In light of APT, a new Cyber Intelligence model is called for

Last Updated on Monday, 1 February 2010 03:43 Written by Jeffreycarr Monday, 1 February 2010 03:43

The Computer Network Exploitation (CNE) process which Mandiant has identified as “Advanced Persistent Threat” has helped open more than a few eyes in Government and private industry. This is both distressing and heartening. It’s distressing because there is nothing new in APT except awareness on the part of the organizations who didn’t know it was happening to them. It’s heartening because that awareness is freeing up time and resources to address the problem in a serious way, which brings me to the point of this post.

Around the same time that Mandiant released M-Trends: Advanced Persistent Threat, Deloitte issued its report “Cyber Crime: A Clear and Present Danger”. It sheds light on the same methodology that Mandiant addresses – “persistent and sustained access” – although it doesn’t use the term APT to do it. What Deloitte does do, however, is dedicate a section to “Developing Actionable Cyber Threat Intelligence”. In it, Deloitte discusses the need for “a cyber risk management process [that] prioritizes threats, analyzes threats, detects a threat before, during, or after actual occurrence, and specifies the proper response.” (The post’s diagram of Deloitte’s “cyber intelligence acquisition and analysis” model, and the blow-up of its left side that identifies a comprehensive list of open sources for intelligence gathering, are not reproduced here.)

Intelligence is only as good as the raw data an analyst can extract it from. So what’s missing from Deloitte’s model? Quite a bit if you’re concerned about State and Non-State actors getting access to your critical information. Why? Because they won’t be holding strategy sessions on hacker forums that can be accessed by law enforcement or intelligence agencies. And if they were stupid enough to do that, it wouldn’t be in English. Instead, you need a patient, persistent, and sustained effort to find the private forums, IRC channels and other places where these conversations do take place. Think of it as a reverse-APT.

A second major flaw with this collection effort is that it completely ignores State-sponsored R&D projects. If you know what widget a State is interested in (because they are investing in research to develop it), and your company makes that widget, you know where to focus your protection efforts.

This is actionable intelligence, and even better, it has a fast “time on target”, meaning you aren’t collecting a tsunami of data, most of which only slows down your intelligence gathering effort. You cannot protect everything; therefore you need to identify your critical data, identify who outside of your agency or company wants that data, and focus your intelligence assets on identifying and researching those potential adversaries.

Contact me for a consultation on how to implement this for your company or agency if you’d like more information. In addition, I’ll be offering a two-day course at the IO Institute called “OSINT Hacks for Mining the Russian Internet” following InfoWarCon on May 17 and 18th. A separate course is in development which focuses on the Chinese Internet. More information will be forthcoming as the date gets closer but feel free to shoot me an email if you’d like to attend.


The Grey Balloons Project FAQ

Last Updated on Tuesday, 12 January 2010 09:30 Written by Jeffreycarr Tuesday, 12 January 2010 09:30

It’s been about 48 hours since I launched this initiative and the response from people who want to get involved has been fantastic. There have been a lot of questions, so this FAQ is a start on providing some answers. More info will be coming soon.

1. BRIDGE and UGOV have both been canceled by the ODNI. What makes you think this project will fare any better?

My understanding is that both of those services have been canceled to improve the ability of the IC to collaborate with other parties via a better channel (yet to be named) that integrates with A-Space, so there’s still hope!

2. What do you hope to accomplish?

My goal for Grey Balloons is to create a talent bank that the Intelligence Community can tap at any time, for any purpose, without charge, and which is composed entirely of volunteers from private industry and academia who want to serve their country in a completely new way – with their intellectual and creative capital.

3. So no one gets paid for this?

That’s correct, up to a point. Each volunteer will commit to a specific number of free hours per period (day/week/month). If an agency or service wants to engage the volunteer for longer than the specified period, then they’ll have to pay the volunteer for their time at a pre-specified rate.

