Monday, March 30, 2015

Cyber Threat Intelligence: More Threat Than Intelligence?

This article proposes that commercial cyber intelligence products have multiple flaws which make them unreliable for use by the U.S. government, and that it falls upon the government to address those flaws in the following ways:

  1. Examine cyber threat intelligence for indicators of deception. 
  2. Differentiate between bad actors in an attack. 
  3. Invest in developing human assets who are in a position to corroborate or deny what the technical indicators present as possibilities. 
  4. Exclude other possibilities until one remains. 

“Hit anything that doesn’t look like a knife until it does.”(1)

The U.S. government has relied heavily upon the private sector for cyber threat intelligence since 2005, when a team at Northrop Grumman was giving classified briefings to the Air Force about a group of Chinese PLA hackers known by a variety of names like Comment Crew, APT1, and a classified moniker that has since been made public (2).

Back then, and continuing through at least 2011, the conventional wisdom was that cyber threats fell into two buckets: financial crime was attributed to Russian hackers and intellectual property theft was attributed to the Chinese government. There was no allowance made for mercenary hacker groups who we now know were active during that time frame (3), or for Russian criminals (Russian Business Network) operating from Chinese IP space in 2007, or for cyber espionage operations run by France or Israel (4). Threat intelligence generated during the “two buckets” era was shared with the FBI and other agencies, and the FBI at least didn’t (and still doesn’t) have the time or resources to vet the source of the intelligence.

To put it simply, there are four things missing from the overwhelming majority of cyber threat intelligence generated from the private sector; things which are fundamental to generating a reliable analytic product:

  • Deception
  • Differentiation
  • Corroboration
  • Exclusion


Conducting Military Deception (MILDEC) operations in cyberspace is already a priority for Russia’s FSB according to Taia Global contacts in the Russian blackhat community. The FSB regularly recruits blackhats for contract work, and one of the standing orders is to leave evidence pointing to an entirely different government as the perpetrator of the attack (5). This is relatively easy to do since 95% of threat intelligence is based upon technical indicators (6) such as:

  • Keyboard Layout
  • Malware Metadata
  • Embedded Fonts
  • DNS Registration
  • Language
  • Remote Administration Tool Configuration
  • Behavior

All seven of these indicators can be easily spoofed by a savvy attacker, which the FireEye report properly notes in the Introduction. Take the Keyboard Layout, for example:
“FireEye researchers have found that many aspects of malware campaigns have the earmarks of being typed on a Mandarin (GB2312) keyboard used in China. In a similar vein, North Korea’s KPS 9566 character set can help identify the campaigns that emanate from that region. This method of tracing the origins of an attack is not foolproof. In theory, a Russian national could employ a North Korean keyboard to disguise his or her identity and whereabouts, for example. (7)”
The problem with focusing solely on technical indicators is that the attacker controls all of them; therefore you see what the attacker wants you to see. Unfortunately there is little investment in recruiting human assets to corroborate signals intelligence when it comes to cyber attacks, so investigating agencies and the private sector are in the highly vulnerable position of letting the attacker control all of the evidence that they have to go on.


The responsibility for the Sony breach of November 2014 has been assigned to North Korea by the U.S. government. However, Taia Global researchers found that the native language of the attackers was most likely Russian, not Korean; that Russian hackers had breached Sony’s network, and still had access 60 days after the destruction of 80% of Sony Pictures Entertainment’s network (8).

Technical analysis of a network will fail to differentiate between multiple bad actors operating simultaneously. No one mentioned Russian hackers until Taia Global published its findings. That’s because the White House, with input from the intelligence community, decided within days of the attack that the responsible party was North Korea (9), and then went about finding ways to prove it, which is the antithesis of sound intelligence analysis. Differentiation cannot be done when the analytic process doesn’t allow for it. The fact is that none of the publicly available evidence provided by the FBI rules out other perpetrators as being responsible. The NSA’s classified evidence can’t be vetted; however, whatever that evidence is, it failed to disclose that Russian hackers were in the network at the same time as the North Koreans.


