
Friday, 26 April 2013

Chimera: Know The Targets


In today's digital landscape, threats are expanding and your intellectual property and trade secrets are their targets. You may not know the threat actor, but you can know what they're targeting.

CHIMERA will launch in the summer of 2013.

Friday, 12 April 2013

Closing the Loop: Part of an Assumption of Breach Security Paradigm

Tim O'Reilly gave a talk recently at Stanford University on the importance for startup companies to "close the loop" with their customers. Uber was used to demonstrate the concept. Both the Uber driver and the Uber customer know a lot about each other. They can track each other's location. The customer knows what the driver looks like as well as his license plate number. They can communicate with each other prior to the vehicle arriving. There's immediate feedback required on the customer's experience with the driver. There's almost no uncertainty in the entire service chain of an Uber hire. Uber has closed the loop with its customers.

As I listened to Tim speak, I immediately related it to the uncertain world of cyber security. Think of Uber as a U.S. corporation or government agency. Think of the Uber customer as the adversary state or non-state actor who's breaking in to steal valuable data. What cyber security tools "close the loop" between the two?

If you adopt an "Assumption of Breach" paradigm, then you've accepted that attackers may already be active in your network. Any tool which provides you with information on their movements in real-time "closes the loop". Then it just becomes a question of weighing cost against effectiveness and spending your dollars wisely on those tools.

Another way to close the loop with an adversary who's targeting your company or agency is to know what they want. This article in The Telegraph describes how MI-5 has issued a warning to British universities that their research on graphene and quantum computing is being stolen by Russia and China and, eventually, informing those countries' patent development work:
Researchers have already warned that work on graphene is moving abroad, with Britain funding extra research by our own academics but seeing their 54 patents outstripped by 2,204 from China.
Overall, cyber crime costs the UK £27billion per year, official figures suggest, with universities now identified as targets.
Researchers from Manchester, for instance, including academics Andre Geim and Konstantin Novoselov who won the 2010 Nobel Prize, have been warned that their servers could be targets. Graphene is a kind of two-dimensional carbon which is one of the thinnest, lightest, strongest and most conductive materials known to man. Identified only in 2004, it is harder than diamond, just a single molecule thick and conducts electricity.
Threats are posed both by hackers infiltrating UK university computers and from the theft of data from computers used by academics travelling abroad. 
My company, Taia Global, with financial support from our angel investors, is currently in development on a product which knows what the research priorities are in potential adversary states and can predict what will be stolen from our customers; thereby closing the loop between the victim and the thief and giving the victim time to take the necessary steps to protect those targeted documents. This is particularly useful when a company has millions of files, cannot protect all of them, and doesn't have a reliable way to classify those which are of value to an adversary or competitor.

Our product development cycle is currently in early Alpha. If you'd like to receive more information about this product as we get closer to beta, please contact us.

Sunday, 03 March 2013

Who Are The Players in China's Targeting of Foreign Technology IP?

The release of Mandiant's APT1 report claimed that the PLA's Third Directorate (3PLA) is the responsible State organization behind Comment Crew (aka APT1). One of the things that the report's authors didn't do was demonstrate how the other State agencies who engage in this type of activity were excluded in their analysis. For future reference, here's a more complete list of the possible organizations who conduct intelligence activities (including cyber) to consider or rule out in terms of possible Chinese attribution.

Traditional Channels

Civilian
  • The Ministry of State Security (MSS) - Counterespionage and Counterintelligence; Foreign Intelligence; Domestic Intelligence
  • Ministry of Public Security (MPS) - National Police; Domestic Intelligence
Military
  • Second Department of the People's Liberation Army (PLA) General Staff Department (2PLA): engages in foreign intelligence, imagery intelligence, and tactical reconnaissance
  • Third Department of the PLA General Staff Department (3PLA): engages in signals intelligence
  • Fourth Department of the PLA General Staff Department (4PLA): engages in computer network operations
  • Liaison Office of the PLA General Political Department
  • Intelligence departments of the PLA Navy, PLA Air Force, and Second Artillery
  • State Secrecy Bureau

Non-Traditional Channels

  • Commission of Science, Technology and Industry for National Defense (COSTIND)
  • Research Institutes
  • PRC Military-Industrial Companies
  • Organized Chinese hacker groups

Guidelines:

