Friday, April 24, 2015

Signature-based Intelligence Resulted In Tragedy: A Lesson For Cyber Intel Consumers

The New York Times reported yesterday that a drone strike meant to kill four Al Qaeda terrorists also killed two hostages that no one knew were there. This tragedy also revealed that drone operators rely upon signatures to form a "guesstimate" of the target.
In Pakistan, unlike elsewhere in the world, the White House permits the C.I.A. to carry out drone strikes without knowing the identities of the people the agency is trying to kill. These “signature strikes,” based on patterns of behavior rather than intelligence about specific people, have been criticized in the past as generating a higher number of civilian deaths.
I've written before about the problems that stem from our over-reliance on signals intelligence versus human intelligence in the world of cyber security. The commercial cyber security intelligence sector relies almost exclusively upon technical indicators, and those that claim they don't usually confuse collecting data from forum postings in public hacker forums with actually building relationships with blackhat hackers (the latter is human intelligence, the former isn't).

Fortunately, the worst that can happen to consumers of bad cyber intelligence is that they'll mis-allocate resources and/or develop terrible foreign policy initiatives. It's unlikely that any lives will be lost, thank goodness.

However, this news story by the New York Times serves as an apt and timely reminder that cyber threat intelligence based upon "signatures" alone must be subjected to vetting by other sources and always treated with a high degree of skepticism. Bad things happen when your intelligence is unreliable, and for many of today's cyber intelligence purveyors - it frequently is.

Friday, April 17, 2015

AEI - Norse: Subverting Cyber Security Research For Political Fear-Mongering

"I was recently invited to participate in a cyber security dinner discussion by a few members of a well-known Washington D.C. think tank. The idea was that we could enjoy a fine wine and a delicious meal while allowing our hosts to pick our brains about this “cyber warfare stuff.” It seems that the new threatscape emerging in cyberspace has caught them unprepared and they were hoping we could help them grasp some of the essentials in a couple of hours. By the time we had finished dinner and two bottles of a wonderful 2003 red, one of the Fellows in attendance was holding his head in his hands, and it wasn’t because of the wine." - Jeffrey Carr from the Preface of "Inside Cyber Warfare" (2009)
The think tank that I wrote about in 2009 was none other than the American Enterprise Institute (AEI). They were ill-equipped to provide insight into this domain back then and nothing has changed in the 5 years since.

Fred Kagan and his father Donald Kagan published a book in 2000, "While America Sleeps", which advocated for a strong military in the face of U.S. complacency about threats - especially Iraq's WMDs which, of course, never existed. Today's release of "The Growing Cyberthreat From Iran", authored by Fred Kagan (AEI) and Tommy Stiansen (Norse Corp), promotes the same fear-mongering, slanted analysis that Fred is known for. AEI has simply moved from Iraq's WMDs to Iran's cyberweapons. Unfortunately, he found a cyber security company (Norse) willing to partner with him and provide the technical data which AEI is incapable of generating on its own.

The Growing Cyber Threat From Iran: Project Pistachio Harvest

Unabashed Confirmation Bias
AEI approached Norse Corp to co-author a report about Iran as a growing cyber threat actor. It's important to note that the genesis of this report was to start with an assumption and then find proof that supported the assumption, which is the worst type of analytic methodology and the very definition of confirmation bias. The authors even acknowledge that normal standards of proof shouldn't apply when it comes to Iran:
"We assert, therefore, that the typical standards of proof for attributing malicious traffic to a specific source are unnecessarily high when we examine traffic from Iranian IP addresses." (p. 12)
Furthering a Political Agenda
AEI's political agenda for this report is clearly tied to the current multilateral agreement with Iran to curb its nuclear weapons program. AEI has published 14 articles critical of that agreement since April 3, 2015. That's more than one per day. And the first paragraph of the Introduction in the Pistachio Harvest report reads:
"The framework for an agreement on Iran’s nuclear program announced April 2, 2015, may significantly increase the cyberthreat the Islamic Republic poses to the US and the West." (p. 1)
The report's conclusion reiterates that sanctions against Iran must not be lifted as part of the nuclear framework agreement because of Iran's role as a cyber threat actor. Bottom line - this report is all about politics, not cyber security.

Blaming AEI for having a political agenda is like blaming the scorpion for stinging the frog - it's the nature of the beast. However, for security research to be valuable it must be objective and verifiable. Norse Corporation's decision to team up with AEI and supply them with their data for use in a politically motivated report was a terrible decision that taints both the research and the company. Imagine if Kaspersky Lab, who was recently lambasted in the media for merely being a Russian company with Russian government contracts, co-authored a report with Gleb Pavlovsky's Foundation for Effective Politics. It would kill the credibility of Kaspersky Lab forever.

Questionable Attribution
The Introduction lists three examples of "malicious Iranian cyber activity". None of the three have been positively attributed to the Iranian government. All represent guess-work on the part of investigators (including myself), and at least one (Saudi Aramco) has been completely misrepresented in terms of the malware's "complexity". In reality, Shamoon was a half-assed, reverse-engineered piece of malware that was only 50% functional.

Even worse is this paragraph allegedly "proving" Iran's targeting of critical infrastructure:
"Telvent was the victim of a significant attack attributed to Chinese hackers in September 2012. This attack breached Telvent’s “internal firewall and security systems . . . and stole project files related to” OASyS SCADA."

"It is possible that the Chinese were at it again two years later using compromised Iranian systems, but it is unlikely. The Iranian IP hosts no visible infrastructure and is apparently owned directly by the Telecommunications Company of Iran, running on AS12880. There has never been any public system identified with this IP, or with any of the IPs on this subnetwork, so there has not been any visible server to try to hack. Nor have the Chinese changed their methods from operating openly from their own infrastructure to using that of third parties."
In other words, it must have been Iran because the Chinese government only sends out attacks from its own IP blocks. This is a great example of the idiocy that's prevalent in what passes for attribution today. No government is stupid enough to engage in cyber attacks which can be easily traced back to them. That kind of stupidity only resides with security researchers who have a vested interest - often a monetary interest - in placing the blame for an attack on a given nation state.

A Reprehensible Decision by Norse
As a cyber security professional and the founder and CEO of a cyber security company, I'm offended and disgusted that the CEO and CTO of Norse Corporation supported this type of heinous fear-mongering by getting into bed with Fred Kagan and the American Enterprise Institute. I've never seen this type of collaboration before and I hope that I'll never see it again.

RELATED

"Four Fatal Flaws in Cyber Threat Intelligence Reports"

Monday, March 30, 2015

Cyber Threat Intelligence: More Threat Than Intelligence?


This article proposes that commercial cyber intelligence products have multiple flaws which make them unreliable for use by the U.S. government, and that it falls upon the government to address those flaws in the following ways:

  1. Examine cyber threat intelligence for indicators of deception. 
  2. Differentiate between bad actors in an attack. 
  3. Invest in developing human assets who are in a position to corroborate or deny what the technical indicators present as possibilities. 
  4. Exclude other possibilities until one remains. 
“Hit anything that doesn’t look like a knife until it does.”(1)

The U.S. government has relied heavily upon the private sector for cyber threat intelligence since 2005, when a team at Northrop Grumman was giving classified briefings to the Air Force about a group of Chinese PLA hackers known by a variety of names like Comment Crew, APT1, and a classified moniker that has since been made public (2).

Back then, and continuing through at least 2011, the conventional wisdom was that cyber threats fell into two buckets: financial crime was attributed to Russian hackers and intellectual property theft was attributed to the Chinese government. There was no allowance made for mercenary hacker groups who we now know were active during that time frame (3), or for Russian criminals (Russian Business Network) operating from Chinese IP space in 2007, or for cyber espionage operations run by France or Israel (4). Threat intelligence generated during the “two buckets” era was shared with the FBI and other agencies, and the FBI at least didn’t (and still doesn’t) have the time or resources to vet the source of the intelligence.

To put it simply, there are four things missing from the overwhelming majority of cyber threat intelligence generated from the private sector; things which are fundamental to generating a reliable analytic product:

  • Deception
  • Differentiation
  • Corroboration
  • Exclusion

Deception

Conducting Military Deception (MILDEC) operations in cyberspace is already a priority for Russia’s FSB according to Taia Global contacts in the Russian blackhat community. The FSB regularly recruits blackhats for contract work, and one of the standing orders is to leave evidence pointing to an entirely different government as the perpetrator of the attack (5). This is relatively easy to do since 95% of threat intelligence is based upon technical indicators (6) such as:

  • Keyboard Layout
  • Malware Metadata
  • Embedded Fonts
  • DNS Registration
  • Language
  • Remote Administration Tool Configuration
  • Behavior

All seven of these indicators can be easily spoofed by a savvy attacker, which the FireEye report properly notes in the Introduction. Take the Keyboard Layout, for example:
“FireEye researchers have found that many aspects of malware campaigns have the earmarks of being typed on a Mandarin (GB2312) keyboard used in China. In a similar vein, North Korea’s KPS 9566 character set can help identify the campaigns that emanate from that region. This method of tracing the origins of an attack is not foolproof. In theory, a Russian national could employ a North Korean keyboard to disguise his or her identity and whereabouts, for example. (7)”
The problem with focusing solely on technical indicators is that the attacker controls all of them; therefore you see what the attacker wants you to see. Unfortunately there is little investment in recruiting human assets to corroborate signals intelligence when it comes to cyber attacks, so investigating agencies and the private sector are in the highly vulnerable position of letting the attacker control all of the evidence that they have to go on.

Differentiation

The responsibility for the Sony breach of November 2014 has been assigned to North Korea by the U.S. government. However, Taia Global researchers found that the native language of the attackers was most likely Russian, not Korean; that Russian hackers had breached Sony’s network, and still had access 60 days after the destruction of 80% of Sony Pictures Entertainment’s network (8).

Technical analysis of a network will fail to differentiate between multiple bad actors operating simultaneously. No one mentioned Russian hackers until Taia Global published its findings. That’s because the White House, with input from the intelligence community, decided within days of the attack that the responsible party was North Korea (9), and then went about finding ways to prove it, which is the antithesis of sound intelligence analysis. Differentiation cannot be done when the analytic process doesn’t allow for it. The fact is that none of the publicly available evidence provided by the FBI rules out other perpetrators as being responsible. The NSA’s classified evidence can’t be vetted; however, whatever that evidence is, it failed to disclose that Russian hackers were in the network at the same time as the North Koreans.

Corroboration

Cyber threat intelligence is primarily signals intelligence; however, there are multiple examples of signals intelligence getting it wrong, such as the second Gulf of Tonkin attack, the lack of WMDs in Iraq, and the Yom Kippur war, to name a few. There must be more of an effort made to acquire human assets such as blackhat hackers who can corroborate the evidence provided by technical indicators. Without such corroboration, the trustworthiness of intelligence gained through signals intelligence alone is highly suspect.

Exclusion

How does an investigating agency rule out other suspects in a computer network attack? It must have the ability to differentiate between hacker groups and/or nation states, which is extremely difficult without consulting human assets who were either involved themselves or know someone who was. Yet, the ability to exclude other parties from a finding of responsibility is a necessary part of generating reliable threat intelligence. More resources should be provided to the Central Intelligence Agency to fulfill this part of their mission even if that means cutting the NSA’s share of the budget to make that happen.
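The four tests above (Deception, Differentiation, Corroboration, Exclusion) can be applied mechanically to a set of evidence items before an attribution is accepted. The following is an added example and not code from the article or from Taia Global; the evidence records are constructed to resemble the Sony case as the article tells it (a Korean character-set indicator, Russian-language artifacts, a human source), and every actor name, kind label and note is an assumption for illustration.

```python
"""Vetting an attribution claim against four tests: deception,
differentiation, corroboration and exclusion.

Added example, not the article's own code. All sample evidence is constructed.
"""
from dataclasses import dataclass, field

# The seven indicator types from the FireEye paper the article cites. The
# article's point is that the attacker controls every one of them.
ATTACKER_CONTROLLED = frozenset({
    "keyboard_layout", "malware_metadata", "embedded_fonts",
    "dns_registration", "language", "rat_configuration", "behavior",
})


@dataclass(frozen=True)
class Evidence:
    kind: str                           # one of ATTACKER_CONTROLLED or "human_source"
    points_to: frozenset                # actors this item is consistent with
    rules_out: frozenset = frozenset()  # actors this item positively excludes
    note: str = ""


@dataclass
class Assessment:
    deception_risk: bool
    candidates: frozenset
    corroborated: frozenset
    excluded_to_one: bool
    findings: list = field(default_factory=list)

    @property
    def supportable(self):
        return not self.findings


def _union(sets):
    return frozenset().union(*sets)


def vet_attribution(evidence, hypothesis):
    """Apply the four tests to the claim "actor `hypothesis` did it".
    Every failed test adds a finding; the claim is supportable only when
    the findings list is empty."""
    findings = []
    technical = [e for e in evidence if e.kind in ATTACKER_CONTROLLED]
    human = [e for e in evidence if e.kind == "human_source"]

    # Deception: if every item is attacker-controlled, you see what the
    # attacker wants you to see.
    deception_risk = bool(evidence) and len(technical) == len(evidence)
    if deception_risk:
        findings.append("deception: every item is an attacker-controlled indicator")

    # Differentiation: is any single actor consistent with all of the
    # evidence? If not, more than one actor may be in the network.
    candidates = _union(e.points_to for e in evidence)
    common = candidates
    for e in evidence:
        common &= e.points_to
    if not common:
        findings.append("differentiation: no single actor explains all items; "
                        f"evidence fits {sorted(candidates)}")

    # Corroboration: technical indicators need a human source behind them.
    corroborated = _union(e.points_to for e in human)
    if hypothesis not in corroborated:
        findings.append(f"corroboration: no human source supports {hypothesis}")

    # Exclusion: every other candidate must be positively ruled out.
    remaining = candidates - _union(e.rules_out for e in evidence)
    excluded_to_one = remaining == frozenset({hypothesis})
    if not excluded_to_one:
        findings.append("exclusion: not ruled out: "
                        f"{sorted(remaining - {hypothesis})}")

    return Assessment(deception_risk, candidates, corroborated,
                      excluded_to_one, findings)


# Constructed sample evidence (assumption, modelled on the article's account).
SONY_LIKE = [
    Evidence("keyboard_layout", frozenset({"DPRK"}), note="KPS 9566 strings in a sample"),
    Evidence("language", frozenset({"Russia"}), note="native-Russian phrasing in artifacts"),
    Evidence("behavior", frozenset({"DPRK", "Russia"}), note="wiper; access persists 60 days on"),
]
HUMAN_SOURCE = Evidence("human_source", frozenset({"Russia"}),
                        note="blackhat contact reports Russian access")

if __name__ == "__main__":
    for label, ev, actor in [("indicators only", SONY_LIKE, "DPRK"),
                             ("with human source", SONY_LIKE + [HUMAN_SOURCE], "Russia")]:
        a = vet_attribution(ev, actor)
        print(f"{label}, hypothesis={actor}: supportable={a.supportable}")
        for f in a.findings:
            print("  -", f)
```

With indicators only, the North Korea hypothesis fails all four tests; adding the human source removes the deception and corroboration findings for the Russia hypothesis, but nothing in the set rules out either actor, so neither attribution is supportable.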

The Private Sector

“Must be nice to be a Threat Intelligence company.”
“Can anyone disprove this?”
“No”
“Run with it. (10)”

Cyber threat data and cyber intelligence reports are generated by the private sector and provided to the FBI and other government agencies on a frequent basis. This wouldn’t be a problem if the FBI had the resources and the manpower to vet the intelligence before adding it to their database; however, they don’t have those resources. They rely heavily on the private sector’s cooperation precisely because their own resources are limited.

The private sector isn’t trained to do intelligence collection and analysis, nor do they have any oversight or suffer any consequences for bad practices or mis-attribution.

There are numerous reasons why government agencies should question the quality and value of intelligence generated by the private sector.

It has no skin in the game.

If the private sector is wrong about attribution for any given attack, there are no consequences. They just move on to the next report.

They are profit-driven.

Private threat intelligence companies generate intelligence as a sellable product. For many years, blaming an attack on China was guaranteed to get them a mention in the New York Times or the Wall Street Journal, which in turn brought in new customers. Blaming an attack on Romania might merit an article in an industry blog like Dark Reading, which wasn’t nearly as desirable.

They’ll never have an “intelligence failure”.

The U.S. Intelligence Community has suffered many intelligence failures, and for the bigger ones it usually results in the forming of a commission and a subsequent report with recommendations on how to avoid another failure. While this is embarrassing for the agencies involved, it has the important benefit of improving their sources and methods for collection and analysis. The private sector will never have that experience, therefore they can run with whatever evidence they want in a way that will maximize profits for their stockholders.

Conclusion

The U.S. government is overly dependent upon the private sector for cyber intelligence and needs to make investments to offset this dependence.

The U.S. government should receive attack data from the private sector solely as raw information that requires vetting and all-source analysis. It should never take private sector intelligence reports at face value without fully examining the evidence and watching for a plethora of cognitive biases including the all-too-prevalent confirmation bias.

NOTES:

1) Spijk Selby quoting Jacob Maheu, “Horseshoe Knives”, December 28, 2013: http://rockyhillforge.com/2013/12/28/horseshoe-knives/

2) Private correspondence between the author and a former Northrop Grumman employee whose team generated the intelligence and gave those briefings between 2005 and 2008.

3) Su Bin criminal complaint: http://online.wsj.com/public/resources/documents/chinahackcomplaint0711.pdf

4) “The Report to Congress on Foreign Economic Collection and Industrial Espionage”, p. B2: http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf

5) Private IM chat between the author and Russian hacker Yama Tough.

6) “Digital Bread Crumbs: Seven Clues To Identifying Who’s Behind Advanced Cyber Attacks”, A FireEye White Paper

7) Ibid., p. 4

8) “New Evidence Shows Russian Hackers Have Access To Sony’s Network”, The Taia Global blog, February 4th, 2015: https://taia.global/2015/02/new-evidence-shows-russian-hackers-have-access-to-sonys-network/

9) “New Agency To Sniff Out Threats In Cyberspace” by Ellen Nakashima, The Washington Post, 10 Feb 2015: http://www.washingtonpost.com/world/national-security/white-house-to-create-national-center-to-counter-cyberspace-intrusions/2015/02/09/a312201e-afd0-11e4-827f-93f454140e2b_story.html

10) Tweet by Steve Tornio on Feb 10, 2015: https://twitter.com/steve_tornio/status/565158646628499458

Tuesday, March 24, 2015

Regarding FSB, Forget Kaspersky Lab. Check out Group-IB Instead.

Bloomberg's piece on Kaspersky Lab's ties with its own nation's security services is such a non-story that I'm surprised that journalists as good as Michael Riley even ran it. What do you expect from a Russian company? It's not as if they had any choice in the matter (they don't).

If you're looking for Russian companies with serious connections to the FSB, then look no further than Group-IB. Here's a small portion of the due diligence report that my company Taia Global produced for our paying clients on their government affiliations.
Group-IB is Russia's second largest private Information Technology (IT) security company after Kaspersky Lab. Group-IB's specialty is computer forensics and protection against cyber-crime, with customers that include the 10 largest Russian banks and foreign companies. Group-IB has offices in New York. Group-IB, however, performs functions that under Russian law are assigned to the Federal Security Service (FSB), Russia's domestic security service.
Group-IB maintains both English language (www.group-ib.com) and Cyrillic (www.group-ib.ru) web sites. The sites' structures are similar, although the information presented on web pages differs somewhat. For example, the Cyrillic About Us web page states that Group-IB has an FSB license to work with state secret information, while the English About Us web page does not mention the FSB license.
Both Group-IB web sites deviate from normal Russian commercial web site practice and provide no information on company management and no financial data such as Russian Federation tax identification (ID) numbers and corresponding bank information.
Group-IB states that company capabilities include “access to domestic and international filtering systems.” However, Russia's domestic and international filtering system is run by the Federal Security Service (FSB), Russia's domestic security service.
Group-IB General Director Ilya Sachkov discussed security service relations explicitly in Russian press interviews. In a Russian Forbes interview, Sachkov stated he started the company while a student after the Bureau of Special Technical Measures (BSTM) Ministry of Internal Affairs (MVD Directorate K) told him there were no job vacancies. Sachkov stated that Group-IB often worked for the MVD and FSB for free during the company's early years, presumably to generate future business. Sachkov stated that many Group-IB employees were former law enforcement.
Group-IB's client list includes very large U.S. companies:


Again, trying to stigmatize any security company for having ties to its own government's security services is ludicrous. In some nations like Russia, companies have no choice but to comply when asked. In other nations like the U.S., companies do it for commercial reasons. The best one can hope for is that the company in question is transparent about who they do business with. That's actually easier to discover about Russian companies than it is about U.S. companies.

Cyber Security Startup? Pitch Our Attendees At Suits and Spooks NYC.

If you've got a cyber security startup and want ten minutes to pitch 80 influential decision makers in between speakers like Dan Geer, Christofer Hoff, Joe Fitzpatrick and David Kilcullen at our New York Suits and Spooks All Stars event, then I'd like to hear from you as soon as possible.

For the first time since our very first event in Palo Alto in 2011, I'm bringing back the lightning round for startups on a trial basis. This is part of a paid sponsorship which includes:

  • One ten minute speaking slot to pitch your product and give one use case
  • Distribution of company materials including white papers to all attendees and speakers
  • Banner placement at the event
  • Article placement at SecurityWeek.com or InfoSecIsland.com
  • Other benefits as included in the sponsorship prospectus for Silver, Gold, or Platinum sponsors
This is limited to six companies, and no more than 3 companies will present each day. Sponsorships are first-come, first-served and there are no constraints on company size or funding rounds. For more information, shoot me an email.


Sunday, March 22, 2015

Open Letter to Premera Blue Cross CEO Jeffrey Roe

22 March 2015

Dear Mr. Roe,

My wife and I were Premera Blue Cross customers during my tenure with Microsoft. During that time, we both had surgeries done and she has a long history of medical treatments. In other words, Premera Blue Cross holds a lot of very sensitive information on both of us, separate and apart from our social security numbers, dates of birth, and other personally identifiable information. I'm sure that many of your customers could say the same. This open letter serves to notify you of my intention to see that Premera Blue Cross is made an example of for the insurance industry, much like Target was for the retail industry, for the following reasons:

You Knew About The Problems Beforehand And Didn't Fix Them

The U.S. Office of Personnel Management's Office of the Inspector General conducted an audit of Premera's controls regarding the protection of federal employees' personal information. Your predecessor Gubby Barlow received the results on April 18, 2014, three weeks before attackers gained access to your networks. Here are my top three:

SLOW TO PATCH
Premera failed to implement its own patch policy, leaving its network exposed to hackers who monitor patch announcements and then look for targets who are slow to implement those patches.

USED OUTDATED/UNSUPPORTED SOFTWARE
Premera persisted in using unsupported and/or out-of-date software, which is essentially an always-open door to attackers.

INSECURE SERVER CONFIGURATIONS
You had servers that standard vulnerability tests revealed were insecurely configured. Malicious hackers frequently use those same vulnerability testing tools to identify which servers on a network will be easiest to crack.

You claimed that your company suffered a "sophisticated attack". Considering the above issues, I highly doubt that. Any one of those would allow even a novice hacker (or script kiddie) to gain access to your network. To have all three means that your IT department has been negligent at best. To then respond to the IG's audit by saying that they'll be remediated in eight months instead of immediately tells me that the security of your customers' most sensitive information is simply not a priority for you, your board, or your senior executives.

Two Years Of Free Credit Monitoring Is Laughably Inadequate

Your notification letter contains a paragraph entitled "What is Premera doing to protect you?". Let's start with the fact that the state of your network security pre-breach tells me that you didn't protect me before the breach, and your offer of free credit monitoring certainly won't protect me after the breach. That's because the risk for your customers goes WAY beyond simple identity protection. They become targets for new spear phishing attacks, with the end result being the customers' banking information and/or entrée to the next corporate network - probably an employer of one of Premera's customers such as Microsoft, Amazon and Starbucks, to name a few.

Companies like yours have frequently gotten away with giving customers whose information was compromised under your stewardship nothing more than a free credit monitoring service. That time is coming to an end, because credit monitoring does not address the vast potential for harm that Premera's poor security practices have negligently permitted.

Inadequate Breach Response

Your customer notification letter didn't contain enough information to know the state of our sensitive data. It should specify what happened. Your job is to protect your customers by providing enough information for us to gauge the seriousness of the breach, not make it easier for your breach remediation company to gather information for their own purposes and benefit. 

Incident Responders Cannot "Clean" Your Network
If you believe that your network is now "clean" and will stay that way, you've been misinformed. Incident responders cannot give any company a "clean bill of health", because no one has sufficient visibility across a global network with tens of thousands of endpoints accessed by thousands of employees and vendors, any one of whom could have their network credentials used by malicious actors who are simply dormant during the investigation. The proper assumption for companies like yours to make about the state of their network is that it is either in a state of breach currently or it will be tomorrow. Your goal should not be to keep attackers out. It should be to keep your critical data, especially your customers' data, secure. 

Instead of wasting six to seven figures on incident response, you should spend at least some of that money finding and hiring an experienced Chief Information Security Officer who can properly manage the security of your network; something that Premera apparently has never seen fit to do. The rest of it should be spent on better securing your customers' personal and clinical data so that even if an attacker has access to your network, they can't access the data that you should be protecting.

Then you won't have to send me a breach notification letter with ambiguous language like "attackers may have gained access to your data". Instead, you'd be able to say "Mr. Carr, we had a breach but your data is safe." 

Unfortunately, you can't say that and I'm forced to do what I can to hold companies like yours responsible for more than just two years of credit monitoring.

Sincerely,

Jeffrey Carr
President and CEO, Taia Global, Inc.

Wednesday, March 18, 2015

Beauty, Brains, and Bad-Assery: Suits and Spooks All Stars NYC June 19-20

With 12 Suits and Spooks Collision events on the books, I decided it was time to do our very first All Stars event featuring the best of the best of the several hundred speakers that we've had in the past. 

Unlike our typical "collision" event, our All Stars will have at least 60 minutes each for their talks. And seating will be limited because we're going to hold it in one of our most popular venues - Soho House NYC - on Friday June 19 and Saturday June 20th. It'll be our last event there because they're converting the library to a member-only space starting July 1st. So think of this as your exclusive invitation to spend 8 to 16 hours talking security, multi-disciplinary problem-solving, and out-of-the-box thinking with some of our best bad-ass game-changers.

Dan Geer (In-Q-Tel - Suits and Spooks 2012, 2013)

Janina Gavankar (actress and geek - Suits and Spooks 2012)

Christofer Hoff (Security CTO, Juniper Networks - Suits and Spooks 2013)

Carmen Medina (Deloitte; Retired CIA - Suits and Spooks 2013, 2014)

David Kilcullen (Founder and Chairman, Caerus Strategic Solutions - Suits and Spooks 2013)

Joe FitzPatrick (Hardware Security Researcher - Suits and Spooks 2014)

Niloofar Howe (Endgame, Paladin - Suits and Spooks 2014)

More speaker announcements will be forthcoming over the next few weeks. Janina is confirmed pending her shooting schedule. 

Your ticket will include a continental breakfast and lunch on both days, plus all sessions. Seats are limited to 75. Of those, we are offering a special super early bird rate of only $515 to the first 25 people who enroll between March 19th and April 10th (that's a $310 savings from the standard rate of $825). Register today and secure your admission at the best price before we sell out. 
