
Tuesday, 03 December 2013

Three Suits and Spooks Courses taught by 3 World-Renowned Experts: Limited Enrollment and Savings!

At Suits and Spooks events, we always have world-class speakers. But for 2014, I wanted to offer world-class training as well. For example, in January we're featuring:

CARMEN MEDINA: Specialist leader at Deloitte Consulting LLP after retiring from an almost 32-year career at the Central Intelligence Agency, where her roles included Director of the Center for the Study of Intelligence (CSI), Deputy Director for Intelligence, and Chief of the Strategic Assessments Group in the Office of Transnational Issues, Directorate of Intelligence. She has led analysts working on Southern Africa and Central America, and helped to design the Global Coverage Program and innovate new production methods to support policymakers. In the early 1990s, she served overseas in Western Europe.

Course title: "Analytic Methodology and Critical Thinking for Cyber Intelligence and Information Security"

LANCE COTTRELL: Chief Scientist at Ntrepid Corp. and the founder and principal at Obscura Security. He founded Anonymizer Inc. in 1995, and is an internationally recognized expert in cryptography, online privacy, and Internet security.

Course title: "Tools, Techniques, and Pitfalls in Internet Anonymity and Pseudonymity"

ROB DUBOIS: Security advisor, smart power authority and retired U.S. Navy SEAL with experience in more than thirty nations. He recently served as the operations manager for the Department of Defense Red Team where his innovative tactics earned him the reputation of the U.S.’s “top terrorist”. Rob has provided his “Think like the Adversary” workshop to elite military units in combat zones, Fortune 500 companies, and agencies including the National Counterterrorism Center.

Course title: "Better Red than Dead: Learn to build your own full-spectrum Red Team with a veteran Red Team leader"

Originally, in order to attend a workshop you needed to also register for the conference. I've changed that policy so now you can take the training without having to register for Suits and Spooks DC, or you can register for both. Basically, it's now your choice.

Finally, in order to help us fill up these courses so as to have a more effective test on whether this is something that we continue to offer at Suits and Spooks events, I've lowered the tuition by 33% on all 3 courses until December 20th.

You can get complete details on each course by clicking on the course title, or call us with any questions you may have. Please help spread the word about this unique opportunity to learn from these highly esteemed professionals. Depending on our enrollment numbers, it may be the only time that we offer it.

Sunday, 24 November 2013

In OSINT, All Sources Aren't Created Equal

"In evaluating open-source documents, collectors and analysts must be careful to determine the origin of the document and the possibilities of inherent biases contained within the document."
- FM2-22.3: Human Intelligence Collector Operations, p. I-10
"Source and information evaluation is identified as being a critical element of the analytical process and production of intelligence products. However there is concern that in reality evaluation is being carried out in a cursory fashion involving limited intellectual rigour. Poor evaluation is also thought to be a causal factor in the failure of intelligence."
- John Joseph and Jeff Corkill "Information Evaluation: How one group of Intelligence Analysts go about the Task"
These two quotes illustrate the long-running problem that has plagued commercial cyber security reporting for many years. There are very few unclassified OSINT standards of source evaluation and even fewer for cyber threat intelligence, at least that I could find while doing research for this article.

The field of cyber intelligence is fairly new and fortunately, thanks to the Software Engineering Institute at Carnegie Mellon and the work of Jay McAllister and Troy Townsend, we can take a credible look at the state of the practice of this field:
"Overall, the key findings indicate that organizations use a diverse array of approaches to perform cyber intelligence. They do not adhere to any universal standard for establishing and running a cyber intelligence program, gathering data, or training analysts to interpret the data and communicate findings and performance measures to leadership."
- McAllister and Townsend, The Cyber Intelligence Tradecraft Project
The one thing that isn't covered in their report is the issue of source validation and how that contributes to the validity or value of the intelligence data received. However they did write a follow-up white paper with Troy Mattern entitled "Implementation Framework - Collection Management (.pdf)" 


Please take some time to study the framework and read the white paper. It's an ambitious and very thorough approach to helping companies understand how to get the most value from their cyber intelligence products. Unfortunately, while it specifies data evaluation and source validation, it doesn't provide any specific guidelines on how to implement those two processes.

Fortunately, there has been some great work done on source analysis for Human Intelligence (HUMINT) that I believe can be applied to Cyber intelligence and OSINT in general. It's a paper written by Pat Noble, an FBI intel analyst who did his Masters work at Mercyhurst University's Institute for Intelligence Studies: "Diagnosing Distortion In Source Reporting: Lessons For HUMINT Reliability From Other Fields"

A PowerPoint version of Noble's paper is also available. Here are a few of the slides from that presentation:




We recognize these failings when it comes to human intelligence collection but for some reason we don't recognize them or watch for them when it comes to OSINT. The crossover application seems obvious to me and could probably be easily implemented. 