Cyber threat intelligence is primarily signals intelligence; however, there are multiple examples of signals intelligence getting it wrong, such as the second Gulf of Tonkin attack, the lack of WMDs in Iraq, and the Yom Kippur war, to name a few. There must be more of an effort made to acquire human assets such as blackhat hackers who can corroborate the evidence provided by technical indicators. Without such corroboration, the trustworthiness of intelligence gained through signals intelligence alone is highly suspect.


How does an investigating agency rule out other suspects in a computer network attack? It must have the ability to differentiate between hacker groups and/or nation states, which is extremely difficult without consulting human assets who were either involved themselves or know someone who was. Yet, the ability to exclude other parties from a finding of responsibility is a necessary part of generating reliable threat intelligence. More resources should be provided to the Central Intelligence Agency to fulfill this part of their mission even if that means cutting the NSA’s share of the budget to make that happen.

The Private Sector

“Must be nice to be a Threat Intelligence company.”
“Can anyone disprove this?”
“Run with it. (10)”

Cyber threat data and cyber intelligence reports are generated by the private sector and provided to the FBI and other government agencies on a frequent basis. This wouldn’t be a problem if the FBI had the resources and the manpower to vet the intelligence before adding it to their database; however, they don’t have those resources. They rely heavily on the private sector’s cooperation precisely because their own resources are limited.

The private sector isn’t trained to do intelligence collection and analysis, nor do they have any oversight or suffer any consequences for bad practices or mis-attribution.

There are numerous reasons why government agencies should question the quality and value of intelligence generated by the private sector.

It has no skin in the game.

If the private sector is wrong about attribution for any given attack, there are no consequences. They just move on to the next report.

They are profit-driven.

Private threat intelligence companies generate intelligence as a sellable product. For many years, blaming an attack on China was guaranteed to get them a mention in the New York Times or the Wall Street Journal, which in turn brought in new customers. Blaming an attack on Romania might merit an article in an industry blog like Dark Reading, which wasn’t nearly as desirable.

They’ll never have an “intelligence failure”.

The U.S. Intelligence Community has suffered many intelligence failures, and for the bigger ones it usually results in the forming of a commission and a subsequent report with recommendations on how to avoid another failure. While this is embarrassing for the agencies involved, it has the important benefit of improving their sources and methods for collection and analysis. The private sector will never have that experience, therefore they can run with whatever evidence they want in a way that will maximize profits for their stockholders.


The U.S. government is overly dependent upon the private sector for cyber intelligence and needs to make investments to offset this dependence.

The U.S. government should receive attack data from the private sector solely as raw information that requires vetting and all-source analysis. It should never take private sector intelligence reports at face value without fully examining the evidence and watching for a plethora of cognitive biases including the all-too-prevalent confirmation bias.


1) Spijk Selby quoting Jacob Maheu, “Horseshoe Knives”, December 28, 2013:

2) Private correspondence between the author and a former Northrop Grumman employee whose team generated the intelligence and gave those briefings between 2005 and 2008.

3) Su Bin criminal complaint:

4) “The Report to Congress on Foreign Economic Collection and Industrial Espionage”, p. B2:

5) Private IM chat between the author and Russian hacker Yama Tough.

6) “Digital Bread Crumbs: Seven Clues To Identifying Who’s Behind Advanced Cyber Attacks”, A FireEye White Paper

7) Ibid., p.4

8) “New Evidence Shows Russian Hackers Have Access To Sony’s Network”, The Taia Global blog, February 4th, 2015:

9) “New Agency To Sniff Out Threats In Cyberspace” by Ellen Nakashima, The Washington Post, 10 Feb 2015:

10) Tweet by Steve Tornio on Feb 10, 2015:

Tuesday, March 24, 2015

Regarding FSB, Forget Kaspersky Lab. Check out Group-IB Instead.

Bloomberg's piece on Kaspersky Labs' ties with its own nation's security services is such a non-story that I'm surprised that journalists as good as Michael Riley even ran it. What do you expect from a Russian company, and as if they had any choice in the matter (they don't).

