Active Response

Always A Bad Day For Adversaries


Comments on US-CERT Grizzly Steppe Enhanced Analysis Report

On 10 February 2017, US-CERT released “Enhanced Analysis of GRIZZLY STEPPE Activity” (AR-17-20045).

Overall Quality

This report differs from the first (GRIZZLY STEPPE – Russian Malicious Cyber Activity) and is not so much an update as a companion. It does not suffer from the problems of the first release, which tried both to back a poorly executed joint statement and to satisfy a range of audiences (e.g., mixing geopolitical topics with technical details). Instead, it focuses on network defenders, using a layout and language common to that community. The lack of any press release around this report is likely because it has little applicability to a broader audience, and because there was no earlier joint statement to support.

The quality of this report is much higher, potentially illustrating more care and the lessons learned from the first reports. It also does not suffer from the overbearing editing and joint agency review process that was evident in the earlier releases.

Network Defense Value

Technically, the most valuable addition is a well-documented kill chain narration that allows defenders to better understand the behaviors of these adversaries and to develop detection and mitigation tailored to their own environments. As always, deploying the detection rules of others without review is a danger; each organization will have to assess the rules included in the report against its own environment before deploying them.

The mitigation recommendations are general but match up well with the described adversary behavior, and an organization that includes these adversaries in its threat model should take them seriously. Other organizations should probably continue following the Australian Signals Directorate's "Strategies to Mitigate Cybersecurity Incidents," especially the "Top 4" and the "Essential Eight."

Leaving Microsoft After 3 Years

After over three years I’ve left Microsoft to pursue two amazing opportunities.

Some Words About Microsoft

Sergio on Microsoft campus in Summer 2016

When I started at Microsoft my mother said to me, "Microsoft?! I thought you hated them." She was right – pre-2003 Microsoft didn't have their security act together, and it frustrated me, forming a poor opinion of the company. However, not only has that changed, but they are now one of the most advanced and important companies in the security space. Many people still talk down about Microsoft security, but I can tell you – that crew contains some of the smartest and hardest working security professionals I know – and they become just as frustrated when things don't go perfectly.

When I was considering joining in the first place, a good friend, John Lambert, sold me easily on Microsoft – "Microsoft controls the physics." Controlling the physics means that for a large part of the world's computers, adversaries can only operate within the parameters of Microsoft products and services. Microsoft can and does make it harder for adversaries to operate at a global level. Very few other companies can. This is powerful. As a security professional within Microsoft, you can influence the security of billions of customers.

I've come away from Microsoft having learned how to ship product, having met hundreds of C-suite executives and learned their perspectives and challenges, having learned approaches for security analytics in REALLY BIG DATA, and having made the internet just a little safer for billions. I cannot recommend the company enough for security professionals. They have big-company challenges, but their family-friendly and mission-focused culture is unique. You can do big things and also enjoy a life outside of work.

Why I left – Where I’m Going

I'm driven by a simple motivation: do as much good as possible. Obviously, at Microsoft, I affected the security of billions. But other problems abound. Currently, I see two major threats to humanity requiring my attention: threats to critical infrastructure and threats to human life from human trafficking. I'm now working part-time on both problems.

Global Emancipation Network

In March 2016 I began serving as Technical Director for the non-governmental organization (NGO) and non-profit Global Emancipation Network. Human trafficking is a massive human rights issue. At least 20 million and as many as 50 million people are enslaved globally, but only 77,000 are rescued per year. This is a devastating gap that must close. But there is an opportunity. Like any other business, human traffickers use the internet to increase their effectiveness and efficiency – and that dependence is also a vulnerability we can leverage against them.

The NGO collects global data on human trafficking on the internet and, leveraging analytics and big-data approaches, enables intelligence and operations to stop traffickers and rescue victims. Interestingly, combating traffickers on the internet and hunting hackers are very similar, and we're using many of the same techniques in both domains. I'm excited to have the opportunity to spend more time on this problem and save millions of lives.


Sergio next to Dragos ICS equipment

My second, equally amazing, opportunity began on 1 January 2017. I joined Dragos, Inc. as Director of Threat Intelligence and Analytics. Dragos develops solutions to secure industrial control systems, a heavily underserved but massively important domain. Industrial control systems underpin the networks and systems running the most critical functions such as power, water, and sewer, not to mention the many hundreds of other important domains such as pharmaceutical manufacturing. These networks and systems enable civil society and are usually classed as life/safety critical systems. When they fail, people die, services cease, and chaos abounds.

I'm proud to join Dragos in working to safeguard civilization. I'm hunting threats targeting and affecting critical infrastructure while delivering the intelligence necessary to enable good decision making. I'll work to cut through the FUD surrounding critical infrastructure threats and empower the ICS operator and security community with fact-based knowledge and perspective.

