Tuesday, March 7, 2023

Artificial Intelligence Opportunities

I'm an Artificial Intelligence (AI) and technology (in general) optimist. That means I believe the positive outcomes will outweigh the negatives. AI is a type of new tech with significant potential to reduce or eliminate mundane (or even interesting) human operations such as checking out products when shopping in person, driving a car, working in a warehouse, identifying skin conditions, and many more. Since my last blog post we've seen Dall-E 2, Stable Diffusion, self-driving cars and ChatGPT move from experimental phases into real-world operations.

I'm not naive: with any significant advancement of society we have seen associated downsides, and AI will not be without valid detractors. I'm still waiting for an AI company to drastically address the challenges we see in cyber security, from hiring/training, automating data analysis, detecting threats, remediating systems, or conducting investigations. It's happening slowly, although the marketers have been hyping it for almost a decade now.

Some people are afraid of Artificial Intelligence (AI) and losing jobs, or worse, some sort of digitally induced Armageddon. There are lots of reasons for this; we have centuries of history where people claimed we would run out of food, or that assembly lines meant humans were not needed anymore. And while technology has brought many orders of magnitude improvements in productivity and quality of life, it has also yielded weapons and digital addictions.

As an investor I'm investing in AI-focused or AI-enabled companies more often now (firms like Piction Health and Spiky). I love how the field is automating the mundane, unlocking new capabilities and has transformative potential to address challenges in society. From enabling first-time entrepreneurs to rapidly build a no-code system, to software engineers producing more code in the same time (and being happier!), to people being productive while their car drives itself (and reducing fatalities at the same time!), there is a lot to love.

There are numerous areas of application with significant potential to improve the human condition. I've decided to focus all my efforts on one area that is less impactful to humanity but nonetheless an exciting opportunity: sports. By using AI to automate the mundane tasks of collecting stats, recording video of games, editing highlight clips, and analyzing performance, we can democratize access to many tools currently restricted to the wealthy or elite. I've played basketball for over 30 years and all of my children play (and have played other sports like soccer), so my wife and I have served as sports parents and I've coached for almost 15 years. There is massive potential to improve players, save money, have more fun, and help poorer players get better tools and exposure by applying AI (and a specialty/subset field called computer vision).

In 2021 I founded SportsVisio, a sports technology company using AI/computer vision to automatically create stats, highlights and analytics for sporting events. We are starting with basketball and expanding to other sports over time. I'm excited about our potential to help players, parents and coaches, but for me the goal is really more about building a great company that allows us to drive financial resources to high impact charities. After selling Siege Technologies my wife and I set up a foundation to find and support charities having a tremendous, cost effective impact on the marginalized in society. It's an incredible blessing to get to do so, and it motivated me to "get off the couch" and get back into the game as an entrepreneur to try to grow what we're able to distribute over time. There are still so many needs in the world and a thousand dollars can have massive impact (especially in third world countries).

It's been fun to work in an area that non-computer science majors like my kids can understand! And wonderful to not have to sell to the 500 overworked Fortune 500 CSOs who are bombarded by sales pitches from cyber security firms around the world. Working in an area with virtually no high-tech competition is different, and it's exciting to feel like you're charting new ground. There are many industries that have done things the same way for decades or even centuries that will be disrupted by the rapid advances in AI; I'm looking forward to being in one of them.

Tuesday, April 27, 2021

Getting into Cybersecurity


A common question hackers or security professionals get asked by others is "how do I learn how to hack" or "how do I get into cyber security". It's a complicated question because everyone has different skills, expectations, goals, and motivations, and the field has more than one "right answer".

I was asked that again recently by a young man who is studying computer science and is interested in cryptography and protocols, so I gave him a more low-level, technically focused answer. But there are many paths into the field and not everyone does 0-day exploits or zero-trust systems! Hopefully this list is useful to those looking for resources and ways to get into the field, though.

One thing I'd share for a more general audience is the number of support groups that exist to help different communities: there are 35+ initiatives to assist women entering the field, ten organizations centered around diversity in cybersecurity, groups teaching kids to code, and resources to train veterans in cybersecurity.

My email is below:

It's hard to provide useful advice without context of what you're looking for in security. Given you're a CS major who likes crypto and protocol design, I'll focus my advice on the technical aspect of security (which was my focus). But many choose to focus on the IT/DevOps side, training, analyst work, infrastructure, development, etc. I liked the hacking/crypto/reverse engineering/exploit/research portions, and my advice below will be slanted that way:

I'd encourage you to learn as much low level stuff as you can (assembly, exploits, reverse engineering (tools like IDA Pro, Ghidra, and my personal favorite, Binary Ninja), protocol analysis, fuzzing, memory analysis/forensics, etc.). The more of that you know, the better equipped you will be to tackle the hardest/most valuable problems in cyber security (and the more interesting/fun/lucrative it is, IMHO!)
 
For news, I used to get the SANS Newsbites email, which was solid. There's a great Twitter account/email I get now called TLDR Security, which is mostly focused around vulnerability research and application/cloud security but includes lots of other good content and is well written. There are a number of lists on Twitter for security too, by category (infosec, appsec, pentesting, etc.). Personally I just started following some people I knew and leaders in the field, seeing who they shared/followed, and built it from there. I had to prune (still do) as some of them are jerks or just rant about politics or whatever, but there are some great ones out there too. Here's a decent starter list, but I'd add a ton (@DinoDaiZovi, @HalvarFlake, @DaveAitel, me (@jsyversen), @ErrataRob, etc.). There are Slack groups set up around particular topics you want to learn about... for example, if you are getting into reverse engineering and using Binary Ninja, they have an excellent Slack that's very active and informative.

Capture the Flag competitions (CTFs) are a great way to learn the offensive/defensive side of the domain; there are a ton of online/virtual ones as well as in-person ones you can attend. And of course Blackhat and other conferences (there are probably over a thousand at this point) are good places to learn and meet others in the field. This site claims to offer a spreadsheet listing them; there are 51 listed here.

There are tons of reverse engineering challenges online too. Here's a great site with reverse engineering puzzles you can download and try out; they get progressively harder.

This is a helpful site with information on how to get started in hacking (mindset, resources, places to go, networking, etc.)

This wasn't around when I was learning, but now you can watch YouTube channels or Twitch streams from people talking about hacking (Twitch stream example).

Here's a random list of resources on red teaming, lots of good stuff in there.

There's even an entire genre of people now developing games to help teach cybersecurity concepts: 6 games here, 10 games here, and Immersive Labs, but there are many others out there and more coming. My personal favorite is Pwnie Island, an FPS you can only beat by learning how to hack the game itself to get past certain challenges that are otherwise unbeatable.

Once you get decent at it, you can start focusing your energy on legally hacking certain products, submitting the bugs you find, and getting paid! Some people make $50-100k+ doing this as a fun side project. Sites that enable you to do that include HackerOne, and there's a full list of bug bounty programs from Bugcrowd too.

Forbes Global CyberSecurity Spend
Hope this is helpful, let me know if you have other, specific questions. As you get further along I can definitely point you toward more resources as you dig deeper.
 
There are tons of jobs out there for sharp people who are motivated; estimates put the number of unfilled cybersecurity jobs at 3.5 million in 2021, and the field has been growing and is expected to continue doing so for quite a while, as shown in the graphic.
 
Good luck!
 


[Edit] I posted this and asked for some feedback, and got some good suggestions I wanted to include below. First, here's another person's approach to answering this same question, with more effort spent on the "getting a job" portion. He seems to have more of an IT/sysadmin perspective versus my path/interest (more of the hacker/0-day researcher side), but honestly that's probably more useful for more people.

Along that line, David Brumley suggested describing ways to engage the community. While this is helpful for building up your reputation/network, you also learn a lot just by doing and by helping teach others. Possible ways to get involved range from volunteering to help at a security conference (there are tons, and virtually none of them make money for the organizers), helping organize a CTF, releasing tools you write as open source or helping improve other people's tools, mentoring younger people who are earlier in their journey than you are (particularly people from disadvantaged backgrounds!), finding meetups in your area, etc. I'm sure there are tons of other ways!

Erik Cabetas is a big fan of the Over The Wire games, as they offer a ton of free online games that teach tools and hacking techniques. He also pointed out there are huge communities of people interested in security on Reddit you can connect with.

Clint Gibler from TLDR Security (an excellent newsletter you should totally get) had some great career tips in his last one that I thought I'd include below as well:

How To Start Bug Bounty For Beginners
A number of talks and resources by @securibee.

How to land your first job as a bootcamp grad
By Netflix Senior Engineer Scott Moss.

How I Would Get My First Cybersecurity Job If I Had Zero Experience Or Education!
By Cybersecurity Meg.

Remote Hunt
Find remote jobs.

tadwhitaker/Security_Engineer_Interview_Questions
By Tad Whitaker: A deduplicated list of questions asked during security engineer interviews based on Glassdoor.com, covering: encryption and authentication, networking and logging, OWASP Top 10 and AppSec, databases, tools and games, programming and code, and compliance.

 

Tuesday, September 15, 2020

Engineer -> Cyber -> Startup -> ... Politics?

 

Bloomberg photo of me looking serious in front of computers.

As I wrote in my last post, I've decided, despite spending my entire career in technology (and almost all of it in cyber security), to run for public office. It's not a typical path, and it's not one I suspect is permanent. I outlined some of the reasons I decided to run in my earlier post, so I won't repeat them here. What I did want to do is spell out some of the things I think an engineer/nerd/tech-person/hacker/etc. brings to the table from a skill set/perspective point of view, along with some tech-focused goals. You can see my specific career trajectory on LinkedIn, and although I've been fortunate to have a really cool career, I honestly believe that many of the technical people I've worked with share most if not all of the aptitudes I describe below. A few of them are unique to cyber folks, and a few are also specific to hackers, but most I think apply across members of the engineering/technology fields.

Aptitudes

  • Analytical mindset
  • Ability to work with numbers/large data sets/statistics/budgets/finances
  • Ability (love?) of reading specs, protocol docs, legal documents, prior art, etc.
  • Ability to focus on facts and not just the emotional component to complex issues
  • Strategic mindset looking at long term implications and not just short term
  • Understanding of computers and technology and software
    • How they're built and how to build them
    • How to use them effectively
    • How to hack/exploit them. And how to (mostly) secure them
    • How to communicate about technical topics to non technical people
    • How and when to apply technology and when to focus on people/process
  • Importance of STEM education
  • How technology drives jobs, education, economic growth, and organizational efficiency
  • Ability to deal with people who passionately take a position and focus on common ground and how to bridge the communication divide. (Linux vs. Windows, Emacs/Vim, SW or HW problem, etc.!)
  • How cyber security affects policy (voting, privacy, corporate liability, government IT spending, etc.)
  • Strong work ethic
  • Seeing new ways of doing things, inventing new ideas.
  • Love of learning, digging into complicated topics and not looking for easy answers
  • Dissatisfaction with the status quo, finding ways to improve processes.
  • Ability to multi-task (I've been told ADHD is common in hackers, I know I have it!)
  • Rational decision making, processes driven by facts/logic/data and not rhetoric/rumor/etc. 

There are plenty of things engineers ALSO need to have to be an effective politician: a love of people, good interpersonal/writing/presenting skills, empathy/compassion. For me these came from genetics (my extroverted non-engineering mother complemented my Norwegian engineering father nicely!), faith (hard to say you love God if you can't love the people in front of you!) and life (you grow in compassion and empathy as you walk with people who are suffering, experience trauma/difficulties yourself, have children, etc.!)

Tech-Oriented Goals

  • Help secure funding to increase broadband and 5G access across New Hampshire
  • Review and enhance state policies, procedures and technical posture around cyber security, computerized voting, remote education, internal and citizen-facing government software, government networks/systems
  • Ensure the state government works closely with federal agencies to receive and share cyber security threat information and develop policies/procedures for the state and support towns/county-level cyber security posture and programs
  • Pursue right-to-repair legislation that ensures that citizens and companies who purchase products are allowed to repair/maintain those products
  • Increase government transparency and electronic records access to the public
  • Increase the implementation and security around electronic medical records
  • Accelerate the digitization of legacy paper/analog based processes and procedures, such as requesting legal documents
  • Support initiatives to develop enhanced technical literacy in young people (computer science, IT, science/math curriculum) and retraining programs to provide upward/lateral mobility, particularly with under-represented/minority groups
  • Balanced, data driven approach to the increasing use of physical and online surveillance technologies and the inherent tradeoffs between increased security and decreased privacy
  • Analysis of data-ownership models and the application of privacy-preserving technologies to encrypt/anonymize citizen data wherever possible
  • Embrace of digital currency options and new technologies to enhance business/citizen experiences in the state (electronic tolling, online registration, etc.)
  • Support robust, reliable, high quality online learning options Kindergarten through adult educational levels for accredited and unaccredited programs

I'm sure there are plenty of other things that will come up, and of course my focus isn't purely on technical topics. (Low taxes is one I'm fond of!) But that's a good list of things I think about and a unique POV to bring to the capital, leveraging my tech background.

I would love to see others in the tech/security community also get involved in public service, either serving in government or, even better, volunteering for roles such as poll worker, running for local/state office and supporting good people in your communities who do run. If anyone has questions for me about the process, the campaign, issues, etc., feel free to reach out. The easiest way is email or Twitter.

If anyone wants to volunteer or donate to my campaign, I need a ton of support! From my last post: 

"I discovered that the senator currently representing the district (who by all accounts is a very nice guy) is receiving almost $140k a year from a special interest group, lists government "lobbying" and "representation" among his official duties, doesn't recuse himself from matters related to the special interest and in fact puts out press releases bragging about the millions of dollars in benefits that flow back to the special interest. Not coincidentally, the special interest also contributed over $75k to his campaign"

 

Wednesday, August 26, 2020

Latest initiative


In 2016 I fulfilled my dream of starting and selling a successful high tech firm. We built a great team with a high performance culture where we treated customers and employees with respect. Siege Technologies built awesome technologies and made a difference in the world, which was very rewarding.

I left the company in 2019 to focus on investing, advising startups, and philanthropy work full time. By 2020 I was the managing partner at 10X Venture Partners, GP of a small fund (both at 10X and the fund I'm investing for charitable benefit), advising a number of tech firms and serving on numerous charitable boards doing inspiring things like fighting sexual exploitation, poverty, and addiction (and volunteering/advising a few others). It was/is rewarding work and seemed like a great place to be for a while going forward.

But in the summer of 2020, I read a paper arguing that government policies were far more impactful to help the poor than individual philanthropic programs. Minutes after finishing it, two random strangers suggested running for state Senate, coincidentally within 5-10 minutes of each other! Like most people, I didn't have a positive view of politics or politicians and wasn't enthusiastic about the idea at first. Or after a second glance. But after further reflection and numerous discussions, I realized that:

  1. The state Senate is a place that you can make a difference. Numerous important bills came down to a single Senate vote in the last session, and each senator plays a critical role in the direction of the state. NH has over 1.36M people and a budget of over $13B so the impact you can have is much larger than regional charities serving dozens or even hundreds of people. 
  2. If all the good/moral people avoid politics, what can we say if we don't like the people who are in office? Despite the negative views of politicians, there are some good people who serve for the right reasons and not more base drivers like money, career advancement, or pride. And while some may be motivated by greed/anger/extreme ideological reasons or even boredom, there are some who run because they genuinely care and want to give back.
  3. While I've never considered myself a political type, many of the skills I've developed and my strengths and weaknesses will transfer well to a campaign. The campaign trail is much like running a startup and days are consumed with raising funds from "investors", meeting with various stakeholders, learning the regulatory framework, managing operations, building a team, planning and executing a budget, marketing, and trying to attract a large group of people who believe in what you're offering. While serving as a senator will be very different, things like people skills, textual/policy/logical/budget analysis, public speaking, integrity, work ethic, ability to focus on creating "win-win" scenarios, love of others, and conflict resolution will be valuable.
  4. I discovered that the senator currently representing the district (who by all accounts is a very nice guy) is receiving almost $140k a year from a special interest group, lists government "lobbying" and "representation" among his official duties, doesn't recuse himself from matters related to the special interest and in fact puts out press releases bragging about the millions of dollars in benefits that flow back to the special interest. Not coincidentally, the special interest also contributed over $75k to his campaign. 😒 And it's all legal in NH, since senators only make $100/year and we have very lax laws around how elected officials are compensated. When I worked at DARPA, I wasn't usually allowed to accept a free lunch (there were limited exceptions) because of the concern that that free $10 ham sandwich might unduly influence your next contract award... but in NH it's OK to accept 6 digits in personal compensation from groups that lobby for government money while serving as a senator. That's wrong and needs to be fixed.

Filing to run at the state house

As a result of these considerations I decided to run for Senate. I've really enjoyed getting to meet people from around the state and learn more about the challenges and issues facing the state (like COVID-19 and the opioid crisis) and some of the unique aspects of our state/government that make New Hampshire such a great place to live.

I don't plan to put the campaign stuff on this blog; I'll keep it to tech/entrepreneur content. But as a result of the campaign (and hopefully winning/serving!) I suspect I won't be posting as much here for a while, as I'll be posting on the campaign site at syversen4senate.com and on socials on FB and Twitter.

Tuesday, September 24, 2019

Sexy versus common cyber problems



Many people in the cyber security/defense/IT community are fascinated by the "sexy" work of high-end vulnerability researchers. In modern culture the word "hacker" is often conflated with someone who can break into any hardened system. The people who find so-called 0-day vulnerabilities (vulnerabilities in software that the vendor doesn't yet know about or have a fix for) and turn them into exploits are often looked at as the top of the pyramid of hackers, due to the incredibly challenging technical obstacles that must be overcome, the deep and arcane knowledge of system semantics and architectures required, and the obvious intelligence of many of the practitioners of this domain.

The Google P0 team is probably the preeminent public global team researching and publishing novel attacks against hardened systems such as Windows, Chrome, iOS and other software systems critical to the secure usage and survival of the Internet. They are impacting the gray market for vulnerabilities. Other teams conduct this research as a PR function for their product or services firms. Many high-end teams are restricted to secretive government (or government funded) laboratories or government agencies, supporting law enforcement or national security objectives. And a small number support themselves or a larger criminal syndicate through the development and use of these capabilities. When I did a Google search for vulnerability research, I also found Brené Brown, which made me chuckle. (Different kind of vulnerability research!)

Blackhat and many conferences were built around a platform to share the latest and most interesting "hacks" that these researchers have developed. News stories and books are built around the challenging accomplishments of the individuals and research teams. Vulnerabilities come with their own logos and web sites now (e.g., http://heartbleed.com/).

Some members of the community watch admiringly and wish they could do the same. Some enjoy reading/learning about it and admire the technical accomplishments. Others leverage the research to raise awareness around theoretical or very real threats to their company/products, while others use it to spread FUD (fear, uncertainty, and doubt) to sell more product or further a political agenda. Many companies benefit from the free research and QA performed on their products by third parties, which lets them leverage these discoveries to secure their products without paying for it. (To their credit, many are seeking ways to better engage these third parties and compensate them for those valuable contributions.)

https://www.f5.com/content/dam/f5/downloads/F5_Labs_Lessons_Learned_from_a_Decade_of_Data_Breaches_rev.pdf
Graphic from F5 Decade of breaches lessons learned report.
An increasing portion of the community is spending time pushing back on this so-called "sexy" part of the community. They rail that it gets too much attention, that it's pointless to try to find/fix super complex vulnerabilities because you'll never find them all, and that high-end talent is wasted on this problem. Their argument is built around the (strong) empirical evidence that the vast majority of security compromises aren't done using super-fancy 0-day attacks but rather password re-use, phishing attacks, outdated code with known exploits in Metasploit, misconfigured systems, open cloud repositories, etc. 27% of companies state that they've been breached because they didn't patch KNOWN vulnerabilities, so why spend so much time/energy finding unknown ones?

While I haven't heard the counter-argument made publicly (that one should exclusively focus on, or at least massively increase attention to, 0-day vulnerability research), there are certainly individuals and organizations who make this their exclusive focus and have no interest in addressing the human/configuration side of the problem, for various reasons. And I have seen individuals in those groups denigrate the work of those working on social engineering attacks, auditing systems for compliance and/or rolling out patches.

The problem is that, like most complex domains, it is not a boolean problem with a boolean answer. It's complicated and requires a nuanced perspective which is often missing in online rants. In this post, I'll address some of these complexities and explain why we need to address the human/configuration side of the problem while not neglecting the "high end" technical security risks that remain.

Attackers target the human or misconfigured/unpatched systems for numerous reasons:
  1. It has a low barrier to entry, meaning a significantly higher portion of the attacker community has access to these techniques (i.e., script kiddies, criminal/nation-state teams that are just starting out, etc.)
  2. It does not burn valuable capabilities in the event of later compromise. Why spend your 0-day if you don't have to!?
  3. It is often more reliable. (In the modern era many 0-days rely on probabilistic techniques like heap spraying, which fail a portion of the time depending on the usage/configuration of memory in the target.)
But if these attacks don't work, or the attacker is concerned that using well-known techniques may trigger enhanced monitoring/scrutiny of their actions, they will often choose more complex, advanced techniques such as 0-day exploits (software exploits built around knowledge of an unknown (0-day) vulnerability in a piece of software; for a great read on the topic check out this RAND report). Only a subset of attackers even have the resources to buy or build their own 0-day exploits.

Decades ago this was commonly performed by individual hackers who found vulnerabilities and didn't share them but used them to poke around and "explore" the Internet. Reporting a discovered vulnerability to a vendor could result in the police being called or lawsuits and many hackers were young and didn't think they were "causing any harm" or even wrong for using what they'd found for their own entertainment.

But today many firms have vulnerability reporting programs and policies of working with third party researchers. Most of the top software companies in the world even offer some sort of compensation (cash, prizes, or recognition) to these third party researchers through the use of internal or external bug bounty programs (A great list is here.) The combination of maturing software development practices, productive pathways to reporting third party discovered vulnerabilities and anti-exploitation mitigating techniques available in modern operating systems and hardware means that finding useful 0-days and exploiting them typically requires a significant effort by an advanced individual or team of individuals.

Attacks are conducted using BOTH approaches on a daily basis around the world. While the reports and news stories that get attention focus on breaches that utilized one or more 0-day attacks, the vast majority are done using human/system mistakes. 0-day attacks tend to be utilized in the highest value or extremely targeted cases by nation states conducting intelligence operations, and less frequently by law enforcement or "defense" operations. A non-negligible portion of 0-days are deployed by criminal groups (although in an era when North Korea employs large teams of hackers to raise billions to bypass national sanctions and fund weapons/missile research, or Russia explicitly refuses to shut down criminal operations out of the Russian Business Network as long as they target other countries, drawing the line between criminal group and nation state operations becomes increasingly difficult!)

Attackers will use the path of least resistance to accomplish their objective. In a perfect world humans would not be susceptible to manipulation and sharing passwords or other sensitive data. And software would be free of bugs and vulnerabilities. Systems and networks would always be properly configured. But that world is far away and I would argue theoretically unachievable. (Although I have yet to gather the methodology for a proof, I'm working on it!)

As a result, we are faced with a world with vulnerable software, systems/networks and humans, and attackers who spend the minimal amount of resources to accomplish their objectives. In that environment, defenders should focus their efforts on ways of increasing the cost to an attacker that are consistent with their threat model. If you're an individual or small/medium sized business (SMB) not in a high-risk class, you don't need to worry about targeted 0-day attacks and should focus more on phishing-style threats, reducing your threat surface and patching. If you're an elite government agency or global Internet powerhouse, you should invest in the full panoply of security measures including internal/external red teaming, vulnerability research programs, human testing, secure coding programs, multi-tiered security layers, robust secure operations centers with visibility into each layer, deception measures in the network, customized locked-down software stacks, investments into new architectures and mitigations, etc.

Individuals and specialized research shops will continue to exist and advance the objectives of these groups. If someone is a vulnerability researcher (VR) they aren't going to suddenly start offering phishing training to individuals, even if that were the highest payoff security measure for the organization that employs them, because the role wouldn't be interesting to them and would squander their abilities. They'll just change employers or take a mundane position and do this as an evening hobby. Similarly, we shouldn't force phishing training experts to become VR experts just because there is a need, if staring at hexadecimal and decoding heap structures isn't something that fascinates them or that they have an aptitude for.

To state it more succinctly: attackers will continue to exploit BOTH classes of vulnerability (software vulnerabilities and human weaknesses/system configuration) as required for their objectives, and improving the security of BOTH while properly understanding our risk is critical. Doing that in a quantitatively robust way is currently impossible, since we're still grappling with how to quantify both classes of risk, but heuristics and other measures are appearing so we can at least approximate it. (Example papers on quantifying phishing, vulnerabilities.) Researchers continue to publish papers that try to quantify/model these actors as game-theoretic problems using things like attack graphs, with limited practical success. (Random example.)
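As an added illustration of the "path of least resistance" and "raise the cost consistent with your threat model" argument (not code from the original post or from any of the cited papers), here is a toy attack-graph model with constructed, purely illustrative edge costs: Dijkstra finds the attacker's cheapest route, and each candidate control is scored by how much it raises that cheapest route rather than by how much it hardens the edge it touches.

```python
import heapq
# Constructed attack graph: nodes are attacker footholds, edge weights are
# assumed attacker costs in arbitrary units. All values are illustrative.
ATTACK_GRAPH = {
    "external": [("user_mailbox", 2.0), ("web_shell", 9.0)],  # phish vs. web exploit
    "user_mailbox": [("workstation", 3.0)],   # malicious attachment / reused creds
    "web_shell": [("app_server", 2.0)],
    "workstation": [("domain_admin", 6.0)],   # flat admin rights on endpoints
    "app_server": [("domain_admin", 4.0)],
    "domain_admin": [],
}
# Constructed candidate controls: the edge each one hardens and by how much.
MITIGATIONS = {
    "phishing_training": ("external", "user_mailbox", 3.0),
    "patch_web_app": ("external", "web_shell", 10.0),
    "tiered_admin": ("workstation", "domain_admin", 5.0),
}

def cheapest_path(graph, start, goal):
    """Dijkstra over the attack graph: the attacker's least-resistance route."""
    dist, prev, pq = {start: 0.0}, {}, [(0.0, start)]
    while pq:
        cost, node = heapq.heappop(pq)
        if cost > dist[node]:
            continue  # stale queue entry
        for nxt, w in graph.get(node, []):
            if cost + w < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = cost + w, node
                heapq.heappush(pq, (cost + w, nxt))
    if goal not in dist:
        return float("inf"), []
    path = [goal]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return dist[goal], path[::-1]

def score_mitigations(graph, start, goal, mitigations):
    """Report how much each (src, dst, added_cost) control raises the cheapest
    route. Zero means the attacker simply keeps using another path."""
    base, _ = cheapest_path(graph, start, goal)
    scores = {}
    for name, (src, dst, added) in mitigations.items():
        patched = {n: [(d, w + added if (n, d) == (src, dst) else w) for d, w in edges]
                   for n, edges in graph.items()}
        scores[name] = cheapest_path(patched, start, goal)[0] - base
    return scores

if __name__ == "__main__":
    print(cheapest_path(ATTACK_GRAPH, "external", "domain_admin"))
    print(score_mitigations(ATTACK_GRAPH, "external", "domain_admin", MITIGATIONS))
```

In this constructed model the phishing route is the cheapest, so patching the web application scores zero while tiering admin rights raises the attacker's cost more than phishing training does; the point is that a control is only worth what it adds to the route the attacker would actually take.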

The larger question about the allocation of resources (people, money, etc.) needs to be addressed at the policy level. As long as companies can knowingly sell software that has known vulnerabilities in it and is insecure in its default configuration, we will have massive security breaches. As long as enterprises build/buy solutions that depend on everyone in their organization never making a bad security decision, and on having to analyze fake web sites or phone callers to detect falsehoods, we will have humans being exploited. As long as we have millions of job openings for security professionals, we will remain understaffed and dependent on untrained operators and insecure code.

To see security postures change significantly requires measures across the entire spectrum. Changing the hardware and underlying software our platforms run on. Writing more secure code. Shipping systems securely by default. Automating testing and management. Training more users and security professionals. Buying security products that don't suck and work together to provide a complete picture. Embracing creative defensive approaches like dynamic defense (and "defending forward", whatever that means?). Quantifying everything and making rational decisions. To date we keep spending more money each year but still haven't seen a reduction in breaches... and we aren't going to by denigrating people in the community who are plugging different holes in the dike than we are.

Wednesday, November 28, 2018

Crowd-sourcing and bounties for defense

A little different post than I've done in the past, but I thought it would be interesting to the larger offensive/defensive cyber communities and too long-form for LinkedIn or Twitter. I'm an advisor to a company called 418 Intelligence, which is run by a friend of mine named Mark Jaster. They are trying to provide a platform that allows companies to move beyond bug bounties and actually crowd-source threat hunting/anomaly detection. They're just now opening up the platform to the community; I think it's worth checking out, as I think there's upside for the individuals and for companies, and room to grow/expand. I'd love to hear what people think of their approach, and would incorporate any positive or negative feedback you have back to them.

Here's the invitation:

If you have skills in analyzing logs and pcap files, here is an opportunity to join the first cyber professionals testing a new community platform, supported by DHS, designed to incentivize and crowdsource better defense and insights on what methods are working. If testing and shaping this vision sounds interesting, sign up to participate as a tester of the alpha release of the FOURSight DEF3NSE cyber defense crowdsourcing platform from FOUR18 Intelligence. This release operates a three-round live simulation game of an intrusion where you analyze artifacts and bet points with other players on what is happening and how to defend against it. It then transitions into crowdsourcing countermeasures against a known attacker group executing the same attack playbook in the real world. The sign-up form can be found here: FOURSight DEF3NSE Pre-registration Form.

FOURSight DEF3NSE is the first online community and marketplace for cyber defenders and decision makers to directly connect and incentivize crowdsourcing better defense and network resilience against cyberattacks. The system uses a unique, gamified and incentivized "wisdom-of-the-crowd" betting experience to crowdsource fast and accurate assessments of cyber risks and countermeasures, and it is designed to pay-off participants by creating a market for this information, including what will be the first-ever bounties for breach hunting. If the vision of bounty-hunting for attackers, or of testing what you know and winning pay-offs by predicting how successfully a countermeasure will perform against an attack sounds interesting, please join others in testing the platform and helping the designers make it great.

Once you register you will receive orientation materials explaining the system further, and an update on the testing schedule, but if you have any questions you can contact the team at admin@def3nse.net.

Thursday, June 21, 2018

@War review

I finished Shane Harris' book on Cyber Warfare recently and felt obligated to write a review about it on GoodReads. Given I spent the time writing it up, thought it might be worth sharing here for those following my blog who share an interest in the cyber security/warfare communities.

A thorough introduction to the world of cyber warfare from the perspective of a journalist surveying published media from the mid-2005 to 2015 time frame, with some sampled private discussions and insights into behind-the-scenes discussions and classified projects. A good read for someone new to the field to catch up quickly.

Unfortunately the author spends a significant amount of time pontificating on concerns that have been excessively debated elsewhere and attempting to seem moderate while making clear his opinions on where the concerns lie... and unfortunately basing his conclusions on rumors he heard from self-proclaimed "experts". One example is the "thousands of exploits" the NSA is hoarding. This claim appears to be based on a single unquoted individual, and appears inconsistent with the other information in his book. (Pointing to a budget of $25M to acquire exploits, and price tags of $50,000-$1,000,000, would imply a catalog of 25-500 (dozens or hundreds, not thousands).) Much hand-wringing is spent on NSA surveillance, defense-industrial relations, foreign government spying, and other topics that have been extensively discussed in the media over the last decade and a half.

Speculation is rampant in the book regarding what's happening behind closed doors, and allegations are made without the editorial self-control that a reputable paper would employ. As someone with two decades of experience in this community, this reviewer recalls numerous relevant events that were not included, and significant portions of the book are devoted to commonly discussed events from various media sources (with a few interesting exceptions). In fact, the acknowledgements section credits many of the writers of those stories from the news sources covering cybersecurity/cyber warfare (Michael Riley, Nicole Perlroth, Kim Zetter, etc.) who actually interviewed the original sources and wrote about the events as they happened (or as they were uncovered!).

Books such as "Countdown to Zero Day" by Kim Zetter provide a much deeper look that is more technically accurate and better sourced, and represent a good alternative for a reader looking to gain insight into the technical and political aspects of the cyber warfare complex through a single (large) operational lens.

@War is a good option if one has no prior exposure and views it as a breathless description of the events of the last 10-15 years in the US cyber warfare community from a non-technical observer doing his best to share what he's read about and been told as an outsider.