Thoughts, Musings, and Other Items from the Worlds of Infosec, ICS, and Beyond

Strategic Communication and Cyber Attacks

When reporting on cyber-attacks, articles and media frequently (if not exclusively) focus on the damage or immediate result: how many machines were impacted, how much data was compromised, or what (if any) physical consequences emerged from the event. The latter is especially the case with ICS-focused attacks, from Stuxnet to CRASHOVERRIDE to TRISIS. While this emphasis is understandable and obvious, it also obscures or ignores an important aspect that serves as either a significant secondary Read more

By Joe, ago

CRASHOVERRIDE: When “Advanced” Actors Look Like Amateurs

The CRASHOVERRIDE event is significant for many reasons: it represents the first-known malware-directed attack on civilian power systems; and it represents a worrying escalation in operations against Ukrainian critical infrastructure. Yet for all its conceptual boldness in expanding cyber attack operations within industrial control systems (ICS), at a technical, practical level the attack in many respects exhibited many mistakes, errors, and outright failures in execution. When examining the event, those interested in ICS security should Read more

By Joe, ago

Speculation and Judgment

Recently I engaged in conversation with Dale Peterson dealing with the gas explosion events in Massachusetts. For background, following the event in question there were multiple unfounded claims of a “cyber” cause behind these events followed by significant pushback from various ICS security experts. Where Dale and I enter the picture and disagree concerns reported comments from the American Gas Association (AGA) via Blake Sobczak: “…the information we have seen reported in the media is Read more

By Joe, ago

Threat Profiling and Adversary Attribution

Recently I was part of a Twitter conversation that started with excellent points on profiling and managing threats that led to some good comments on the value of “who-based” attribution. If you’ve followed this blog and my related works, you will know that I already have strong feelings on the concept of threat profiling and really enjoy discussing the subject – to the point where I’m building a two-day class on the idea applied to Read more

By Joe, ago

YARA for Hunting

YARA – or “yet another regex alternative” – is a pattern matching tool with multiple uses but extensive application in malware analysis and alerting. The framework itself is simple, relatively easy to understand (especially on basic string matching), and incredibly flexible. Yet in application and advertised use, YARA is often limited to a signature-like use after very specific examples of malicious software. While this is not a “bad” use per se, it is artificially circumscribed Read more

By Joe, ago

Semi-Controlled Chaos

Black Hat/DEF CON week is upon us again. While many poke fun at RSAC (an issue I addressed earlier this year), the annual “Hacker Summer Camp” in Las Vegas is rapidly approaching (or eclipsing) the size of RSA while also becoming more “commercial” and “marketing-oriented” with each passing year. While the technical content at these events – in terms of talks, workshops, and demos – far exceeds any other huge event in North America, there Read more

By Joe, ago

Making the Case and Its Implications

The United States Department of Justice (DOJ) released a powerful – and incredibly detailed – indictment of 12 named individuals working for the Russian GRU. While many will see this as similar to the indictment of several Chinese nationals for spying in 2014, the cases seem far different in my opinion. For one, the sheer level of released technical and operational detail serves not just a “name and shame” function but also broadcasts quite clearly Read more

By Joe, ago

The Impermanence of Things and Attribution

I had the pleasure to engage some really smart people on the subject of threat attribution and naming conventions via Twitter recently. I think the linked thread is useful as an example not only of some of the issues the cyber security community still has around terminology and definitions, but also a really great example of how to disagree in a civil and constructive way on a topic that usually spirals quickly into unpleasant discussion. Read more

By Joe, ago

Perception is Reality

Nate Beach-Westmoreland wrote a Tweet recently that piqued my interest, as it aligned very closely to one of my major concerns in a former IR position: how does one ensure that sensitive data isn’t manipulated? Typically, cyber defense focuses on two key impacts: the loss or theft of sensitive (or otherwise valuable) information, or the inability to access such information (via ransomware or a destructive wiper). Less often discussed – but in certain environments potentially Read more

By Joe, ago

Sources and Methods to the Madness

The term “sources and methods” brings passionate, sometimes pained reactions within the information security community. On the one hand, there are those engaged in traditional intelligence operations for whom “sources and methods” are vital resources, to be maintained and preserved at almost any cost to ensure continuous collection. Contrary to this, those engaged in operations and active, day-to-day defense, find “sources and methods” to be immaterial if they prevent or inhibit sharing information that could Read more

By Joe, ago