Failed operations. In Amy Elizabeth Brown's paper "Directed or diffuse?: Chinese human intelligence targeting of US defense technology", she makes the same point that I have made multiple times; e.g., that much of the information we have about Chinese espionage cases (cyber and otherwise) comes solely from failed operations - meaning covert operations that have been discovered. Therefore, we have to acknowledge the possibility that China also runs successful covert operations using more effective tradecraft but we don't know the scope or scale.
3PLA's distributed offices. It's important to note that 3PLA, which was identified in the Mandiant APT1 report, has, according to Mattis, offices and technical reconnaissance bureaus in each of China’s seven military regions and several major cities (not only Shanghai).
OSINT is insufficient. Another important statement in Mattis' conclusions is that open sources are insufficient to understand the inner workings of these various intelligence agencies.
Lack of sound tradecraft. "One of the defining characteristics of China’s non-traditional techniques for obtaining technology, as observed in many of the cases noted here, is the lack of clandestine tradecraft, or even the most basic elements of operational security, involved in obtaining the information.  In general, it appears that little or no care is used to ensure that the operation goes undetected." - Amy Brown's "Directed or Diffuse" paper as referenced below.
Giving amateur operatives too much credit. "A belief that the Chinese rely on amateur operatives risks leading CI professionals to dismiss or be inattentive to the threat posed by China’s professional services." - Peter Mattis "The Analytic Challenge" paper as referenced below.
Distinguishing economic espionage from Chinese intelligence. "When economic espionage with no connection to the Chinese intelligence services is interpreted as “Chinese intelligence,” less attention will be paid to what those organizations actually do. The Chinese intelligence services and the Chinese defense industries are distinct entities, although they may sometimes work for mutual benefit." - Peter Mattis (Ibid)

Readers of the Mandiant report or any report that purports to reveal the inner workings of Chinese cyber espionage cases are encouraged to familiarize themselves with the papers referenced below as well as the above guidelines that I've extracted from them. 

For example, the lack of tradecraft by the three individuals mentioned in the Mandiant report is palpable, and was pointed out by the report's authors: "These actors have made poor operational security choices, facilitating our research and allowing us to track their activities. They are some of the authors of APT1's digital weapons and the registrants of APT1 FQDNs and email accounts. These actors have expressed interest in China's cyber warfare efforts, disclosed their locations to be the Pudong New Area of Shanghai, and have even used a Shanghai mobile phone number to register email accounts used in spear phishing campaigns." - Mandiant APT1 report, p. 51

Even if one assumes that the Chinese government is the customer for APT1's cyber espionage activities, it's important to consider all of the options before attempting to assign attribution. Such a lack of tradecraft deserves at least a mention in the report that non-traditional channels, as defined above, were considered. As this article points out, those options are plentiful within China, but also include other foreign intelligence services and professional hacker crews who run their operations from China and/or from Chinese servers in order to confound any efforts at attribution.
PRC Intelligence Apparatus - Implications for Foreign Firms

Related Posts:

"Mandiant APT1 Report has critical analytic flaws"

Tuesday, 22 January 2013

New Direction for Taia Global

UPDATE (2/19/2013): Our press release is out with details on the start of development of our data classification engine called Chimera.
--------------------------------------------------------
For the last two years, Taia Global (my startup security consultancy) has been a services-focused business. We've been privileged to have been able to provide counsel on improving security operations center practices, identifying supply chain weaknesses and generally helping executives understand their threat landscape and how to shrink it at some very large defense, telecommunications, and entertainment companies as well as smaller sized firms.

Thanks to that diverse set of experiences, I've been able to identify a problem and a solution which is scalable and unique in the information security marketplace and have begun a second angel round to raise capital for product development.

I'm grateful to my angel investors from 2010 who have continued to support me in this latest round as well as for a new investor that has just come aboard. 2013 will be the year that Taia Global moves from being services-based to services with a product. Watch this blog and my Twitter feed for more details in the weeks and months to come.

Monday, 16 January 2012

Intelligence on Russian Information Warfare Activities

Threat Intelligence and Cyber Intelligence are phrases that are tossed around both frequently and casually these days. Threat intelligence as it's used by the information security community has to do with malware and malicious IPs. Cyber intelligence is used even more loosely and may cover everything from Threat Intelligence to discovering who the members of Anonymous are. My company Taia Global Inc. has been providing highly targeted open source intelligence reports on foreign corporations' government connections as well as the information warfare activities of individual nation states since 2009. Since most of our foreign government clients are interested in the IW activities of the Russian Federation, we focus a lot of attention there. Here is what we've produced in the last few months alone:
  • Center for Computer Emergency Response of the Russian Federation (RU-CERT)
  • Roskomnadzor and the Cyber Vigilantes
  • Russian Federal Security Service Center for Electronic Surveillance of Communications - Military Unit (Vch) 71330
  • Russian Federation Security Council and the Evolution of Russia’s Information Security Doctrine
  • Federal State Unitary Enterprise Scientific Research Institute Kvant (Federal Security Service)
  • Federal Security Service (FSB) Internet Monitoring Vendors
  • Federal Security Service (FSB) Administrative Centers for Information Security
Apart from these specialized reports, we also produced the 2011 Russian Federation Information Security Reference.

