Thoughts, Musings, and Other Items from the Worlds of Infosec, ICS, and Beyond

Extracting Community from the Communitarian

Many public discussions on information security tend to identify or claim the existence of an “information security community”. On its face, this seems a rather innocuous term that merely designates a collective of individuals dedicated toward relatively similar goals or ends – yet when delving a bit deeper, the term brings with it a host of additional considerations that make the flippant referrals to such a construct seem either misguided or profoundly misunderstood. Before proceeding, Read more

By Joe, ago

A XENOTIME to Remember: Veles in the Wild

“When I use a word,” Humpty Dumpty said, in rather a scornful tone, “it means just what I choose it to mean—neither more nor less.” – Through the Looking Glass, Lewis Carroll FireEye recently published a blog covering the tactics, techniques, and procedures (TTPs) for the “TRITON actor” when preparing to deploy the TRITON/TRISIS malware framework in 2017. Overall, the post does a commendable job in making public findings previously only privately shared (presumably by Read more

By Joe, ago

Adversary Attribution: It’s ‘Complicated’

Recently Juan Andreas Guerrero-Saade and Silas Cutler presented new research on the cluster of activity encompassing Stuxnet, Duqu, and Flame at the Kaspersky Lab-sponsored Security Analyst Summit. (Note for those reading this from US, Canadian, and related government networks: accessing the research link previously will display potentially leaked, non-public information which could be construed as a spillage event, so click with caution depending on where you are.) The technical analysis accompanying this work is quite Read more

By Joe, ago

The Peril of the Mittelstand and the Possibilities of Competitive Advantage

In Germany (as well as Austria), there is a type of company referred to as the “Mittelstand”. Generally speaking, these are small- to medium-sized companies, non-public and typically family-owned, providing technical expertise (if not excellence) in a specific niche, usually manufacturing or engineering oriented. Although small, such organizations have outsized influence on much larger organizations by providing critical technical capability in very specific areas such as tool and die work, specialty manufacturing, machine tool production, Read more

By Joe, ago

The Devil’s in the Algorithm

I attended an interesting presentation at the EnergySec Pacific Rim summit discussing the role of machine learning and artificial intelligence (ML/AI) in network security and ICS operations. The talk was mostly an overview of potential applications and niches for ML/AI within these spaces, which in itself is refreshing as ML/AI is frequently touted as a dramatic, overall solution for numerous security problems as opposed to just another tool in the information security toolbox. More importantly, Read more

By Joe, ago

Network Security is Like an Ogre – It Has Layers

A common statement heard in information security circles these days is “the perimeter is dead.” The concept behind the statement is simple and seemingly obvious. Historically, security professionals only dealt with two networks: the “home” network (which was managed, safe, and trusted) and the “outside” or “external” network (regarded as risky, if not outright dangerous, and uncontrolled). Separating these two was the “perimeter” – the classic example of a firewall governing what traffic is permitted Read more

By Joe, ago

Moral Responsibility, Weakness of the Will, and the Information Security Profession

The concept of praise and blame – or moral responsibility more generally – is a central concept in ethics that features many responses. Of note in evaluating various approaches to the problem is the concept of human fallibility in the face of ethical decision-making. For Aristotle, humanity is intrinsically flawed due to the experience of emotion and feeling, resulting in a “weakness of the will” (akrasia) – thus an individual may very well know or Read more

By Joe, ago

Electric Sector Targeting in Context

As we move into late December (I started writing this on 23 December 2018), all eyes in the information security and especially the industrial control system (ICS) security space typically turn to Ukraine. In 2015 and again in 2016, malicious entities – likely Russian in origin – gained access to and successfully manipulated Ukrainian electric distribution and transmission (in 2015 and 2016, respectively) to create outages within the greater Kiev/Kyiv region. The last two years Read more

By Joe, ago

A Tale of Two Attributions

19 and 20 December 2018 will likely blend into the overall insanity of the entire year, especially when considered from a US/UK political perspective. Yet these dates, aside from being consecutive, also featured an interesting juxtaposition in the world of cybersecurity threat intelligence. On 19 December 2018, the company Area1 Security in conjunction with the New York Times (NYT) released a report blaming the People’s Republic of China (PRC) for intrusions into European Union diplomatic Read more

By Joe, ago

CozyBear – In from the Cold?

On 15 November, something long-awaited (and presumably expected) came to pass in the information security community – CozyBear/APT29/CozyDuke/”The Dukes”/”Office Monkeys” were (or seemed to be) back. Subsequent reporting defined the scope of the event: a large phishing campaign on 14 November targeting multiple organizations spanning “military agencies, law enforcement, defense contractors, media companies and pharmaceutical companies,” among other entities. The campaign itself offered a number of items that screamed attribution to CozyBear – reuse of Read more

By Joe, ago