Recent Days of Whine and Wiping of Noses:
Recently I have had my sensibilities assaulted by the whining on my Twitter feed coming from soundbites from Source Boston as well as others talking about INFOSEC Burnout and community communication issues. What really grinds my gears is the sense that we are all just helpless mental geniuses that need to learn how to communicate better to do our jobs more effectively as well as the whole “Woe is me no one listens to me” bullshit I keep seeing it reverberate across the community. Well I am here to tell you right now to stop blubbering and put on your big girl/boy/transgendered pants and cut it out.
Last week I had a long back and forth with someone who is “studying” INFOSEC burnout and throughout the conversation (yes, hard to do in 140 characters per tweet, yes yes yes I know Beau) I could not get them to nail down exactly how they were “studying” it or what the efficacy of doing so would be. What are the ends that justify the means of this study? Was there to be a self help book? Or are you just having a kumbaya “I’m in INFOSEC and no one listens to me!” bitch session at each conference?
At the end of the day people got hissy and I began to think more and more about just how entitled this community thinks they are as well as how smart they “think” they are. So smart that they can’t get past a problem that properly studied would likely give you all some perspective and solace perhaps and this chaps my ass. While some of you out there are being vocally the new INFOSEC Dr. Phil’s others just go about their day in the war and do their jobs without whining about it.
Not all of us have INFOSEC Jesus complexes.
The Problem Statement:
So here’s the general feeling I get from what I have seen (yes I went to an infosec burnout presentation) from the community on this whole burnout thing.
- We can’t win the war and it’s hard to even win battles
- The job is hard because the adversaries have no rules while we do
- We are constrained by our managements
- Our end users are morons
- We’re the God damned smartest people in the room and no one listens to us!
- We are just perceived as an obstacle to be bypassed or ignored
I am sure there are other complaints that weigh heavily upon the INFOSEC brow but these are the biggies I trust. Perhaps a real study with a real psychological questionnaire is required to get some analytical data to use for a proper problem statement but to date I have seen none. While I agree we work in a tough field from the perspective of “winning” the day and yes we are looked upon by the masses as an impediment and a cost centre this is not the problem set we need to work on. I propose that this problem set is the most self centered and useless one making the rounds today and smacks of every bad pop psychologist’s wet dream of making it big.
In other words; You are all problem solvers. Solve the god damned problem by studying the root causes and then implement what fixes you can come up with. What you are dealing with is human nature, the mechanics of the human brain, and the psychology that goes along with all of this. Apply that laser like focus you all claim you have out there on the problem set and you will in fact come to some conclusions and perhaps even answers that will make you see the problem in a pragmatic way. Once you do this you can then rationalize all of these problems at the end of day and hopefully get past all this self centered bullshit.
Then again this is a community full of attention seekers and drama llamas so your mileage may vary.
The Psychology of Security:
Once, a long time ago, I found Bruce Schneier relevant. Today I don’t think much of his mumblings, but he did write an essay on the psychology of security that was pretty damn prescient. I suggest you all go read that piece and then sit back and ponder your careers for a while. What Bruce rightly pointed out is that our brains are still wired for the “fight or flight” response that served us on the great savannah. That amygdala (the lizard brain) is often at odds with the neocortex (the logical brain), and the neocortex itself leans on heuristics, shortcuts built out of pattern recognition and jumping to conclusions, to save cycles on the complex data that is always coming at it.
What Bruce and others out there have pointed out is that all of our experiences in security, good and bad, are predicated on the fact that primates at the keyboards are the problem set at the core of the issues. We create the hardware and software that is vulnerable. We are the ones finding and creating vulnerabilities that are exploited by bad people. We are the ones who at a core level cannot comprehend the security values and problems because we are not wired to comprehend them on average due to the way the brain formed and works even today. There are certain problems psychologically and brain wiring wise on the one hand and then there are the social and anthropological issues as well that also play a part in the problem statement. All of these things can and do hinder “security” being something that generally is comprehended and acted upon properly as a society and a species that play into our day to day troubles as INFOSEC workers and we need to understand this.
So, when I hear people decrying that security is hard and that they are burned out because you can’t win or that the client/bosses/those in charge do not listen to you, please step back and think about Schneier’s essay. The cognitive work of comprehending these things is not necessarily easy for the masses. Perhaps YOU are just the Aspergers sufferer who’s wired differently enough to get it, had you ever considered that?
Security is a complex issue and you, INFOSEC worker, hacker, Aspergers sufferer, should look upon all of this as a tantalizing problem to solve. Not something to whine about and then turn on its ear into a claim that you need to be softer and listen to your clients/bosses to hear their woes. We all have problems kids. It’s just a matter of looking at the root of the issues and coming up with solution statements that work. In the case of the brain and cognition we have our work cut out for us. Perhaps someday someone will come up with a nice framework to help us all manipulate the brain to understand the issues and cognate it all efficiently… Perhaps not. Until then, just take a step back and think about the issues at hand.
A Pragmatic Approach To Your Woes:
So with the problem statement made above what does one have to do to deal with the cognitive problems we face as well as our own feelings of inadequacy in the face of them? The pragmatist would give you the following advice:
- It is your job to inform your client/bosses of the vulnerabilities and the risks
- It is your job ONLY to inform them of these things and to recommend solutions
- Once you have done this it is up to them to make the decisions on what to do or not do and to sign off on the risks
- Your job is done (except if you are actually making changes to the environment to fix issues)
That’s really all it’s about kids. YOU are a professional who has been hired to be the canary in the coal mine. You can tweet and twitter all you like that the invisible gas is headed your way to kill you all but if the miner doesn’t listen …Well you die. If you want to change this problem statement then you need to understand the problems cognitively, socially, and societally (corporately as well) to manipulate them in your favour at the most. At the least you need to understand them to deal with them and not feel that burnout that everyone seems to be weeping about lately.
Look at it this way, the security issues aren’t going to go away. The fact of the matter is they will only increase as we connect every god damned thing to the “internet of things”, so our troubles around protecting ourselves from the digital savannah and that “cyber tiger” *copyright and trademark to me…derp** are not going to diminish. Until such time as the brain re-wires or we as a society come to grips with the complex issues of the technologies we wield today, we as security workers will need to just deal with it. Either we learn to manipulate our elephants or we need to get out of the business of INFOSEC and just go hack shit.
Finally one comes to a cathartic state when you realize that only YOU can fix your problems coping with your work. Sure, people can feel better if they sit around and bitch about their problems, but that won’t stop their problems from being problems will it? Look at the issues as a problem statement, Mr. or Miss/Mrs security practitioner, as a problem to hack. Stop being a whiny bunch of bitches and work it out.
HACK THE GOD DAMNED SYSTEM!
Failing that, come to accept the problems and put yourself in the place where you are just the Oracle at Delphi. You impart your wisdom, say “Your mileage may vary” and be done with it. Until such time as you manipulate the means by which you get this across to the company’s management and they make a logical decision based on real risk, you just have to accept it. If your place of work has no real risk acceptance process then I suggest you get one put in place or perhaps find a new job. You are not Digital Jesus. You can’t fix everything and you cannot fix those who are broken like Jesus did in healing the blind and making a hell of a lot of fish sandwiches from one tuna can.
Either understand and come up with a way to fix the problem or accept it for what it is and move on.
Stop the whining.
Yesterday’s Source Boston keynote started bubbling up in Twitter like swamp gas releasing soundbites that were reminiscent to new age babble on how we as a community are bad communicators. While I agree that many in the community at large are bad at communicating anything other than self interest (i.e. con deadheads) I would have to say that there are many many more of us with day jobs who can communicate and do.
The fact of the matter is that if you are a con deadhead then perhaps Justine Aitel is talking to you, which she did coincidentally at a conference! Gross generalities make my eye twitch and so do new age koans about such a complex issue as information security. So I would like to address the snippets that came out yesterday in my usual style of bilious and yet hopefully thought provoking responses.
The first slide in the roster actually struck me as something I have been saying for quite a while but in this re-telling it’s much softer. I have been calling bullshit on the con deadheads for a while now but I guess it’s finally getting traction. The truth of the matter is that if you are just speaking at conferences all the time what the fuck are you really doing? You speak to the same crowds and often times of late you present the same god damned things. What is the fucking point?
So yes I agree with you Justine on this but I think you could be more blunt. If all you do is go from con to con partying and giving the same talks then you sir or madam are committing cyber douchery. It’s just that simple.
We develop secret knowledge and power? Holy what the fuck does that even mean? If this is the case then we are all collectively Dr. Evil at worst or Blofeld at best? We also suck at listening because we are evil geniuses? What the fuck does this even mean? Look, we are technical people and we speak in technical language, which often times seems like magic to people who do not comprehend the rudiments of technology, never mind some of its most complex theory and implementation.
We also suck at listening? Really? All of us? Gross generality much? Look, there are two sides to the equation here and sure, some of us in the community may not listen well. For that matter we may not listen at all except to our own bass drum of LOOK AT ME! LOOK AT ME! but please, we aren’t the only problem here when it comes to the security problems of today. You are over simplifying things just a bit at a time when we need more complex and nuanced thought on the matter. The corker here is that all of this is being transmitted by soundbite on Twitter of all things.
Uh what? Are you going to tell me that Hitler wasn’t a great communicator? Have you seen those old movies of his speeches? I am in no way saying he was a huggybear but HOLY WTF are you on a roll with generalities and useless new age speech. So once again you see us as great technical masters of the universe and yet we are all portrayed as somewhere on the far end of the DSM-V spectrum for Aspergers? Look, we may have great technical abilities in some cases. In others we may be just useless twats. Let’s not put this into axis of evil territory or paint us all with the same inept brush of bad communicators or sufferers of Aspergers here.
Oh here we go.. We need to be vulnerable to grow. Thanks Dr. Phil. How about instead we just be more self aware and able to comprehend the social surroundings we are in. Understand the system to work the system. Better yet how about you understand the system and the players to come to the place where you accept that nothing you do really matters unless the people WHO PAY YOU are willing to make changes or LISTEN to you. It has nothing to do with being soft or vulnerable and this kind of shit is just as bad as the polar opposite of “Real men don’t eat quiche”
No no no NO. The word CYBER is a mystical amulet that the masses use to infer some vague notion of all things magic and incomprehensible! This is not something we should promote whatsoever. Its perpetuation should stop and you just crossed the Rubicon on this. This really burns me and that this idea was even floated makes my blood boil. You say you want to communicate but you are willing to compromise with the word CYBER instead of using real language to convey the complexities we deal with? Good God this is one of the most idiotic statements I have seen of late!
I agree.. Much of society at large has no idea what we do. Do you really want to know why this is true? Have you ever tried to explain to them why it’s important and how it works? Even in small words? You get the glazed eyes and they begin musing on what Kim Kardashian is doing. THEY DON’T CARE TO UNDERSTAND! Still you want to call it CYBER and use general terms in an attempt to dumb it down so they get it? I am saying to you right here and right now that they won’t care and they won’t get it. It’s all fucking CYBER APT CLOUD MAGIC to them all.
So as an industry we are too self involved and unable to listen to the people we are tasked with protecting… Hmmm… Ok sure. We are a calamity of derp as an industry that has been riddled with FUD and sales buzzwords. We also have a populace of attention seekers with a real penchant for TNT Dramallama flogging. We wallow in our soup of “Ain’t I cool” and look at me look at me! It’s true. However, that is not the whole community and this is yet another generality that borders on the new age derpy.
I also would say, just what is it we need to listen to? Listen to the companies and players with agendas who make bad choices in the face of being told that they are vulnerable? Listen to the people who say that the work is too hard and who out of hand deny that anything you say is relevant or important? Some actually put on a show and say they will fix things or change their ways but really, how many times have we seen that and then seen nothing change? Listening is just fine but the crux of the matter today is that you tell the client what is wrong and then say “You can fix this or you can accept the risk on this”
You don’t need to be a great communicator here or all new age fuzzy because the fact of the matter is that people will make decisions based on their own needs and desires and not the truth. What this community (and the one I speak of are the con deadheads) needs to do is grow up. Spend less time lauding their own ingenuity and grok a bit more on other things in the world. Perhaps there are a mass of Aspergers sufferers at these cons but that is no reason to paint the whole community of security with the same brush. I communicate just fine and I have come to accept the fact that all I can really do is present the information, the risks, and recommendations. It is up to the client to decide whether or not it is in their own interests to do anything about them. I just get them to sign off on the risks of not doing so and my job is done.
Enough of the new age fuckery…
I recently asked people on Twitter what they would like to see me write about here for a new post and the majority of people came back with something around the Darknets. So I am bowing to all those calls and I now present to you a post on THE DARKNETS! How to get there, what to see, and how not to get yourself into a shitload of trouble…
Well, I can’t vouch on that last one though…
I suppose though I should back up a bit and explain to some of you out there just what the darknet is. The darknet is really just a sub-basement of the Internet: the hosts sit on the regular internet, but you reach them only through a separate overlay network (TOR or i2p) with its own addressing and routing, not through ordinary DNS lookups and direct connections. The basement analogy is apropos for two reasons. First, the connection to it is rather like taking a creaky and rickety old staircase into a dark basement in an abandoned building. Second, what you find once you are in that dark and creepy basement is often something you never want to see again yet cannot un-see.
So take care gentle reader for if you decide to follow me into the dank world of the DARKNETS you may encounter things that you might never recover from. Alternatively you could just laugh and laugh and laugh as you see some of these sites out there offering snake oil and drugs. Hey, maybe you can buy snake oil as a drug! Oh and yeah one more thing. If you decide to go anywhere near the child porn I will personally hunt you down and make you disappear into federal custody.
Do you know the way to the Darknets?
Do you know the way to the DARKNET? Well obviously if you are looking at this blog post you don’t. That is unless you want a good giggle. Anyway, the darknet can be reached pretty dang easily today and you have a few choices on how to get there as well as a few different networks to choose from. The best way though for the casual observer would be to go to the Googles and just type in TOR BROWSER DOWNLOAD, and then make sure the download actually comes from the Tor Project and not from whatever random mirror comes up first.
You download the file for your system (one hopes it’s a Linux or UNIX system.. Or maybe even that MAC crap) and then install it. Once installed you RUN it. It’s really that simple. Of course if you are on Linux you unzip it, save it to a directory, then run the launcher (run as a program, not as a txt file thank you very much!) which will start the copy of Firefox that comes pre-configured to proxy everything through TOR.
Guess what.. If you have done this then you are able to get to the DARKNETS! Now you just need some links, like The Hidden Wiki (the first layer of the 7 levels of DARKNET HELL! *waves at Dante*). That site was recently taken control of by the inimitable DOXBIN because of the amount of paedo links it was allowing to fester. It is just one place where you can get links to DARKNET sites though. You can in fact use one of the TOR search engines, but the best way I have found of late is just to hit up Pastebin.
There you have it.. By doing some simple points and clicks and then using your frontal cortex a bit you too can be on the DARKNETS with the rest of us. Come on in! The water is… Well.. Scummy but it’s at least warm from all the kids peeing in the pool!
TOR vs. i2p:
Now some old timers may tell you that TOR is full of Feds and that you need to just go straight to i2p for your DARKNET binges. I for one would tell you that this is a falsehood because i2p is FUCKING SLOW AS ALL SHIT. However, it is an option if you aren’t in a hurry to see anything and you want different content than what you may map out on the TOR DARKNET.
Another word of warning on the i2p front: you have to be a bit more savvy than the usual user to make this one work for you and to correctly manage and configure your system, because YOU are also a router within the arcology when you get on i2p, relaying other people’s tunnels by default. You can of course change that and lock the system down more so that you aren’t going to be pwned, but keep it in mind before you just go download and run it.
On the other end of the spectrum you can also go download the full TOR node setup and make yourself a page, or just use it to access the net in a configuration of your choice (a secure one, one would hope) instead of the pre-configured browser bundle. If you choose to do this just make sure you understand what you are doing and keep an eye on the versions out there. TOR seems to be a target for security flaw hunting by the likes of the NSA, and the practical attacks on its users have tended to go after the bundled browser rather than the onion routing itself, so ya know, you kinda have to be careful if you are out there doing things you perhaps shouldn’t be on an un-patched version.
Personally I use all of the above but as you might have guessed from above, I find all the caching on i2p rather tedious so I don’t go there often. You can in fact find gateways to both DARKNETS if you GOOGLE for them. These are gateways that let you enter by using the CLEARNET (i.e. the internet) as the entry point, with a node handling all the routing for you. I don’t know about their security but let’s put it this way: the gateway operator, your ISP, and anyone else on the path can see your traffic in the clear, and the gateway knows exactly who asked for what, so… Yeah…
Abandon hope all ye who enter here…
Ok so now you know how to get the software, what to click and where to get links. Now comes the abandonment of hope. See once you get inside the darknet and you start looking around you realize just how much of it is lame, how much of it is illegal, and how much more of it seems to be rather puerile. I have spent hours, aw hell, let’s say days in there looking around. I have laughed, I have cried, and it changed my life like “Cats” the musical. The gist here is prepare yourself for an experience that may just leave you slumped in your seat saying “Is that it?”
Alternatively you might be able to find new and interesting sites that no one really knows about (if you do please tell me!) such as a nice site on furry on furry cosplay sheise movies. Who really knows what you will find. Take a stroll around and see what you see. Mostly though I think you will find that unless you start messing about with the technology deeply, you will just see the same things everyone else does.
I for one have begun looking at the intricacies of things like transient sites and covert URL exchanges but that’s just me. You might want to do other things. All of these things though are usually, shall we say, more exotic in nature to begin with and mostly considered illegal, and this is why they are in the DARKNET to start with. The people running and visiting them think that it’s all anonymous and that you can then access not only the DARKNET but the internet without leaving a digital trail. This of course has been shown to be wrong.
This brings me to the arcology of the DARKNET and security. There are ways you can in fact be tracked by wily people who poison the network with their own nodes or sniff the traffic leaving their exit nodes. If the same party runs the node where your traffic enters the network and the node where it leaves, timing and volume alone are enough to match the two ends up, no matter how many hops sit in between. In one case it has been posited that the whole of the onion router system could be cracked by a determined adversary running enough nodes.
This is an interesting idea, as are all of the others out there on how to de-obfuscate users on the DARKNET. Be aware that the NSA is more than likely working on this if not already there and monitoring traffic. Why aren’t more people being arrested then, you ask? Well, how would they get the really bad guys if they tipped their hand, huh? Cracking the DARKNET would be a HUGE thing and a real tipping of the scales were it to get out in the open. Is it happening now? I am not sure, but what I am sure of is that they are trying very very hard to make it happen at the very least.
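To put some numbers on the “determined adversary running enough nodes” idea, here is a small added model of mine, not code from the original post and not anything from the Tor project. It assumes, as a simplification, that the adversary is chosen as a client’s entry node with probability g (its share of entry bandwidth) and as the exit with probability e (its share of exit bandwidth), that a circuit is deanonymised when the adversary holds both ends and can correlate timing, and that circuits are built independently. It compares a client that picks a fresh entry node for every circuit against one that pins a single entry guard, which is why onion routing uses guards in the first place. The shares and circuit counts are made up for illustration, not measured from the live network.

```python
"""Simplified end-to-end correlation model for onion routing.

Added example, not part of the original post. Assumptions (constructed):
- adversary is picked as the entry node with probability g and as the
  exit node with probability e, independently per circuit;
- a circuit is "compromised" when the adversary holds both ends and can
  correlate timing and volume between them;
- circuits are independent of one another.
"""
import math


def p_circuit_compromised(g: float, e: float) -> float:
    """Probability that one circuit has an adversary-owned entry AND exit."""
    return g * e


def p_deanon_without_guards(g: float, e: float, n: int) -> float:
    """Client picks a fresh entry node for each of n circuits.

    Every circuit is an independent g*e gamble, so the chance that at least
    one of them is fully observed climbs towards 1 as the client keeps using
    the network.
    """
    return 1.0 - (1.0 - g * e) ** n


def p_deanon_with_guard(g: float, e: float, n: int) -> float:
    """Client keeps one entry guard for all n circuits.

    Either the guard chosen up front was bad (probability g), in which case
    the adversary still needs a bad exit on at least one circuit, or it was
    good, and then no amount of traffic gives the adversary both ends.
    """
    return g * (1.0 - (1.0 - e) ** n)


def circuits_until_half_compromised(g: float, e: float) -> int:
    """Fresh-entry circuits needed before full observation is more likely than not."""
    p = g * e
    if not 0.0 < p < 1.0:
        raise ValueError("need 0 < g*e < 1")
    return math.ceil(math.log(0.5) / math.log(1.0 - p))


if __name__ == "__main__":
    # Constructed figures: adversary owns 10% of entry and 10% of exit bandwidth.
    g, e, n = 0.10, 0.10, 100
    print(f"single circuit:             {p_circuit_compromised(g, e):.4f}")
    print(f"{n} circuits, no guards:     {p_deanon_without_guards(g, e, n):.4f}")
    print(f"{n} circuits, pinned guard:  {p_deanon_with_guard(g, e, n):.4f}")
    print(f"circuits to pass 50%, no guards: {circuits_until_half_compromised(g, e)}")
```

The point the numbers make is that without guards a small adversary wins eventually just by waiting, while with a pinned guard the client’s exposure is capped at roughly g for as long as that guard is kept; it does nothing for a client unlucky enough to have picked a bad guard, and it ignores exit sniffing, which needs no correlation at all.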
So gentle reader go forth, get the software, secure it as best you can and then wade into the DARKNET! Remember, the water is warm because of all the pee.. And remember too that; “We are the reason we can’t have nice things”
The Target Hack Media Failures:
From the moment that Brian Krebs first put out his story on the Target hack it’s been mostly a feeding frenzy of reporters trying to out scoop not only Brian but everyone else they could leverage to get a headline. Throughout the whole affair there has been a lot of speculation on how the hack happened, the timelines, and just what, if anything, Target knew about what was happening to them as it was going on. Since the first report we have come a long way toward understanding, through confidential sources, just how the breach happened, but the reality is that many things still cannot be said about the hack itself with any certainty.
The biggest hole in the whole story to date has been how the hackers infiltrated Target in the first place. After looking at data that Brian had shown me and doing my own research on Rescator and the Lampeduza, he and I came to some conclusions on how they most likely got in. Primarily, the phish on Fazio gave the attackers the credentials Fazio used on Target’s online vendor booking/payment system. It is a supposition on my part that they then used an infected Excel sheet, doc file or pdf, submitted through that internet-facing vendor system with the stolen credentials, to get a foothold on a peripheral machine. Once a user inside opened the document they infected themselves and gave the attackers access to the general network. From there it simply becomes a matter of locating a machine on a LAN segment from which the servers and the POS can be reached.
The media generally though has been harping on the idea that since Fazio is an HVAC company that they had access to ICS or PLC units within the Target network as this is all the rage in the news. There never has been any proof of this happening and in fact Fazio has made a statement saying they never had access to the Target HVAC systems remotely as they don’t do that kind of work for them. This however escaped the media in general as well as some Infosec bloggers that I know as well. Now however we have a new twist on this media festival of failure with the advent of the Target lawsuits recently brought out by banks involved with this mess.
The Target Lawsuit Failures:
The Target lawsuit now goes after not only Target Corp itself but also Trustwave, a security company that allegedly carried out Target’s PCI-DSS (Payment Card Industry Data Security Standard) assessment at or around the same time as the compromise was happening. Trustwave certified that Target was in fact “PCI Compliant” and therefore, in the industry’s eyes, secure. Of course that equation is a misconception many in the security field have been venting about for years, and the popular euphemism for it is “check box security”, because in reality it is just a check mark on a form and not a real means of protecting data.
The lawsuit is filled with ill informed views on what happened to Target as well as on how security works, and has been roundly regarded in the security community as well as the legal community as a joke. Using dubious sources on cyber security and primarily believing all that the media has written on the subject of the Target breach, this lawsuit makes assumptions about PCI-DSS that are common and untenable. One of the more egregious failures in comprehension is the belief that any system of checks or regulations makes a system or database secure by the mere fact that you have checked off all the boxes on a list of things to do. This is especially the case with PCI, in large part because of the way it is audited and by whom.
One of the real issues coming out of the lawsuit and the reporting on it centers on encryption of data. Encryption of data at rest (in a database) or in flight (on the network between systems) seems to be the crux of the issue for the litigants’ legal team, but I would like to state here and now that it is a moot one. The idea is that if everything is encrypted end to end then it’s all good. That is not the case, because in this particular attack the BlackPOS malware scraped the RAM of the POS systems, where the card data sits unencrypted between the swipe and the authorization request, as it usually does. This is a key factor in the case and unfortunately I know that the legal teams here, as well as the legal system itself, are pretty much clueless on how things work in technology today, so this will just sail right over their heads.
Here are the facts in as plain a way as I can get across to you all:
- BlackPOS infects the POS system and scrapes its RAM for the track data that sits there in the clear the moment a card is swiped
- BlackPOS then copies that data and exfiltrates it to an intermediary server, from which it is eventually sent on to Russia
- At the moment it is scraped the data is not encrypted, so all talk of encrypting databases or network links is moot; it would only matter if the data had been pulled from database servers rather than copied out of the POS terminals
- Encryption in the database or on the wire is therefore a MOOT POINT in this case; the only encryption that would have blunted this attack is encryption at the card reader itself, before the data ever lands in the register’s memory
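What “scraping the RAM” means in practice is easy to show with a bit of code. The following is an added example of my own, not BlackPOS and not anything from Krebs, Target or the lawsuit. It builds a constructed byte buffer standing in for a POS process’s memory (an opaque “encrypted at rest” blob, some junk, and track-2 strings using the public test card numbers 4111111111111111 and 5555555555554444), then does what a memory scraper does: pattern-match the ISO/IEC 7813 track-2 layout and run a Luhn check to throw out digit runs that are not card numbers. The ciphertext blob never matches and never needs to, which is the whole point about database and link encryption being beside the point. The offsets, junk and record contents are all made up.

```python
import re

# ISO/IEC 7813 track-2 layout as it sits in the register's memory after a swipe:
#   ;<PAN, 13-19 digits>=<YYMM expiry><3-digit service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check. Scrapers use it to discard digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style display masking: keep the first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrape_track2(memory: bytes) -> list[dict]:
    """Walk a memory image and return every Luhn-valid track-2 record in it.

    This is the essence of a RAM scraper: it does not care whether the disk or
    the network is encrypted, only whether the swipe data is sitting in the
    process's address space in the clear.
    """
    found = []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue                       # looks like track data, is not a card
        found.append({
            "pan": mask_pan(pan),          # masked here; real malware keeps it whole
            "expiry": m.group(2).decode("ascii"),
            "service_code": m.group(3).decode("ascii"),
            "offset": m.start(),
        })
    return found


def build_fake_pos_memory() -> bytes:
    """Constructed stand-in for a POS process's heap. Not a real memory dump."""
    encrypted_at_rest = b"\x8f\x2a\x11\xde\x7c\x03\x99\x40" * 6   # opaque ciphertext blob
    junk = b"\x00" * 32 + b"Receipt printer OK\x00" + b"\xff" * 16
    real_swipe = b";4111111111111111=25121011234567890?"   # public test PAN, Luhn-valid
    decoy = b";4111111111111112=2512101000?"                # one digit off, fails Luhn
    second = b";5555555555554444=26031010000000000?"        # another public test PAN
    return encrypted_at_rest + junk + real_swipe + junk + decoy + junk + second + junk


if __name__ == "__main__":
    image = build_fake_pos_memory()
    for hit in scrape_track2(image):
        print(hit)
```

Run it and the two genuine swipes come back with their expiry and service code while the decoy and the ciphertext are ignored. Change the constructed buffer so the swipe data arrives already encrypted by the reader and the scraper finds nothing, which is the difference between the encryption the lawsuit talks about and the encryption that would have mattered.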
There you have it. It’s a pile of fail all the way round and the media and the law are perpetuating half truths and misconceptions on how things really work in the digital world. There are many issues with PCI-DSS, and the encryption issue cited in the law suit and in the Wired piece linked above is just silly, because the writers and the lawyers haven’t a clue. While PCI needs to either die a quick death or make way for something better, it is not the only reason nor the primary one that the attack on Target worked. There are of course many other reasons, rooted in inaction, that have been brought forth recently and that paint quite another picture of the ineptitude that is the real culprit here.
Overall the analysis here is that there are many to be blamed for this hack and not all of them are the adversaries that carried it off. The fallout now with the lawsuits and the press coverage of the debacle has only amplified the failures and is making things worse for some and better for others. We have seen an uptick already in finger pointing as well as sales calls laden with snake oil on how this or that product could have stopped Rescator cold. The fact of the matter is FireEye and Symantec both tried, but the people running them failed to let the tools act and failed to heed their warnings. Of course one should also look at this and see that even if the alerts had been heeded it may not have stopped the attack anyway without a full IR into what was going on.
The people who are any good in this business of security live every day with the assumption that their network is already compromised. This is a truism that we all should take to heart, along with the knowledge that we cannot stop every attack that is carried out against us. We can’t win every battle and we may never win the war but we have to try. Target’s failures will hurt for some time within the company as well as for those who were working there at the time. I have no doubt that heads rolled and perhaps that was necessary. It is also entirely possible that people did try to stop this event but were told not to do something because it might affect their production environment. Of course this is all speculative, but you people out there reading this from this business know what I am talking about. It’s a universal thing to be shackled in your battle to secure the network because it affects the bottom line.
What I would like you all to take away here though is that PCI is not the only reason for this hack and certainly it isn’t because Target was not encrypting their traffic or their databases. This is just a ridiculous argument to be having. Just as ridiculous as it is to have the cognitive dissonance to believe that checking a box in an audit makes anything more secure.
I cannot count the number of times that someone has called this or that person a “Ninja” in the INFOSEC/Red Team community that we all inhabit. One cannot go to a hacker conference without seeing Ninja imagery in the artwork surrounding the business of digital security today, and this allusion to the Ninja has been problematic for me for some time. I think my feelings on this are akin to the feelings of some who grind their teeth on hearing yet another security presentation that contains Sun Tzu quotes from the Art of War. Recently though I have had some insights due to some reading as well as a series of incidents involving the Target story that got me thinking. My conclusion is this: “If we are going to use the imagery and call ourselves Ninja then we had better also look at the Samurai who defend their domains and their Shogun, as well as the odd Ronin out there we run into.”
To this end I am writing this post on the parallels today for those who wish to consider themselves Ninja, as well as perhaps to reach those defenders or “blue team” folks so they understand the landscape here from a historical perspective as well as a tactical one. Given the nature of the threats today and the increasing use of unconventional warfare tactics in everyday compromises, it is my opinion that we all must be much more versed in warfare as well as espionage in order to deal with the everyday job of compromising a network as well as defending it. This also follows through to the idea that you must be able to deal with your particular “Shogun” and take their orders as well as advise them on the battles that you are waging.
So, if you want to consider yourself a Ninja Mr. pen-test red team-er then so shall I consider myself a Samurai. However, I will understand their meanings in the context of history, not Hollywood, and apply their traditions and capabilities to today’s battle on my Shogun’s network.
The history of the Ninja is shrouded in mystery for many, but the truth of the matter is that they were primarily two clans from Iga and Koga during the 14th century that are the wellspring of the story of Ninja. These were mountain ascetics at first and then commoner families or clans who passed down their teachings within the family for security’s sake. These Ninja were not bound by the Bushido as completely as the Samurai were but did have their core ideals emanate from the same code. The Ninja were specialists in unconventional warfare using common tools as weapons, but their primary aim was to not have to fight in the first place. A Ninja, you see, was in fact a spy more than anything else, and the first tool in their arsenal was stealth. The use of disguises and psychological warfare were the first tenets outside of a command of their bodies as weapons, and this made them a force to be dealt with that the Samurai often failed to handle well.
The reason that the Samurai often failed to win against a Ninja was that the Samurai’s main goals were to die in battle honourably and to use no artifice in battle. The Ninja on the other hand used trickery and deception as their primary tools, and this extended to individual fighting between the two, which oftentimes was not on a field of battle but instead at a gate to the castle or elsewhere where the Samurai were not prepared to fight. This is of course if the Ninja was forced into a battle in the first place. As one master put it, “The best ninja has no smell, leaves no name, and makes everybody wonder whether he existed,” so the first priority was never to be seen at all.
Given the quick primer above we then have to look at the dialectic today when these people are calling themselves Ninjas in our community. If we are to consider a Ninja then to be a warrior or adversary who uses unconventional warfare tactics and espionage techniques in the digital sphere many within the Red Teaming and Pen-Testing field “might” qualify. One has to ask though just how many of these red teams are using unconventional tactics like 0day to carry out their attacks as well as recruiting spies or physically infiltrating targets. This all depends on whether or not you are in fact allowed to take the gloves off and actually do things that an actual adversary would do. All too often I have seen penetration tests that would be called red teaming that had very limited scopes and ground rules that no self respecting Ninja would allow or abide by. So is this really a Ninja? One who follows the rules of engagement set forth by the target? Are they in fact then more of a Ronin or Samurai posing as a Ninja performing their task?
What I am trying to get at here is this:
- Does following the rules of engagement on an assessment allow you to be called a Ninja?
- Did you get in and get out without being seen or heard?
- Did you use unconventional means or did you just use Metasploit?
Many guys out there I know personally are doing great work and I would call them Ninjas if it weren’t for my dislike of the whole hype and silliness around this imagery, personified by Hollywood and now the INFOSEC community, without the benefit of real historical context or understanding. As I mentioned above though, this field of information security, both aggressive and defensive, is increasingly becoming a pawn in a greater geopolitical game as well as a field of battle, and we need to catch up. The points I made just a bit ago about how you carried out your penetration tests come to bear here with adversaries like China and others who have no rules of engagement. They use whatever they can to get in and take the data they want, and no amount of compliance like PCI will stop them or the common carder like Rescator and his crew. Unless we as a community can get it across to our Shoguns (aka corporate America) that there are no rules, we will always see more Target breaches, because they only followed the rules of PCI compliance and did no more.
I have been thinking about this post after watching an episode of TMNT (yes I watch Nick) and how the story line is including April O’Neil as a Kunoichi. A Kunoichi is a female ninja, and they were also commonplace before the comic book world got their hands on the idea. Of course today you think Kunoichi and you may see something like “Shi” in your head. This was not necessarily the case, but indeed there were female Ninja, and they were oftentimes inserted into situations the way Anna Chapman was as an illegal and a honeytrap, but they were exceedingly skilled in the same techniques as the men and their equals if not more efficient.
Today there are many women Ninja in our business and it was an oversight on my part not to mention this designation. I am correcting this now though. I would like to however make the distinction that today’s Kunoichi is not just a pretty girl but there are many highly technical women in this business that can hack and to not acknowledge this is a disservice. This designation is not to separate the sexes and skills but to be inclusive where I had been remiss before in not thinking about including the term.
The opposite side of the coin for this argument is that the Blue Team side is in fact the hapless Samurai. Why are they the Samurai? Well, take a look at your average defender and you will see the similarities. The primary thing though is that the Blue Team is bound by the rules of the system in place or the Shogun they report to. In the case of corporate America your Shogun is your CSO/CISO/CIO and your Emperor is of course the CEO. The blue team cannot go outside the confines of the rules set forth by the Shogun and the Emperor no matter how much you try, and all too often it seems that the C level execs are hard to reach and consider the blue team more of a check box than anything else in today’s culture. Thus I add the title of “Hapless” to the Samurai, because no matter how good the Samurai is he or she is always defined by the Bushido of the lord they work for.
In a battle against the Ninja (i.e. APT/Criminals/Mal-Actors) who use the tactics of unconventional warfare there is little that can be done by the Hapless Samurai who wears the shackles of corporate Bushido rules. How many of you out there have been hamstrung by policy, or the lack thereof, in trying to address the unconventional war that is being waged today on all our networks by various actors? Again, what I am trying to say is this:
- How many times have you been told you cannot get a tool for prevention/detection because it costs too much and there is no budget?
- How many times have you attempted to get the word out on security and awareness, let’s say, only to get a half-hearted response or none at all?
- How many times have you laid out the risks to your Shogun and been told that they would not fix the issues due to time/money/business continuity issues?
There are a host of questions I could ask but you get the gist here right? YOU are at the feet of your Shogun and your corporate emperor and you have little to no say in the direction of things. All you can do though is serve and serve with honor no matter the cost. Oh, and yeah, usually when the compromise happens who gets the blame and then is shuffled off to the unemployment line? Hey, at least it’s just that instead of being told to commit Seppuku right? Remember that you are the Infosec Samurai and learn to live with this because if you cannot, you will be very unhappy and your every day will be filled with angst and misery. If you take a real look at the Bushido code though or the Hagakure perhaps you can find meaning.
The Infosec Shogun is in fact the CSO or CISO in today’s corporate structure. These are the lords who, like the Shogun generals, should be marshaling the troops and fighting the overall tactical battles. My experience to date has been that far too few of these Shoguns had actual viable experience to be the Shogun and more often than not got their jobs by the fickle flying finger of fate. Of course this is changing now in more places, but I would hasten to point you at the Target affair to show you otherwise. Given the information that has come out of Target so far there was no CISO or CSO Shogun but instead a CIO who had no real IT background to begin with. Unfortunately all too often this is the case with the CSO as well. What good is a general (Shogun/CSO/CISO) who has no experience in battle? How can one expect to win any battle with someone at the army’s head who has no idea what the conventions are, never mind the tactics to fight it?
Alternatively you may have a Shogun who does have experience and can give you direction as well as take counsel to fight the war but they too may be hamstrung by their emperor who holds them back. The idea here is that like it or not, whether you are literally in ancient Japan or the corporate boardroom today you are always reporting to someone and taking their orders. This is the key here, that while the Ninja may have basic orders they also were given greater purview on tactics and mission parameters and we, the hapless Samurai are not. We are governed by our corporate masters and to go outside the rules is to be let go. Remember this Blue Team Samurai as you prosecute your daily battles against the adversary who laughs at rules.
The last designation I would have you consider is the Infosec Ronin. The Ronin are masterless Samurai who often became more Ninja than anything else historically. Some of these Ronin were in reality still Samurai but using the tactics of the Ninja to win the day for their Shogun, but this was not the norm. In today’s world I would consider the consultant to be a Ronin. A consultant goes from job to job and does the bidding of the master of the day and in fact may have the latitude to tell the master that they are wrong. A Ronin may in fact operate as a Ninja primarily because they have no set master, and this is rather liberating.
For the sake of this argument I am going to just say that the Ronin, one who is established, can walk away from any contract if they are unhappy with the responses from their “master Shogun” and move on. This is the key to perhaps actually being an effective Samurai in some cases. It really does depend though on the master who has hired you to perform a job. I personally have walked away from clients because after the first pass of a final report they had decided that certain things were not worth remediating. If I feel that the client is only going to perform “check box” security then I am no longer willing to help them if I am in fact a Ronin. I know that some will say that this is just stupid and you will not make your pay day, but I personally would rather be benefiting the security of a place than just giving it lip service, wouldn’t you? Of course not many of us out there are in the position to do this, and I will admit that my consulting is a side business to my main income, so for me it is a bit of a luxury having this code of ethics. The Ronin though has a place at the information security table, specifically next to the Ninja, because they are not bound solidly by the rules of the emperor at that particular shogunate.
Unconventional Warfare & INFOSEC:
Finally I would like to cover the idea of Unconventional Warfare and the state of INFOSEC today. As I have made statements about above, we are now in a place where information is power and all warfare with it is allowed. The advent of APT (Advanced Persistent Threats) and nation state actors has changed the paradigm of Information Security forever as much as networking has. We have seen the advent of many kinds of laws and rules being put in place to stop bad actors as well as force corporations to at least adhere to a modicum of security practices to protect their clients. Many of these, such as HIPAA or PCI-DSS have come out of Washington as toothless cudgels that corporations can just speak to as talking points and skate on actual practices. Alternatively many of these rules have little to no comprehension of actual technological issues nor address unconventional warfare tactics that are being used to attack systems and companies to steal data. On the whole nothing to date out there really will make a difference against a determined adversary and that knowledge needs to be common. Instead though it seems to be arcane and mysterious to many in power.
Until such time as ideas like Defense in Depth are more common and we have Shoguns and emperors who understand not only how their business runs but their threatscape, we will be doomed to failure. Of course one might also hasten to add that even with the best of the best we will always lose a battle or two, and this is quite correct. The key though is to attempt to win the war itself and leave the battles to the day to day. Accept those we lose and learn from them to hopefully win the overall war later on. Unfortunately too many of the people that we the Samurai deal with are not at all aware and in many cases do not seem to care to understand the issues until they have been burned, and burned badly (like Target)…
We, the Samurai face the battle today that no one has faced before. The threatscape is ever changing at the speed of light and the adversaries are many. Prepare for your daily battles knowing who you are and where you sit in the hierarchy. If you decide you want to be a Ninja understand that you too may be bound by the rules of the Shogun as your retainer. I want you all to think about the names we give ourselves and the perceptions we want others to have of us but most of all I want us all to be enlightened about our fight and who we are. Today it’s just a given that you must consider your networks are already compromised and that Ninja is in there stealthily stealing data and it more than likely isn’t one that you may be paying to test your security.
Inspire 12 Shattered:
Inspire issue 12 was dropped on Alplatform Friday night, and this issue is somewhat different from past issues due to changes in staff and a change in thought probably brought on by the attrition that has occurred. It is also of note that this issue is ostensibly just put out by AQAP and makes no mention of Al Malahem, which may show some of the fractures in the AQ umbrella as well as security issues that may have happened online in the recent past. Of course AQAP was the progenitor of the magazine, but it was also a group effort for some time, and that seems to have changed with the isolation of groups in part due to the death of OBL and the pedantic leadership of Ayman. This issue seeks to reach the “lone wolf” audience and broach the field of operations in the West as opposed to the Ummah in the lands, which has been the standard of this magazine nearly from the beginning.
It has been some time since the last issue was released and I am assuming this was because of the attrition I spoke about before. Indeed there seems to be little input from Abu Al Amrici in this issue and there are new guest writers as well as a scope creep into other areas of concern such as North Africa which was a bit of a surprise but as you look at the bigger picture of the magazine that makes sense as the publishers are trying to change the scope to cover more areas of jihad outside the lands of the Ummah such as the EU and now Africa. Covering such things as an article on the bombings in Kenya by Al Shabaab and even having a Harakat (Shabab Youth Brigade) guest writer. Overall, there are some subtle changes within this issue that analysts should take note of that bespeak a change in thought to a more global approach.
Changes From Previous Issues:
The biggest change in Inspire other than a change in staff and writers was the subtle shift in tone from a more Koran-centric and pedantic messaging to a more political and Western-thought-driven methodology. Through the course of the magazine the writers have been coming to grips with trying to motivate the Westerner to action while doing so with the call of jihad through the Koran and their particular spin on it. Over time I believe they have come to realize that to reach the Western audience that may be enamoured but unwilling to act solely on the Koranic call to jihad they have to reason with them in a more Western manner. In this issue there is a much more political and economic spin that attempts to spark a response in a Westerner against the actions of America in particular. The authors have seized upon the times (i.e. Snowden releases, war weariness, and economic climate issues) to try and sway the reader into action.
The layout of the magazine is just as slick as before (because, judging by the metadata in the file, the authors have reused the 2011 PDF frame from the past), and the progression of the magazine’s dialectic is as follows:
- The state of the jihad (Koranic)
- The deen of jihad (Koranic)
- Interview/Questions on the reasoning of actions within Jihad with Anwar Al-Awlaki (Koranic)
- Samir Khan on the politics of Palestine and the Jihad (Political)
- City Wolves “call to action” (political)
- Tawheed/Choosing AQ ( Doctrine/Koranic)
- Experience of Jihad (Koranic and Romanticism thereof)
- Q&A with President Obama (Q&A carried out by snippets of press conferences) (Political)
- The Sister’s corner (Mujahidah wives’ exhortations by Umm Yahya) (Koranic)
- Shattered (the political and economic bankruptcy of America and the West) (Political)
- Open Source Jihad (IED’s)
This shows more of a creep away from the hard-edged issues in the past that focused on the “duty” of the Ummah via the Koran to a more balanced logical/rhetorical argument basis for Jihad, with softened approaches more palatable to the Westerner. The issues of the day make their appearances, covering not only drone strikes and the pull out of Afghanistan (2014 maybe?) but also the surveillance state that has been revealed by the Snowden releases. This magazine talks about the Snowden files indirectly but also shows that they have taken heed by removing the Q&A section via email “due to security reasons,” which obviously is due to the Snowden revelations.
For the most part this issue shows a direction change that is more subtle but perceptible if you look at the entirety of the issues from 1 to 12. The changes to the organization through attrition slowed them down, but it also perhaps gave them new blood and pause to determine just how they could attract the Westerner better. Mentions of Faisal Shahzad as well as Dzhokhar and Tamerlan make it into the issue and add targeting ideas that will be explored in the next sections. This of course is the more troubling thing about this issue, with more of a focus on targeting and timing for attacks. Generally though this issue once again follows the basic formula to engage the would-be “Lone Wolf” and exhort them to action. The main difference is that the tenor is less strident and more engaging.
Open Source Jihad: Car IED’s
One of the more troubling points of this issue however is an expansion on a theme. I had heard pundits in the past ask why AQ and others had not used the idea of car bombs here in the US more often. Well, now they are advocating this with a type of bomb that actually failed in Times Square by Faisal Shahzad. The Open Source Jihad section this go around focused solely on car bombs. In this case it was focused solely on the use of gas canisters and oxidization. I am not showing the how-tos, but suffice it to say that they have a basic design that Shahzad used but with some changes to make it more effective. The authors also revised their operations manual to offer the lone wolf the choice of martyrdom or remote/timed detonation systems. With these plans a would-be wolf could do some serious damage were they to carry out their plan with a working IED in a car or, more to the point as they show in their final image of the magazine, a panel van.
The most problematic part of the open source jihad section was a new feature called “Targeting” which needs no preamble. In this case the targeting is very directed and shows some thought post the bombings of the Boston Marathon. The authors are laying the groundwork for the wolves to be methodical about their target choices. In this case they have a focus on NY as always and Washington but also mandate that the UK has specific targets and times that are propitious for attacks to create the maximum kill ratios and fear factors. This is a significant change and what has me more worried is the whole package here. You have your device which is fairly easy to create with materials on hand (especially as summer approaches BBQ) and then you have directed targeting and times with which to carry out your action. The targeting also gives the wolf things to look for such as the usual congregating events but hints at specific events upcoming this spring and summer as well.
The final analysis on this issue of Inspire is that the changes in staff have also garnered a change in tone and approach to radicalizing the lone wolves into action. These changes are showing how they are learning to approach the Westerner to incite action and given the climate today there may be more people who are moved toward this line of thinking. Though I would hasten to add that the mental status of the individuals who wish to be lone wolves plays a key role in their movement from just ideating on such actions to actually putting them into practice. In the case of the Boston bombers they both came from a region that was fraught with issues and both had issues stemming from broken home lives and a desire to feel they belonged somewhere. This and other factors make it possible that some other deranged and motivated individual of the Western persuasion will act out upon these orders by AQAP.
If anything though, this publication is sure to get a reaction from the government and security around events throughout the world will be tightened even more than they might have been post the marathon bombing. In this instance the IED’s are specifically designed for carnage to bystanders and not for demolition of buildings as well. This is I assume to generate the maximum amounts of fear from attack but also because the complexity of larger and more powerful bombs is higher and the likelihood of failure is more probable from the lone wolf set. I can imagine though that the AQAP set may in the future attempt to engage the wolves to come to the lands of the Ummah and train for those more complex missions in places like Syria or perhaps in Afghanistan post US pull out. Time will tell though and I am sure we will be seeing another issue of Inspire for summer soon enough.
JM511 Hacking since at least 2004:
There is a typical history to certain types of hackers and this genesis usually embodies first defacing sites and gloating about it online. Since the advent of pastebin and Anonymous things have changed a bit by dumping DOX or proof of hacks while gloating. JM511 has been one of these hackers who started around 2004 (by his own account as seen in the picture below) defacing sites and shouting out gr33tz to those he wanted to share his conquests with. Often times the tenor of JM511 has been “neener neener neener you stupid idiots!” which is pretty common and bespeaks a certain core need to feel superior to anyone and everyone coupled with poor impulse control. Of course in today’s world there are so many outlets to garner fame and fortune for your exploits like Twitter where JM511 has a long lived twitter feed where he posted his thoughts on hacking, politics, Islam, and generally used it as a platform for self aggrandizement.
To date JM511 has been pretty prolific and for the most part an afterthought by most for his acts against poorly protected sites. However, he has recently taken on a new aspect with recent posts that dumped credit cards and email addresses as well as other PII that some out there certainly should care about. Law enforcement at the least should be paying attention to large dumps of credit cards and PII as well as watching these guys who profess their ties (albeit tenuously at first) to AQ. I personally got him on my radar by a tip from a comrade who thought it might be a fun diversion for me to look into Mr. 511.. That tipster was right and I tip my hat to you sir.
JM511 has been a busy busy boy. A recent post by him on pastebin was what triggered all of this from the angle of Islamic hackers who may be in fact carding on the nets. The posting below is the cause for my looksee, and as you can see he is taking pleasure in dumping people’s credit details and names on pastebin with impunity. JM511 has a whole long list of pastes out there showing his knowledge of XSS to SQLi and other attacks whilst mocking those he has ripped off or otherwise shamed in some way. Of course now he calls his crew “Islam Hackers” and seems to have the aforementioned aegis of opposing those who would oppose Islam. In fact he was one of the many voices on twitter back last April saying that Dzhokhar was not guilty of his crimes (bombing the Boston Marathon) and that Islam is a religion of peace. Odd that he says such things as he then turns around and starts abusing people online…
JM511 aka فيصل البقعاوي aka Faisal Bakaawi aka Faisal Faisal Al Otaibi:
JM511 thought he had it all figured out though. His reign has been long and no one seems to have caught onto him to date.. That is until now. Through a circuitous use of Maltego, Google, and the frontal lobes of my brain I managed to trace JM511 through his SPECTACULAR OPSEC FAIL to his real name and his location. As JM511 aka Faisal Bakaawi or Faisal Al Otaibi claims that he is in and from Saudi Arabia I am sure he thought he could not be tracked. Well, he would be incorrect there because he forgot to compartmentalize his real life with his ID’s. Faisal failed to not re-use ID’s for non hacking things like say posting an ad for housing in Dekalb Illinois recently.
It seems that Faisal is attending ESL (language school) in Dekalb and used his Yahoo account (firstname.lastname@example.org) which he tied to his Skype account FoFox511x, which he also kindly attached to his cell phone (443-820-8939, Baltimore number btw), and he wanted a move in date of 11/5/2013, so I am going to assume that he has found lodgings by now there in Dekalb. Some might say to me “why did you post his details on the net! Shame on you!” Well, I subscribe to the idea that turnabout is indeed fair play, and all of this data is open source and public, so it has an added giggle factor for schadenfreude.
UPDATE: While researching this it became clear that the name Faisal Otaibi also comes to bear in posts and videos by JM511. Further study showed direct links to Faisal Otaibi also being a Dekalb resident attending school (see pic below). I believe that Faisal either has a pal there with him also named Faisal or, more likely, they are one and the same and Faisal has just been trying to obfuscate his name. Either way, it is my conviction that Faisal Otaibi/Bakawai is indeed JM511. It is also key to note that a Faisal Otaibi is also listed as an ethical hacker who attended last year’s hacker conference in Germany…. Oh and one more thing, ELS, the school, is located on NIU’s campus.
So, Faisal, thanks for playing but you lose. Please collect your silver bracelets at the door because LE has been informed of these details coming to light and you should be visited hopefully soon. I do love the irony of the selfies you took showing how you used those people’s credit cards to purchase domains on your Twitter feed though. I mean usually it’s some unsuspecting idiot showing off their new credit card and not understanding OPSEC. Of course in this case it’s you and someone else’s money that will get you some jail time I suspect.
My analysis of this interesting side trip to my day is this; OPSEC, USE IT or FAIL miserably. Faisal, you failed and I eagerly await the news of your being popped for your crimes. Let it be an object lesson for others out there who may look up to such fools. You may hack for a while, you may have your fun at the expense of others but eventually you will make a mistake and get caught. It’s just your human nature and the law of averages that will get you in the end. Run! Scurry! Someone’s coming to see you.
While there is a lot of information out there on how the Target hack allegedly happened, a few points have been clarified. The BlackPOS was installed on systems within Target after the hackers had been in for some time carrying out recon and getting a handle on how to carry out the exfiltration of data. Given the information already out there it is a reasonable inference that the hackers got hold of the Fazio credentials to the Target portal and then leveraged that system to carry out the compromise internally. The system traffics in Excel, Word, and PDF files and to my mind, as the hackers had the Fazio creds to get onto that system, they just uploaded a malware laden file for someone internally to open and compromise their system. The question then becomes just how long it took from that moment to the moment that the hackers gained access to the Target POS systems and servers to install their malware on.
According to PCI rules as well as the CEO of the company (Gregg Steinhafel), Target was in PCI compliance, and that means that the network should have been segmented to disallow easy compromise from end user systems etc. Of course we are relying on the testimony of the CEO and others at this point in time because we have no other reports from FireEye or anyone else to attest to that fact. In any case the hackers got to the data and exfiltrated it while triggering alerts that should have started an incident response (IR) internally at Target. This did not happen, it seems, and thus the hackers made off with all the data that they wanted. The moral of the story here can be summed up in an old aphorism I love to cite: “A fool with a tool is still a fool.”
The After Action Report:
According to sources close to the investigation of the incident (FireEye/Mandiant), alerts were raised on key systems that were infected by the BlackPOS, detected as malware of indeterminate kind because there were no current signatures for it in the AV and IDS/SIEM systems. If the information given by the anonymous sources is accurate, then the fact of the matter is that the technologies Target bought to protect their data were at best ignored and at worst turned off by the SOC managers internally at Target, perhaps because they gave too many alerts. This is a common problem with IDS/SIEM/AV systems, as they need constant tuning, and in larger companies the amount of traffic that passes through the sensors is huge and complex. It is not uncommon in some organizations to have no real FTEs watching those systems either, with a reliance on employees who may be under-trained or not trained at all watching over the hen house. Security, it seems, has always been an afterthought for many companies, until they get hacked and outed in the press.
In the case of Target there have been moves since the incident to shuffle the internal deck, so to speak, and make it seem that changes are happening to policy regarding security. The CEO is making the rounds with legalese responses couched in flowery language that really boil down to “no comment”, and the CIO has resigned, perhaps under considerable pressure. After the incident occurred I began checking the Target job postings for security and began to see a lot of activity out there for workers to take over their security operations. I am assuming that there has been a bit of attrition other than the CIO, and this should really be the case given the information that has come out to date on how this attack succeeded and the failures afterwards to cope with it. Suffice to say that the aphorism above about fools and tools certainly applies to Target in this instance, but one wonders who else it might also cover out there today.
The final analysis of the Target hack cannot be fully determined because the evidence is not yet public. However, the data that has come out (re: the Bloomberg piece linked above) shows a very salient fact that should be heeded by us all in INFOSEC. That fact is this: “Technology is great, but one has to use it properly to stop these things from happening.” If the Target SOC had not turned off functionality they would have caught this attack as it happened. If the Target SOC had in fact been paying attention to the FireEye system as well as the Symantec system, they could have reacted quickly to at least attempt to catch the data being exfiltrated out of their company via FTP. The sad truth is that they did not catch it, nor did they see it, because the human propensity for ease of use caused a systemic failure in security.
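The point above, that a noisy “unknown malware” alert should be correlated and escalated rather than switched off, is easiest to see in code. The following is an added example written for this post, not anything from Target, FireEye or Symantec: it takes a few constructed endpoint alerts and firewall flow records, and raises an alert from “medium” to “critical” when the same host then opens an outbound FTP transfer from a segment (here an assumed POS range, 10.20.0.0/16) that should never talk to the internet. Host names, addresses, the segment definition and the 30-minute window are all assumptions for illustration.

```python
"""Added example (not from the post): correlating noisy endpoint alerts with
outbound transfers so a SOC can escalate instead of switching alerting off.

All log lines below are constructed sample data; host names, IPs, the POS
segment and the correlation window are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample logs: endpoint "unknown binary" alerts and firewall flows.
ENDPOINT_ALERTS = [
    "2013-11-30T02:14:07 host=pos-017 event=unknown_binary path=C:/Temp/unknown.exe",
    "2013-11-30T02:14:09 host=pos-018 event=unknown_binary path=C:/Temp/unknown.exe",
    "2013-11-30T09:41:55 host=wks-lab-03 event=unknown_binary path=C:/Users/dev/build/tool.exe",
]
FIREWALL_FLOWS = [
    "2013-11-30T02:20:31 src=10.20.5.17 dst=203.0.113.44 dport=21 bytes_out=5242880",
    "2013-11-30T02:20:33 src=10.20.5.18 dst=203.0.113.44 dport=21 bytes_out=4980736",
    "2013-11-30T09:43:10 src=10.50.1.3 dst=198.51.100.9 dport=443 bytes_out=20480",
]
# Assumed asset inventory mapping host names to addresses (constructed).
HOST_IPS = {"pos-017": "10.20.5.17", "pos-018": "10.20.5.18", "wks-lab-03": "10.50.1.3"}
# Assumed policy: the POS segment must never initiate connections to the internet.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
# Assumed internal address space; anything outside it counts as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(minutes=30)


def parse_kv(line):
    """Parse 'timestamp key=value ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split(" "))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(alerts, flows, host_ips, segment, window):
    """Return a list of (host, severity, reason) findings.

    A lone unknown-binary alert is kept at 'medium' rather than dropped; it is
    raised to 'critical' when the same host makes an outbound FTP transfer to an
    external address from the protected segment within the window."""
    flows_by_src = defaultdict(list)
    for f in map(parse_kv, flows):
        flows_by_src[f["src"]].append(f)
    findings = []
    for a in map(parse_kv, alerts):
        host = a["host"]
        ip = host_ips.get(host)
        severity, reason = "medium", "unknown binary, no corroborating flow"
        for f in flows_by_src.get(ip, []):
            in_window = a["ts"] <= f["ts"] <= a["ts"] + window
            ftp = f["dport"] == "21"
            from_segment = ipaddress.ip_address(ip) in segment
            if in_window and ftp and from_segment and is_external(f["dst"]):
                severity = "critical"
                reason = f"outbound FTP of {f['bytes_out']} bytes to {f['dst']} within {window}"
                break
        findings.append((host, severity, reason))
    return findings


if __name__ == "__main__":
    for host, sev, why in correlate(ENDPOINT_ALERTS, FIREWALL_FLOWS, HOST_IPS, POS_SEGMENT, WINDOW):
        print(f"{sev:8s} {host:12s} {why}")
```

The design choice is that nothing is suppressed: the lab workstation stays at “medium” for a human to look at later, while the two POS hosts that combined an unsigned binary with an outbound FTP transfer jump the queue. Tuning by correlation keeps the sensor on; tuning by disabling it is the failure mode the post describes.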
I am sure more data will come out someday, as much as Target will allow. One has to wonder in a publicly traded company how much transparency they should provide and what you actually will get though. The information coming out so far, if indeed true, is pretty damning to Target and their practices. I will say that I believe what has been told to reporters in confidence, given my experience over the years with corporate entities and their lackadaisical attitudes toward security thus far. All too often companies are pretty cavalier about security, and in the case of Target all you have to do is look to the reports coming out now about how they plan on hiring a CSO for the company. It seems the CIO had no real experience and the company did not see fit to have a CSO or CISO until now. To boot, if you look at the wording it was implied that they were seeking an internal candidate up until recently. Think about that for a minute: they wanted an internal candidate for a job function where they lacked the skill sets to begin with and had such a spectacular failure? The word hubris comes to mind.
The ultimate takeaway I would like to leave you with here is that Target is just one corporation of many that have the same problems. In fact I would hasten to add that we as a species are our own worst enemy when it comes to security, and if you add to this the dynamic of corporate mores you have a recipe for epic failure. You can have all the high-tech gadgets in the world but you can still be defeated by the human animal, either through shrewdness on their part or laziness and stupidity on yours. There is a trend today toward reliance on technology as the panacea for all of security’s ills, and this must be tempered with the human nature of those who operate it before we will ever be at all secure.
Threat intelligence is the new hotness in the field of information security and there are many players who want your money to give you their interpretation of it. CrowdStrike, Mandiant, and a host of others all offer what they call threat intelligence, but what is it really in the end that the customer gets when they receive a report? Too often what I am seeing is reports based on suppositions and little critical thinking rather than the traditional raison d’être of a threat intelligence report: actors that may have an interest in your environment. A case in point is the report from HP that was conveniently released right in time for this year’s RSA conference in San Francisco.
This report on the Iranian cyber threat was hard to read due to the lack of real product, or knowledge thereof, that would have made it useful to anyone seeking true threat intelligence on an actor that may have interests in them. With a long-winded assortment of Googling passed off as Open Source Intelligence, this report makes assumptions about state actors’ motivations as well as those of non-state actors who may, or may not, be acting on behalf of the Basij or the Iranian government altogether. While the use of Google and OSINT is indeed a valid way of gathering said intelligence, intelligence is not “intelligence” until proper analysis is carried out on it. This was one of the primary problems with the HP report: the analysis was lacking, as was the use of an intelligence analyst who knew what they were doing.
Clients and Products:
When carrying out any kind of intelligence gathering and analysis you must first have a client for the product. In the intelligence game you have “products” that “clients” consume, and in the case of the HP report on Iranian actors it is unclear who the client is meant to be. There are no direct ties to any one sector or actor for the intelligence to have any true “threat matrix” meaning, and thus this report is of no real use. These are fairly important factors when generating an analysis of a threat actor and the threat vectors that may affect a client, in a report that should be tailored to the client paying for it. Of course the factors of threat actors and vectors of attack can be general at times, and I assume that the HP analyst was trying to use this rather wide-open interpretation to sell a report as a means to an end, namely selling HP services in the near future. I am also willing to bet that this report was a deliberate drop for RSAC and they had a kiosk somewhere where they were hawking their new “Threat Intelligence” services to anyone who might want to pay for them.
In the case of this threat intelligence report, ask yourself just who the client is here. Who is really under threat by the alleged Iranian hackers that are listed? What sectors of industry are we talking about and who are their primary targets of choice thus far? In the case of Iran there has also been a great deal of supposition as to these actors and their motives. The report makes allusions to state actor intentions but only lists known Iranian hacker groups that may or may not have affiliations with the government. The same can be said for their TTPs and other alleged data within the report. The important bit about threat intelligence in the world of information security is that you need hard data to model the threats and the actors for your specific company, and this report generates none of this. This fact makes the report not really threat intelligence at all, neither true intelligence nor corporate intelligence.
The collection of intelligence is an arduous process that should be carried out by trained individuals. There are so many pitfalls that can befall an untrained analyst that could make the product of the report biased or useless in the end, and these things should be avoided. In the case of corporate intelligence reporting and threat intelligence the same is true. Just carrying out some OSINT on some individuals and outputting what you find by stringing together assumptions is not a valid way of carrying out intelligence reporting, nor is it the correct way to gather intelligence. The collection of intelligence in the information security spectrum should also include direct data on telemetry and known instances of attack against the organization in question, to determine if they are in fact subject to the interests of the threat actor, such as Iran or SEA. The HP report lacks this context and thus is not much more than some suppositions about how you might be under threat from an amorphous threat actor, and thus is little more than FUD.
If you are going to collect intelligence I suggest that you get trained individuals to start, or if you are interested in the subject yourself you can easily locate materials online on how to do so properly and avoid the common pitfalls like bias and groupthink. Intelligence collection is comprised of many facets. You need to be collecting information from a vast array of sources and methods before you attempt to analyze it and create any kind of cogent reporting for a client. In the case of the HP report you only have histrionic data from news reports and light analysis of websites owned by alleged hackers or state actors. True collection for a client would also include detailed data or knowledge of their business, their technical measures, and their history to create a cogent picture of their business and the threats that they may face from the actors out there who may have an interest in them. The HP report lacks this and that is unfortunate.
The analysis of intelligence is, as I said above, a learned skill that must be honed in order to perform it correctly. Analysis in and of itself takes all of the data out there and generates a report on the entirety of the data, for and against, positive and negative. Anything short of this kind of holistic analysis of information in a report of this kind only serves to mislead the client and is usually quite incorrect. An example of this would be the White House Iraq Group’s (WHIG) assessment of Iraq’s WMDs and intentions pre-Gulf War II. In that case it was even worse because the intelligence was fit to the political desire of the administration and thus was not really analysis nor intelligence product. In the case of the HP report there is a narrow swath of data that was alleged to be collected (presented in footnotes or screenshots) in addition to snippets of news media presented as intelligence.
To analyze intelligence one must first have proficiency in the disciplines of intelligence gathering, analysis, and the particular subject matter. In the case of the HP report, there is a lack of comprehension of the politics of Iran, which might be drivers for the alleged hackers or state actors. There is also a lack of rigorous interrogation of the data presented as intelligence to test whether or not there may be a disinformation campaign or deception operations at play as well. Put simply, the analyst for HP did not take into account that this is in fact a nation state and that it may in fact be leading such analysts down the primrose path to obfuscate the real actors. This was not even considered in the report, which just paints the alleged hacker groups as more than likely linked to nation state activities. This is poor analysis even if there may be some truth to it, but without a rigorous investigation and questioning there can be no real solid assumptions made. The net net here is that analysis of intelligence is not just looking at websites and making assumptions.
Reporting intelligence is a key part of the overall process within all types of intelligence activities. A report, as stated above, must have a client, and in the case of the HP report I would once again ask: who is the client here? What type of business should be worried that they may fall into the targeting of the nation state of Iran or these Iranian hackers? What sectors of business should be more worried than others here? In the case of the HP report I suspect there was no real client, but it should never be forgotten why one is carrying out the intelligence cycle and just who your client is, in order to tailor the report so they can use the information in a productive way. Form and formats change, but the purpose of the report is to apprise your client of the five W’s (Who, What, Why, Where, and When), and this should be paramount in your efforts at collection and reporting of any kind of intelligence.
My analysis here is this: “Buyer beware.” Threat intelligence may be all the rage out there as services go, but really think about what you are getting as product. Ask yourselves just what you are looking for when you consider buying into threat intelligence services and how you may be getting it. If you are looking to see what your current threats are, your analyst should be asking you to provide intelligence on you first in order to see who might be attacking you. The technical means of log analysis and telemetry is an integral part of the process here for threat intel for corporate bodies and should always be a part of the process. Any other reporting on threat actors without defined and direct matrices to your org is nothing more than news reports on possible terrorists who may or may not be attacking in the near future somewhere near you. This is not threat intelligence, nor is it giving you a true picture of the threats you may face.
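The test the last two sections keep coming back to, that a threat actor write-up is only intelligence once it is checked against your own telemetry and your own sector, can be made concrete. The following is an added example written for this post, not code from HP or any threat intelligence vendor: it takes a constructed vendor report (claimed targeted sectors plus a few indicators), a constructed organisation profile, and a few constructed proxy and firewall log lines, and classifies the report as “actionable” when the org’s own logs show contact with the reported infrastructure, “watch” when only the sector matches, and “noise” otherwise. The actor name, sectors, domains and addresses are all placeholders.

```python
"""Added example (not from the post or any vendor): scoring a threat-intel
report against an organisation's own telemetry before acting on it.

The report, the organisation profile and the log lines are all constructed;
domains use the reserved .test TLD and addresses are documentation ranges.
"""
from collections import Counter
import re

# Constructed vendor report: claimed targeting plus a handful of indicators.
REPORT = {
    "actor": "EXAMPLE-ACTOR",
    "targeted_sectors": {"energy", "defense"},
    "indicators": {
        "domain": {"update.example-bad.test", "cdn.example-bad.test"},
        "ipv4": {"203.0.113.77"},
    },
}

# Constructed organisation profile and telemetry (proxy and firewall lines).
ORG = {"name": "ExampleRetail", "sector": "retail"}
TELEMETRY = [
    "2014-03-01T10:02:11 proxy user=jdoe dst=www.example.com status=200",
    "2014-03-01T10:05:40 proxy user=asmith dst=update.example-bad.test status=200",
    "2014-03-01T10:05:41 fw src=10.1.4.22 dst=203.0.113.77 dport=443 action=allow",
    "2014-03-01T11:15:09 proxy user=jdoe dst=cdn.example-bad.test status=200",
]
DST_RE = re.compile(r"\bdst=(\S+)")


def indicator_hits(report, telemetry):
    """Count which of the report's indicators actually appear in the org's own logs.

    Returns a Counter keyed by (indicator_kind, value)."""
    hits = Counter()
    for line in telemetry:
        m = DST_RE.search(line)
        if not m:
            continue
        dst = m.group(1)
        for kind, values in report["indicators"].items():
            if dst in values:
                hits[(kind, dst)] += 1
    return hits


def unseen_indicators(report, hits):
    """Indicators from the report that never showed up in telemetry; useful for
    deciding what to add to blocklists or watch rules rather than panic over."""
    return {(kind, v) for kind, values in report["indicators"].items()
            for v in values if (kind, v) not in hits}


def assess(report, org, telemetry):
    """Classify the report's relevance to this organisation.

    'actionable': the org's telemetry shows contact with reported infrastructure;
    'watch':      no contact, but the org's sector is among those claimed targeted;
    'noise':      neither, so the report is background reading, not a threat."""
    hits = indicator_hits(report, telemetry)
    sector_match = org["sector"] in report["targeted_sectors"]
    if hits:
        verdict = "actionable"
    elif sector_match:
        verdict = "watch"
    else:
        verdict = "noise"
    return {
        "actor": report["actor"],
        "verdict": verdict,
        "sector_match": sector_match,
        "hits": dict(hits),
        "unseen": sorted(unseen_indicators(report, hits)),
    }


if __name__ == "__main__":
    result = assess(REPORT, ORG, TELEMETRY)
    print(f"{result['actor']}: {result['verdict']} (sector match: {result['sector_match']})")
    for (kind, value), n in result["hits"].items():
        print(f"  seen {n}x: {kind} {value}")
```

Note what drives the verdict: the constructed retailer is not in the report’s claimed target sectors at all, yet its own logs show three contacts with the reported infrastructure, so the report is actionable for it. Swap in an energy company with clean logs and the same report drops to “watch”; a bank with clean logs gets “noise”. That is the “direct matrix to your org” the post is asking for, and it is the step a report built from news clippings alone can never perform.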