Thursday, September 22, 2016

Crushing Force as a Change Agent (or The Bullshit Luxury of 10,000 Failed Attempts)

"I have not failed 10,000 times. I have successfully found 
10,000 ways that will not work." 
- (Thomas Edison)

I’m the founder of a failed cybersecurity startup. Or, to use Edison’s perspective, I’ve successfully found multiple ways for my startup not to make a profit. But Edison’s positive spin on failure is bullshit. Only a scientist or a tenured academic on a salary has the luxury of failing so many times. When you’re an entrepreneur over 50, like I am, the stakes are much higher. When you have others depending on you, the pressure doubles with every failed attempt to turn things around. Energy is sapped. Resources, already limited, are further drained. Pretty soon, exhausted, you may find yourself contemplating options that you can’t put words to.

I decided, instead, to put words to my experience of crushing force as a change agent in the hope that I can find a solution for myself, my company, and help others who may be in similar circumstances. In other words, I’d love to hear from you if anything in this article resonates.

(Read the full article at or Linkedin)

Monday, July 11, 2016

Faith-Based Attribution

"Faith-Based Attribution" is my latest article on the challenges of attributing attacks to the person or entity responsible. Check it out at

Sunday, June 19, 2016

The DNC Breach and the Hijacking of Common Sense

"When you need something to be true, you will look for patterns; you connect the dots like the stars of a constellation. Your brain abhors disorder. You see faces in clouds and demons in bonfires. Those who claim the powers of divination hijack these natural human tendencies. They know they can depend on you to use subjective validation in the moment and confirmation bias afterward."
- (David McRaney)
This article is about the DNC breach and its attribution to the Russian government. But first, imagine that the DNC breach wasn’t a network breach but a shooting (no one was injured). No one knows who the shooter was, but he left behind his weapon, a Kalashnikov AKM made in Russia.

The unknown shooter used a Russian-made weapon. Does that mean that the shooter is Russian? Or that the shooter works for the manufacturer, Kalashnikov Concern? Or, even more likely in the crazy world of cyber investigations, that the designer of the AKM is also the shooter?

Police would certainly explore the possibility that the shooter may have been Russian, but they wouldn’t exclude other suspects. And no investigator in his right mind would arrest the CEO of Remington Arms, Sig Sauer, Kalashnikov Concern or any other arms manufacturer because a gun they made was used in a crime.

In the physical world of crime investigation, common sense dictates that the perpetrator of a crime may use any weapon and not just one made in the country of his birth, and that the developer or manufacturer of the weapon most likely isn’t the perpetrator of the crime.

And yet, those seemingly crazy assumptions are made every day by cybersecurity companies involved in incident response and threat intelligence. 

The malware was written in Russian? It was a Russian who attacked you. 

Chinese characters in the code? You've been hacked by the People's Liberation Army.
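The point above can be made concrete. The following is an added illustration, not code from the original post: a naive "it must be Russian" heuristic of the kind the post criticises, scored over three language-flavoured artifacts (Cyrillic strings, a Russian resource language ID, a compile timestamp inside Moscow working hours). Every one of those artifacts lives in bytes the attacker writes, so a non-Russian operator can rewrite them and score identically to a genuine Russian-developed sample. The samples, the 20-byte IMAGE_FILE_HEADER, the strings and the timestamps are all constructed in-line; no real malware is involved, and the 6:00-15:00 UTC "Moscow working day" window is an assumption chosen for the example.

```python
import re
import struct
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Microsoft LANGID values: 0x0419 = Russian (Russia), 0x0409 = English (US).
LANGID_RU_RU = 0x0419
LANGID_EN_US = 0x0409
# IMAGE_FILE_HEADER.TimeDateStamp follows the WORD Machine and WORD NumberOfSections fields.
FILE_HEADER_TIMESTAMP_OFFSET = 4


@dataclass(frozen=True)
class Sample:
    name: str
    rsrc_langid: int    # language ID carried in the PE resource directory
    file_header: bytes  # a constructed 20-byte IMAGE_FILE_HEADER
    strings: str        # printable strings carved from the binary


def compile_hour_utc(file_header: bytes) -> int:
    """Hour of day (UTC) encoded in the compile timestamp."""
    ts = struct.unpack_from("<I", file_header, FILE_HEADER_TIMESTAMP_OFFSET)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc).hour


def indicator_hits(s: Sample) -> dict:
    """The naive 'language => nationality' heuristic the post criticises."""
    hour = compile_hour_utc(s.file_header)
    return {
        "cyrillic_strings": re.search(r"[\u0400-\u04FF]", s.strings) is not None,
        "ru_resource_lang": s.rsrc_langid == LANGID_RU_RU,
        "moscow_working_hours": 6 <= hour <= 15,  # assumed UTC+3 working day
    }


def naive_score(s: Sample) -> int:
    return sum(indicator_hits(s).values())


def make_file_header(compiled_at: datetime) -> bytes:
    """Build a minimal IMAGE_FILE_HEADER carrying only the fields used here."""
    hdr = bytearray(20)
    struct.pack_into("<HH", hdr, 0, 0x8664, 1)  # Machine = AMD64, one section
    struct.pack_into("<I", hdr, FILE_HEADER_TIMESTAMP_OFFSET, int(compiled_at.timestamp()))
    return bytes(hdr)


def spoof_as_russian(s: Sample) -> Sample:
    """Rewrite every field the heuristic keys on; all of them are attacker-controlled."""
    hdr = bytearray(s.file_header)
    fake_time = datetime(2016, 6, 10, 10, 0, tzinfo=timezone.utc)  # 13:00 in Moscow
    struct.pack_into("<I", hdr, FILE_HEADER_TIMESTAMP_OFFSET, int(fake_time.timestamp()))
    return replace(
        s,
        name=s.name + " (spoofed)",
        rsrc_langid=LANGID_RU_RU,
        file_header=bytes(hdr),
        strings=s.strings + "\nОшибка подключения",  # "connection error", planted
    )


def indicators_discriminate(a: Sample, b: Sample) -> bool:
    """True only if the heuristic can tell the two samples apart."""
    return indicator_hits(a) != indicator_hits(b)


# Constructed samples for the illustration (not real binaries).
GENUINE_RU = Sample(
    name="ru-dev",
    rsrc_langid=LANGID_RU_RU,
    file_header=make_file_header(datetime(2016, 6, 9, 9, 30, tzinfo=timezone.utc)),
    strings="Соединение установлено\nC:\\build\\agent.pdb",
)
OTHER_ACTOR = Sample(
    name="non-ru-dev",
    rsrc_langid=LANGID_EN_US,
    file_header=make_file_header(datetime(2016, 6, 9, 20, 0, tzinfo=timezone.utc)),
    strings="connection established\nC:\\build\\agent.pdb",
)

if __name__ == "__main__":
    spoofed = spoof_as_russian(OTHER_ACTOR)
    for s in (GENUINE_RU, OTHER_ACTOR, spoofed):
        print(f"{s.name:24} score={naive_score(s)} {indicator_hits(s)}")
    print("heuristic separates genuine from spoofed:",
          indicators_discriminate(GENUINE_RU, spoofed))
```

Run as a script, the genuine sample and the spoofed sample both score 3 of 3 and `indicators_discriminate` returns False: the heuristic cannot tell a Russian developer from anyone who wants to look like one. Indicators that the adversary controls at zero cost carry correspondingly little evidential weight.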

Wednesday, June 15, 2016

The DNC Hack: Dangers of Playing the Nation State Blame Game

UPDATE: Someone claiming to be responsible for the DNC breach has released the Trump opposition file to Gawker and mocked CrowdStrike according to the Salted Hash blog:

"The main part of the papers, thousands of files and mails, I gave to WikiLeaks. They will publish them soon. I guess CrowdStrike customers should think twice about company’s competence," they wrote.

CrowdStrike's response to Salted Hash included mention of a "Russian Intelligence Disinformation Campaign", and that they stand by their findings of Russian government involvement.

On June 14, the Washington Post reported that the Democratic National Committee had suffered a breach of their network by Russian hacker groups who stole the DNC's opposition research on Donald Trump. The Post's headline read "Russian Government Hackers penetrated DNC ..."

I trust CrowdStrike's judgment that the hackers were Russian-speaking, but were they employed by competing Russian intelligence services as CrowdStrike maintains? The truth is - no one knows for sure. CrowdStrike merely believes that they are. Here's the essential argument that Dmitri made in his blog post:

  1. Fancy Bear and Cozy Bear appeared to work separately from each other in the DNC network without being aware of the other's presence. 
  2. Russian intelligence services (GRU, SVR, FSB) compete with each other.
  3. The group Fancy Bear "may be affiliated" with the GRU.
  4. Therefore Cozy Bear must be affiliated with the FSB or SVR.
I'm embarrassed to say that that kind of logic is par for the course in the crazy world of cyber threat intelligence. When it comes from a company with the size and reputation of CrowdStrike, it isn't questioned in national policy circles. It's accepted as fact. Soon it will appear as a footnote in some academic's article about "nation state cyber war". The FBI's database will be updated without any critical examination of the data. 

And should a more serious cyber event occur at any point in the future that even smells like Fancy Bear or Cozy Bear, it'll be declared an attack by the Russian government and a diplomatic incident could occur, even though the Kremlin may have had nothing to do with it. 

The truth is that there's no way using digital forensics to differentiate between a skillful and well-paid Russian-speaking mercenary hacker group working on their own, and equally skilled Russian hackers employed by the FSB. And something as simple as responsible attribution would go a long way towards avoiding unnecessary diplomatic tensions between governments.

Monday, June 6, 2016

The Next Evolution of Suits and Spooks: Entertainment

Farnborough International Airshow 2014
I founded Suits and Spooks in 2011 in an effort to make it easier for startup technology companies to engage with the Intelligence Community; a problem based largely back then on an antiquated acquisition system. A lot has changed in five years, and so has Suits and Spooks.

Today, I'm pleased to announce the next evolution of this event. Delivering security training to executives by combining it with a hugely entertaining event like the world's largest military airshow in Farnborough, U.K.

Espionage @ Farnborough International Airshow will give our guests VIP treatment, hands-on time with the world's most advanced aircraft, space, and unmanned aerial systems while former British Intelligence officers and Special Operations Forces operators act as their guides with information on how espionage is conducted at shows like Farnborough and how to counter same.

Later that evening, back in London, former and current British Intelligence officers will review the tradecraft and the counterespionage techniques that our guests should know to keep their IP and R&D safe from bad actors (both in the cyber and physical domains).

While we are making this trip available to individuals, we can customize it for a company as a team-building, security-training, client entertainment, or client acquisition event. Please contact me if you'd like to discuss this further.

In the meantime, please check out and follow our brand new @SuitsandSpooks Instagram account for some incredible pictures related to our upcoming Farnborough / London trip, and to stay current about our future trips. You can also follow us on Twitter, or just visit the website.

Monday, May 30, 2016

How Common Is It To Underestimate Customer Acquisition Costs?

I'm not a marketing guy. I always figured that if you build a solution that solves a hard problem, the customers will come. Right now, every marketing guy reading this is falling down laughing, but I really did believe that.

In 2011 and 2012, after participating in dozens of post-breach consultations with multi-nationals, I learned about a problem with no viable solution: how can a company with millions of files determine which are most valuable to a potential adversary?

From 2013-2015, I devised a solution, recruited a team to build it, and found angel investors to finance it. The solution was so simple, so based in common sense, and so easy to implement, that I was certain that our customers would embrace it the moment that we presented it to them. Boy, was I wrong.

I underestimated customer acquisition, and I overestimated product adoption. As I speak with some peers in the industry about it, I'm learning that I'm not alone in making this mistake. I'm working on some ways to remedy that problem for my company, and in the process I've put together a plan to help other startups avoid that same mistake. I'm kicking that plan off today with this post.

Our sixth annual Suits and Spooks DC event (Jan 11-12, 2017) will be all about cyber espionage, APT actors, and the cybersecurity companies and startups that can help companies and government agencies defend against it.

Day one will explore and identify the high value technologies that are being targeted, and by whom.

Day two will give 12 cyber security startups fifteen minutes to demo their product or service to our attendees; at least 50% of whom will be decision-makers from our startups' list of target customers. They'll be attending free of charge.

Sound good? Sign your startup or company up as a sponsor today and we'll spend the next six months working with you to identify, connect with, and invite as many executives at the director level or higher at your target companies as we can - free of charge. By letting my team help you win new customers, you'll help us generate income for our own marketing efforts. I think it's a win-win. If you agree, please connect with me on LinkedIn and ask for a sponsorship package.

Tuesday, May 17, 2016

Cyber Espionage's Three-Legged Stool Dilemma

Cyber espionage is a worldwide multi-billion dollar problem for every technologically advanced nation; even the ones that the U.S. traditionally considers its adversaries (Russia and China). 

Think of it as a stool with three legs: Targets (High Value Technologies), Actors (both State and non-State), and Defenses (ways that we can protect those HVTs). 

The reason why companies and government agencies continue to lose their expensive HVTs to their rivals and adversaries is that their three legged stool is missing one or more of its legs. It's really as simple as that.

At Suits and Spooks DC (January 11-12, 2017) we'll take a deep dive into how governments and corporations need to assess these three components by discovering answers to the following questions:

What are the most valuable technologies of 2017 and beyond?
Which threat actors are targeting those technologies, and how?
How can you best defend your technologies against those threat actors?

Day one will address the first two questions while day two will showcase about a dozen companies whose focus is defending against acts of cyber espionage.

Seats are limited to no more than 100 people. Register today and save 60%.

If you have a topic in mind that you think would be a good fit for our event, send over a title, abstract, and your bio. Our current speakers include Dr. David Bray (CIO at the FCC) and Lewis Shepherd (formerly with Microsoft and the Defense Intelligence Agency).

If you work for a cyber security company and would like to be considered for a 15 minute slot on day two to showcase your product for our government and corporate attendees, contact me at your earliest opportunity. We're only going to feature 12 companies.