Sunday, December 13, 2015

Get An Insider's Perspective On The Commercial Airline Threat Landscape (Closed To The Press)

This is a unique opportunity to hear Jim Vasatka (Director of Aviation Security at Boeing) discuss the overall cybersecurity threat space as it pertains to commercial aircraft in a NO PRESS, Chatham House Rule environment. Attendees will also be invited to submit implementation ideas for AIAA's Cybersecurity Framework.

For the first time in five years, Suits and Spooks DC is structured in half-day blocks of sessions - Aerospace, Critical Infrastructure, Finance, and Future Warfare. You now have the option of registering for a single or multiple blocks ($199 per block), or the full two days ($599). Lunch is included with either option.

Learn More

Saturday, December 12, 2015

Who Has The Chinese Government Arrested For Hacking OPM? Possibly No One.

On December 1st, Attorney General Loretta E. Lynch and Department of Homeland Security Secretary Jeh Johnson, together with Chinese State Councilor Guo Shengkun, co-chaired the first U.S.-China High-Level Joint Dialogue on Cybercrime and Related Issues.

On December 2nd, China’s official news agency Xinhua reported on the meeting and dropped a bombshell: “Among the cases discussed included the one related to the alleged theft of data of the U.S. Office of Personnel Management by Chinese hackers. Through investigation, the case turned out to be a criminal case rather than a state-sponsored cyber attack as the U.S. side has previously suspected.”

The Washington Post’s Ellen Nakashima was the first to write an article about the Xinhua announcement and other news media quickly followed suit. The fact is that the Chinese government has not provided any details about the OPM hackers’ arrests. It’s hard to fathom why China’s Minister of Public Security State Councilor Guo Shengkun, who was part of the China delegation (depicted in the picture below), didn’t provide any details during the ministerial meetings. It certainly wasn’t mentioned in the U.S. Dept. of Justice’s press release.

It’s not that the Chinese government hasn’t been arresting hackers. The Ministry of Public Security (MPS) has been very busy doing just that for most of this year according to the Legal Daily, a State-owned newspaper that covers legal developments. According to the Legal Daily, China’s thirteenth five year plan (which hasn’t yet been formally released) emphasizes the following network security related issues:
  • Improved network security
  • Purify the Internet environment (gambling, pornography, drugs, etc.)
  • Strengthen multilateral and bilateral coordination
  • Participation in global network security initiatives

To combat criminal hackers, the MPS launched a six-month special action. As of November, the MPS opened 400 criminal cases against 900 individuals including cyber criminals and hackers. Those arrests occurred between May and November for crimes including gambling, extortion, hacking, drug sales, and pornography.

China has made commitments to the U.S. that it will not engage in acts of cyber espionage for commercial gain and it may have every intention to keep those commitments — partly because there are many other legal ways that it can acquire the information it wants, partly to avoid possible U.S. economic sanctions, and partly because it has made incredible technological progress over the past 20 years so stealing is less of a requirement than it used to be.

Arresting the OPM hackers and providing the details to the FBI would seem to be an easy way to gain credibility for its earlier promise. Perhaps the MPS will indeed provide the details that the Dept. of Justice is most likely asking for ever since the Xinhua article appeared on Dec 2nd. Otherwise, this entire affair will keep getting weirder and weirder.

Recommended Reading:

Graham Webster for The Diplomat: “Has U.S. Cyber Pressure Worked On China?”
Peter Mattis for The Jamestown Foundation: “Three Scenarios for Understanding Changing PLA Activity in Cyberspace”

This article is cross-posted from my article on Medium.

Wednesday, October 21, 2015

How “Hat-tribution” on China Has Harmed U.S. National Policymaking

Back in the early 2000’s, cybersecurity researchers blamed every financial services attack on Russian or Eastern European hackers and every non-financial services attack on China. Every attack literally fell into one of those two buckets. U.S. Air Force officers in the 90’s were convinced that only the Chinese government was interested in stealing non-financial data like intellectual property. They were so positive that they gave China a code name — Advanced Persistent Threat (APT). Some of those Air Force officers later founded Mandiant and commercialized the name APT in a white paper that they released in 2010. In those years, APT was a “who”, not a “what”.

After the Office of the National Counterintelligence Executive issued its 2011 report, which named at least four nations responsible for intellectual property theft (China, Russia, France, and Israel), Mandiant began losing the battle to keep APT as a code name for China, and the term quickly evolved into a generic description of how hackers attack a network.

Mandiant made a fortune from its long-standing policy of blaming every network breach on Chinese hackers; a fact that didn’t go unnoticed by almost every other cybersecurity company. Between 2010 and 2015, any report that named China as the culprit caught the attention of corporate CEOs as well as major news outlets. In 2013, Mandiant issued its APT1 report. By the end of the year, it was acquired by FireEye for $1B.

In 2014, Crowdstrike issued its own PLA report which identified by name an alleged PLA hacker based in large part upon a photo that showed a PLA officer’s hat. CrowdStrike executives called it “hat-tribution” and the PLA hacker group was named “Putter Panda”.

That Crowdstrike considered a hat in a photo as evidence is a commentary on how badly private companies have handled intelligence collection and analysis. That, and a 10 year + history of mis-attributing every intellectual property attack that ever happened to the government of China has brought us to the inevitable end result — putting the White House in an uncomfortable diplomatic position with the Chinese government who may very well be keeping its word. Ironically, it’s Crowdstrike executive and co-founder Dmitri Alperovitch whose blog post brought this controversy about:

The very first intrusion conducted by China-affiliated actors after the joint Xi-Obama announcement at the White House took place the very next day — Saturday September 26th. We detected and stopped the actors, so no exfiltration of customer data actually took place, but the very fact that these attempts occurred highlights the need to remain vigilant despite the newly minted Cyber agreement.
We are releasing below the timeline of intrusions into these commercial entities that we detected over the course of the last 30 days. It is important to note that this is not an exhaustive list of all the intrusions from Chinese-government affiliated actors we have detected during this time period; it is limited only to commercial entities that fit squarely within the hacking prohibitions covered under the Cyber agreement. The intrusion attempts are continuing to this day, with many of the China-affiliated actors persistently attempting to regain access to victim networks even in the face of repeated failures.
We assess with a high degree of confidence that these intrusions were undertaken by a variety of different Chinese actors, including DEEP PANDA, which CrowdStrike has tracked for many years breaking into national-security targets of strategic importance to China, as well as commercial industries such as Agriculture, Chemical, Financial, Healthcare, Insurance, Legal, Technology and many others.

This company blog post combined Crowdstrike’s threat intelligence with a marketing pitch for its Falcon platform. The post speaks for itself, blaming China for ongoing cyber attacks after the Xi-Obama agreement. However, after AP, CBS, and the Washington Post picked up the story, Alperovitch attempted to walk back his post’s claims by saying “We are not stating anywhere that the Chinese are violating the agreement. It is not up to us to draw that conclusion.”

A White House spokesman who spoke with Foreign Policy wouldn’t comment on the Crowdstrike blog post except to say “As a general matter, malicious cyber actors from a variety of nations find U.S. networks and companies attractive targets, and seek access to sensitive or proprietary information for a variety of purposes.”

How many of those “malicious cyber actors from a variety of nations” use China to launch their attacks from?

How many independent, non-state-affiliated Chinese hackers launch their own attacks for fun and profit?

And how does Crowdstrike, Mandiant or any other company differentiate between those and actual Chinese government attacks?

I’ve been challenging security intelligence companies to answer that question for years and have yet to hear a responsible answer from any of them.

Tuesday, October 13, 2015

Win A Free Trip To Suits and Spooks Paris!