If you're looking for Russian companies with serious connections to the FSB, then look no further than Group-IB. Here's a small portion of the due diligence report that my company Taia Global produced for our paying clients on their government affiliations.
Group-IB is Russia's second largest private Information Technology (IT) security company after Kaspersky Labs. Group-IB's specialty is computer forensics and protection against cyber-crime with customers that include the 10 largest Russian banks and foreign companies. Group-IB has offices in New York. Group-IB, however, performs functions that under Russian law are assigned to the Federal Security Service (FSB), Russia's domestic security service. 
Group-IB maintains both English language ( and Cyrillic ( web sites. The sites’ structures are similar, although the information presented on the web pages differs somewhat. For example, the Cyrillic About Us web page states that Group-IB has an FSB license to work with state secret information, while the English About Us web page does not mention the FSB license.
Both Group-IB web sites deviate from normal Russian commercial web site practice and provide no information on company management and no financial data such as Russian Federation tax identification (ID) numbers and corresponding bank information.
Group-IB states that company capabilities include “access to domestic and international filtering systems.” However, Russia's domestic and international filtering system is run by the Federal Security Service (FSB), Russia's domestic security service.
Group-IB General Director Ilya Sachkov discussed security service relations explicitly in Russian press interviews. In a Russian Forbes interview, Sachkov stated he started the company while a student after the Bureau of Special Technical Measures (BSTM) of the Ministry of Internal Affairs (MVD Directorate K) told him there were no job vacancies. Sachkov stated that Group-IB often worked for the MVD and FSB for free during the company's early years, presumably to generate future business. Sachkov stated that many Group-IB employees were former law enforcement.
Group-IB's client list includes very large U.S. companies:

Again, trying to stigmatize any security company for having ties to its own government's security services is ludicrous. In some nations like Russia, companies have no choice but to comply when asked. In other nations like the U.S., companies do it for commercial reasons. The best one can hope for is that the company in question is transparent about who they do business with. That's actually easier to discover about Russian companies than it is about U.S. companies.

Cyber Security Startup? Pitch Our Attendees At Suits and Spooks NYC.

If you've got a cyber security startup and want ten minutes to pitch 80 influential decision makers in between speakers like Dan Geer, Christofer Hoff, Joe Fitzpatrick and David Kilcullen at our New York Suits and Spooks All Stars event, then I'd like to hear from you as soon as possible.

For the first time since our very first event in Palo Alto in 2011, I'm bringing back the lightning round for startups on a trial basis. This is part of a paid sponsorship which includes:

  • One ten minute speaking slot to pitch your product and give one use case
  • Distribution of company materials including white papers to all attendees and speakers
  • Banner placement at the event
  • Article placement at or
  • Other benefits as included in the sponsorship prospectus for Silver, Gold, or Platinum sponsors
This is limited to six companies, and no more than 3 companies will present each day. Sponsorships are first-come, first-served and there are no constraints on company size or funding rounds. For more information, shoot me an email.

Sunday, March 22, 2015

Open Letter to Premera Blue Cross CEO Jeffrey Roe

22 March 2015

Dear Mr. Roe,

My wife and I were Premera Blue Cross customers during my tenure with Microsoft. During that time, we both had surgeries done and she has a long history of medical treatments. In other words, Premera Blue Cross holds a lot of very sensitive information on both of us, separate and apart from our social security numbers, dates of birth, and other personally identifiable information. I'm sure that many of your customers could say the same. This open letter serves to notify you of my intention to see that Premera Blue Cross is made an example of for the insurance industry, much like Target was for the retail industry, for the following reasons:

You Knew About The Problems Beforehand And Didn't Fix Them

The U.S. Office of Personnel Management's Office of the Inspector General conducted an audit of Premera's controls regarding the protection of federal employees' personal information. Your predecessor Gubby Barlow received the results on April 18, 2014, three weeks before attackers gained access to your networks. Here are my top three:

Premera failed to implement its own patch policy, leaving its network exposed to hackers who monitor patch announcements and then look for targets who are slow to implement those patches.

