DarkTrace: A Controversial View

January 6, 2021

I spotted that a post about Darktrace had been removed from Reddit. I became curious because the comment thread was on Reddit when I checked today (January 4, 2021). I located the original Darktrace post on the Archive.org site at this link. This content may disappear, and some of the points run counter to the rah-rah write-ups about the company. Here are some of the factoids and assertions which caught my attention:

  • A Darktrace initial public offering is likely to take place in the near future
  • 10 members of the Darktrace executive team allegedly had ties to Autonomy, the search and content management vendor acquired by HP
  • Michael Lynch is part of an investment firm which funded Darktrace
  • Goldman Sachs snubbed the Darktrace float.

None of the information in the Reddit post struck me as controversial. The data appear to come from a variety of open sources, including the Darktrace Web site, news reports, LinkedIn biographies, and public documents.

Why did I chase down the original post? The removal of the information from the thread sparked a number of interesting Reddit comments about Darktrace, the company’s business tactics, and the cyber security sector.

With the SolarWinds misstep still in the news cycle, it strikes me that cyber security related posts provide additional color about the products and services some of the higher profile vendors are offering.

Reddit obviously does not agree.

Stephen E Arnold, January 6, 2021

Greed, Security, and MBAs: Compromising Security for Yachts, Snazzy Cars, and Big Houses?

January 5, 2021

I read “How to Get Rich Sabotaging Nuclear Weapons Facilities.” The title is snappy. The blend of sabotage, nuclear weapons, and money is a spicy blend. I have been critical of cyber security firms’ marketing. I’ve mentioned their lingo, the nifty exhibits at law enforcement and intelligence conferences, and the endless reports about data for sale on the Dark Web.

I admit that I have focused on the flashier side of the business. I leave the specifics of repurposing open source software wrapped in scripts to others. I also have not linked obvious financial plays like the sale of 4iQ to Alto Analytics or the Recorded Future tie up with Insight Partners or any of the other mergers and roll ups emerging from the cyber security gold rush.

Why? I have been commenting about the craziness of MBAs for years, and — guess what? — no one cares. When I worked for some archetypal MBAs at assorted financial institutions, to a person the individuals agreed. I recall one flashy MBA saying to me, “That’s right. I want money. Lots of money.” That fine individual asked me to pay for lunch because he left his wallet in his desk.

The write up about sabotage and nuclear weapons seems to be getting traction. In the aftermath of the SolarWinds misstep, this passage has more meaning to the average thumb typer and social media maven:

Cybersecurity is a very weird area, mostly out of sight yet potentially very deadly. Anonymous groups can turn off power plants, telecom grids, or disrupt weapons labs, as Israel did when it used a cyber-weapon to cripple Iranian nuclear facilities in 2010. Bank regulators have to now consult with top military leaders about whether deposit insurance covers incidents where hackers destroy all bank records, and what that would mean operationally. It’s not obvious whether this stuff is war or run-of-the-mill espionage, but everyone knows that the next war will be chock full of new tactics based on hacking the systems of one’s adversary, perhaps using code placed in those systems during peacetime.

The high-flying SolarWinds sparked this comment:

SolarWinds didn’t bother to hire a senior official to focus on security until 2017, and then only after it was forced to do so by European regulations. Even then, SolarWinds CEO, Kevin Thompson, ignored the risk. As the New York Times noted, one security “adviser at SolarWinds, said he warned management that year that unless it took a more proactive approach to its internal security, a cybersecurity episode would be ‘catastrophic.’”

What was the root cause? The write up points the finger at a roll up specialist called Bravo. I learned:

After its IPO, SolarWinds followed Ellison’s advice, became a merger machine, buying a dozen companies from 2011-2014, including Pingdom, Confio and N-Able Technologies. In 2015, Thoma Bravo Partners (along with Silver Lake) bought the company, and loaded it up with $2 billion of debt to finance the purchase. (Yes, this was one of those purchases in which the private equity buyer bought the company with the company’s own money.) Under Bravo’s control, SolarWinds engaged in more mergers, buying companies who made threat monitoring software, email security, database performance monitoring, and IT support firms. SolarWinds sought to become a one-stop-shop in its niche, not particularly good at quality, but with everything a customer might need. Of course, the Federal Trade Commission and the European Competition Commission allowed these deals; just a month before the hack was revealed, the FTC approved yet another acquisition by SolarWinds.