UPDATE: As of this morning (Oct 16th), we have only 2 tickets remaining for this promotion.  Act fast to secure your chance to win a free trip to Paris Suits and Spooks.

UPDATE: As of the 15th, we have only 5 tickets remaining. This promotion will end at close of business tomorrow, Friday Oct 16th.

For the next 48 hours, we will make ten tickets for Suits and Spooks DC (Feb 11-12, 2016) available for purchase at a huge discount: only $324. Our normal rate for October is $399 and effective Nov 1 it will go up to $499.

Even better, by taking advantage of this promotion, you'll enter our drawing to win roundtrip airfare (economy class from JFK or IAD) and one night hotel accommodations to our very first Paris Suits and Spooks event next March! 

Your admission to Suits and Spooks DC is 100% refundable prior to December 31, 2015. It includes:

  • Our Aerospace block which will feature panels from two of the world's largest aerospace and defense companies,
  • Our Future Warfare block which will feature a panel of experts debating international law as it relates to cyber warfare,
  • Our Critical Infrastructure block that will explore vulnerabilities in transportation, communication, and utilities,
  • Our Financial Services block that will look into international investments in cyber security as well as challenges to global bankers.
We'll pick the winner in a blind drawing on New Years Day. Airfare and hotel will be prepaid and may not be substituted for cash. If you have already registered for Suits and Spooks DC, your name will automatically be entered for the Paris drawing, but please share this email with any of your peers who you think would be interested.

Register now and save $75 on our already low rate, and earn a chance to win a trip to Paris Suits and Spooks in March 2016. 

Good luck everyone!

Friday, September 4, 2015

What Will The Cost of Chinese Sanctions Be For U.S. Companies?

According to major media outlets, the U.S. government will soon announce economic sanctions against the Chinese government for its acts of economic espionage; especially cyber espionage that benefits Chinese companies. This tactic clearly has political appeal but it will fail to stop the Chinese government (as well as any other government who had similar sanctions taken against it) from continuing its long-standing program of technology acquisition by any means available. It will also put U.S. businesses who do business in China in harm's way if the Chinese government chooses to retaliate.

Here's why it will fail to stem the tide of IP theft by China:
1. The Chinese government uses a wide variety of legal means to acquire foreign technology. Sanctions will have no effect on that.
2. China's Internet space is used by a wide variety of foreign hackers as a launch point for attacks against U.S. companies. China is the perfect patsy for every false flag operation in the world. Sanctions will have no effect on that.
3. At least one Chinese hacker group (written about in the FBI's indictment against Chinese businessman Su Bin) never launches its attacks from within China or receives electronic files within China. It only runs its operations from countries outside of China. Isn't that the minimum tradecraft that we would expect from the Ministry of State Security, the PLA, and every other foreign intelligence service that ever existed - EVER - in the history of the f__king world?

Now that you know why sanctions will fail to accomplish their stated goal of stemming China's acts of economic espionage, what will the cost of sanctions be to U.S. businesses?

In 1998, the U.S. International Trade Commission studied the effect of unilateral U.S. economic sanctions on U.S. businesses. At that time, the only countries the U.S. government had sanctioned were tiny or economically insignificant, with the exception of India and Pakistan in 1998. But even then, the U.S. energy sector was adversely affected. Imagine how it will fare when the target of sanctions is China, a huge global energy consumer.

The questions that the report authors posed for U.S. companies 17 years ago are still relevant today and include:
  1. the business losses experienced, compared to the returns expected if sanctions had not been in place;
  2. the effects of delayed entrance into a market because of sanctions;
  3. the business losses incurred because sanctions may cause U.S. firms to be perceived as unreliable suppliers, due to the threat of future U.S. unilateral economic sanctions.
Most of the Fortune 1000 are either doing business in China or want to do business in China. The larger they are, the more this applies. Each one of those companies should contact the White House and find out what the President is planning, then determine how it will affect them, because one thing is for sure: they won't see any upside. It's only going to bring them pain.

Tuesday, September 1, 2015

The Legal Rationale For Killing An Enemy Hacker (or Could You Be The Next Junaid Hussain)?

The Pentagon has confirmed [1] that a British hacker named Junaid Hussain was targeted and killed in a military air strike on August 24, 2015. Pentagon spokesman Air Force Col. Pat Ryder (USCENTCOM) gave the following rationale for targeting Hussain:
  • He was involved in actively recruiting ISIL sympathizers in the West to carry out lone wolf attacks
  • He was responsible for releasing personally identifying information of approximately 1,300 U.S. military and government employees
  • He specifically sought to direct violence against U.S. service members and government employees
According to the Wall Street Journal [2], he was a chief in the Islamic State's electronic army. The U.S. government has been conducting military operations against the Islamic State (ISIL), a group responsible for atrocious war crimes and human rights abuses.

Legal Status (Combatant or Civilian)

When looking at the rationale for the lethal targeting of a hacker, it might help to picture a decision tree. Assuming that there is an armed conflict underway at the time (a requirement for the targeting of a civilian to occur), the first question to ask pertains to the target's legal status. According to Rule 34 of the Tallinn Manual (TM) [3], the following persons may be lawful objects of attack:
  1. members of the armed forces
  2. members of organized armed groups
  3. civilians taking a direct part in hostilities, and
  4. in an international armed conflict, participants in a levée en masse (inhabitants of a territory who spontaneously take up arms to resist an invading force before they can organize into regular armed units)
In the case of Hussain, his affiliation with ISIL makes him a member of an organized armed group, which makes him a legitimate target regardless of what types of cyber attacks he engaged in. But what if his legal status wasn't so clear cut?

Civilian Status: DPH or IPH

If the target is not a member of the armed forces or of an organized armed group, then the next step is to ascertain whether he was a Direct Participant in Hostilities (DPH) or an Indirect Participant in Hostilities (IPH). Only the former may be attacked.

According to the International Committee of the Red Cross (ICRC) [4]:
Persons participate directly in hostilities when they carry out acts, which aim to support one party to the conflict by directly causing harm to another party, either directly inflicting death, injury or destruction, or by directly harming the enemy's military operations or capacity. If and for as long as civilians carry out such acts, they are directly participating in hostilities and lose their protection against attack.
When it comes to cyber attacks, the definition of "causing harm" becomes more fuzzy, which could be problematic for civilian hackers who engage in cyber attacks for reasons of their own. The ICRC specifically calls out interfering with military computer networks and transmitting tactical targeting intelligence for specific attacks as examples of DPH. Hussain took credit for hacking the Twitter account of U.S. Central Command and publishing personally identifiable information for 1,300 government military employees along with inciting personal attacks against those employees from his Twitter account.

Taken in isolation, hacking a social media account is child's play when two-factor authentication hasn't been activated (which it hadn't been in CENTCOM's case). The only result emanating from that hack and others like it is temporary embarrassment of the victim. However, in the Hussain case, it's being used as part of the justification of the attack by the Pentagon [5]. As mentioned above, it isn't the primary justification - that would be Hussain's membership status with an organized armed group (ISIL).

Rule 30 of the TM defines what a cyber attack is for purposes of warfare: 
"A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects."
Rule 35 of the TM explicitly states that "civilians enjoy protection against attack unless and for such time as they directly participate in hostilities". The supporting text goes on to state that this rule's application is limited to individuals who engage in hostilities and are not affiliated with a militia or who are affiliated with an "ad hoc group" that lacks the requisite degree of organization. 