Premera persisted in using unsupported and/or out-of-date software, which is essentially an always-open door to attackers.

You had servers that standard vulnerability tests revealed were insecurely configured. Malicious hackers frequently use those same vulnerability testing tools to identify which servers on a network will be easiest to crack.

You claimed that your company suffered a "sophisticated attack". Considering the above issues, I highly doubt that. Any one of those would allow even a novice hacker (or script kiddie) to gain access to your network. To have all three means that your IT department has been negligent at best. To then respond to the IG's audit by saying that they'll be remediated in eight months instead of immediately tells me that the security of your customers' most sensitive information is simply not a priority for you, your board, or your senior executives.

Two Years Of Free Credit Monitoring Is Laughably Inadequate

Your notification letter contains a paragraph entitled "What is Premera doing to protect you?". Let's start with the fact that the state of your network security pre-breach tells me that you didn't protect me before the breach, and your offer of free credit monitoring certainly won't protect me after the breach. That's because the risk for your customers goes WAY beyond simple identity protection. They become targets for new spear phishing attacks, with the end result being the customers' banking information and/or entrée to the next corporate network - probably an employer of one of Premera's customers such as Microsoft, Amazon and Starbucks, to name a few.

While companies like yours have frequently gotten away with giving customers whose information has been compromised while under your stewardship nothing more than free credit monitoring service, that time is coming to an end because it does not address the vast potential for harm that Premera's poor security practices have negligently permitted.

Inadequate Breach Response

Your customer notification letter didn't contain enough information to know the state of our sensitive data. It should specify what happened. Your job is to protect your customers by providing enough information for us to gauge the seriousness of the breach, not make it easier for your breach remediation company to gather information for their own purposes and benefit. 

Incident Responders Cannot "Clean" Your Network

If you believe that your network is now "clean" and will stay that way, you've been misinformed. Incident responders cannot give any company a "clean bill of health", because no one has sufficient visibility across a global network with tens of thousands of endpoints accessed by thousands of employees and vendors, any one of whom could have their network credentials used by malicious actors who are simply dormant during the investigation. The proper assumption for companies like yours to make about the state of their network is that it is either in a state of breach currently or it will be tomorrow. Your goal should not be to keep attackers out. It should be to keep your critical data, especially your customers' data, secure. 

Instead of wasting six to seven figures on incident response, you should spend at least some of that money finding and hiring an experienced Chief Information Security Officer who can properly manage the security of your network; something that Premera apparently has never seen fit to do. The rest of it should be spent on better securing your customers' personal and clinical data so that even if an attacker has access to your network, they can't access the data that you should be protecting.

Then you won't have to send me a breach notification letter with ambiguous language like "attackers may have gained access to your data". Instead, you'd be able to say "Mr. Carr, we had a breach but your data is safe." 

Unfortunately, you can't say that and I'm forced to do what I can to hold companies like yours responsible for more than just two years of credit monitoring.


Jeffrey Carr
President and CEO, Taia Global, Inc.

Wednesday, March 18, 2015

Beauty, Brains, and Bad-Assery: Suits and Spooks All Stars NYC June 19-20

With 12 Suits and Spooks Collision events on the books, I decided it was time to do our very first All Stars event featuring the best of the best of the several hundred speakers that we've had in the past. 

Unlike our typical "collision" event, our All Stars will have at least 60 minutes each for their talks. And seating will be limited because we're going to hold it in one of our most popular venues - Soho House NYC - on Friday June 19 and Saturday June 20th. It'll be our last event there because they're converting the library to a member-only space starting July 1st. So think of this as your exclusive invitation to spend 8 to 16 hours talking security, multi-disciplinary problem-solving, and out-of-the-box thinking with some of our best bad-ass game-changers.

