Thoughts, Musings, and Other Items from the Worlds of Infosec, ICS, and Beyond

A Tale of Two Attributions

19 and 20 December 2018 will likely blend into the overall insanity of the entire year, especially when considered from a US/UK political perspective. Yet these dates, aside from being consecutive, also featured an interesting juxtaposition in the world of cybersecurity threat intelligence. On 19 December 2018, the company Area1 Security in conjunction with the New York Times (NYT) released a report blaming the People’s Republic of China (PRC) for intrusions into European Union diplomatic Read more

By Joe, ago

CozyBear – In from the Cold?

On 15 November, something long-awaited (and presumably expected) came to pass in the information security community – CozyBear/APT29/CozyDuke/”The Dukes”/”Office Monkeys” were (or seemed to be) back. Subsequent reporting defined the scope of the event: a large phishing campaign on 14 November targeting multiple organizations spanning “military agencies, law enforcement, defense contractors, media companies and pharmaceutical companies,” among other entities. The campaign itself offered a number of items that screamed attribution to CozyBear – reuse of Read more

By Joe, ago

Strategic Communication and Cyber Attacks

When reporting on cyber-attacks, articles and media frequently (if not exclusively) focus on the damage or immediate result: how many machines were impacted, how much data was compromised, or what (if any) physical consequences emerged from the event. The latter is especially the case with ICS-focused attacks, from Stuxnet to CRASHOVERRIDE to TRISIS. While this emphasis is understandable and obvious, it also obscures or ignores an important aspect that serves as either a significant secondary Read more

By Joe, ago

CRASHOVERRIDE: When “Advanced” Actors Look Like Amateurs

The CRASHOVERRIDE event is significant for many reasons: it represents the first-known malware-directed attack on civilian power systems; and it represents a worrying escalation in operations against Ukrainian critical infrastructure. Yet for all its conceptual boldness in expanding cyber attack operations within industrial control systems (ICS), at a technical, practical level the attack in many respects exhibited many mistakes, errors, and outright failures in execution. When examining the event, those interested in ICS security should Read more

By Joe, ago

Speculation and Judgment

Recently I engaged in conversation with Dale Peterson dealing with the gas explosion events in Massachusetts. For background, following the event in question there were multiple unfounded claims of a “cyber” cause behind these events followed by significant pushback from various ICS security experts. Where Dale and I enter the picture and disagree concerns reported comments from the American Gas Association (AGA) via Blake Sobczak: “…the information we have seen reported in the media is Read more

By Joe, ago

Threat Profiling and Adversary Attribution

Recently I was part of a Twitter conversation that started with excellent points on profiling and managing threats that led to some good comments on the value of “who-based” attribution. If you’ve followed this blog and my related works, you will know that I already have strong feelings on the concept of threat profiling and really enjoy discussing the subject – to the point where I’m building a two-day class on the idea applied to Read more

By Joe, ago

YARA for Hunting

YARA – or “yet another regex alternative” – is a pattern matching tool with multiple uses but extensive application in malware analysis and alerting. The framework itself is simple, relatively easy to understand (especially on basic string matching), and incredibly flexible. Yet in application and advertised use, YARA is often limited to a signature-like use after very specific examples of malicious software. While this is not a “bad” use per se, it is artificially circumscribed Read more

By Joe, ago

Semi-Controlled Chaos

Black Hat/DEF CON week is upon us again. While many poke fun at RSAC (an issue I addressed earlier this year), the annual “Hacker Summer Camp” in Las Vegas is rapidly approaching (or eclipsing) the size of RSA while also becoming more “commercial” and “marketing-oriented” with each passing year. While the technical content at these events – in terms of talks, workshops, and demos – far exceeds any other huge event in North America, there Read more

By Joe, ago

Making the Case and Its Implications

The United States Department of Justice (DOJ) released a powerful – and incredibly detailed – indictment of 12 named individuals working for the Russian GRU. While many will see this as similar to the indictment of several Chinese nationals for spying in 2014, the cases seem far different in my opinion. For one, the sheer level of released technical and operational detail serves not just a “name and shame” function but also broadcasts quite clearly Read more

By Joe, ago

The Impermanence of Things and Attribution

I had the pleasure to engage some really smart people on the subject of threat attribution and naming conventions via Twitter recently. I think the linked thread is useful as an example not only of some of the issues the cyber security community still has around terminology and definitions, but also a really great example of how to disagree in a civil and constructive way on a topic that usually spirals quickly into unpleasant discussion. Read more

By Joe, ago