboration before and I hope that I'll never see it again.

RELATED

"Four Fatal Flaws in Cyber Threat Intelligence Reports"

Monday, March 30, 2015

Cyber Threat Intelligence: More Threat Than Intelligence?


This article proposes that commercial cyber intelligence products have multiple flaws which make it unreliable for use by the U.S. government, and that it falls upon the government to address those flaws in the following ways:

  1. Examine cyber threat intelligence for indicators of deception. 
  2. Differentiate between bad actors in an attack. 
  3. Invest in developing human assets who are in a position to corroborate or deny what the technical indicators present as possibilities. 
  4. Exclude other possibilities until one remains. 



“Hit anything that doesn’t look like a knife until it does.”(1)

The U.S. government has relied heavily upon the private sector for cyber threat intelligence since 2005 when a team at Northrup Grumman was giving classified briefings to the Air Force about a group of Chinese PLA hackers known by a variety of names like Comment Crew, APT1, and a classified moniker that has since been made public (2).

Back then and continuing through at least 2011, the conventional wisdom was that cyber threats fell into two buckets: Financial crime was attributed to Russian hackers and intellectual property theft was attributed to the Chinese government. There was no allowance made for mercenary hacker groups who we now know were active during that time frame (3), or from Russian criminals (Russian Business Network) operating from Chinese IP space in 2007, or for cyber espionage operations run by France or Israel (4). Threat intelligence generated during the “two buckets” era was shared with the FBI and other agencies, and the FBI at least didn’t (and still doesn’t) have the time or resources to vet the source of the intelligence.

To put it simply, there are four things missing from the overwhelming majority of cyber threat intelligence generated from the private sector; things which are fundamental to generating a reliable analytic product:

  • Deception
  • Differentiation
  • Corroboration
  • Exclusion

Deception

Conducting Military Deception (MILDEC) operations in cyberspace is already a priority for Russia’s FSB according to Taia Global contacts in the Russian blackhat community. The FSB regularly recruits blackhats for contract work, and one of the standing orders is to leave evidence pointing to an entirely different government as the perpetrator of the attack (5). This is relatively easy to do since 95% of threat intelligence is based upon technical indicators (6) such as:

  • Keyboard Layout
  • Malware Metadata
  • Embedded Fonts
  • DNS Registration
  • Language
  • Remote Administration Tool Configuration
  • Behavior

All seven of these indicators can be easily spoofed by a savvy attacker, which the FireEye report properly notes in the Introduction. Take the Keyboard Layout, for example:
“FireEye researchers have found that many aspects of malware campaigns have the earmarks of being typed on a Mandarin (GB2312) keyboard used in China. In a similar vein, North Korea’s KPS 9566 character set can help identify the campaigns that emanate from that region. This method of tracing the origins of an attack is not foolproof. In theory, a Russian national could employ a North Korean keyboard to disguise his or her identity and whereabouts, for example. (7)”
The problem with focusing solely on technical indicators is that the attacker controls all of them; therefore you see what the attacker wants you to see. Unfortunately there is little investment in recruiting human assets to corroborate signals intelligence when it comes to cyber attacks, so investigating agencies and the private sector are in the highly vulnerable position of letting the attacker control all of the evidence that they have to go on.

Differentiation

The responsibility for the Sony breach of November 2014 has been assigned to North Korea by the U.S. government. However, Taia Global researchers found that the native language of the attackers was most likely Russian, not Korean; that Russian hackers had breached Sony’s network, and still had access 60 days after the destruction of 80% of Sony Pictures Entertainment’s network (8).

Technical analysis of a network will fail to differentiate between multiple bad actors operating simultaneously. No one mentioned Russian hackers until Taia Global published its findings. That’s because the White House with input from the intelligence community decided within days of the attack that the responsible party was North Korea (9), and then went about finding ways to prove it, which is the antithesis of sound intelligence analysis. Differentiation cannot be done when the analytic process doesn’t allow for it. The fact is that none of the publicly available evidence provided by the FBI rules out other perpetrators as being responsible. The NSA’s classified evidence can’t be vetted however whatever that evidence is, it failed to disclose that Russian hackers were in the network at the same time as the North Koreans.