Dan Geer (In-Q-Tel - Suits and Spooks 2012, 2013)

Janina Gavankar (actress and geek - Suits and Spooks 2012)

Christofer Hoff (Security CTO, Juniper Networks - Suits and Spooks 2013)

Carmen Medina (Deloitte; Retired CIA - Suits and Spooks 2013, 2014)

David Kilcullen (Founder and Chairman, Caerus Strategic Solutions - Suits and Spooks 2013)

Joe FitzPatrick (Hardware Security Researcher - Suits and Spooks 2014)

Niloofar Howe (Endgame, Paladin - Suits and Spooks 2014)

More speaker announcements will be forthcoming over the next few weeks. Janina is confirmed pending her shooting schedule. 

Your ticket will include a continental breakfast and lunch on both days, plus all sessions. Seats are limited to 75. Of those, we are offering a special super early bird rate of only $515 to the first 25 people who enroll between March 19th and April 10th (that's a $310 savings from the standard rate of $825). Register today and secure your admission at the best price before we sell out. 


The Military Charity Third Party Fundraising Scam: Operation Warrior Support

Operation Warrior Support (OWS) claims to be a third party fundraiser for military 501(c)3 charities but is not itself authorized to collect any funds on behalf of charities by the California Attorney General's office. If this organization approaches you for donations or hire, you should immediately contact the California Attorney General's office and file a complaint against them as an unregistered fundraising professional.

It's difficult enough for most military charities to raise money, let alone have to worry about suffering from attacks on social media from the very same people who claim to be trying to help them. That's exactly what @opwarriorteam (OWS's Twitter account) has been doing to multiple Naval Special Warfare charities. I've spoken to several of them who have been on the receiving end of online nastiness and other ethically questionable acts (including raiding one charity's donor list) and while all are angry, most just want this group to go away and leave them be. I'm going to honor their wishes and not lay out the many spiteful acts conducted by this fake fundraising operation and stick to the core problem; i.e., they're operating illegally.

It is not enough in CA to simply register as a nonprofit corporation, which Lori Douhan (the group's founder) did. All charitable trustees and fundraising professionals who do business in California are required to register with the Registry of Charitable Trusts at the Attorney General's office and file annual financial disclosure reports. You can check on Operation Warrior Support's status for yourself at this website. Once you plug in their name and hit [Search], here's the result:

Figure 1: Search results for Operation Warrior Support as a fundraising professional in CA.

Notice in Figure 1 where it says "Registration Status". The returned response is "Not Registered".

Anyone can register a corporation in CA and receive an FEIN number, which is what Operation Warrior Support presents on their website. That's irrelevant for this purpose and unfortunately that has fooled legitimate 501(c)3 charities who have contracted with them in the past. The registration number which a California charity or professional fundraiser is required to have is a CR or Charity Registration number.

Here is what California law requires of a professional fundraiser:
"Prior to soliciting any charitable donations, a commercial fundraiser must register with the Registry of Charitable Trusts on a form provided by the Attorney General, pay a fee of $350, and obtain a $25,000 bond. The commercial fundraiser must renew that registration and bond annually and pay a fee of $350. A commercial fundraiser must also file an annual financial report with the Attorney General accounting for funds collected during the preceding year." - CA Attorney General's Guide for Charities, p. 30

"A commercial fundraiser must file a notice with the Attorney General’s Registry of Charitable Trusts no less than 10 working days prior to commencing each solicitation campaign, event or service. (Notices of solicitations for victims of emergency hardship or disasters must be filed no later than the commencement of solicitation.) The notice must include certain information which is set forth in Government Code section 12599, subdivision (h)." - CA Attorney General's Guide for Charities, p.27

Whatever money OWS has raised to date for charities, in addition to the money that they have kept for themselves, was not raised in compliance with California law, and most likely not in compliance with other states' laws regarding professional fundraising; for example, the Commonwealth of Virginia, where LZ Grace Warriors Retreat (a military charity that OWS raised money for) is based. Virginia has registration requirements similar to California's. Guess whether or not OWS is registered in Virginia. If you guessed no, you're right.

Figure 2: Search results for Operation Warrior Support as a fundraising professional in VA.

States have these regulations because so much fraud happens with military fundraising by third parties who rip off both the public and the charities that they claim to help. Lori Douhan and her associates at OWS need to either comply with the law or get out of the fundraising business.

