Sunday, May 20, 2018

Memorial Day 2018: The Risk of Service is Understood...

Memorial Day weekend will soon be upon us in the U.S. and on the final Monday of May 2018, we reflect on this remembrance.

In order to put it all in context, we looked back 5 years to our 2013 blog post here.  It was only a few weeks since a fellow colleague from Team Rubicon had ended his battle at home, after several tours of duty with AFSOC.  Neil had joined the ranks of those fallen heroes who survive deployment tagging and tracking the enemy in the Hindu Kush.  He was also one of the 22 that day in early May, that could not defeat the legacy of demons he fought each night, as he fell deep asleep.

On Memorial Day 2018, we again honor Neil in Section 60 at Arlington Memorial Cemetery and all those other military members who have sacrificed and defended our freedoms for 242 years. Simultaneously, we do the same for the people behind the "Stars" on a wall in Langley, Va for those officers who have done the same.

Together we are on the front lines or inside the wire at the FOB.  Whether you are in Tampa, FL, Stuttgart, Germany or Arlington, VA.  Whether you are on your beat cruising the streets of a major metro USA city.  Whether you are watching a monitor at IAD, LAX or DFW.  Whether you are deep in analysis of Internet malware metadata or reviewing the latest GEOINT from a UAS.  We are all the same, in that we share the mission that gets each one of us out of bed each day.  Our country's "Operational Risk Management (ORM)."

The Operational Risk Management mission of the U.S. Homeland is vast and encompasses a spectrum of activity, both passive and kinetic.  Digital and physical.  It requires manpower and resources far beyond the capital that many developed countries of the world could to this day comprehend.  There are only a few places across the globe, where a normal citizen would say that the mission and the capital expenditures are worth every dollar and every drop of blood.

Memorial Day in the United States is exactly this:
Memorial Day is a United States federal holiday which occurs every year on the final Monday of May.[1] Memorial Day is a day of remembering the men and women who died while serving in the United States Armed Forces.[2] Formerly known as Decoration Day, it originated after the American Civil War to commemorate the Union and Confederate soldiers who died in the Civil War. By the 20th century, Memorial Day had been extended to honor all Americans who have died while in the military service[3].
So this Memorial Day weekend, as we walk among the headstones and reflect on our colleagues who gave their service and their own lives, we will stand proud.  We understand the risks.  We know why we serve.  In the spotlight or in the shadows.  The tradition and the mission continue...

Sunday, May 13, 2018

InTP: Insider Threat Via Critical Infrastructure...

The private sector organizations of the United States are vital to the protection and security of the Homeland.  The private sector owns a majority of our assets and Critical Infrastructure Protection (CIP) remains a priority as a result of the latest asymmetric threats.  Securing Critical Infrastructure sectors includes:
  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors, Materials, and Waste
  • Transportation Systems
  • Water and Wastewater Systems
The National Strategy to Secure Cyberspace emphasizes the importance of public/private partnerships in securing these critical infrastructures and improving national cyber security.
Similarly, one focus of the Department of Homeland Security is enhancing protection for critical infrastructure and networks by promoting working relationships between the government and private industry.

The federal government has acknowledged that these relations are vital because most of America’s critical infrastructure is privately held.  Further, the networks of our global super-infrastructure are tightly “coupled”—so tightly interconnected, that is, that any change in one has a nearly instantaneous effect on the others.

Attacking one network is like knocking over the first domino in a series: it leads to cascades of failure through a variety of connected networks, faster than most human managers can respond.

We realize that there are many facets of CIP, yet where should we be allocating resources?  The vigilance within our organizations has not changed and is based upon previous studies done by CERT and the US Secret Service:
"A system administrator, angered by his diminished role in a thriving defense manufacturing firm whose computer network he alone had developed and managed, centralized the software that supported the company’s manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup for that software. Following the system administrator’s termination for inappropriate and abusive treatment of his coworkers, a logic bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the company’s server. The company estimated the cost of damage in excess of $10 million, which led to the layoff of some 80 employees." U.S. Secret Service and CERT Coordination Center/SEI Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors

Insider Characteristics

The majority of the insiders were former employees.

• At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contractors.

• The former employees or contractors left their positions for a variety of reasons. These included the insiders being fired (48%), resigning (38%), and being laid off (7%).

Most insiders were either previously or currently employed full-time in a technical position within the organization.

• Most of the insiders (77%) were full-time employees of the affected organizations, either before or during the incidents. Eight percent of the insiders worked part-time, and an additional 8% had been hired as contractors or consultants. Two (4%) of the insiders worked as temporary employees, and one (2%) was hired as a subcontractor.

• Eighty-six percent of the insiders were employed in technical positions, which included system administrators (38%), programmers (21%), engineers (14%), and IT specialists (14%). Of the insiders not holding technical positions, 10% were employed in a professional position, which included, among others, insiders employed as editors, managers, and auditors. An additional two insiders (4%) worked in service positions, both of whom worked as customer service representatives.


Making sure that you have a robust workplace awareness program is one key component in addressing the "Insider Threat" and building our resilience.

More importantly, the timing may have been the perfect launch point for other malfeasance from non-state actors who lie in their "Lone Wolf" mode, waiting to strike.

And while the scenario could be well contained, the timing could create opportunities for the "Black Swan" outlier inside your enterprise.

It's never too early to plan for the unimaginable, all happening in the same geography and the same time frame.  Revisit your "Insider Threat Program" (InTP) and Critical Infrastructure Resilience today...

Sunday, May 06, 2018

IO Convergence: Cyber Warfare Unified Taxonomy...

Information Operations (IO) is an Operational Risk Management priority in both the public and private sector these days. Is it lawful for a U.S. company and U.S. citizens to train and perform cyber warfare activities on behalf of a foreign country?

Flashback to 2012, The Washington Post reports:

By Ellen Nakashima, Published: November 22
"In the spring of 2010, a sheik in the government of Qatar began talks with the U.S. consulting company Booz Allen Hamilton about developing a plan to build a cyber-operations center. He feared Iran’s growing ability to attack its regional foes in cyberspace and wanted Qatar to have the means to respond.

Several months later, officials from Booz Allen and partner firms met at the company’s sprawling Tysons Corner campus to review the proposed plan. They were scheduled to take it to Doha, the capital of the wealthy Persian Gulf state.

That was when J. Michael McConnell, then a Senior Vice-President at Booz Allen and former Director of National Intelligence in the George W. Bush administration, learned that Qatar wanted U.S. personnel at the keyboards of its proposed cyber-center, potentially to carry out attacks on regional adversaries.

“Are we talking about actually conducting these operations?” McConnell asked, according to several people at the meeting. When someone said that was the idea, McConnell uttered two words: “Hold it.”
A common taxonomy was developed years ago for the cyber terms of the computer and network incident domain. Now we need to make sure we all understand what we mean when we say Information Operations policy as it pertains to the digital world.

As an example, in the context of the digital attacker, we have the Sandia Labs taxonomy:
  • Hacker
  • Spies
  • Terrorists
  • Corporate Raiders
  • Professional Criminals
  • Vandals
  • Voyeurs
Each is unique and has its own domain or category. We are sure that the same could be used for the context of attackers in the non-digital world, possibly with the exception of Hacker. However, the definition of corporate raider in the offline domains may not be synonymous with the online domain of cyber incidents.

If we look at the categories that make up the entire "Incident" that Sandia Labs has utilized, we see the following:
  • Attackers
  • Tool
  • Vulnerability
  • Action
  • Target
  • Unauthorized Results
  • Objectives
Without combining the context under each category, we lose the meaning we are trying to capture for an "Incident". We need to make sure that the anti-terrorism taxonomies of the offline and online domains can be utilized together to describe the attributes of an "Incident". We need to break down the sub-categories as well. For instance, in the Sandia Labs Taxonomy for the Objectives category we have:
  • Challenge, Status, Thrill
  • Political Gain
  • Financial Gain
  • Damage
When we move to the offline domain and are doing risk mitigation and preparedness exercises for anti-terrorism, we utilize another set of words to describe and evaluate infrastructure threats and hazards.  Here are five factors:
  • Existence addresses the question of who is hostile to the assets of concern?
  • Capability addresses the question of what weapons have been used in carrying out past attacks?
  • History addresses the question of what has the potential threat element (aggressor) done in the past and how many times?
  • Intention addresses the question of what does the potential threat element hope to achieve?
  • Targeting addresses the question of do we know if an aggressor is performing surveillance on our assets?
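To show how the two vocabularies can be used together, here is an added example (not code from the original post, Sandia Labs, or any of the organizations named): it records an "Incident" under the seven Sandia categories listed above, refuses records that leave a category empty or use an attacker or objective term outside the taxonomy, and then rolls a set of incidents up into the five factors (Existence, Capability, History, Intention, Targeting). The mapping from incident fields to factors, the `aggressor` label, and the sample incidents are all assumptions made for this illustration.

```python
"""Added example: bridging the Sandia Labs incident taxonomy with the
five-factor threat assessment.  The field-to-factor mapping and all
sample data below are constructed for illustration."""
from dataclasses import dataclass

# Sandia Labs attacker and objective sub-categories quoted in the post.
ATTACKERS = {"hacker", "spy", "terrorist", "corporate raider",
             "professional criminal", "vandal", "voyeur"}
OBJECTIVES = {"challenge/status/thrill", "political gain",
              "financial gain", "damage"}
# The seven top-level incident categories.
CATEGORIES = ("attacker", "tool", "vulnerability", "action", "target",
              "unauthorized_result", "objective")


@dataclass(frozen=True)
class Incident:
    attacker: str                    # Sandia attacker category
    tool: str
    vulnerability: str
    action: str
    target: str
    unauthorized_result: str
    objective: str                   # Sandia objective category
    aggressor: str                   # tracked group label (assumed field)
    surveillance_seen: bool = False  # reconnaissance observed beforehand?


def validate(inc: Incident) -> bool:
    """An incident only carries meaning with all seven categories filled
    and the attacker/objective drawn from the taxonomy; raise otherwise."""
    missing = [c for c in CATEGORIES if not getattr(inc, c)]
    if missing:
        raise ValueError(f"incident missing categories: {missing}")
    if inc.attacker not in ATTACKERS:
        raise ValueError(f"unknown attacker category: {inc.attacker!r}")
    if inc.objective not in OBJECTIVES:
        raise ValueError(f"unknown objective category: {inc.objective!r}")
    return True


def is_valid(inc: Incident) -> bool:
    """Boolean wrapper around validate() for callers that prefer no exception."""
    try:
        return validate(inc)
    except ValueError:
        return False


def describe(inc: Incident) -> str:
    """Render the incident as one chain through the seven categories."""
    validate(inc)
    return (f"{inc.attacker} used {inc.tool} against {inc.vulnerability} "
            f"to {inc.action} {inc.target}, causing {inc.unauthorized_result} "
            f"for {inc.objective}")


def threat_profile(incidents) -> dict:
    """Aggregate incidents per aggressor into the five factors.
    Assumed mapping: attacker category -> Existence; tool, vulnerability and
    action -> Capability; incident count -> History; objectives -> Intention;
    targets plus any observed surveillance -> Targeting."""
    profiles: dict = {}
    for inc in incidents:
        validate(inc)
        p = profiles.setdefault(inc.aggressor, {
            "existence": set(), "capability": set(), "history": 0,
            "intention": set(),
            "targeting": {"targets": set(), "surveillance": False}})
        p["existence"].add(inc.attacker)
        p["capability"].update({inc.tool, inc.vulnerability, inc.action})
        p["history"] += 1
        p["intention"].add(inc.objective)
        p["targeting"]["targets"].add(inc.target)
        p["targeting"]["surveillance"] |= inc.surveillance_seen
    return profiles


# Constructed sample incidents for illustration only.
SAMPLE = [
    Incident("professional criminal", "credential-stuffing script",
             "reused passwords", "read", "payment database",
             "disclosure of card data", "financial gain", "group-A"),
    Incident("professional criminal", "phishing kit", "untrained staff",
             "authenticate", "mail server", "account takeover",
             "financial gain", "group-A", surveillance_seen=True),
    Incident("vandal", "defacement tool", "unpatched CMS", "modify",
             "public web site", "corrupted content", "damage", "group-B"),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(describe(inc))
    for who, profile in threat_profile(SAMPLE).items():
        print(who, profile)
```

Run stand-alone, it prints one descriptive chain per sample incident and then a per-aggressor profile; `group-A` ends up with a History of 2, a Capability set spanning both tools, and Targeting flagged because surveillance was seen before one of its incidents. The point is that the five factors become answerable only because every incident record was forced to carry all seven categories first.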
Two years later, the Washington Post reports:

By Ellen Nakashima, Published: November 14
President Obama has signed a secret directive that effectively enables the military to act more aggressively to thwart cyberattacks on the nation’s web of government and private computer networks.
Presidential Policy Directive 20 establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace, according to several U.S. officials who have seen the classified document and are not authorized to speak on the record. The president signed it in mid-October. The new directive is the most extensive White House effort to date to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyberwar and cyberterrorism, where an attack can be launched in milliseconds by unknown assailants utilizing a circuitous route. For the first time, the directive explicitly makes a distinction between network defense and cyber-operations to guide officials charged with making often-rapid decisions when confronted with threats.
The policy also lays out a process to vet any operations outside government and defense networks and ensure that U.S. citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed.

“What it does, really for the first time, is it explicitly talks about how we will use cyber-operations,” a senior administration official said. “Network defense is what you’re doing inside your own networks. . . . Cyber-operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”
We believe that as our cultures, countries, agencies and professionals work together on Information Operations (IO) and online counter-terrorism initiatives, we are going to have to develop a solid taxonomy. It will provide the foundation for our clear and accurate risk management methodologies and incident management systems, being developed by relevant organizations in mutual collaboration.

Once we have accomplished this fundamental understanding, then true Critical Infrastructure Protection (CIP) cooperation and coordination will occur.