Three Conditions Must Be Met

The ICRC has set three conditions that must be met for a civilian to be classified as a DPH[6]:
  1. Threshold of Harm. The act must have the intended or actual effect of negatively affecting the adversary's military operations or capabilities, or inflicting death, physical harm, or material destruction on persons or objects protected against direct attack (threshold of harm).
  2. Causal Link. A direct causal link between the act in question and the harm intended or inflicted must exist.
  3. Belligerent Nexus. The act must be directly related to the hostilities.
If any one of these isn't met, the person cannot be targeted. 


What would it take for a hacker to land on the Pentagon's Disposition Matrix [7] like Junaid Hussain did? If you're a hacker who is conducting any kind of network attack against foreign government entities, especially the United States or its key allies, here are three important tips to keep in mind:
  1. Be careful about who you affiliate with. If you align yourself with a group that the U.S. government eventually considers an organized armed group, you may lose the protection of your civilian status and become a target by virtue of your affiliation alone. The fact that you also have mad hacker skills will just be the icing on the Pentagon's cake.
  2. Don't think that low-level, unsophisticated network and social media attacks will make you less of a target than attacks that actually cause harm to an object or person. Hussain hacked a Twitter feed and posted names and email addresses for government employees, among other things. 
  3. If you decide to support another nation's or group's activities that are deemed hostile to a foreign government, such as a color revolution or something equivalent to the Arab Spring, that government may deem you a legitimate target under these same legal principles. 
Remember that your online activities, no matter how minor you believe them to be, may, under the right combination of circumstances, result in a lethal outcome. The Hussain killing should be taken seriously by everyone in information security who's involved in hacking as a profession or a hobby.

[3] Tallinn Manual on the International Law Applicable to Cyber Warfare, Cambridge University Press, 2013
[6] The Tallinn Manual, p. 119, footnote 63

Sunday, August 16, 2015

DSS Reports Foreign Governments Increasing Espionage Activities Against U.S. Defense Industrial Base Companies

The Defense Security Service just issued its 2014 report "Targeting U.S. Technologies: Trend Analysis of Cleared Industry Reporting" (.pdf). DSS's mission is, in part, to secure the nation's technological base against acts of industrial espionage. These annual reports highlight specific technologies that have been targeted by foreign actors as reported to DSS. In FY13, the agency received and reviewed over 30,000 reports.

Each year DSS highlights a technological sector. In 2014, it was "Inertial Navigation Systems" (INS), used in commercial and military aircraft, spacecraft, and naval vessels.

Based on information received from cleared defense sector companies, DSS analysts were able to identify five distinct methods of operation when targeting INS technologies:
  1. an attempt to purchase (usually by finding a corrupt company in an allied State to act as the middleman)
  2. academic solicitation
  3. solicitation or marketing services
  4. sending a Request For Information (RFI)
  5. foreign visit (such as attending a conference in a foreign State)
DSS analysts also break down collector affiliations into five categories: commercial, government, government-affiliated, individual, and unknown.

This is easier to do with tangible collection activities as described above than with cyber attacks, which DSS (to its credit) acknowledges in the conclusion of its report (p.71). With an RFI or an invitation to attend a conference, you know who sent the invitation. With a cyber intrusion, or what DSS calls "Suspicious Network Activity" (SNA), it could be anyone.

However, cyber espionage is simply a new way to conduct industrial espionage so it's reasonable to assume that governments and corporations who are attempting to acquire a specific technology in any of the five ways detailed by DSS will also use a network attack if it will produce a successful end result. See our white paper on espionage-as-a-service, for example.

What the DSS Report Won't Tell You

The Defense Security Service produces one of the very best analytic reports available today, both in terms of sound intelligence collection and analysis methodologies (missing from 90% of cyber intelligence reports) as well as actionable content. However, it doesn't tell you who is doing the collecting. It also doesn't provide the entirety of any nation's technology acquisition interests. If your company doesn't produce any of the INS-related technologies mentioned in this report, does that mean that you're safe from foreign collection efforts? Absolutely not.

That's why we built the Redact™ knowledge base and the OverWatch™ intelligence feed. Used in conjunction with the DSS report, you can identify which Chinese and Russian government institutes, universities, state key labs, and state-owned enterprises have received funding for high priority technology R&D projects, and which of those have been reconnoitering your company's website for product information. We are also mining South Korean and French institutes and will be adding more nations over the next few months.

Compatible with Maltego and other Threat Intelligence Platforms

Our OverWatch™ intelligence feed is written in Common Event Format (CEF) and is compatible with many SIEM and threat intelligence products including ArcSight ESM, Splunk, and ThreatStream. We are also about to launch our Maltego transform.

OverWatch™ will alert in real-time when one of the foreign government research institutes that we track is visiting your website while Redact™ will provide you with the details on their government funded R&D projects. We are currently scheduling demos for new corporate customers as well as federal agencies who are approaching the end of the federal fiscal year.

Redact™ is the only commercial database of its kind outside of a classified environment. Read our current product brief and contact us today for an online demonstration.

NOTE: This is cross-posted from the original article at the Taia Global website's blog.

Thursday, August 6, 2015

Why Retaliation Against China for the OPM Hack is a Bad Idea

I've written an OpEd on why the White House needs to look at deterrence in cyberspace differently based upon their announcement via David Sanger at the New York Times that they're looking at taking action against China for the OPM hack.

You can read it at the Christian Science Monitor or at The Diplomat. Comments are always welcome.

Thursday, July 16, 2015

Suits and Spooks at the Wingtip Club - Oct 6th - By Invitation Only

The Wingtip Club in San Francisco is a renovated 13,000 square foot duplex penthouse decorated in the old Gold Coast style atop the historic 1908 Bank of Italy building in downtown San Francisco. On Oct 6, 2015 it will be the venue for the most unique and luxurious Suits and Spooks event that we've ever held.

Taia Global and our event sponsors including Norse Corporation are picking up the tab for this full day of security talks and networking with intelligence veterans and executives from entertainment, banking, security, and technology companies.

Our speakers include:
  • David Fichtner: David Fichtner served 27 years at the CIA working on Soviet Military Forces, Nuclear Weapons Security, Proliferation issues, and information operations. While at CIA, Mr. Fichtner was selected for the Congressional Fellows Program serving on Senator John McCain’s staff. He is also a graduate of the Navy Fighter Weapons School (Topgun) and a designated Air Combat Tactics Instructor. Since retiring, Mr. Fichtner has worked as a consultant on Russian Intelligence services IO for Taia Global.
  • Christopher Burgess: Served 30+ years with the Central Intelligence Agency, serving in South Asia, Southeast Asia, the Middle East, Central Europe and Latin America. Currently the co-founder, President and CEO of Prevendra
  • Anna Vassilieva: Expert in contemporary Russian politics; Professor of Russian Studies at Monterey Institute of International Studies.
  • Simon Baker: Formerly Bloomberg's Head of Information Security and CISO in New York. Currently advises a number of early security startups as well as the World Economic Forum.
  • Niloofar Razi Howe: Currently Chief Strategy Officer at Endgame and an Operating Partner at Paladin Capital Group.
  • Kurt Stammberger: Founder of the RSA Conference, expert in cryptography, threat intelligence, and security business strategy. Currently Senior VP of Marketing at Norse Corporation.
  • Jeffrey Carr: Founder, Taia Global and the Suits and Spooks conference; author and consultant to U.S. and foreign multinational corporations and government agencies.

Speakers and attendees will enjoy the Wingtip's new "Wine Cave" as their venue for this all-day event starting with a continental breakfast at 9am, lunch at 1pm, and a Whiskey tasting at 5pm.

Unlike other Suits and Spooks events, this will be limited to 30 invited attendees at the Director-level or above from industries including technology, aerospace, entertainment, banking, and biomedicine.