If Russia is an important piece of your organization's business or security plans and you'd like more information about our intelligence services for the Russian Federation or other countries in Asia, the EU or elsewhere, you can contact us via the Taia Global website.

Friday, 21 October 2011

My Top 5 Tips for "Cyber" Startups

1. Pick a hard problem and throw yourself into solving it. In 2005 I was inspired by the InfoSec Research Council's Hard Problems List (.pdf) while I was at Microsoft even though it had little to do with my actual job there. You need to find a problem that you can get passionate about or you'll never survive the difficult road ahead of you.

2. Start a blog about the problem that you've selected. Once I found what I thought would be a solution for one of the problems on that list, I presented it to Microsoft's Greenhouse. When they rejected it, I started a blog (IntelFusion.net - no longer active) as a way of continuing my research and building a network of like-minded folks who were interested in the same sorts of things that I was.

3. Get Published. You don't have to write a book, although that's a great experience to have but you do need to create a body of work that can be reviewed and critiqued by your peers. Submitting papers for conferences is one of the best ways to do this. Go to as many conferences as a presenter as you can. That's key. Go as a presenter, not as an attendee. As a presenter, you'll get your expenses covered while meeting decision makers who may become customers, mentors, employees, or partners later on.

4. Build a Network. There's a reason why predators thrive in pack environments rather than on their own. You won't make it as a one-man show. In fact, if you've done the first three things on this list, you'll already have a collection of business cards and LinkedIn contacts for people who either want to help you or use you. You'll figure out which is which soon enough.

5. Find a Mentor. Or hopefully, more than one, to help get you past some of the hurdles you'll encounter in starting a new business. For example, I used to think that I could start a company which offered a product or service that the government needed and which no one else offered and I'd be in business! After a year of failing, it took a mentor to educate me about the fact that it takes a startup company 3 years on average to win its first government contract. I also used to think that I could go after an Army or Air Force SBIR grant and that my application would stand an equal chance at getting selected. After three rejections, it took a mentor to tell me that the Army already knows the company that it plans to award the SBIR grant to beforehand. Both of those experiences, among others, helped me understand that I don't want the government as a customer; that I should focus instead on providing a product or service needed by corporations.

These 5 things helped me leave Microsoft and start my own company (Taia Global, Inc.) with no money at the height of the financial crisis in 2009. It was and remains an arduous journey but it has been the best experience of my life and my company is doing better than ever. I'm confident that if you can find your passion in trying to solve some of the hard challenges that governments and companies face today, that you'll have the same end result that I've had - experiencing daily joy in building a company that makes a difference in peoples' lives. It doesn't get any better than that.

Tuesday, 27 September 2011

WaPo's "extreme" precautions for travel to China? Hardly.

Today's Washington Post article "In China, Business travelers take extreme precautions to avoid cyberespionage" barely cracks the surface of what occurs in China and other nation states who engage in cyber-espionage. I founded a company on that very premise in 2010 and am still amazed at how easily state actors can obtain exactly what they want from visiting C-level executives without anyone knowing it. In fact, I've had this very conversation with Joel Brenner just recently (Brenner is extensively quoted in the WaPo article).
A standard travel kit for Taia Global clients includes a pre-paid cell phone and an iPad or a hardened laptop with no documents stored on the hard drive. Instead, everything that the executive needs to work on is stored on an encrypted IronKey flash drive. We provide a variety of e-mail alternatives for executives to choose from which keep them from directly communicating with their home network. Access to free WiFi hotspots at the airport, the hotel, or anywhere else in-country is heavily discouraged. And no device ever re-connects with the corporate network after a trip.

These are realistic, not extreme, precautions and they're based upon real-life incidents that happen on a daily basis; not only in the PRC, but in many developed and developing countries including the EU. The risk factor isn't the same for everyone. Part of our work for our clients is to tell them what their CRI (Cyber Risk Index) is when they travel. The CRI varies according to what industry an executive is in, his position at his company, and which country he's visiting. Just like in network security, there is never a one-size-fits-all solution.