Corroboration

Cyber threat intelligence is primarily signals intelligence, however there are multiple examples of Signals Intelligence getting it wrong, such as the second Gulf of Tonkin attack, the lack of WMDs in Iraq, and the Yom Kippur war to name a few. There must be more of an effort made to acquire human assets such as blackhat hackers who can corroborate the evidence provided by technical indicators. Minus such corroboration, the degree of trustworthiness of intelligence gained through signals intelligence alone is highly suspect.

Exclusion

How does an investigating agency rule out other suspects in a computer network attack? It must have the ability to differentiate between hacker groups and/or nation states, which is extremely difficult without consulting human assets who were either involved themselves or know someone who was. Yet, the ability to exclude other parties from a finding of responsibility is a necessary part of generating reliable threat intelligence. More resources should be provided to the Central Intelligence Agency to fulfill this part of their mission even if that means cutting the NSA’s share of the budget to make that happen.

The Private Sector

“Must be nice to be a Threat Intelligence company.”
“Can anyone disprove this?”
“No”
“Run with it. (10)”

Cyber threat data and cyber intelligence reports are generated by the private sector and provided to the FBI and other government agencies on a frequent basis. This wouldn’t be a problem if the FBI has the resources and the manpower to vet the intelligence before adding it to their database however they don’t have those resources. They rely heavily on the private sector’s cooperation precisely because their own resources are limited.

The private sector isn’t trained to do intelligence collection and analysis, nor do they have any oversight or suffer any consequences for bad practices or mis-attribution.

There are numerous reasons why government agencies should question the quality and value of intelligence generated by the private sector.

It has no skin in the game.

If the private sector is wrong about attribution for any given attack, there are no consequences. They just move on to the next report.

They are profit-driven.

Private threat intelligence companies generate intelligence as a sellable product. For many years, blaming an attack on China was guaranteed to get them a mention in the New York Times or the Wall Street Journal, which in turn brought in new customers. Blaming an attack on Romania might merit an article in an industry blog like Dark Reading, which wasn’t nearly as desirable.

They’ll never have an “intelligence failure”.

The U.S. Intelligence Community has suffered many intelligence failures, and for the bigger ones it usually results in the forming of a commission and a subsequent report with recommendations on how to avoid another failure. While this is embarrassing for the agencies involved, it has the important benefit of improving their sources and methods for collection and analysis. The private sector will never have that experience, therefore they can run with whatever evidence they want in a way that will maximize profits for their stockholders.

Conclusion

The U.S. government is overly dependent upon the private sector for cyber intelligence and needs to make investments to off-set this dependence.

The U.S. government should receive attack data from the private sector solely as raw information that requires vetting and all-source analysis. It should never take private sector intelligence reports at face value without fully examining the evidence and watching for a plethora of cognitive biases including the all-too-prevalent confirmation bias.

NOTES:

1) Spijk Selby quoting Jacob Maheu, “Horseshoe Knives”, December 28, 2013: http://rockyhillforge.com/2013/12/28/horseshoe-knives/

2) Private correspondence between the author and a former Northrup Grumman employee whose team generated the intelligence and gave those briefings between 2005-2008.

3) Su Bin criminal complaint: http://online.wsj.com/public/resources/documents/chinahackcomplaint0711.pdf

4) “The Report to Congress on Foreign Economic Collection and Industrial Espionage”, p. B2: http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf

5) Private IM chat between the author and Russian hacker Yama Tough.