If you'd like to receive an invitation or discuss sponsorship options, please contact Taia Global. Both the number of sponsors and the number of attendees are limited so act soon. 

Sunday, July 12, 2015

Call For Papers: Suits and Spooks DC Feb 11-12, 2016

The National Press Club Washington DC
I'm thrilled to announce that our Suits and Spooks DC event for Feb 11-12, 2016 will be held at the National Press Club. We're going to be doing a lot of things differently, including offering live streaming tickets for those who can't attend in person thanks to the National Press Club's wonderful in-house AV system.

Our event will be broken down into four 4-hour blocks, each with a designated theme:

  1. Aerospace
  2. Critical Infrastructure
  3. Finance
  4. Warfare
The Aerospace block will feature threats against commercial aviation, unmanned aerial systems, GPS, satellites and space travel, and airborne weapons systems.

The Critical Infrastructure block will feature threats against the power grid, water supply, transportation, shipping, and telecommunication sectors.

The Finance block will feature talks on cryptocurrencies, the cyber security investment boom, ransomware, and the global stock and commodity exchanges.

The Warfare block will feature talks on cyber attacks and international law, the Wassenaar Arrangement, export controls on offensive and dual use tools, Second Amendment issues, and more.

Attendees will have the option of buying tickets for only one block, multiple blocks, or a full conference pass. All talks will be single-track. 


If you'd like to submit a talk for one of these four blocks or propose a panel, please submit it by November 1st. 

If you'd like to learn more about sponsorship options, please contact us.

Super early bird tickets will go on sale later this month.

Thursday, July 9, 2015

OPM Provides Insight Into Why It Was Hacked

The Office of Personnel Management just released the steps that it has taken to protect over 21 million federal employees whose data was stolen in what may be the worst cyber security breach in history. Now keep in mind that these steps were selected during a time of high criticism against the agency and its director Katherine Archuleta. So I think that it's safe to say that it represents the best effort of Director Archuleta and presumably the new cyber security advisors that she brought onboard post-breach.

Here are the steps:
  1. Providing a comprehensive suite of monitoring and protection services for background investigation applicants and non-applicants whose Social Security Numbers, and in many cases other sensitive information, were stolen.
  2. Helping other individuals who had other information included on background investigation forms.
  3. Establishing an online cybersecurity incident resource center.
  4. Establishing a call center to respond to questions.
  5. Developing a proposal for the types of credit and identity theft monitoring services that should be provided to all Federal employees in the future.
This reminded me of the letter that I received from Premera when they got breached (my wife and I were Premera customers), and had my USCG Top Secret security clearance still been active, I would have received an almost identical letter from OPM. 

Then the realization hit me. 

In crafting the above 5 steps, OPM revealed why it had been hacked so easily. It's because they didn't know (and still don't know) the intelligence value of what they had been trusted to protect: the SF-86 data. SF-86 forms are 120+ page monsters that consume your entire personal history along with all of your affiliations and points of contact in your personal, educational, and professional life. Clearance holders are periodically reinvestigated and must report foreign travel and contacts with foreign nationals as they occur, so the information is kept current.

Now imagine that you work for a foreign intelligence service and I was a hacker who was offering you a chance to buy the SF-86 forms for every soldier serving in the Special Operations component commands of the Navy, Army, Air Force and Marines. These are the individuals who are responsible for direct action, counter-terrorism, snatch and grab, counter-narcotics, reconnaissance and who knows how many other secret operations. 

Perhaps you work for a large South American drug cartel. How much would you be willing to pay for the SF-86 on every Drug Enforcement Agency employee who holds a clearance? If you had OPM's files and access to a data-mining tool like i2, Maltego, or Palantir, you could construct models that would reveal who was working a counter-narcotics operation in Medellín last year based upon their SF-86 foreign travel updates. 

Imagine that you were looking to convince a U.S. government employee to work for you under threat of blackmail. The OPM database would provide you with a way to filter for those with backgrounds that make them highly vulnerable to extortion demands because the background investigators who conduct the interviews are looking for precisely that kind of information!


When we speak with clients at Taia Global, the very first thing we do is show them how valuable their IP (intellectual property) is to foreign governments. We call that Target Asset Value™. Once the client understands his company's TAV, the client can properly evaluate what measures to put into place to protect the company's assets. 

OPM clearly did not understand the concept of Target Asset Value as it relates to the government employees whose data they were responsible for. If they did, they wouldn't have proposed credit monitoring protection as a solution when the threats are so much greater than simple identity theft or an Amazon shopping spree. OPM's current solution is wholly inadequate and will continue to be so until Director Archuleta and her staff come to grips with the true value of the data that they were entrusted with, and lost.

Monday, June 22, 2015

OPM Breaches Go Back to 2012 and 2013

The Office of Personnel Management's troubles extend even further back than the current reported 2014-2015 timeline according to a 2013 Office of the Inspector General audit report on OPM's use of Serena Business Management software. The system was hacked in May, 2012 and March 2013 and sensitive data was lost (p.ii of the Executive Summary).

Appendix II of the above-referenced 2013 report contains a copy of the FLASH Audit Alert to the OPM, which states:
"In May 2012, a malicious hacker successfully breached OPM's Serena Business Manager system (Serena, formerly known as TeamTrack). The system was briefly taken down by OPM's Office of the Chief Information Officer (OCIO), but was quickly restored and made available on the public Internet." 
"Over the past year, the OCIO's Network Security Branch has conducted vulnerability scans that detected security flaws in the Serena system. However, it appears that no action was taken by the system administrators to address these issues, as another application on the Serena platform was hacked in March 2013. 
After both security breaches, the hackers boasted on the Internet about compromising a government computer system, leading to embarrassing publicity for OPM."
According to the company, Serena Business Software has been used by OPM for automating process solutions for background checks, FOIA requests, health and compliance issues, etc.

Friday, June 12, 2015

Tianjin University Use Case For R&D As A Way To Predict Breaches Targeting IP

On May 19, 2015, the FBI announced that it had charged six individuals (including two Chinese professors) with economic espionage and theft of trade secrets "for their roles in a long-running effort to obtain U.S. trade secrets for the benefit of universities and companies controlled by the PRC government(1)."

Here are the details from the FBI's press release:
"According to the indictment, PRC nationals Wei Pang and Hao Zhang met at a U.S. university in Southern California during their doctoral studies in electrical engineering. While there, Pang and Zhang conducted research and development on thin-film bulk acoustic resonator (FBAR) technology under funding from U.S. Defense Advanced Research Projects Agency (DARPA). After earning their doctorate in approximately 2005, Pang accepted employment as an FBAR engineer with Avago Technologies (Avago) in Colorado and Zhang accepted employment as an FBAR engineer with Skyworks Solutions Inc. (Skyworks) in Massachusetts. The stolen trade secrets alleged in the indictment belong to Avago or Skyworks."
"Avago is a designer, developer and global supplier of FBAR technology, which is a specific type of radio frequency (RF) filter. Throughout Zhang’s employment, Skyworks was also a designer and developer of FBAR technology. FBAR technology is primarily used in mobile devices like cellular telephones, tablets and GPS devices. FBAR technology filters incoming and outgoing wireless signals so that a user only receives and transmits the specific communications intended by the user. Apart from consumer applications, FBAR technology has numerous applications for a variety of military and defense communications technologies."
"According to the indictment, in 2006 and 2007, Pang, Zhang and other co-conspirators prepared a business plan and began soliciting PRC universities and others, seeking opportunities to start manufacturing FBAR technology in China. Through efforts outlined in the superseding indictment, Pang, Zhang and others established relationships with officials from Tianjin University. Tianjin University is a leading PRC Ministry of Education University located in the PRC and one of the oldest universities in China." 
"As set forth in the indictment, in 2008, officials from Tianjin University flew to San Jose, California, to meet with Pang, Zhang and other co-conspirators. Shortly thereafter, Tianjin University agreed to support Pang, Zhang and others in establishing an FBAR fabrication facility in the PRC. Pang and Zhang continued to work for Avago and Skyworks in close coordination with Tianjin University. In mid-2009, both Pang and Zhang simultaneously resigned from the U.S. companies and accepted positions as full professors at Tianjin University. Tianjin University later formed a joint venture with Pang, Zhang and others under the company name ROFS Microsystem intending to mass produce FBARs."
"According to the indictment, the stolen trade secrets enabled Tianjin University to construct and equip a state-of-the-art FBAR fabrication facility, to open ROFS Microsystems, a joint venture located in PRC state-sponsored Tianjin Economic Development Area (TEDA), and to obtain contracts for providing FBARs to commercial and military entities."
While this case is an example of industrial espionage, identical cases involving cyber espionage and other forms of IP theft happen frequently against companies that engage in research and development of interest to rival governments, state-owned enterprises and for-profit corporations worldwide.