I started this article with a quote from the Army Field Manual FM2-22.3: Human Intelligence Collector Operations (.pdf). Appendix B in that manual contains a Source and Information Reliability Matrix which I think is also applicable to Cyber intelligence or any analytic work that relies upon open sources.



I think a graph like this could be applied with very little customization to sources referenced in cyber intelligence reports or security assessments produced by cyber security companies. 

The West Australian Police Force study by John Joseph and Jeff Corkill "Information Evaluation: How one group of Intelligence Analysts go about the Task" recommended the use of the Admiralty Scale which is identical to the Army's matrix shown above:


Again, these scales were developed to evaluate human sources, not published content, but they certainly seem applicable with some minor tweaking. 

It's important to note that only part of the problem lies in the lack of source evaluation methods. Another very large contributing problem is the lack of standardized cyber intelligence tradecraft pointed out by McAllister and Townsend in their Cyber Intelligence Tradecraft paper:
"Tradecraft: Many government organizations have adopted the intelligence community standard of consistently caveating threat analysis with estimative language and source validation based on the quality of the sources, reporting history, and independent verification of corroborating sources. Numerous individuals with varying levels of this skillset have transitioned to cyber intelligence roles in industry and academia, but the practice of assessing credibility remains largely absent. The numerous analytical products reviewed for the CITP either did not contain estimative or source validation language, or relied on the third-party intelligence service providing the information to do the necessary credibility assessment." (p.11)
And of course due to the newness of the field there's no standard yet for Cyber Intelligence training (McAllister and Townsend, p. 13). 

IN SUMMARY

There are numerous examples of cyber security reports produced by commercial and government agencies where conclusions were drawn based upon less than hard data, including ones that I or my company wrote. Unless you're working in a scientific laboratory, source material related to cyber threats is rarely 100% reliable. Since no one is above criticism when it comes to this problem, it won't be hard for you to find a report to critique. In fact, it seems like a different information security company is issuing a new report at least once a month if not once a week so feel free to pick one at random and validate the sources using any of the resources that I compiled for this article. 

If you know of other source evaluation resources, please reference them in the comments section. 

If you're a consumer of cyber intelligence reports or threat intelligence feeds, please ask your vendor how his company validates the data that he's selling you, and then run it through your own validation process using one of the tools provided above. 

I'd love to hear from any readers who implement these suggestions and have experiences to share, either in confidence via email or in the comments section below.

UPDATE (11/24/13): A reader just recommended another excellent resource: Army Techniques Publication 2.22-9 "Open Source Intelligence". It discusses deception bias and content credibility, both of which must be accounted for in source validation.

Tuesday, 17 September 2013

Call for Papers: Suits and Spooks DC 2014 and Suits and Spooks Singapore 2014

Suits and Spooks DC is coming up on January 20-21, 2014 and Suits and Spooks Singapore will be March 20-21, 2014. The theme for both conferences will be how companies can safely conduct business when they operate in what is essentially a digital battlefield. U.S. multinational firms not only have to contend with hacktivists targeting their websites and hacker groups stealing and selling their intellectual property; their communications are also being collected and monitored by most foreign intelligence services, and insiders seem to be able to gain access to whatever they want.

If you've got an idea for a topic that fits this theme, please shoot me an email with a title and an abstract. Preliminary information on both events is available at the SuitsandSpooks.com website.

Monday, 29 April 2013

Challenges with Threat Intelligence, Attribution, and Active Defense are on the Agenda at Suits and Spooks La Jolla

We've got a tremendous speaker line-up including John Caruthers, the head of the FBI's National Security Cyber Program at the San Diego field office, while on intelligence matters, we have RADM Andy Singer (USN ret) who, among his many accomplishments, was the Director of Intelligence for PACCOM. Lance Cottrell, the founder of Anonymizer, will speak on Operational Anonymity & Misattribution: Why you need it, how they track you, how to do it, how it fails, and best practices.

Additional topics and panels include:
  • Projecting Geopolitically Relevant Cyber Hot-Spots by Ali-Reza Anghaie
  • Threat Intelligence for the Enterprise on a Shoestring Budget by Shane MacDougall
  • The State of National Cyber Intelligence by Troy Townsend and Jay McAllister
  • HUMINT Factor: How HUMINT Influences Attribution of Threat Actors and Whether or Not It’s Necessary
  • Can Data Analytics and Incident Response Scale Down? by Stephen Cobb
  • Is there a place on Special Operations teams for Cyber Warriors? (Panel moderator Jim Butterworth; Speakers – Thomas Dzieran, Rob DuBois, RADM Andy Singer (USN ret))
  • The importance of international collaboration in identifying and interdicting non-state hacker groups (Panel moderator Christopher Burgess; Speakers – John Caruthers, Kenneth Geers, Michael Jaeger)
  • Advanced Technologies for Detecting the Insider Threat by John Sipple
  • Vulnerability Disclosure and ‘Cyberwar’: The Cost of Offensive Cyber Weapons by Ryan Ellis
  • Kenneth Geers: Technical expert for the “Tallinn Manual on the International Law applicable to Cyber Warfare” will speak and take questions on this very important document.