What happened?

The misstep. The write up points out:

But in some ways it’s not that complex; the problem isn’t that Russians are good at hacking and U.S. defenses are weak, it’s that financiers in America make more money by sabotaging key infrastructure than by building it.

The root cause, therefore, is that which generates revenue in an environment in which regulators are asleep at the switch, MBAs plot their next big deal, and customers assume that whiz-bang, smart security systems actually work.

Stephen E Arnold, January 5, 2021

SolarWinds Are Gusting and Blowing Hard

January 5, 2021

Many pundits have reacted to the New York Times’ story “As Understanding of Russian Hacking Grows, So Does Alarm.” Work through those analyses. What’s missing? Quite a lot, but in this short blog post I want to address one issue that has mostly been ignored.

At one time, there was a list on the SolarWinds Web site of the outfits which had been compromised. That list disappeared. I posted “Sun Spotting in the Solar Wind” on December 23, 2020. In that post, I reported three outfits which had been allegedly compromised by the SolarWinds misstep (and some of the information I used as a source remains online):

City of Barrie (Canada)

Newton Public Schools (US)

Regina Public Schools (Canada).

The question is, “Why are outfits like a municipality known as part of the Greater Golden Horseshoe, Newton’s public schools, and the Regina public schools on the list?” (I’ve been to Regina in the winter. Unforgettable it is.)

My research team and I discussed the alleged exploits taking up residence in these organizations; that is, allegedly, of course, of course.

Here’s what my team offered:

  • A launch pad for secondary attacks. The idea is that the original compromise was like a rat carrying fleas infected with the bubonic plague (arguably more problematic than the Rona)
  • A mechanism for placing malicious code on the computing devices of administrators, instructors, and students. As these individuals thumb typed away, these high trust individuals were infecting others in their social circle. If the infections were activated, downloads of tertiary malware could take place.
  • Institutions like these would connect to other networks. Malware could be placed in server nodes serving other institutions; for example, big outfits like Rogers Communications, a government ministry or two, and possibly the cloud customers of the beloved Rogers as well as BCE (Bell Canada’s parent) and Telus.

The odd ducks in the list of compromised organizations just might not be so odd after all.

That’s the problem, isn’t it? No one knows exactly when the misstep took place, what primary and downstream actions were triggered, and where subsequent rats with fleas infected with bubonic plague have gone.

Net net: It’s great to read so many words about a misstep and not have signals that the issue is understood, not even by the Gray Lady herself.

Stephen E Arnold, January 6, 2021


Microsoft: Information Released Like a Gentle Solar Wind

December 31, 2020

I read the New Year’s Eve missive from Microsoft, a company which tries to be “transparent,” “Microsoft Internal Solorigate Investigation Update.” I am not sure, but I think the Microsoft Word spell checker does not know that SolarWinds is not spelled Solarigate. Maybe Microsoft is writing about some other security breach or prefers a neologism to end the fine year 2020?

Here’s a passage I found interesting:

Our investigation has, however, revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment. This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor. We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated. [Bold added to highlight intriguing statements]

To me, an old person who lives in rural Kentucky, it sure sounds as if Microsoft is downplaying:

  • Malicious code within Microsoft’s systems
  • The code performed “unusual activity,” whatever this actually means; I don’t know
  • The malicious code made it to MSFT source code repositories
  • Whatever happened has allegedly been fixed up.

What’s that unknown unknowns idea? Microsoft may be writing as if there are no unknown unknowns related to the SolarWinds misstep.

If you want more timely Solarigate misstep info, here’s what Microsoft suggests as a New Year’s Eve diversion:

For the up-to-date information and guidance, please visit our resource center at https://aka.ms/solorigate.

Stephen E Arnold, December 31, 2020

Smart Software and Cyber Security

December 30, 2020

Smart software appears to be the solution to escalating cyber security woes. An unusual article (actually more of a collection of dot points) provides some insight into the challenges makers of smart security software have to overcome. Navigate to “What is the Impact of Artificial Intelligence on Cyber Security?” and scroll to the section titled “Why Did Artificial Intelligence Fail?” Here are three of the 10 reasons:

  • When you’re stuck in a never-ending development loop
  • Most AI models decay over time
  • Optimizing for the wrong thing.