Taia Global's REDACT™ is the only commercial product outside of a classified environment that is entirely focused on collecting, aggregating, and mining foreign government funding of R&D at the project level. Had Avago and Skyworks been REDACT™ customers, they would have been able to identify which government-funded research universities and state key labs were working on FBAR and other precision acoustic technologies and then assess how valuable their technology was to rival governments, thus establishing their Target Asset Value™.

Wednesday, June 10, 2015

BREAKING: SCANEX Reported Greenpeace Vessel Arctic Sunrise to FSB, Then Sought To Cover It Up

On September 18, 2013, Greenpeace protestors left the Arctic Sunrise on inflatable motor boats and headed towards Gazprom's oil platform, the Prirazlomnaya, to protest drilling which threatens the pristine Arctic environment. The Russian Coast Guard was informed of the attempted protest action and sent commandos to intercept them. They rammed the Greenpeace inflatables, fired shots across the bow of the Arctic Sunrise and arrested two activists.

On September 19, agents from the Russian Security Service (FSB) fast-roped onto the deck of the Arctic Sunrise from a helicopter overhead and took the entire ship into custody even though it was in international waters and outside the 500 meter protection zone around the drilling platform.

Taia Global analysts have discovered that RDC SCANEX, a privately owned Russian company, alerted the Coast Guard. In an email thread dated 20 September 2013, Georgy Potapov, a project manager at SCANEX at the time, wrote:
"If you, like me, received a letter from Greenpeace today about the campaign near the Gazprom rig in the Pechora Sea (also known as the Prirazlomnaya Platform) – then you’re aware that their ship was boarded by border guards. They have even been charged with violating a foreign ship within the limits of territorial waters, the so-called three-mile zone."
"When charting them on the OSM map with the boundaries of water, adding the three-mile buffer zone and looking at the dates - we can see that on September 16th, Arctic Sunrise ship arrives, then moves in a circle, but does not cross any border zones or any limits of territorial waters."

Arctic Sunrise Location

Alexey Kucheiko, Deputy Director of SCANEX, responded:
"For your information (in order to cool the excitement of the findings), we have provided direction for the border guards twice to intercept the ship with Greenpeacers, passing the AIS remarks to the Coast Guard of the FSB frontier: in the Kara and Pechora Sea."
"And if prompted, we will ensure the seizure of the crazy civilians again. I am sure that if they got on Statoil or Shell’s platform in Alaska, they would have received even more serious consequences for the Greenpeace cash bank."
"Please be very careful in sharing your "findings" which can expose and bring a blow to our people."
"For possible objections about the need to protect nature - we are conducting 2 commercial contracts, one with the wildlife sanctuary and the other - with the WWF on the basis of AIS."
Deputy Director Kucheiko not only clarified that SCANEX was responsible for reporting the position of the Arctic Sunrise to the Russian Coast Guard, which is part of the Border Guard of the FSB, but also that he knew they'd suffer repercussions from their customers and planned to offset the blowback by providing AIS support to two environmental organizations. This is the equivalent of an oil company that, after creating an environmental disaster, announces how environmentally friendly it is.

Olga Gershenzon, SCANEX's VP of Engineering, asked Kucheiko:
"And at whose request have we imposed the Border Guards on Greenpeace?", 
to which Kucheiko replied:
"At the personal request of the regional border guard officer of Coast Guard Border Service of FSB. Information is being reported to Moscow. His leaders are planning to come to our conference."
RDC SCANEX has numerous foreign partners including the U.S. Geological Survey, VMWare, HP, IBM, and Google. This could be a supply chain nightmare for western companies who have no idea what type of work SCANEX may be doing for the FSB.

On September 30, Greenpeace Russia released a statement refuting the Russian government's declaration of illegal activities by Greenpeace.
(machine translation) "Greenpeace icebreaker Arctic Sunrise did not cross the established international and Russian legislation a security zone around the platform." 
"International law, in particular Article 60 (5) of the UN Convention on the Law of the Sea allows you to declare a security zone no more than 500 meters around the offshore installation. Arctic Sunrise has never approached "Prirazlomnaya" closer than 500 meters. It can be seen on the web map, which displays the location of the ship. Location data were obtained through a geo-portal "Kosmosnimki" integrated with the Canadian AIS (Automatic Identification System) "Exactais" in real time." 
"Inflatable boats used for carrying out a peaceful protest, approached closer than 500 meters to the platform. However, they do not pose a security risk to "Prirazlomnaya", which is on the high pedestal of steel and concrete to protect from the effects of huge ice floes." 
"Actions activists present no hazard to the platform. All the Greenpeace activists undergo special training to non-violent action. They endangered the lives of the platform with him they did not have anything except banners and ropes. This is a peaceful protest was held at the "Prirazlomnaya" last year and took place without incident."
Taia Global asked Greenpeace Russia to comment on this report. They informed us that there was no need for SCANEX to contact the Coast Guard since they were already in regular radio contact with the Coast Guard starting two days before the protest action took place. Daniel Simons, Chief Legal Counsel at Greenpeace International said:
"When the protest began, the ship radioed to the Prirazlomnaya to explain the peaceful intentions of the Greenpeace activists. This is standard practice at any Greenpeace protest and since this incident Greenpeace has continued to protest Arctic oil drilling peacefully and safely, most recently on Shell’s Arctic rig Polar Pioneer, which plans to drill off Alaska this summer." 
"If the FSB received further information from Scanex on the ship's positions, it merely reinforces that official claims that the Coast Guard intervened forcefully because it feared a terrorist attack were bogus."
Almost one year ago, on June 6, 2014, the Russian government released the Arctic Sunrise vessel, having held it for almost 9 months. The crew members had been released after a little over three months. Greenpeace has vowed to continue campaigning peacefully against oil drilling in the Arctic.

NOTE: The emails quoted in this thread were delivered to Taia Global by a Ukrainian hacker who cracked the email archives of Alexey Beseda, one of the board members of RDC Scanex as a protest action against Russia's incursion into Ukraine. All emails were translated into English from the original Russian language.

In July, 2014, the Ukrainian Security Service (SBU) opened a criminal case against the head of the Russian Coast Guard for financing insurgents and smuggling weapons into Eastern Ukraine.

This article has been cross-posted from the Taia Global website.