4. Can companies get involved or is it only for individuals?

Companies are welcome to offer free services too, and in a similar manner as outlined above for individuals. Additionally, my hope is that in the near future, a company will commit to reimburse the employee who volunteers for this service in a similar manner to Microsoft, which pays its employees for a day of volunteer work each year.

5. I noticed that you are asking people to sign up via Twitter. I’m not on Twitter. Can I still participate?

Sure. Just send me an email.

6. How will the Intelligence Community be able to access the Grey Balloons talent bank?

Good question. I’m looking for online resources that might be leveraged quickly which would enable each volunteer to enter their identifying data and then have that entire database searchable by name, expertise, company, etc. by whoever needs to access it. Suggestions for how best to do this are certainly welcome and should be posted in the comments.

7. Is it only open to U.S. citizens?

No. Anyone can volunteer their services, regardless of their nationality. Collaboration between allies is a key part of combating global threats, so Grey Balloons will be a resource with an international talent base serving the U.S. Intelligence Community.

8. What’s the time frame for getting this project off the ground?

ASAP.


What if DARPA’s Red Balloons Were Dots That Needed Connecting?

Last Updated on Wednesday, 13 January 2010 05:53 Written by Jeffreycarr Sunday, 10 January 2010 11:04

“Our goal in entering this (DARPA) challenge is to understand how to mobilize the vast resources of the human network to face challenges and explore the opportunities that come with living in such a connected world.”

- Riley Crane, Post-doctorate Fellow, MIT Media Lab team

In sum, the U.S. government had the information — scattered throughout the system — to potentially uncover this plot and disrupt the attack. Rather than a failure to collect or share intelligence, this was a failure to connect and understand the intelligence that we already had.

- Barack H. Obama, President, United States of America

I know that a lot of you feel the same way I do. You’re thinking how can I help fix this problem? And, let’s face it, it’s a pretty big friggin’ problem; not only in terms of what’s at stake but also in its longevity as a thorn in the side of intelligence analysts since…, well, forever. I’ve been thinking about this off and on ever since the President’s remarks and today, on my way home from seeing a movie with my wife, I thought about those red balloons and what might be possible if we leveraged Twitter to harness some of the best creative minds in the country to volunteer their particular skill set to help solve this problem on an as-needed basis.

Just from my work with Project Grey Goose, I’ve come to know lots of talented individuals in varying disciplines who I’m sure would be happy to join an on-call list to volunteer at least some of their work week if their specialty was needed. Perhaps their employers would even agree to pay them for the effort, similar to what Microsoft does for its annual Day of Caring.

I don’t think there’s a larger pool of intellectual talent anywhere in the world than in the United States. Let’s follow MIT’s lead and mobilize via the Social Web, organize it via a wiki, sketch out possibilities on a virtual white board, bring in talent as-needed, and come up with some solutions for the ODNI to apply. Let’s make it a permanent revolving resource so support is always available. And best of all, there are no budgetary issues, no bureaucratic obstacles, no BAAs that take two years to go from white paper to Phase II trials, etc. Just the work, and the best people in the country to do it – now, and for free.

Follow @greyballoons on Twitter to show your willingness to participate, and spread the word. If the idea catches on (let’s say a minimum of 1000 follows), then perhaps DNI Blair will give his endorsement and a new resource will become available to the hard-working individuals inside the IC that are tasked with the day-to-day challenge of meeting the President’s order to fix what has contributed to this intelligence failure.

Update: 11 Jan 2010 - As of 1026 Pacific time, over 50 exceptionally talented individuals have signed on via Twitter and e-mail. If you aren’t on Twitter but want to offer your services to the @greyballoons project, feel free to use email instead.

Update: 12 Jan 2010; 0400 Pacific: 101 participants and counting. 86 from Twitter and 15 via email. Thanks everybody. Please keep spreading the word.

Update: 13 Jan 2010; 0452 Pacific: 146 participants and counting. 103 from Twitter and 43 via email.

