Cyber Security Intelligence


March Newsletter #1 2015

Who Owns Your Big Data?

One of the key questions for big data is who owns the data. Is it the division that collects the data, the business as a whole, or the customer whose data is collected? Forrester believes that for data analytics to unfold its true potential and gain end-user acceptance, the users themselves must remain the ultimate owner of their own data.

The development of control mechanisms that allow end users to control their data is a major task for CIOs. One possible approach could be dashboard portals that allow end users to specify which businesses can use which data sets and for what purpose. is trying to develop such a mechanism. It provides servers to which individuals' information is distributed, run by non-profit organizations. Data anonymisation is another approach that many businesses are working on, despite the fact that there are limits to data anonymisation as a means of ensuring true privacy.

Ultimately, the producer of the data, or the consumer, needs to feel that they get true value-add and a better user experience in exchange for allowing companies to collect their data. Otherwise, many big data initiatives will not take off and may even backfire.

The Spy Cables: A glimpse into Espionage

A digital leak to Al Jazeera of hundreds of secret intelligence documents from the world's spy agencies has offered an unprecedented insight into operational dealings of the shadowy and highly politicized realm of global espionage.

Spanning a period from 2006 until December 2014, they include detailed briefings and internal analyses written by operatives of South Africa's State Security Agency (SSA). They also reveal the South Africans' secret correspondence with the US intelligence agency, the CIA, Britain's MI6, Israel's Mossad, Russia's FSB and Iran's operatives, as well as dozens of other services from Asia to the Middle East and Africa.

Among the revelations the Spy Cables disclose are how:

Israel's Mossad told its allies that Iran was not working to produce nuclear weapons just a month after Prime Minister Benjamin Netanyahu warned it was barely a year from being able to do so;

The CIA made attempts to contact Hamas directly despite the US government listing the Palestinian group as a "terrorist organisation";

Britain's MI6 sought South African help in an operation to recruit a North Korean official who had previously refused their cash; and South African and Ethiopian spies struggled to "neutralise" an assassination plot targeting a leading African diplomat.

The files unveil details of how, as the post-apartheid South African state grappled with the challenges of forging new security services, the country became vulnerable to foreign espionage and inundated with warnings related to the US "War on Terror".

Following the 9/11 attacks, South African spies were flooded with requests related to al-Qaeda, despite their own intelligence gathering and analysis telling them that they faced minimal direct threats from such groups, and that the main threat of violence on South African soil came from domestic far-right groups.

The South Africans' focus on Iran was largely a result of pressure from other nations, and the leaked documents also report in depth on alleged efforts by Iran to defeat international sanctions and even its use of Persian rug stores as front companies for spying activity.

Unlike the Edward Snowden documents that focus on electronic signals intelligence, commonly referred to in intelligence circles as "SIGINT", the Spy Cables deal with human intelligence, or "HUMINT".

Rather than chronicling spy-movie style tales of ruthless efficiency of intelligence agencies, they offer an unprecedented glimpse into the daily working lives of people whose jobs are kept secret from the public.

Kaspersky Identifies The 'Equation Group'

Kaspersky Lab has uncovered an advanced hacking group, allegedly within the US National Security Agency (NSA), that has been arming the US with offensive cyberwarfare capabilities.
Similar to the original Manhattan Project, which gathered the best scientists around and saw the western superpower develop the world's first ever atomic bomb at the close of WWII, the US is working behind the scenes to strengthen its defences by increasing its attacking capabilities.
Kaspersky last week reported on a whole suite of advanced Trojans linked back to the 'Equation Group' – which could be a wing of the NSA – far more sophisticated than anyone could have expected.

Tracing its origins back as far as 2001 (and alluding that it could go as far back as 1996), Kaspersky found numerous pieces of malware, some powerful enough to reprogram the hard drive firmware of over a dozen different hard drive brands, including Seagate, Western Digital, Toshiba, Maxtor and IBM.

The Equation Group's suite of tools can begin to infect machines in very clandestine ways. In the first stage the agency might compromise a web forum or an ad network and use it to serve a simple 'validator' backdoor to potential targets.

From here the Trojan establishes if the machine is of interest or not. Then a more sophisticated piece of malware comes into play, and it's incredibly advanced.

Cyber Insurance Market Boosting Cyber Security

The insurance industry sits squarely at the intersection of cyber risk management and market solutions. Because the threat is so broad and the world we live in is so interconnected, one common thread throughout the discussions was the need to scale cybersecurity services and the sharing of threat intelligence across all industries.

However, just hours after Anthem, the second-largest US health insurer, announced it had suffered a massive security breach, the largest Lloyd's of London insurer said cyber attacks are now too big for private insurance companies to handle.

Insurance companies have previously pointed out that traditional risks, such as natural catastrophes, are more contained than cyberthreats. Earthquakes in Japan do not cause hurricanes in Florida, the FT noted, but a vulnerability in widely-used software or Internet architecture — both of which are turning up more and more frequently in cyberattacks — can bring down systems globally. That could leave insurers faced with simultaneous multibillion-dollar claims.

While that's not a completely unfamiliar scenario for both insurance companies and insured businesses — it's exactly what the Y2K "millennium bug" threatened — the Y2K risk was specific, technically well understood, and had a firm deadline of Dec. 31, 1999. Security vulnerabilities in widely used software are typically unknown until a breach occurs, and attackers frequently hit a few targets at a time, leaving many companies unaware that they too are at risk. In the case of Anthem, for example, the breach came after a series of attacks on smaller health insurance companies.

Some insurers offer cyberattack policies to help companies meet the costs of forensic investigations and lawsuits if they are attacked. But those policies come with high premiums and serious coverage restrictions.

The insurance industry sits squarely at the intersection of cyber risk management and market solutions, and it has a unique view into the rapidly evolving set of cyber risks. The insurance industry is well-positioned to drive improved public-private partnerships and should support access to threat information for organizations so they can better protect themselves. So, as the various stakeholders focus on scaling cyber security measures, it will be important too for the cyber insurance marketplace to continue to scale insurance market solutions and risk management services across all industries and segments.

You've been hacked. Now what?

What should a company do after it's been hacked? It's a question Target, Home Depot, Sony Pictures Entertainment and others have had to ask over the past year or so. And it's likely that other organizations will be facing the same question over the coming months.

Here are six key things to do after your company has suffered a security breach by a hacker.

1. Keep cool and implement a coherent response plan.

The first thing to do after you are hacked is to implement your well-thought-out incident response plan. Assuming you have one. If not, you need to quickly put one together.

The plan of attack needs to include who should be in charge of the overall response effort, who else should be involved, what actions should be taken by which groups, which technology tools are needed for timely detection and rapid response, etc.

The plan should include determining the extent of the breach, identifying what data was compromised, deciding how best to work with the legal department to determine if disclosure to law enforcement and other authorities is required, figuring out how the attack compromised the organization as a whole, and performing damage assessment.

Typically, organizations should try to isolate or control traffic flow to minimize any further damage from the attack. If an adversary breaks in once, they will break in a second time if you don't take the time to fix the problems. Once the exposures that were used to compromise the system are fixed, the focus turns to recovering the data, getting the systems back up and running, and verifying the systems before they go live. Once the systems are verified, monitor them to make sure the attacker does not get back in.

2. Pull together the incident response team.

The team should include IT, business leadership, human resources, public relations, legal and operations.

You may wish to retain a breach coach, a lawyer with experience in security and privacy compliance issues, to assist in your defense and the interpretation of various state and federal regulations that may have been triggered following a data breach event.

3. Work with vendors and security experts as needed.

Many times companies will need the help of key vendors and security consultant firms to identify the cause of the breach and ensure that further attacks are stopped before they can do damage.

4. Deal effectively with legal concerns.

After there's been a hacking incident, IT, security and other senior executives should meet with corporate and external legal teams to discuss the potential implications.

Remediation of the problem might take a while because the root cause of the hack might not always be readily apparent, and companies need to take care to preserve any evidence.
The legal concerns are centered around potential government investigation, whether on a federal or state level, and making sure that stakeholders, as well as business partners, are informed as required under the relevant breach notification statutes.

5. Cover your insurance bases.

Following a breach, notify your agent and claims representative as soon as possible. Data should be categorized to understand whether personally identifiable information (such as Social Security numbers or medical records), financial information or other confidential data was compromised.

6. Keep the lines of communication open.

It's important to keep employees, customers, business partners and other interested parties up to date on what's happening with regard to the attack, its impact and the organization's response. Silence can imply incompetence, confusion or worse.

Along with effectively communicating, companies need to consider the psychological impact of a hack attack on employees and customers, especially if it involves a violation of emails or personally identifiable information.

FBI Close to Finding Anthem Health Hackers

The FBI said it's close to finding the hackers responsible for the attack on health-insurance company Anthem Inc. that exposed personal data on about 80 million customers. Federal Bureau of Investigation officials are still deciding whether to publicly reveal information about the attackers in one of the biggest thefts of medical-related customer data in US history, Robert Anderson, the bureau's executive assistant director for cybersecurity, said Tuesday.

Investigators have found some evidence in the breach of Social Security numbers and other personal information that potentially points to Chinese state-sponsored hackers.

Anderson said he didn't know yet whether the Chinese government carried out the attack. The FBI is tracking 60 hacking groups backed by foreign governments, the majority of which come from China, Demarest told reporters. He also said that the Islamic State terrorist group in Syria and Iraq lacks the capability to carry out hacking attacks, although the FBI is concerned the group will acquire more sophisticated skills and tools.

In another case, the FBI and other US agencies were able to determine within weeks that the North Korean government attacked Sony Pictures Entertainment. Anderson said there will be more cases like Sony in which the attackers are publicly named.

Demarest also said the FBI would lose the ability to search phone records for cybersecurity investigations if Congress doesn't renew Section 215 of the USA Patriot Act, which expires June 1.

New weapons offer hope against advanced cyber-attacks

One of the most frightening things about modern cyber-attacks is that a breach can remain undetected within networks for weeks, months or even years. This time gives hackers the luxury of lateral movement within a network, meaning they can acquire better credentials, compromise more systems and search for the most profitable and most damaging information. And perimeter defense tools are almost worthless once hackers are quietly rampaging behind the lines. But malware has to communicate back to the hackers somehow, and new monitoring tools have emerged that can identify that traffic.

As such, traffic monitoring tools could very well be the next big thing in network security, protecting networks against cyber-attacks and helping even if a breach has already happened.
We evaluated security programs from Damballa, Lancope and LightCyber with traffic monitoring at their core. Because these programs require real-world traffic, the topology of which in some cases must be predefined, each was evaluated using a production environment provided by the companies. Each program was evaluated based on ease of use, accuracy, how quickly the program could be deployed and what level of customization and automation could be implemented.

While all three programs worked extremely well at identifying malware based on its communications, the Damballa Failsafe product was the easiest to use, had the best user interface and would be the quickest to deploy, an important consideration if an organization suspects that their network has already been compromised.

Lancope StealthWatch provided the most details about the communications going on within a network and the relationships between groups and devices, making it a useful tool for other things beyond security, such as network optimization or even capital planning.

And LightCyber Magna proved a perfect tool for detecting hidden threats that are trying to find specific data inside a network or elevate their privileges. It can also be useful in identifying insider threats.

Cybersecurity that thinks

Until recently, using the terms "data science" and "cybersecurity" in the same sentence would have seemed odd. Cybersecurity solutions have traditionally been based on signatures – relying on matches to patterns identified with previously identified malware to capture attacks in real time. In this context, the use of advanced analytical techniques, big data and all the traditional components that have become representative of "data science" have not been at the center of cybersecurity solutions focused on identification and prevention of cyber attacks.

This is not surprising. In a signature-based solution, any given malware or new flavor of it needs to be identified, sometimes reverse-engineered and have a matching signature deployed in an update of the product in order to be "detectable." For this reason, signature-based solutions are not able to prevent zero-day attacks and provide very limited benefit compared to the predictive power offered by data science.

Among the many definitions of data science that have emerged in the last few years, "gaining knowledge from data using a scientific approach" best captures some of the different components that characterize it.

An unprecedented number of companies reported breaches in 2014, evidence that existing cybersecurity solutions are not effective at identifying malware or detecting attackers inside an organization's network.

Three technological advances enable data science to deliver new innovative cybersecurity solutions:

Storage – the ease of collecting and storing large amounts of data on which analytics techniques can be applied (distributed systems such as cluster deployments).

Computing – the prompt availability of large computing power allows easy use of sophisticated machine learning techniques to build models for malware identification.

Behavior – the fundamental transition from identifying malware with signatures to identifying the particular behaviors an infected computer will exhibit.

Let's discuss more in depth how each of the items above can be used for a rigorous application of data science techniques to solve today's cybersecurity problems.

Having a large amount of data is of paramount importance in building analytical models that identify cyber attacks. For either a heuristic or refined model based on machine learning, large numbers of data samples need to be analyzed to identify the relevant set of characteristics and aspects that will be part of the model – this is usually referred to as "feature engineering". Then data needs to be used to cross check and evaluate the performance of the model – this should be thought of as a process of training, cross validation and testing a given "machine learning" approach.

One of the reasons for the recent increase in machine learning's popularity is the prompt availability of large computing resources: Moore's law holds that the processing power and storage capacity of computer chips double approximately every 24 months.

These advances have enabled the introduction of many off-the-shelf 'machine learning' packages that allow training and testing of machine learning algorithms of increasing complexity on large data samples. These two factors make the use of machine learning practical for use in cybersecurity solutions.

There is a distinction between data science and machine learning, and we will discuss in a dedicated post how machine learning can be used in cybersecurity solutions, and how it fits into the more generic solution of applying data science in malware identification and attack detection.

The fundamental transition from signatures to behavior for malware identification is the most important enabler of applying data science to cybersecurity. Intrusion Prevention System (IPS) and Next-generation Firewall (NGFW) perimeter security solutions inspect network traffic for matches with a signature that has been created in response to analysis of specific malware samples. Minor changes to malware reduce the IPS and NGFW efficacy. However, machines infected with malware can be identified through the observation of their abnormal, post-infection, behavior. Identifying abnormal behavior requires primarily the capability of first identifying what's normal, and then the use of rigorous analytical methods – data science – to identify anomalies.
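The two threads above, traffic monitoring for malware that must "communicate back" (the Damballa, Lancope and LightCyber review) and learning what is normal before flagging anomalies (this section), can be illustrated with a small behaviour-based detector. This is an added example, not code from the newsletter or from any vendor product named here; the flow records, host names and RFC 5737 addresses are constructed, and the thresholds are illustrative assumptions.

```python
"""Behaviour-based detection over flow records (added example; constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp in seconds, source host, destination IP, bytes sent).
# Addresses come from the RFC 5737 documentation ranges; nothing here is real traffic.
TRAIN_FLOWS = [
    (0, "ws-01", "203.0.113.10", 1200), (45, "ws-01", "203.0.113.11", 3400),
    (130, "ws-01", "203.0.113.10", 900), (400, "ws-01", "203.0.113.12", 5100),
    (790, "ws-01", "203.0.113.11", 2200), (1500, "ws-01", "203.0.113.10", 1800),
    (10, "ws-02", "203.0.113.10", 700), (60, "ws-02", "203.0.113.13", 2600),
    (300, "ws-02", "203.0.113.10", 1100), (900, "ws-02", "203.0.113.13", 3100),
]
TEST_FLOWS = [
    # ws-02: irregular browsing to known destinations, then one very large upload
    (2000, "ws-02", "203.0.113.10", 950), (2130, "ws-02", "203.0.113.13", 2800),
    (2600, "ws-02", "203.0.113.10", 1300), (2700, "ws-02", "203.0.113.13", 48000),
    # ws-01: check-ins every 60 s to a host it has never talked to, plus normal traffic
    (2000, "ws-01", "198.51.100.77", 512), (2060, "ws-01", "198.51.100.77", 520),
    (2120, "ws-01", "198.51.100.77", 508), (2180, "ws-01", "198.51.100.77", 515),
    (2240, "ws-01", "198.51.100.77", 511), (2300, "ws-01", "203.0.113.10", 1400),
]


def build_baseline(flows):
    """Learn 'normal' per host from a clean training window: the set of
    destinations it talks to and the mean/std of bytes sent per flow."""
    dests, sizes = defaultdict(set), defaultdict(list)
    for _, host, dst, nbytes in flows:
        dests[host].add(dst)
        sizes[host].append(nbytes)
    return {h: {"dests": dests[h], "mean": mean(sizes[h]), "std": pstdev(sizes[h])}
            for h in dests}


def beacon_cv(timestamps):
    """Coefficient of variation of the gaps between consecutive flows to one
    destination. Human-driven traffic has irregular gaps (high CV); a timer-driven
    implant checking in on a schedule produces near-identical gaps (CV near 0).
    Returns None when there are too few gaps to judge."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def detect_anomalies(baseline, flows, min_flows=4, cv_threshold=0.2, z=3.0):
    """Score an observation window against the baseline. Returns a list of
    (host, reason, destination) findings; each distinct finding is reported once."""
    findings, seen = [], set()
    per_pair = defaultdict(list)

    def report(host, reason, dst):
        if (host, reason, dst) not in seen:
            seen.add((host, reason, dst))
            findings.append((host, reason, dst))

    for ts, host, dst, nbytes in flows:
        per_pair[(host, dst)].append(ts)
        profile = baseline.get(host)
        if profile is None:
            report(host, "unknown-host", dst)  # no baseline at all: cannot be scored, flag it
            continue
        if dst not in profile["dests"]:
            report(host, "new-destination", dst)
        if nbytes > profile["mean"] + z * profile["std"]:
            report(host, "unusual-volume", dst)  # possible bulk exfiltration

    for (host, dst), stamps in per_pair.items():
        if len(stamps) >= min_flows:
            cv = beacon_cv(stamps)
            if cv is not None and cv < cv_threshold:
                report(host, "beaconing", dst)
    return findings


if __name__ == "__main__":
    base = build_baseline(TRAIN_FLOWS)
    for host, reason, dst in detect_anomalies(base, TEST_FLOWS):
        print(f"{host}: {reason} -> {dst}")
```

On the constructed data ws-01 is flagged for both a new destination and beaconing, and ws-02 only for the single oversized upload; a real deployment would learn the baseline over days of traffic and tune the thresholds per environment.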

CAUSE: Predictive Software to Counter Cyber Attacks

The intelligence community is holding a contest to design software that combs open source data to predict cyber attacks before they occur.

Imagine if IBM's Watson — the "Jeopardy!" champion supercomputer — could answer not only trivia questions and forecast the weather, but also predict data breaches days before they occur. That is the ambitious, long-term goal of a contest being held by the US intelligence community.

Academics and industry scientists are teaming up to build software that can analyze publicly available data and a specific organization's network activity to find patterns suggesting the likelihood of an imminent hack.

The dream of the future: A White House supercomputer spitting out forecasts on the probability that, say, China will try to intercept situation room video that day, or that Russia will eavesdrop on Secretary of State John Kerry's phone conversations with German Chancellor Angela Merkel.

IBM has even expressed interest in the "Cyber-attack Automated Unconventional Sensor Environment," or CAUSE, project. Big Blue officials presented a basic approach at a Jan. 21 proposers' day.

CAUSE is the brainchild of the Office for Anticipating Surprise under the director of national intelligence. Current plans call for a four-year race to develop a totally new way of detecting cyber incidents — hours to weeks earlier than intrusion-detection systems, according to the Intelligence Advanced Research Projects Activity.

The project's cyber-psychic bots will estimate when an intruder might attempt to break into a system or install malicious code. Forecasts also will report when a hacker might flood a network with bogus traffic that freezes operations – a so-called Denial-of-Service attack.
Such computer-driven predictions have worked for anticipating the spread of Ebola, other disease outbreaks and political uprisings. But few researchers have used such technology for cyberattack forecasts.

About 150 would-be participants from the private sector and academia showed up for the January informational workshop. Rahmer was tight-lipped about the size of the prize pot, which will be announced later this year. Teams will have to meet various minigoals to pass on to the next round of competition, such as picking data feeds, creating probability formulas and forecasting cyberattacks across multiple organizations.

It's not an exact science. There will be false alarms. And the human brain must provide some support after the machines do their thing.

Clues might be found on Twitter, Facebook and other social media, as well as online discussions, news feeds, Web searches and many other online platforms. Unconventional sources tapped could include black market storefronts that peddle malware and hacker group-behavior models. AI will do all this work, not people. Machines will try to infer motivations and intentions. Then mathematical formulas, or algorithms, will parse these streams of data to generate likely hits.

How the US Military will fight ISIS on the Dark Web

The Dark Web is not so much a place as it is a method of achieving a level of anonymity online. It refers to web sites that mask the IP addresses of the servers on which they reside, making it impossible to know who or what is behind the site or sites. They don't show up on search engines like Google so, unless you know exactly how to reach them, they're effectively invisible.

Activists and dissidents in countries like China and Iran use the Dark Web to get around state surveillance; journalists use it to reach sources and whistleblowers rely on it to spread the word about institutional abuse or malpractices. New evidence suggests that the Islamic State, or ISIS, or at least ISIS supporting groups, are seeking the Dark Web's anonymity for operations beyond simple propaganda. Thus yet another challenge for law enforcement and the military: to track users on the Dark Web in a way that's effective against ISIS but that doesn't violate privacy.

First, while the Dark Web is incredibly valuable as a tool for dissident action, it also has some real dark spots. Ido Wulkan, the senior analyst at S2T, a Singapore-based technology company that develops Dark Web harvesting technologies, recently revealed to Israeli newspaper Haaretz that his company has found a number of websites raising funds for ISIS through bitcoin donations.

Some Dark Web content is accessible only via special software like Tor, a package that encrypts a user's IP address and routes Internet traffic through a series of volunteer servers around the world (so-called onion routing). Like the Internet itself, Tor was a product of the military, originally designed by the Office of Naval Research to give sailors a secure means of communication.

Today, an explosion of Tor usage in a specific place or among a certain group is one indicator of increased secret communication activity. That could mean different things in different places. In June 2014, when the government of Iraq blocked Twitter and Facebook as part of its response to the growing ISIS situation, Tor usage in that country exploded, according to Tor metrics data. Usage has since calmed down in Iraq significantly.

Recently, the Chertoff Group put out a new paper detailing some of the methodologies that they advise law enforcement to use to monitor Tor users and sites. Since it was co-written by former DHS director and Jeb Bush national security team member Michael Chertoff, it's safe to say it provides a good indication of current law enforcement thinking. The name of the paper is the Impact of the Dark Web on Internet Governance and Cyber Security, co-written with Toby Smith.

Mapping the hidden service directory presents a more distinctive technical challenge. Tor uses a domain database built on what's called a distributed hash table. If Tor were a city, the distributed hash table, DHT, would be the architectural plans for the structures in it. Each node in a DHT can store information that, in turn, is retrievable if the user knows the exact address of that node. Mapping the DHT can reveal how those nodes relate to one another, providing a sense of shape for the broader network.

Recently disclosed court documents show that the FBI has used some code from a software product called the Metasploit Decloaking Engine for Dark Web investigations.

As the Dark Web evolves, people will begin to organize within it in order to make it more useful. That's inevitable. As any organism grows it becomes complex; and as it becomes complex it seeks organization as a means to grow efficiently and minimize cost. It is in that organization that the hidden Web is revealing itself both to individuals who would seek to give funds to groups like ISIS and to spies who would seek out those people.

Document Shows Escalating Cyberwar between Iran and US

A newly disclosed National Security Agency document illustrates the striking acceleration of the use of Cyber weapons by the United States and Iran against each other, both for spying and sabotage.

The release comes even as Secretary of State John Kerry and his Iranian counterpart met in Geneva to try to break a stalemate in the talks over Iran's disputed nuclear program.

The document, which was written in April 2013 for Gen. Keith B. Alexander, then director of the NSA, described how Iranian officials had discovered new evidence the year before that the United States was preparing computer surveillance or cyberattacks on their networks.

It detailed how the US and Britain had worked together to contain the damage from "Iran's discovery of computer network exploitation tools" - the building blocks of cyber weapons.
That was more than two years after the Stuxnet worm attack by the US and Israel severely damaged the computer networks at Tehran's nuclear enrichment plant.

The document, which was first reported by The Intercept, an online publication that grew out of the disclosures by Edward J. Snowden, the former NSA contractor, did not describe the targets.
But for the first time, the surveillance agency acknowledged that its attacks on Iran's nuclear infrastructure, a George W. Bush administration program, kicked off the cycle of retaliation and escalation that has come to mark the computer competition between the United States and Iran.
The document suggested that even while the high-stakes nuclear negotiations played out in Europe, day-to-day hostilities between the United States and Iran had moved decisively into cyberspace.

A former senior intelligence official who looked at the two-page document said it provided "more evidence of how far behind we are in figuring out how to deter attacks, and how to retaliate when we figured out who was behind them."

The document declares that American intercepts of voice or computer communications showed that three waves of attacks against US banks that began in August 2012 were launched by Iran "in retaliation to Western activities against Iran's nuclear sector," and added that "senior officials in the Iranian government are aware of these attacks."

The main targets were the websites of Bank of America and JPMorgan Chase. By 2015 standards, those were relatively unsophisticated "denial of service" strikes that flooded the banks with data, so overloading them it was impossible for a time for customers to access their accounts.

More recently, the Obama administration, in an effort to deter attacks, has grown less reticent about naming countries that the administration believes are responsible for such attacks. In May, five members of the Chinese People's Liberation Army were indicted on a charge of stealing intellectual property from American companies.

And in December, President Barack Obama said he had evidence that North Korea's leadership was behind an attack on Sony Pictures Entertainment, though he did not provide details. The New York Times later reported that the NSA had gathered the evidence from implants it had placed in North Korean computers beginning in 2010.

Google Cloud offers security scanning for customer apps

Google Cloud Security Scanner, now available as a free beta for Google App Engine users, is designed to overcome a number of limitations often found in commercial Web application security scanners.

Commercial scanners can be difficult to set up. They can over-report issues, leading to too many false positives. They are designed more for security professionals than developers. Google's scanner was designed to be easier to use, Mann said. The service is designed to spot errors in code that could be exploited through XSS (cross-site scripting) or mixed content attacks, two common attack methods.

The scanner inspects a Web application in multiple steps. First, it quickly reviews the application's HTML code, which renders the front-end interface for users. Then it digs more deeply into the JavaScript code that runs the business logic for the site.

XSS attacks occur in sites that allow users to submit their own content, such as a discussion forum. If the Web server does not properly vet the submitted materials, attackers can add malicious code that executes when other users visit the site.

Mixed content attacks take advantage of sites that mix secure HTTPS pages with unsecured regular HTTP pages. Such sites can fool users into thinking that data is secure, when in fact it is not. The scanning service does not cover all types of vulnerabilities, so Mann recommended customers still get manual security reviews by professionals. As time goes on, Google will expand the service to cover a wider range of vulnerabilities.
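The mixed content check described above can be reproduced in miniature: parse the HTML of a page served over HTTPS and flag any subresource or form target that resolves to plain HTTP, distinguishing active loads (scripts, frames, stylesheets, form actions), which browsers block outright, from passive media loads, which they typically only warn about. This is an added example and not Google's scanner; the page URL, host names and HTML are constructed.

```python
"""Minimal mixed-content scan of an HTML page served over HTTPS (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose insecure loads can run code or reshape the page ("active" mixed content)
# versus media-only loads ("passive"). Browsers block the former and warn on the latter.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, resolved URL)

    def _check(self, tag, url, severity):
        if not url:
            return
        # urljoin resolves relative paths and protocol-relative "//host/..." references
        # against the page URL, so those inherit https and are correctly not flagged.
        resolved = urljoin(self.page_url, url.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((severity, tag, resolved))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ACTIVE:
            self._check(tag, a.get(ACTIVE[tag]), "active")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            self._check(tag, a.get("href"), "active")  # CSS can alter page behaviour
        elif tag == "form":
            self._check(tag, a.get("action"), "active")  # would submit user data in clear text
        elif tag in PASSIVE:
            self._check(tag, a.get(PASSIVE[tag]), "passive")


def scan_html(page_url, html):
    """Return mixed-content findings for `html` as served at `page_url`.
    Mixed content only exists relative to a secure page, so plain-HTTP pages yield none."""
    if urlsplit(page_url).scheme != "https":
        return []
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: three insecure references among several secure ones.
PAGE_URL = "https://app.example.test/index.html"
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//static.example.test/app.js"></script>
<script src="/js/local.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<form action="http://example.test/login" method="post"><input name="pw"></form>
<iframe src="https://widgets.example.test/w"></iframe>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan_html(PAGE_URL, SAMPLE_PAGE):
        print(f"{severity:7} <{tag}> {url}")
```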

Google is not charging for the scanner, though its use may incur fees on the Google App Engine services deployed by the Web application being scanned.

Oxford Cyber Risk for Leaders Programme

Any organisation that relies on computer networks, digital information, the Internet or an Intranet is vulnerable to cyber security risks. Sabotage, hacking, malware, even uncontrolled use of social media: all these can lead to financial loss, disruption of your operations or service, and, inevitably, reputational damage. The threats are real, and they are changing all the time.
Managing these risks is not the sole responsibility of the IT department, or even of your Chief Information Security Officer (if you have one). As a leader, it is your job to understand and oversee your organisation's response to cyber risk.

This programme will enable you to develop leadership skills in the cyber arena, and to take effective action when dealing with an incident. It will help you build an awareness of the kinds of threat your business is likely to be facing, the operational dilemmas you will need to address, and, crucially, what questions you should be asking of your security advisors.

Building on world-leading research into cyber-security, and drawing on cross-disciplinary expertise from throughout the University of Oxford, the programme combines interactive lectures with simulations and discussions based on real, current cases. You need no background in cyber security: the focus is on general managers and directors.