"Hacked Emails Reveal Russian Plans To Obtain Sensitive Western Tech"

Friday, June 5, 2015

Anonymous Operations and Techniques revealed by Former CabinCr3w and Anonymous Members

After the online uproar over my inviting Hector Monsegur (aka Sabu) to speak at Suits and Spooks NYC, I offered to provide a second panel to any Anonymous leaders (meaning individuals who actually planned and led an Op) who wanted to participate. I'm happy to announce that two really interesting folks came forward and took me up on my offer.
VizFoSho is a Database Analyst for a private company, and is a former member of Anonymous and CabinCr3w. After the arrest of two CabinCr3w members and the end of the group, Viz helped launch the Rustle League as one of its core members. He worked on various Ops while with Anonymous, and led a few of his own. Viz is the creator of Op Equip, a registered nonprofit that puts computers with educational software into the hands of those residing in impoverished communities. One of his last acts as a member of Anonymous was an attempt to clean up the YourAnonNews twitter account, working with a small team of people who never got their YAN mugs. 
Flanvel is an independent internet and security researcher who is a former Anonymous member. During his time as a member, he helped create videos and media, and wrote press releases. From 2010 through 2013, he was an active member and worked on several worldwide operations. He was also a contributor to @Anon_Central, an account documented in GCHQ's program called LOVELY HORSE, which monitors and indexes public discussion by hackers on Twitter and other social media. Since leaving the group, Flanvel has worked on identifying software vulnerabilities and creating exploits, as well as creating several software products such as a crawler to identify, index, and crawl Tor network hidden services.
This has never been done before at any security conference. Anons are a secretive group, by necessity, but security conference organizers frequently shy away from controversy because it might offend their sponsors. RSA, for example, hired Hector to speak last year and then changed their mind due to fears about possible blowback. Sponsorship dollars are hard to get because there are over a thousand security events each year. For example, Suits and Spooks has seen a consistent drop in sponsorships over the past year or so because we're a very small, specialty event. In fact, we lost a media sponsor (CSFI) because of my invitation to Hector to speak. I've been warned by someone at another company that has supported our events in the past that the negative comments about my inviting Hector to speak could be hurting the Suits and Spooks brand. That person clearly has no idea what our brand is.

My goal has always been to invite speakers from the IC, law enforcement, and the private sector who can shed light on hard challenges (especially first-hand experiences) and engage in discussion with our attendees to find answers. In order for that process to work, you have to include "bad actors" who are willing to share first-hand info. What most conferences offer instead are security researchers who have "studied" Anonymous. That's fine but it's not nearly as valuable as having an Anon operator speak.

The bottom line is that I have never and will never edit my choice of speakers for political correctness or to cater to my sponsors. I'll shutter this event first.

I hope that those of you who support my approach will either register and attend or encourage others to do so. I'm offering 50% off the normal registration fee of $598 (now only $299) until Monday June 8th. Registration includes all sessions plus two lunches and two breakfasts. Attendees will also receive an awesome t-shirt designed by Norse Corp., one of our sponsors.

Tuesday, June 2, 2015

Former Director, CIA's Center for the Study of Intelligence, on Improving Cyber Threat Analysis

Carmen Medina is an internationally known visionary and analytic thinker who served 32 years with the Central Intelligence Agency. During her time there, she served as Deputy Director, Intelligence and Director, Center for the Study of Intelligence (the CIA's internal think tank). She'll be speaking at Taia Global's Suits and Spooks All Stars event at Soho House in New York City on June 19-20, 2015.

You can see her Suits and Spooks 2014 talk on Vimeo:

Carmen is one of our most popular speakers and this event is limited to only 75 attendees so register today before we sell out.

Use discount code NYC2015 by June 7th and save 50% (only $299).

Suits and Spooks NYC Targeted By Anonymous For A Protest Operation

Yesterday I announced that Hector Monsegur (aka Sabu), the founder of LulzSec and a long time member of Anonymous who was responsible for hundreds of attacks, will be a speaker at Suits and Spooks NYC (June 19-20, 2015).

Today, Anonymous (@YourAnonNews), whose Twitter account has 1.4 million followers, announced a #NYC PROTEST SABU operation to take place at Soho House, our venue for the event, on June 20th at 2pm. This marks an unusual first for Suits and Spooks; however, I've always chosen to provide a platform for speakers with interesting skill sets who aren't typically invited to security conferences. I've found that it's always better to sort out disagreements in person in a safe environment than to simply engage in online trolling.

So if you'd like to hear what Sabu has to say about his time with Anonymous and what actually happened when he was arrested and began working for the FBI, register and attend. You'll not only get to speak with Sabu but you'll also enjoy hearing some of the best security minds on the planet.

Monday, June 1, 2015

Meet LulzSec Founder "Sabu" at Suits and Spooks NYC

Hector Monsegur (aka Sabu) was responsible for many of the highest profile hacks conducted by LulzSec and Anonymous between 2009 and 2011. His arrest and subsequent assistance to the FBI helped prevent hundreds of attacks in 2012 and 2013. Now that his probationary period with the Dept of Justice has ended, I've asked him to speak at Suits and Spooks NYC this month to talk about his time in Anonymous and its rise and fall. He's also willing to do a Q&A with our attendees. This is the first event that Hector has agreed to speak at since his arrest and you won't want to miss it.

In fact, we have the best lineup of speakers for any security event this year. These folks usually give the keynote at events around the world but they'll all be at Suits and Spooks All Stars at Soho House NYC on June 19-20. Here are just a few:

Dan Geer (In-Q-Tel)
Carmen Medina (Retired CIA Deputy Director of Intelligence)
David Kilcullen (Former Special Advisor on Counter Insurgency, State Dept.)
Other speakers include Stewart Baker (formerly NSA General Counsel), Zachary Tumin (Deputy Commissioner NYPD), Niloo Howe (Endgame), Joe Fitzpatrick (Firmware hacker), Kurt Stammberger (Norse), and actress Janina Gavankar (invited).

There are only 35 seats left so register soon before we sell out. Use discount code NYC2015 and save 50% on your registration fee (only $299 with code).

Thursday, May 14, 2015

How To Attend Suits and Spooks NYC or DC For Free

Suits and Spooks isn't like any other security conference, which anyone who has attended will tell you. One of the ways that it's different is that you can become a member and receive many of the speaker presentations from events that you can't attend (speakers have the option to share their decks or not).

Benefits include:

  • Free access to a live webcast (if offered) 
  • A 15% discount on all Suits and Spooks events
  • A copy of all speaker decks (with speaker approval) from every Suits and Spooks event so that you don't miss content when you can't attend.
  • A distinctive and incredibly cool metal membership card/event name tag with the Suits and Spooks logo and your name imprinted on it.

If you sign up in the next 24 hours, you'll also receive free admission to our New York City All Stars event on June 19-20 OR our Washington DC event in early 2016. Either one of those events is worth more than the price of your membership ($425) so take advantage of this very limited time offer and join today.

Monday, May 11, 2015

Dan Geer: What Will Cyber Offense and Defense in 2020 Look Like?

I've commissioned Dr. Daniel Geer, the CISO of In-Q-Tel, to give a one hour talk at Suits and Spooks NYC on June 19 on what cyber offensive and defensive operations of the future might look like in 2020. Some of the questions that he'll be examining are:

  1. How will the disparity of the world's wealth be impacted by even the world's poor having an online presence?
  2. How will nations' defense budgets be impacted when offensive resources become ubiquitous and attacks can be routed and re-routed from everywhere?
  3. What effect will biomedicine have in bringing the world closer to digital Singularity and what would the security implications of that be?

If you heard Dan's keynote at Blackhat last year, you know what a brilliant speaker he is. Unlike Blackhat, at Suits and Spooks New York, you'll actually have the opportunity to speak with Dan and have a conversation about this provocative look at the future.