What It Takes to Fight the Hackers

I've practiced cyber security for 10 years. Not as long as some, but longer than most. I don't consider myself an expert because I don't believe the field is mature enough to identify an expert. But I've fought many battles with the adversary. I've felt elated success and stinging failure. I have my share of war stories. I struggle regularly with ethics and moral dilemmas. I try to stay true to the simple promise I made to myself many years ago: always use my powers for good.

I read a very well written article, "What it Takes to Fight the Terrorists," on the psychological impact of working counter-terrorism for years: the toll of the long hours, the moral dilemmas they face daily, and the stress imposed by the cost of failure.

I am not going to sit here and preach that the stress of an intrusion analyst or network defense operator is the same – it is not. At the moment there are real costs to our failure, but none as great as those caused by terrorists. We don't have to wake up and see the results of thousands of innocents dead and question why we could not stop it.

But I'm afraid that one day we will. As our systems become even more interconnected and a greater number of life-safety and community-critical systems become connected, there is a strong possibility that a hacker, intentionally or not, will cause large-scale loss of life. See my earlier article as an example. Instead of the smell of the site of a terrorist bombing, maybe we will instead be left with the image of an exploded power plant caused by someone behind a computer half a world away.

Maybe one day there will be a cyber equivalent to 9/11 and those of us who could have stopped it will plumb the depths of our being to answer why we did not stop it.  On that day, as with 9/11, the world will change.

They call cyber security the new counter-terrorism, the new nuclear threat for the next 20 years. I'm afraid that one day this article will be written about us. But until that time, we must learn from our counter-terrorism colleagues – from their courage, fortitude, successes, and failures.

Two Computer Security Experts Jailed for Failure to Prevent Hospital Hack

Washington DC – After a major computer attack on a hospital network by a relatively unknown hacker caused the death of three patients, there were many questions. Why did the hacker do it? Was the hospital doing enough to protect its patients? Why wasn't the security good enough to prevent the attack?

Now that the trial has concluded we have some more answers, but many questions still remain. First, we know that the hacker did not intend to attack a hospital. He thought he was attacking a bank network as part of a protest movement. He was relatively unskilled, using complicated but effective tools downloaded from the Internet. He successfully surveilled the bank network, but when it was time for the attack he mistakenly typed in a wrong number for his target, unknowingly sending his tools to attack a hospital network.

The computers managing the newly installed electronic patient records, which included medication and dosage, went down, causing confusion throughout the hospital. The records, which normally hold critical information about a patient's medical history, allergies, and current state, were now gone. Doctors and nurses on the day shift did not know the correct dosage, or even the correct drug, that had been prescribed during the night shift. This led to three patients being given either an overdose or another drug entirely, causing a serious, and fatal, reaction.

The hacker was sentenced last month to life in prison for the criminally negligent manslaughter of the three patients. However, in a turn of events, the two network security experts who were charged with the protection of the hospital's network are now in jail facing 10 years for their failure to prevent the attack.

Prosecutors argued that the security experts should have detected and prevented the attack well before the damage to the hospital record system. They were specifically trained to do so and were in the best position of anyone to detect the hacker and judge the risk. Yet their failure to do so put the lives of every patient in the hospital at risk and eventually caused the death of three.

The defendants argued that the network was far too large and complicated to be effectively defended and that they could not have predicted every possible attack and its consequences.

In the end the jury agreed more with the prosecution than with the defendants. What long-term consequences this holds is still unknown.

This is, of course, a fictitious story based on the real case of the jailed Italian scientists who were convicted of failing to effectively communicate the risk of a major earthquake. Around 300 people died in that earthquake. As they say, hindsight is 20/20. Looking back, one could easily say that the earthquake was imminent given the signs. But those same signs occur in many places around the world daily without a large earthquake immediately following.

After reading the story of the earthquake scientists, I could not help but think of the many scenarios where, as security professionals, we are asked to assess the risk to, and ultimately prevent damage to, life-safety and national-security-critical networks and systems. What if we were wrong and people died? Leaving aside the guilt I could imagine feeling, would society at large hold us responsible? Should we be held responsible?

I think back to my time studying computer ethics and the various ethical codes I have signed in my life, agreeing to act responsibly, take responsibility for risk, and make good decisions. Yet bad things happen. And I cannot say whether society would judge my work good enough in such a situation.

We are the experts.  We are being paid to make the right decision in the protection of our networks.  There is nobody in a better position than us to make those decisions.  We know the network.  We know the systems.  We know the threat.  Yet we still fail.

Will our failure become so great one day that we are held to account for the death of innocents based on our faulty risk assessments and ineffective defenses?

Let us hope not.
