Friday, April 24, 2015

Signature-based Intelligence Resulted In Tragedy: A Lesson For Cyber Intel Consumers

The New York Times reported yesterday that a drone strike mean't to kill four Al Qaeda terrorists also killed two hostages that no one knew were there. This tragedy also revealed that drone operators rely upon signatures to form a "guesstimate" of the target.
In Pakistan, unlike elsewhere in the world, the White House permits the C.I.A. to carry out drone strikes without knowing the identities of the people the agency is trying to kill. These “signature strikes,” based on patterns of behavior rather than intelligence about specific people, have been criticized in the past as generating a higher number of civilian deaths.
I've written before about the problems that stem from our over-reliance on signals intelligence versus human intelligence in the world of cyber security. The commercial cyber security intelligence sector relies almost exclusively upon technical indicators, and those that claim they don't usually confuse collecting data from forum postings in public hacker forums with actually building relationships with blackhat hackers (the latter is human intelligence, the former isn't).

Fortunately, the worst that can happen to consumers of bad cyber intelligence is that they'll mis-allocate resources and/or develop terrible foreign policy initiatives. It's unlikely that any lives will be lost, thank goodness.

However this news story by the New York Times serves as an apt and timely reminder that cyber threat intelligence based upon "signatures" alone must be subjected to vetting by other sources and always treated with a high degree of skepticism. Bad things happen when your intelligence is unreliable, and for many of today's cyber intelligence purveyors - it frequently is.

Friday, April 17, 2015

AEI - Norse: Subverting Cyber Security Research For Political Fear-Mongering

"I was recently invited to participate in a cyber security dinner discussion by a few members of a well-known Washington D.C. think tank. The idea was that we could enjoy a fine wine and a delicious meal while allowing our hosts to pick our brains about this “cyber warfare stuff.” It seems that the new threatscape emerging in cyberspace has caught them unprepared and they were hoping we could help them grasp some of the essentials in a couple of hours. By the time we had finished dinner and two bottles of a wonderful 2003 red, one of the Fellows in attendance was holding his head in his hands, and it wasn’t because of the wine." - Jeffrey Carr from the Preface of "Inside Cyber Warfare" (2009)
The think tank that I wrote about in 2009 was none other than the American Enterprise Institute (AEI). They were ill-equipped to provide insight into this domain back then and nothing has changed in the 5 years since.

Fred Kagan and his father Donald Kagan published a book in 2000 "While America Sleeps" which advocated for a strong military in the face of U.S. complacency about threats - especially Iraq's WMDs which, of course, never existed. Today's release of "The Growing Cyberthreat From Iran", authored by Fred Kagan (AEI) and Tommy Stiansen (Norse Corp) promotes the same fear-mongering, slanted analysis that Fred is known for. AEI has simply moved from Iraq's WMDs to Iran's cyberweapons. Unfortunately, he found a cyber security company (Norse) willing to partner with him and provide the technical data which AEI is incapable of generating on its own.

The Growing Cyber Threat From Iran: Project Pistachio Harvest

Un-abashed Confirmation Bias
AEI approached Norse Corp to co-author a report about Iran as a growing cyber threat actor. It's important to note that the genesis of this report was to start with an assumption and then find proof that supported the assumption, which is the worst type of analytic methodology and the very definition of confirmation bias. The authors even acknowledge that normal standards of proof shouldn't apply when it comes to Iran:
"We assert, therefore, that the typical standards of proof for attributing malicious traffic to a specific source are unnecessarily high when we examine traffic from Iranian IP addresses." (p. 12)
Furthering a Political Agenda
AEI's political agenda for this report was clearly the current multilateral agreement with Iran to curb its nuclear weapons program. AEI has published 14 articles critical of that agreement since April 3, 2015. That's more than one per day. And the first paragraph of the Introduction in the Pistachio Harvest report reads:
"The framework for an agreement on Iran’s nuclear program announced April 2, 2015, may significantly increase the cyberthreat the Islamic Republic poses to the US and the West." (p. 1)
The report's conclusion reiterates that sanctions against Iran must not be lifted as part of the nuclear framework agreement because of Iran's role as a cyber threat actor. Bottom line - this report is all about politics, not cyber security.

Blaming AEI for having a political agenda is like blaming the scorpion for stinging the frog - it's the nature of the beast. However, for security research to be valuable it must be objective and verifiable. Norse Corporation's decision to team up with AEI and supply them with their data for use in a politically motivated report was a terrible decision that taints both the research and the company. Imagine if Kaspersky Lab, who was recently lambasted in the media for merely being a Russian company with Russian government contracts, co-authored a report with Gleb Pavlovsky's Foundation for Effective Politics. It would kill the credibility of Kaspersky Lab forever.

Questionable Attribution
The Introduction lists three examples of "malicious Iranian cyber activity". None of the three have been positively attributed to the Iranian government. All represent guess-work on the part of investigators (including myself) and at least one (Saudi Armco) has been completely mis-represented in terms of the malware's "complexity". In reality, Shamoon was a half-assed, reverse-engineered piece of malware that was only 50% functional.

Even worse is this paragraph allegedly "proving" Iran's targeting of critical infrastructure:
"Telvent was the victim of a significant attack attributed to Chinese hackers in September 2012.105 This attack breached Telvent’s “internal firewall and security systems . . . and stole project files related to” OASyS SCADA."

"It is possible that the Chinese were at it again two years later using compromised Iranian systems, but it is unlikely. The Iranian IP hosts no visible infrastruc- ture and is apparently owned directly by the Telecom- munications Company of Iran, running on AS12880. There has never been any public system identified with this IP, or with any of the IPs on this subnetwork, so there has not been any visible server to try to hack. Nor have the Chinese changed their methods from operating openly from their own infrastructure to using that of third parties."
In other words, it must have been Iran because the Chinese government only sends out attacks from its own IP blocks.  This is a great example of the idiocy that's prevalent in what passes for attribution today. No government is stupid enough to engage in cyber attacks which can be easily traced back to them. That kind of stupidity only resides with security researchers who have a vested interest - often a monetary interest - in placing the blame for an attack on a given nation state.

A Reprehensible Decision by Norse
As a cyber security professional and the founder and CEO of a cyber security company, I'm offended and disgusted that the CEO and CTO of Norse Corporation supported this type of heinous fear-mongering by getting into bed with Fred Kagan and the American Enterprise Institute. I've never seen this type of collaboration before and I hope that I'll never see it again.


"Four Fatal Flaws in Cyber Threat Intelligence Reports"