PLUS - you'll have the same opportunity to hear and interact with almost a dozen other great speakers including:

  • Joe FitzPatrick - an internationally-known firmware hacker
  • David Kilcullen - a leading global conflict strategist
  • Zach Tumin - a Deputy Commissioner of the NYPD
  • Carmen Medina - a former Deputy Director of Intelligence at CIA
  • Stewart Baker - former General Counsel at NSA
  • Christofer Hoff - VP and Security CTO at Juniper Networks
  • Niloo Howe - Paladin Partners and Endgame
  • Janina Gavankar - Internationally-known musician, actress and geek
  • a soon-to-be announced blackhat hacker who knows Anonymous from the inside out.
Join us as we kick off the Summer Solstice weekend at the ultra-cool Soho House in NYC and spend two days listening to and speaking with these incredible speakers and more.

72 Hour Registration Special

Register before Thursday May 14 and save $100 off the Early Bird rate ($495)! We are capping attendance at 60 people so act today to reserve your spot. We also offer a very low government/military rate of $399 for full-time employees only.

Friday, April 24, 2015

Signature-based Intelligence Resulted In Tragedy: A Lesson For Cyber Intel Consumers

The New York Times reported yesterday that a drone strike meant to kill four Al Qaeda terrorists also killed two hostages that no one knew were there. This tragedy also revealed that drone operators rely upon signatures to form a "guesstimate" of the target.
In Pakistan, unlike elsewhere in the world, the White House permits the C.I.A. to carry out drone strikes without knowing the identities of the people the agency is trying to kill. These “signature strikes,” based on patterns of behavior rather than intelligence about specific people, have been criticized in the past as generating a higher number of civilian deaths.
I've written before about the problems that stem from our over-reliance on signals intelligence versus human intelligence in the world of cyber security. The commercial cyber security intelligence sector relies almost exclusively upon technical indicators, and those that claim they don't usually confuse collecting data from forum postings in public hacker forums with actually building relationships with blackhat hackers (the latter is human intelligence, the former isn't).

Fortunately, the worst that can happen to consumers of bad cyber intelligence is that they'll mis-allocate resources and/or develop terrible foreign policy initiatives. It's unlikely that any lives will be lost, thank goodness.

However this news story by the New York Times serves as an apt and timely reminder that cyber threat intelligence based upon "signatures" alone must be subjected to vetting by other sources and always treated with a high degree of skepticism. Bad things happen when your intelligence is unreliable, and for many of today's cyber intelligence purveyors - it frequently is.

Friday, April 17, 2015

AEI - Norse: Subverting Cyber Security Research For Political Fear-Mongering

"I was recently invited to participate in a cyber security dinner discussion by a few members of a well-known Washington D.C. think tank. The idea was that we could enjoy a fine wine and a delicious meal while allowing our hosts to pick our brains about this “cyber warfare stuff.” It seems that the new threatscape emerging in cyberspace has caught them unprepared and they were hoping we could help them grasp some of the essentials in a couple of hours. By the time we had finished dinner and two bottles of a wonderful 2003 red, one of the Fellows in attendance was holding his head in his hands, and it wasn’t because of the wine." - Jeffrey Carr from the Preface of "Inside Cyber Warfare" (2009)
The think tank that I wrote about in 2009 was none other than the American Enterprise Institute (AEI). They were ill-equipped to provide insight into this domain back then and nothing has changed in the 5 years since.

Fred Kagan and his father Donald Kagan published a book in 2000, "While America Sleeps", which advocated for a strong military in the face of U.S. complacency about threats - especially Iraq's WMDs which, of course, never existed. Today's release of "The Growing Cyberthreat From Iran", authored by Fred Kagan (AEI) and Tommy Stiansen (Norse Corp), promotes the same fear-mongering, slanted analysis that Fred is known for. AEI has simply moved from Iraq's WMDs to Iran's cyberweapons. Unfortunately, he found a cyber security company (Norse) willing to partner with him and provide the technical data which AEI is incapable of generating on its own.

The Growing Cyber Threat From Iran: Project Pistachio Harvest

Unabashed Confirmation Bias
AEI approached Norse Corp to co-author a report about Iran as a growing cyber threat actor. It's important to note that the genesis of this report was to start with an assumption and then find proof that supported the assumption, which is the worst type of analytic methodology and the very definition of confirmation bias. The authors even acknowledge that normal standards of proof shouldn't apply when it comes to Iran:
"We assert, therefore, that the typical standards of proof for attributing malicious traffic to a specific source are unnecessarily high when we examine traffic from Iranian IP addresses." (p. 12)
Furthering a Political Agenda
AEI's political agenda for this report was clearly the current multilateral agreement with Iran to curb its nuclear weapons program. AEI has published 14 articles critical of that agreement since April 3, 2015. That's more than one per day. And the first paragraph of the Introduction in the Pistachio Harvest report reads:
"The framework for an agreement on Iran’s nuclear program announced April 2, 2015, may significantly increase the cyberthreat the Islamic Republic poses to the US and the West." (p. 1)
The report's conclusion reiterates that sanctions against Iran must not be lifted as part of the nuclear framework agreement because of Iran's role as a cyber threat actor. Bottom line - this report is all about politics, not cyber security.

Blaming AEI for having a political agenda is like blaming the scorpion for stinging the frog - it's the nature of the beast. However, for security research to be valuable it must be objective and verifiable. Norse Corporation's decision to team up with AEI and supply them with their data for use in a politically motivated report was a terrible decision that taints both the research and the company. Imagine if Kaspersky Lab, who was recently lambasted in the media for merely being a Russian company with Russian government contracts, co-authored a report with Gleb Pavlovsky's Foundation for Effective Politics. It would kill the credibility of Kaspersky Lab forever.

Questionable Attribution
The Introduction lists three examples of "malicious Iranian cyber activity". None of the three have been positively attributed to the Iranian government. All represent guess-work on the part of investigators (including myself) and at least one (Saudi Aramco) has been completely mis-represented in terms of the malware's "complexity". In reality, Shamoon was a half-assed, reverse-engineered piece of malware that was only 50% functional.

Even worse is this paragraph allegedly "proving" Iran's targeting of critical infrastructure:
"Telvent was the victim of a significant attack attributed to Chinese hackers in September 2012.[105] This attack breached Telvent’s “internal firewall and security systems . . . and stole project files related to” OASyS SCADA."

"It is possible that the Chinese were at it again two years later using compromised Iranian systems, but it is unlikely. The Iranian IP hosts no visible infrastructure and is apparently owned directly by the Telecommunications Company of Iran, running on AS12880. There has never been any public system identified with this IP, or with any of the IPs on this subnetwork, so there has not been any visible server to try to hack. Nor have the Chinese changed their methods from operating openly from their own infrastructure to using that of third parties."
In other words, it must have been Iran because the Chinese government only sends out attacks from its own IP blocks.  This is a great example of the idiocy that's prevalent in what passes for attribution today. No government is stupid enough to engage in cyber attacks which can be easily traced back to them. That kind of stupidity only resides with security researchers who have a vested interest - often a monetary interest - in placing the blame for an attack on a given nation state.

A Reprehensible Decision by Norse
As a cyber security professional and the founder and CEO of a cyber security company, I'm offended and disgusted that the CEO and CTO of Norse Corporation supported this type of heinous fear-mongering by getting into bed with Fred Kagan and the American Enterprise Institute. I've never seen this type of collaboration before and I hope that I'll never see it again.


"Four Fatal Flaws in Cyber Threat Intelligence Reports"

Monday, March 30, 2015

Cyber Threat Intelligence: More Threat Than Intelligence?