If your military charity is approached by this group, I can only recommend that you do your due diligence first before signing any contracts. If you are one of the charities that they have harmed through malicious acts either online or offline, I recommend that you report them to the California Attorney General's Office or the AG's office in the State in which you reside.

The OWS Facebook page has responded to this post with the following statement:
Just so we are clear...a Commercial Fundraiser is an organization that gets PAID to fund raise for a charitable organization. It's run like a business where an organization is contracted to fund raise on behalf of a 501c3 organization. We do not operate as such.
Since we do not charge a fee for our fundraising efforts, nor do we take a salary...nor do we "Hire" our services out...nor did we require a written contract from the organizations we fundraised for, we are not required to be registered as one. For more information:
It's been a long time since I've seen this level of self-delusion:
1. OWS calls itself a third-party fundraiser.
2. They ask donors to a charity to pay them money.
3. They use some of that money in unspecified ways.
4. They give the rest to the charity.
5. They believe that the State of CA won't see that as requiring registration.

I don't have the time to play footsie with this group so I'll let the California Attorney General decide if Operation Warrior Support needs to register with the Registry of Charitable Trusts by filing a complaint. I encourage those readers who are as offended by their activities as I am to do the same.

Wednesday, March 11, 2015

Former Sr. Pentagon Official Labels Sony as a Cyberwar Conflict

"Obama Needs A Cyberwar Cabinet" by Todd Rosenblum is one of the worst opinion pieces that I've read in a long time. Rosenblum has a long history in government service (DoD, DHS, Senate Staffer) and just left three months ago to start his own consulting company.

The point of the OpEd was that President Obama needed to form a cyberwar cabinet which pulls equally from the Federal government and the private sector. In order to make his point, he inflated the Sony attack almost beyond recognition:
The president quickly assembled his war cabinet: the intelligence community to tell him the what, why, and how; departments of State, Defense, and Treasury to review response options; and the FBI and Department of Homeland Security to assess whether the attack was part of a larger threat that could put the nation’s critical infrastructure in danger.
My understanding is that a "war cabinet" is a committee formed during a time of war. What actually happened according to Lisa Monaco who called the meeting was that the President wanted to know the details of what happened. There was no "war cabinet".
After all, a nuclear-armed state committed an act of cyberwarfare against a private company that owned and managed its own networks. While many debate the exact definition of cyberwar, there is no debate that North Korea used a virtual weapon to cause damage on American soil, and did so with political intent. This was not an act of vandalism, theft, espionage, or crime.
In fact, Merriam-Webster defines vandalism as "willful or malicious destruction of private or public property." President Obama called it vandalism. It clearly did not rise to meet the right of self defense bar as established by Article 51 of the U.N. Charter or the Law of Armed Conflict.
But something was different with the Sony hack than any previous conflict.
Really? The Sony hack is a "conflict" now?

I have no idea what motivated Todd Rosenblum to write such an enormous pile of horse shit but I hope that it isn't representative of what "un-named senior Administration officials" tell journalists because Rosenblum considered himself one of them:
As a former senior administration official at both the Pentagon and Department of Homeland Security ...

Tuesday, March 3, 2015

Announcing our 1st Suits and Spooks All Stars event at Soho House NYC (June 19-20, 2015)

We've held 10 Suits and Spooks events since 2011. 

Who have been some of your favorite speakers?

Beginning July 1, 2015, Soho House, our Suits and Spooks home in NYC, will be closing the Library (our past venue) for renovations and will turn it into a members-only space, which means that we won't be able to hold future events there after June 30th. 

Therefore, in honor of that great venue, we've selected NYC for our first All-Stars Suits and Spooks event. We want to feature some of our most popular speakers and give each of them more time (45 minutes) to talk and interact with our attendees.

Attendance will be limited to 75 people and there will be a commemorative t-shirt designed for the occasion. 

Please contact me with your nominations for speakers, and if your employer is interested in sponsorship, please contact our events manager.

Early bird tickets will go on sale in mid-March. Please watch for a future announcement.