This two-day conference (Saturday, June 15 and Sunday, June 16) will be held at the San Diego Marriott La Jolla hotel and consist of a combination of plenary and break-out sessions. A continental breakfast and lunch will be served on both days. Attendance will be limited to no more than 100 people to allow attendees to interact more closely with our speakers during the event.

The following Early Bird rates apply through May 10, 2013.
  • Early Bird $395
  • Securing our eCity Foundation member or affiliate $345
  • Government/Military/Academia rate $295
Register via PayPal or by telephone (1-855-777-8242)

After May 10, our discounted rates will revert to the standard $595.




Wednesday, 30 January 2013

Kaspersky Labs Researcher to Present Operation Red October at Suits and Spooks DC

I'm very pleased to announce that Kaspersky Labs researcher Roel Schouwenberg, a senior malware researcher with Kaspersky Lab's Global Research & Analysis Team, will be presenting at Suits and Spooks DC on February 8-9, 2013. His presentation will cover:

  • Earliest variants of the malware (2007)
  • Victim profiles
  • C&C domains and servers
  • Mobile malware components: known and unknown
  • An overview of +1000 malware plugins discovered during the research
  • Possible links with other campaigns

I've suggested in the past that Red October may have been run by a NATO member country, which makes it an ideal topic for the Suits and Spooks conference. I'm particularly happy that, with the addition of Kaspersky Labs to our other international speakers, Suits and Spooks is rapidly acquiring a global reputation as a unique security event that's not to be missed. We are rapidly approaching standing-room-only capacity, so register today.

Wednesday, 16 January 2013

Has a Foreign Intelligence Service Been Targeting Russian Embassies?

Yesterday I posed the theory that the Russian Business Network (RBN) was behind the Red October attacks; however, in the interest of alternative analysis, I'd like to propose a different theory that also fits the facts contained in Kaspersky's report: that a Foreign Intelligence Service has been targeting Russian and CIS embassies.

Kaspersky's FAQ on ROCRA says that it was brought to their attention by a "partner" who prefers to remain anonymous. Considering that the primary targets of ROCRA were Russian embassies and government agencies, that unnamed partner was most likely the FSB. After all, Kaspersky Labs does significant business with the Russian government according to Noah Shachtman's Wired profile on Eugene Kaspersky:
"One of GREAT’s frequent partners in fighting cybercrime, however, is the FSB. Kaspersky staffers serve as an outsourced, unofficial geek squad to Russia’s security service. They’ve trained FSB agents in digital forensic techniques, and they’re sometimes asked to assist on important cases."
The Red October report listed many embassies in multiple countries as victims but didn't identify whether those were Russian embassies or those of other nation states. Since the malware was looking for Cyrillic characters in documents, it makes sense to assume that the target was Russia's embassies in foreign countries. It would be nice if GREAT would confirm or deny whether that was the case.

Many of ROCRA's command and control servers were registered with Russian registrars. However, Russian law and regulations require the registrant to provide accurate contact information and to confirm that information with an authoritative document (something that we in the U.S. should also require, but don't).  Normally this would be a Russian citizen’s internal passport. So the perpetrator was either using compromised documents (Russian passport numbers and tax IDs have been posted on Runet) to obtain domain names or the websites themselves were compromised bots.

As far as which FIS might be responsible, there's no way to say but there's certainly no lack of suspects. The use of Acid Cryptofiler suggests that it might be a NATO or EU member country. 

Monday, 02 May 2011

Justice Wins. Bin Laden is Dead.

It took 10 years, a new President, and the stellar collaborative work of the U.S. Intelligence Community to enable the success of the military operation against Osama bin Laden. Congratulations to all of the people whose names we'll never know that led to this momentous event of justice and vindication. We're so quick to judge intelligence failures that become public knowledge while the successes rarely make the news. Not only is this an intelligence success for CIA, NSA, and other agencies, it's vindication for President Obama's strategy to re-focus on capturing or killing Osama bin Laden in spite of political pressure to quit. I'm proud of everyone involved, and hugely grateful.

Related Links:

Timeline: The Intelligence Work Behind Bin Laden's Death
Latest on the Osama Raid: Tricked-Out Choppers, Live Tweets, Possible Pakistani Casualties
The Secret Team That Killed bin Laden