Before I read the article, I had been operating on a simple principle: Smart cyber security software is an oxymoron. Yikes. I did not know I was stuck in a never ending development loop or optimizing for the wrong thing.

The article offers a number of statements which, I assume, are intended to be factoids. In reality, the collection of information is a gathering of jargon and sales babble.

The write up reveals how to get rid of security smart software failures. There are seven items on this list. Here’s one: Statistical Methodology.

Several observations:

  • Smart software works when knowns are trimmed to a manageable “space”.
  • The “space” is unfortunately dynamic, so the AI has to be able to change. It usually needs the help of humans and an often expensive retraining cycle.
  • The known space is what the best of the bad actors use in order to attack in new ways.

Net net: The SolarWinds misstep illustrates that exactly zero of the classified systems used to monitor adversaries’ cyber attacks rang the klaxon. To make matters more embarrassing, exactly zero of the commercial threat intelligence and cyber monitoring systems punched a buzzer either.

Conclusion: Lists and marketing hoohah are not delivering. The answer to the question “What is the impact of artificial intelligence on security?” is an opportunity to over promise and under deliver perhaps?

Stephen E Arnold, December 30, 2020

DarkCyber for December 29, 2020, Is Now Available

December 29, 2020

DarkCyber for December 29, 2020, is now available on YouTube at this link or on the Beyond Search blog at this link. This week’s program includes seven stories. These are:

A Chinese consulting firm publishes a report about the low profile companies indexing the Dark Web. The report is about 114 pages long and does not include Chinese companies engaged in this business.

A Dark Web site easily accessible with a standard Internet browser promises something that DarkCyber finds difficult to believe. The Web site contains what are called “always” links to Dark Web sites; that is, those with Dot Onion addresses.

Some pundits have criticized the FBI and Interpol for their alleged failure to take down Jokerstash. This Dark Web site sells access to “live” credit cards and other financial data. Among those suggesting that the two law enforcement organizations are falling short of the mark are four cyber security firms. DarkCyber explains one reason for this alleged failure.

NSO Group, a specialized services company, has been identified as the company providing technology to “operators” surveilling dozens of Al Jazeera journalists. DarkCyber points out that a commercial firm is not in a position to approve or disapprove the use of its technology by the countries which license the Pegasus platform.

Facebook has escalated its dispute with Apple regarding tracking. Now the social media company has alleged that contractors to the French military are using Facebook in Africa via false accounts. What’s interesting is that Russia is allegedly engaged in a disinformation campaign in Africa as well.

The drone news this week contains two DJI items. DJI is one of the world’s largest vendors of consumer and commercial drones. The US government has told DJI that it may no longer sell its drones in the US. DJI products remain available in the US. DJI drones have been equipped with flame throwers to destroy wasp nests. The flame throwing drones appear formidable.

DarkCyber is a twice a month video news program reporting on the Dark Web, lesser known Internet services, and cyber crime. The program is produced by Stephen E Arnold and does not accept advertising or sponsorships.

Kenny Toth, December 29, 2020

SolarWinds: One Interesting Message

December 28, 2020

I read “Wave of Cyberattacks Exposes the Powerlessness of IT Security Chiefs.” With all the hoohah about cyber superiority from government officials and commercial enterprises, one troubling fact is clear: If the advanced systems could not detect the attack, nor could top secret security systems monitoring possible bad actors, the defensive and alerting methods are broken. The write up points out security focuses on a widespread weak link:

Splunk, a U.S. company, publishes an annual list of “10 things that keeps CISOs up at night,” and this year’s includes the expanded “attack surface” created by the growing use of the internet of things (web-connected devices) and the growing use of cloud computing, “malicious insiders” and the “alert fatigue” resulting from so many layers of data security inside a big organization. But apart from that, Splunk notes the lack of money to ensure data security. “CISOs continue to face challenges in securing substantial budgets, largely because they have difficulty forecasting threats and achieving measurable results from security investments…
He said 66% of CISOs surveyed said they didn’t have adequate staff. Others cited increasingly onerous regulations and their lack of access to top management.

Something in the cyber security establishment enables breaches.