This article proposes that commercial cyber intelligence products have multiple flaws which make them unreliable for use by the U.S. government, and that it falls upon the government to address those flaws in the following ways:

  1. Examine cyber threat intelligence for indicators of deception. 
  2. Differentiate between bad actors in an attack. 
  3. Invest in developing human assets who are in a position to corroborate or deny what the technical indicators present as possibilities. 
  4. Exclude other possibilities until one remains. 

“Hit anything that doesn’t look like a knife until it does.”(1)

The U.S. government has relied heavily upon the private sector for cyber threat intelligence since 2005, when a team at Northrop Grumman was giving classified briefings to the Air Force about a group of Chinese PLA hackers known by a variety of names like Comment Crew, APT1, and a classified moniker that has since been made public (2).

Back then and continuing through at least 2011, the conventional wisdom was that cyber threats fell into two buckets: financial crime was attributed to Russian hackers and intellectual property theft was attributed to the Chinese government. There was no allowance made for mercenary hacker groups who we now know were active during that time frame (3), for Russian criminals (Russian Business Network) operating from Chinese IP space in 2007, or for cyber espionage operations run by France or Israel (4). Threat intelligence generated during the “two buckets” era was shared with the FBI and other agencies, and the FBI at least didn’t (and still doesn’t) have the time or resources to vet the source of the intelligence.

To put it simply, there are four things missing from the overwhelming majority of cyber threat intelligence generated from the private sector; things which are fundamental to generating a reliable analytic product:

  • Deception
  • Differentiation
  • Corroboration
  • Exclusion

Deception
Conducting Military Deception (MILDEC) operations in cyberspace is already a priority for Russia’s FSB according to Taia Global contacts in the Russian blackhat community. The FSB regularly recruits blackhats for contract work, and one of the standing orders is to leave evidence pointing to an entirely different government as the perpetrator of the attack (5). This is relatively easy to do since 95% of threat intelligence is based upon technical indicators (6) such as:

  • Keyboard Layout
  • Malware Metadata
  • Embedded Fonts
  • DNS Registration
  • Language
  • Remote Administration Tool Configuration
  • Behavior

All seven of these indicators can be easily spoofed by a savvy attacker, which the FireEye report properly notes in the Introduction. Take the Keyboard Layout, for example:
“FireEye researchers have found that many aspects of malware campaigns have the earmarks of being typed on a Mandarin (GB2312) keyboard used in China. In a similar vein, North Korea’s KPS 9566 character set can help identify the campaigns that emanate from that region. This method of tracing the origins of an attack is not foolproof. In theory, a Russian national could employ a North Korean keyboard to disguise his or her identity and whereabouts, for example. (7)”
The problem with focusing solely on technical indicators is that the attacker controls all of them; therefore you see what the attacker wants you to see. Unfortunately there is little investment in recruiting human assets to corroborate signals intelligence when it comes to cyber attacks, so investigating agencies and the private sector are in the highly vulnerable position of letting the attacker control all of the evidence that they have to go on.

Differentiation
The responsibility for the Sony breach of November 2014 has been assigned to North Korea by the U.S. government. However, Taia Global researchers found that the native language of the attackers was most likely Russian, not Korean; that Russian hackers had breached Sony’s network, and still had access 60 days after the destruction of 80% of Sony Pictures Entertainment’s network (8).

Technical analysis of a network will fail to differentiate between multiple bad actors operating simultaneously. No one mentioned Russian hackers until Taia Global published its findings. That’s because the White House, with input from the intelligence community, decided within days of the attack that the responsible party was North Korea (9), and then went about finding ways to prove it, which is the antithesis of sound intelligence analysis. Differentiation cannot be done when the analytic process doesn’t allow for it. The fact is that none of the publicly available evidence provided by the FBI rules out other perpetrators as being responsible. The NSA’s classified evidence can’t be vetted; however, whatever that evidence is, it failed to disclose that Russian hackers were in the network at the same time as the North Koreans.

Corroboration
Cyber threat intelligence is primarily signals intelligence; however, there are multiple examples of signals intelligence getting it wrong, such as the second Gulf of Tonkin attack, the lack of WMDs in Iraq, and the Yom Kippur war, to name a few. There must be more of an effort made to acquire human assets such as blackhat hackers who can corroborate the evidence provided by technical indicators. Minus such corroboration, the degree of trustworthiness of intelligence gained through signals intelligence alone is highly suspect.

Exclusion
How does an investigating agency rule out other suspects in a computer network attack? It must have the ability to differentiate between hacker groups and/or nation states, which is extremely difficult without consulting human assets who were either involved themselves or know someone who was. Yet, the ability to exclude other parties from a finding of responsibility is a necessary part of generating reliable threat intelligence. More resources should be provided to the Central Intelligence Agency to fulfill this part of their mission even if that means cutting the NSA’s share of the budget to make that happen.

The Private Sector

“Must be nice to be a Threat Intelligence company.”
“Can anyone disprove this?”
“Run with it. (10)”

Cyber threat data and cyber intelligence reports are generated by the private sector and provided to the FBI and other government agencies on a frequent basis. This wouldn’t be a problem if the FBI had the resources and the manpower to vet the intelligence before adding it to their database; however, they don’t have those resources. They rely heavily on the private sector’s cooperation precisely because their own resources are limited.

The private sector isn’t trained to do intelligence collection and analysis, nor does it have any oversight or suffer any consequences for bad practices or mis-attribution.

There are numerous reasons why government agencies should question the quality and value of intelligence generated by the private sector.

It has no skin in the game.

If the private sector is wrong about attribution for any given attack, there are no consequences. They just move on to the next report.

They are profit-driven.

Private threat intelligence companies generate intelligence as a sellable product. For many years, blaming an attack on China was guaranteed to get them a mention in the New York Times or the Wall Street Journal, which in turn brought in new customers. Blaming an attack on Romania might merit an article in an industry blog like Dark Reading, which wasn’t nearly as desirable.

They’ll never have an “intelligence failure”.

The U.S. Intelligence Community has suffered many intelligence failures, and for the bigger ones it usually results in the forming of a commission and a subsequent report with recommendations on how to avoid another failure. While this is embarrassing for the agencies involved, it has the important benefit of improving their sources and methods for collection and analysis. The private sector will never have that experience, so they can run with whatever evidence they want in a way that will maximize profits for their stockholders.


The U.S. government is overly dependent upon the private sector for cyber intelligence and needs to make investments to offset this dependence.

The U.S. government should receive attack data from the private sector solely as raw information that requires vetting and all-source analysis. It should never take private sector intelligence reports at face value without fully examining the evidence and watching for a plethora of cognitive biases including the all-too-prevalent confirmation bias.


1) Spijk Selby quoting Jacob Maheu, “Horseshoe Knives”, December 28, 2013.

2) Private correspondence between the author and a former Northrop Grumman employee whose team generated the intelligence and gave those briefings between 2005-2008.

3) Su Bin criminal complaint.

4) “The Report to Congress on Foreign Economic Collection and Industrial Espionage”, p. B2.

5) Private IM chat between the author and Russian hacker Yama Tough.

6) “Digital Bread Crumbs: Seven Clues To Identifying Who’s Behind Advanced Cyber Attacks”, a FireEye white paper.

7) Ibid., p. 4.

8) “New Evidence Shows Russian Hackers Have Access To Sony’s Network”, The Taia Global blog, February 4th, 2015.

9) “New Agency To Sniff Out Threats In Cyberspace” by Ellen Nakashima, The Washington Post, 10 Feb 2015.

10) Tweet by Steve Tornio on Feb 10, 2015.