6) “Digital Bread Crumbs: Seven Clues To Identifying Who’s Behind Advanced Cyber Attacks”, A FireEye White Paper

7) Ibid., p.4

8) “New Evidence Shows Russian Hackers Have Access To Sony’s Network”, The Taia Global blog, February 4th, 2015: https://taia.global/2015/02/new-evidence-shows-russian-hackers-have-access-to-sonys-network/

9) “New Agency To Sniff Out Threats In Cyberspace” by Ellen Nakashima, The Washington Post, 10 Feb 2015: http://www.washingtonpost.com/world/national-security/white-house-to-create-national-center-to-counter-cyberspace-intrusions/2015/02/09/a312201e-afd0-11e4-827f-93f454140e2b_story.html

10) Tweet by Steve Tornio on Feb 10, 2015: https://twitter.com/steve_tornio/status/565158646628499458

Tuesday, March 24, 2015

Regarding FSB, Forget Kaspersky Lab. Check out Group-IB Instead.

Bloomberg's piece on Kaspersky Labs' ties with its own nation's security services is such a non-story that I'm surprised that journalists as good as Michael Riley even ran it. What do you expect from a Russian company, and as if they had any choice in the matter (they don't).

If you're looking for Russian companies with serious connections to the FSB, then look no further than Group-IB. Here's a small portion of the due diligence report that my company Taia Global produced for our paying clients on their government affiliations.
Group-IB is Russia's second largest private Information Technology (IT) security company after Kaspersky Labs. Group-IB's specialty is computer forensics and protection against cyber-crime with customers that include the 10 largest Russian banks and foreign companies. Group-IB has offices in New York. Group-IB, however, performs functions that under Russian law are assigned to the Federal Security Service (FSB), Russia's domestic security service. 
Group-IB maintains both English language (www.group-ib.com) and Cyrillic (www.group-ib.ru) web sites. The sites structure are similar although the information presented on web pages differs somewhat. For example, the Cyrillic About Us web page states that Group-IB has an FSB license to work with state secret information while the English About Us web page does not mention the FSB license.
 Both Group-IB web sites deviate from normal Russian commercial web site practice and provide no information on company management and no financial data such as Russian Federation tax identification (ID) numbers and corresponding bank information.
Group-IB states that company capabilities include “access to domestic and international filtering systems.” However, Russia's domestic and international filtering system is run by the Federal Security Service (FSB), Russia's domestic security service.
Group-IB General Director Ilya Sachkov discussed security service relations explicitly in Russian press interviews. In a Russian Forbes interview, Sachkov stated he started the company while a student after the Bureau of Special Technical Measures (BSTM) Ministry of Internal Affairs (MVD Directorate K) told him there were no job vacancies. Sachkov stated that Group- IB often worked for the MVD and FSB for free during the company's early years, presumably to generate future business. Sachkov stated that many Group-IB employees were former law enforcement. 
Group-IB's client list includes very large U.S. companies:


Again, trying to stigmatize any security company for having ties to its own government's security services is ludicrous. In some nations like Russia, companies have no choice but to comply when asked. In other nations like the U.S., companies do it for commercial reasons. The best one can hope for is that the company in question is transparent about who they do business with. That's actually easier to discover about Russian companies than it is about U.S. companies.

Cyber Security Startup? Pitch Our Attendees At Suits and Spooks NYC.

If you've got a cyber security startup and want ten minutes to pitch 80 influential decision makers in between speakers like Dan Geer, Christofer Hoff, Joe Fitzpatrick and David Kilcullen at our New York Suits and Spooks All Stars event, then I'd like to hear from you as soon as possible.

For the first time since our very first event in Palo Alto in 2011, I'm bringing back the lightning round for startups on a trial basis. This is part of a paid sponsorship which includes:

  • One ten minute speaking slot to pitch your product and give one use case
  • Distribution of company materials including white papers to all attendees and speakers
  • Banner placement at the event
  • Article placement at SecurityWeek.com or InfoSecIsland.com
  • Other benefits as included in the sponsorship prospectus for Silver, Gold, or Platinum sponsors
This is limited to six companies, and no more than 3 companies will present each day. Sponsorships are first-come, first-served and there are no constraints on company size or funding rounds. For more information, shoot me an email.