Stephen E Arnold, December 28, 2020

China Write Up Includes a Juicy Factoid

December 24, 2020

“Beijing Ransacked Data as US Sources Went Dark in China” is a political write up. However, the article contains one interesting factoid. Keep in mind that a “factoid” can be a chunk of the alternative reality in which some thumbtypers thrive.

Here’s the passage I noted:

“Chinese officials became much more reluctant to talk after [the WikiLeaks cables], because they didn’t believe we could keep it a secret,” recalled a current State Department official with extensive experience in China.

The “we” is US government officials.

Why would a Chinese professional perceive the US as unable to keep a secret? One possible explanation is that access to online systems was in hand. Therefore, information in a US government system would be available to other entities with a Chinese-style intelligence system.

I understand that there are only a couple of countries with Chinese style resources. But when it comes to security technology, even smaller outfits with a small number of skilled engineers and programmers can accomplish some surprising exploits.

The write up puts some color into the somewhat lifeless quote. In my opinion, the quote makes clear that at least one US government official appears to have acknowledged that “lights out” may be a persistent characteristic for some US government entities.

Stephen E Arnold, December 24, 2020

Sun Spotting in the Solar Wind

December 23, 2020

I read “Partial Lists of Organizations Infected with Sunburst Malware Released Online.” The information in the write up, which I assume is sun spot on, makes it possible to do some solar observations. For example, here are some alleged victims of the ever-so-slight sun burn from the estimable firm SolarWinds. I have created a value score to indicate how much informational goodness can be sucked from the alleged targets. Our first solar flare consists of:

City of Barrie (Canada)

Newton Public Schools (US)

Regina Public Schools (Canada).

Granted these are likely to deliver a low payout for actors looking for really good stuff via the misstep. Score: 1 on a scale of 1 to 5 with 5 being an intel target of note.

How about these victims of the misstep? Let’s get rolling in data for carder sites.

BancCentral Financial Services Corp.

Stearns Bank

Signature Bank

Yes, better. Personally identifiable information, credit cards, debit cards, online bank account codes and passwords. Score: 3.5

What about this group?

Cisco

Deloitte

Intel

Stratus Networks

Here I award a value score of 4.5.

But where are the other 17,991 names? Oh, probably just trivial outfits. A misstep that’s all. A misstep missed by the cyber security systems protecting most of these outfits.

And today (December 21), the share prices of most cyber security firms are rising. (We don’t do news, so the date of authorship, the date of our source, and the date of publication are likely to be different. Beyond Search is confident that spectacular metadata systems from Smartlogic and other firms can figure out mere dating conventions, right?)

Stephen E Arnold, December 23, 2020

4iQ: Smarter and Maybe Profitable with Alto Analytics?

December 23, 2020

The cyber intelligence firm 4iQ has merged with Alto Analytics. The new outfit will be called Constella Intelligence. The two companies’ technologies will allow organizations to “anticipate and defeat digital risk.” You can read about this tie up in “4iQ and Alto Analytics Merge and Rebrand as Constella Intelligence.” The new firm is in the cyber security business. According to the announcement the company

… will empower organizations and intelligence professionals with comprehensive digital risk protection that covers brand, executive, fraud, geopolitical and identity threats.

One phrase struck me as particularly interesting; specifically:

“Through successful 4iQ Series C funding and the powerful combination of two market-leading organizations, Constella has incredible tools and resources to tackle the fast-evolving security landscape…

The “market leading” adjective appears to position 4iQ and Alto among the luminaries of cyber intelligence. However, 4iQ’s quirky name and its similarity to other Dark Web and social media indexing tools did not capture the same market buzz as Shadowdragon, for example. Alto Analytics competes in the crowded data analytics space.

The two entities apparently will join to justify this description:

Constella Intelligence is a leading global Digital Risk Protection business that works in partnership with some of the world’s largest organizations to safeguard what matters most and defeat digital risk. Its solutions are broad, collaborative and scalable, powered by a unique combination of proprietary data, technology and human expertise—including the largest breach data collection on the planet, with over 100 billion attributes and 45 billion curated identity records spanning 125 countries and 53 languages.

The merger is almost coincident with the revelations about the failure of cyber security vendors’ products to detect the SolarWinds breach. More firms will be seeking ways to rebrand, reposition, and reinvigorate their sales of products and services. Will 1 + 1 = 3?

Sure in the marketing department. Those art history majors are optimists.

Stephen E Arnold, December 22, 2020
