Hack The Planet

Because if you don't, who will?

Sunday, February 17, 2019

Everyone else knows more…

I have a theory. I believe it is shared by many others, and I have probably written on it before, but just in case, here it is. The more someone says they know, the less they actually do, and vice versa. This is my Imposter Syndrome thesis. There are many blogs on this phenomenon, and we discuss it regularly as a community. That is not what this post is about, though.

There are also many people trying to help newcomers get into the information security industry despite this feeling. While we work to recruit more people, one of the things I try to make sure they understand is that this is not a static field. You cannot learn something once and feel confident that it will not change as soon as tomorrow.

So how do you keep up with all of the changes and advances in Information Security and in our adversaries' tactics and techniques? There are many approaches to this, but here is mine.

I find that I have to use multiple technologies and communities to keep myself abreast of what is going on, and where I need to spend more time and focus. I use RSS, Twitter, online groups and in-person meetups, with each providing different things to my overall understanding of what is going on.

For those unfamiliar with RSS, it is basically a way to compile updates from websites you are interested in. There are different RSS readers or applications you can use to bring your feeds together, and after the death of Google Reader I don’t know that any one is better than another. I have everything from corporate sites and blogs and personal InfoSec blogs to news sites, so I don’t have to visit each one to see if there is anything new for me to read. There are a ton of sites out there, so having one dashboard to view them all in saves me a lot of time.

I also use Twitter pretty heavily to find updates that aren’t in my RSS feeds, and for things that are more current. It is kind of like email (RSS) versus text message (Twitter). Find people who are part of the community and start following them. You will find more and more people and companies to follow who can help you keep up with the latest vulnerabilities, data breaches and adversary techniques.

I am also a big believer in IRL (In Real Life) meetups and community sharing. As you build up your relationships and friendships, you may find that you join Slack or Keybase groups that share your interests. These can be incredibly helpful in helping you learn and stay current in Information Security, or whatever field you are interested in.

If you have a Defcon group or other InfoSec group near you, attend the meetups. I have yet to attend an InfoSec meetup that was not full of great people willing to help out people they had just met. Attending conferences helps with this as well. BSides conferences are run across the planet, and we are at a point where it is harder to find conferences not to go to, because there are so many available.

To wrap this up, there are so many ways to keep yourself up to date and learning every day that you don’t have to pick just one. Find what works for you and don’t forget to engage with the community. There is no shortage of people willing to mentor and help others grow and learn.

posted by holliday at 7:25 pm  

Monday, February 4, 2019

Where have all the good guys gone…

It wasn’t very long ago that I was reading a report from Cylance researchers about a new nation-state APT group that they had dubbed White Company. The researchers commented that the group was located in the Middle East but had tendencies, or tactics, that led them to believe its members were ex-US Intel. It is concerning to think that Tactics, Techniques and Procedures (TTPs) created inside the US Intel community were being used on behalf of a foreign power.

The White Company was caught using an unwitting Belgian locksmith’s website (and, I am assuming, other sites) to go after the Pakistani Air Force. Some of the TTPs the group uses are adding anti-debugging code to their shellcode, using publicly available malware, and preprogramming dates for discovery by antivirus software to distract analysts. All of these together show a level of sophistication not common outside of specific nation-state actors.

It was a few weeks later that Reuters published reports on Project Raven, a group of ex-US Intel operatives who worked with the UAE to engage in surveillance of militants, human rights activists, and other governments. This revelation should have been more shocking, but with the previous report from Cylance it just solidified the evidence that ex-US cyber warriors were going to work for the highest bidders. This is very sad news, as Bob Anderson, former executive assistant director of the FBI, is quoted in the Reuters report as saying, “There’s a moral obligation if you’re a former intelligence officer from becoming effectively a mercenary for a foreign government.”

One of the tools that Project Raven used, named Karma and detailed in another Reuters investigation, helped the operatives hack into the iPhones of diplomats and foreign leaders for the benefit of the UAE. This tool is special in that it did not require the targets to click on phishing links to gain access.

With the knowledge that US Intel operatives and analysts have, it is no wonder that those outside the US would target them for recruitment. What is surprising is how many allow themselves to be recruited. As Tawakkol Karman said in the report, these people should “not be a tool in the hands of tyrannies to spy on activists and to enable them to oppress their peoples.”

We all need to take a look at ourselves and ask if the work we are doing is helping others, and at the very least not hurting them.

posted by holliday at 11:16 am  
