Bloomberg reports on Deloitte hiring EUROPOL Executive Director Rob Wainwright to run their cyber security business:
The 50-year-old MI5 veteran will join the Amsterdam-based unit in June, according to Deloitte, which shared an advance copy of its announcement. Deloitte is planning to add 500 people to its European cyber practice to meet growing demand from corporate clients anxious to prevent hacks.
“I spent a lot of the last few years encouraging private-sector leaders to take cybersecurity more seriously, to invest more,” Wainwright said in an interview at Europol’s headquarters in The Hague on Tuesday. “So now I will go directly in there and try to help them do it myself.”
Wainwright has spent 28 years working for the U.K. government, including more than a decade at the MI5 domestic intelligence service, where he specialized in counter-terrorism and organized crime. After stints as head of the U.K. liaison bureau for Europol and running the international department of what is now called the National Crime Agency, he returned to Europol as director in 2009.
During his time at Europol, which acts as an intermediary for 1,000 global law enforcement bodies and coordinates major investigations involving terrorism and money laundering, Wainwright helped oversee a number of high-profile stings. He played a key role in last year’s takedown of AlphaBay and Hansa, dark-web markets that sold everything from drugs to hacking tools. AlphaBay was more than 10 times the size of Silk Road, which the U.S. closed in 2013.
Sounds like a major win for Deloitte and a huge hire. It will be interesting to see if Wainwright is capable of developing additional business, and strengthening existing projects, based on his expertise and experience.
Dark Reading tracking bitcoin wallet addresses as indicators of compromise (IOCs) as a valuable defense data point:
By tracking bitcoin wallet addresses as an IOC, we’ve been able to connect the dots between ransomware, wallet addresses, and shared infrastructure, TTPs (tactics, techniques, and procedures), and attribution.
Here is an example of how bitcoin is used in a ransomware campaign: A new piece of ransomware gives you a bitcoin address for payment. You can then make correlations that connect across sectors, like retail, energy, or technology groups based on the blockchain and/or reuse of the same address. With WannaCry, there were hard-coded bitcoin addresses that made it easy to correlate what you are dealing with and which sectors were being affected. The more bitcoin addresses are shared, the more you can identify addresses to which bitcoins are forwarded.
The ability to track transactions through the blockchain allows you to connect different ransomware campaigns. Cybercriminals don’t typically share bitcoin wallets as they might share the same exploit kit, but by tracking blockchain transactions, analysts have another investigation point from which they can pivot and dig for more.
I doubt there are many organizations using this technique. It is both valuable and forward-thinking, and should be considered based on an organization's cyber defense maturity level. If threat intelligence is already being consumed, adding this should be fairly straightforward.
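To show what "tracking bitcoin wallet addresses as an IOC" looks like in practice, here is an added example (not from the Dark Reading piece or any vendor) that extracts payment addresses from ransom notes, drops anything whose Base58Check checksum fails so a garbled or mistyped string never becomes an indicator, indexes which incidents and sectors share an address, and then merges addresses linked by observed forwarding transactions into one cluster. The incident records, ransomware family names ("LockerX", "CryptFoo"), addresses and forwarding transactions are all constructed for the example; in a real deployment the notes would come from the incident tracker and the transactions from a blockchain explorer or threat-intel feed.

```python
import hashlib
import re
from collections import defaultdict

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH/P2SH address shape; bech32 (bc1...) is out of scope for this example.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58check_encode(payload: bytes) -> str:
    """Base58Check-encode version byte + payload (used here only to build constructed addresses)."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))  # leading zero bytes encode as '1'
    return "1" * pad + out


def b58check_valid(addr: str) -> bool:
    """Verify the 4-byte double-SHA256 checksum; rejects typos and look-alike garbage."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def constructed_address(seed: str) -> str:
    """Deterministic, checksum-valid P2PKH-style address for the constructed sample data."""
    return b58check_encode(b"\x00" + hashlib.sha1(seed.encode()).digest())


# --- constructed sample data -------------------------------------------------
ADDR_A = constructed_address("campaign-A")   # reused across two victims
ADDR_B = constructed_address("campaign-B")   # a second family's payment address
ADDR_C = constructed_address("cash-out")     # address both campaigns forward funds to
INCIDENTS = [
    {"id": "INC-1", "sector": "retail", "family": "LockerX",
     "note": f"Your files are encrypted. Send 0.5 BTC to {ADDR_A} within 72h."},
    {"id": "INC-2", "sector": "energy", "family": "LockerX",
     "note": f"Send 0.5 BTC to {ADDR_A} to receive the decryptor."},
    {"id": "INC-3", "sector": "technology", "family": "CryptFoo",
     "note": f"Payment address: {ADDR_B}"},
    {"id": "INC-4", "sector": "health", "family": "unknown",
     "note": "Payment address: 1BadChecksumAddressxxxxxxxxxxxxxxx"},  # fails checksum, ignored
]
TRANSACTIONS = [(ADDR_A, ADDR_C), (ADDR_B, ADDR_C)]  # (from, to) forwarding observations


def extract_addresses(text: str) -> list:
    """Regex candidates filtered by checksum, so only plausible wallets become IOCs."""
    return [a for a in ADDR_RE.findall(text) if b58check_valid(a)]


def address_index(incidents: list) -> dict:
    """Map each valid address to the set of incident ids whose notes contain it."""
    idx = defaultdict(set)
    for inc in incidents:
        for addr in extract_addresses(inc["note"]):
            idx[addr].add(inc["id"])
    return idx


def cluster_by_forwarding(addresses, transactions: list) -> list:
    """Union-find: addresses connected by forwarding transactions form one cluster."""
    parent = {a: a for a in addresses}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for src, dst in transactions:
        parent.setdefault(src, src)
        parent.setdefault(dst, dst)
        parent[find(src)] = find(dst)
    clusters = defaultdict(set)
    for a in parent:
        clusters[find(a)].add(a)
    return list(clusters.values())


def correlate(incidents: list, transactions: list) -> list:
    """One report entry per cluster: its addresses, linked incidents and affected sectors."""
    idx = address_index(incidents)
    report = []
    for cluster in cluster_by_forwarding(idx.keys(), transactions):
        ids = set().union(*(idx.get(a, set()) for a in cluster))
        sectors = sorted({i["sector"] for i in incidents if i["id"] in ids})
        report.append({"addresses": sorted(cluster), "incidents": sorted(ids), "sectors": sectors})
    return report


if __name__ == "__main__":
    for entry in correlate(INCIDENTS, TRANSACTIONS):
        print(entry)
```

The checksum step matters more than it looks: a wallet string lifted from a screenshot or a copy-pasted note with one wrong character would otherwise be shared as an indicator that can never match anything. The forwarding step is what turns a per-sample address into an investigation pivot, since a cash-out address shared by two families is the kind of infrastructure overlap the article describes.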
Politico reports on an upcoming leadership change at the National Security Agency following ADM Mike Rogers's impending retirement:
Picking Nakasone — who took the reins at Army Cyber Command in late 2016 — would place someone deeply versed in cyberspace operations atop the country’s premier intelligence-gathering service. As NSA head, Nakasone would also lead U.S. Cyber Command, the Pentagon’s digital warfare organization.
It’s unclear when the administration might formally announce the choice, but it’s believed the announcement could come in the next week or two, which means the Senate Armed Services Committee would hold a confirmation hearing in early March. The Senate Intelligence Committee may also hold a hearing, given the job’s heavy surveillance focus.
Nakasone sounds like a reasonable choice to lead the NSA considering his background and recent assignments. If selected, it will be interesting to see how the agency changes to adapt to the growing cyber threat and, more importantly, to the fallout from the still-unsolved Shadow Brokers breach.
Deloitte CyberSOC EMEA Center, SL. closed a strategic agreement with Sqrrl to provide Managed Threat Hunting Services to clients in the EMEA region using Sqrrl’s threat hunting platform.
Armed with Sqrrl’s threat hunting technology, Deloitte will perform a careful inspection of their clients’ IT environment to identify the presence of compromises and threat actors via Deloitte’s new Threat Hunting-As-A-Service offering.
“Sqrrl’s Platform is purpose-built for threat hunting, and enables our threat analysts to conduct hunts more effectively,” said Cesar Martín Lara, Deloitte Spain Cyber Risk Services partner.
“The flexibility of our platform enables Deloitte to easily create new analytics and data models and embed their world-class cyber intelligence into our Threat Hunting Platform.”
In addition to Managed Threat Hunting, Deloitte will resell Sqrrl’s Threat Hunting Platform to clients who wish to deploy the platform in their own on-premises or cloud environments.
This sounds like an interesting service, but I wonder about the specifics of Sqrrl’s technological capabilities.
The New York Times has done an incredibly in-depth report on how the various Shadow Brokers breaches and leaked NSA tools have really disturbed the organization like never before:
Like cops studying a burglar’s operating style and stash of stolen goods, N.S.A. analysts have tried to figure out what the Shadow Brokers took. None of the leaked files date from later than 2013 — a relief to agency officials assessing the damage. But they include a large share of T.A.O.’s collection, including three so-called ops disks — T.A.O.’s term for tool kits — containing the software to bypass computer firewalls, penetrate Windows and break into the Linux systems most commonly used on Android phones.
Evidence shows that the Shadow Brokers obtained the entire tool kits intact, suggesting that an insider might have simply pocketed a thumb drive and walked out.
But other files obtained by the Shadow Brokers bore no relation to the ops disks and seem to have been grabbed at different times. Some were designed for a compromise by the N.S.A. of Swift, a global financial messaging system, allowing the agency to track bank transfers. There was a manual for an old system code-named UNITEDRAKE, used to attack Windows. There were PowerPoint presentations and other files not used in hacking, making it unlikely that the Shadow Brokers had simply grabbed tools left on the internet by sloppy N.S.A. hackers.
This is one of the most fascinating cyber security and intelligence community stories of our time.
The news comes as Rogers is being considered by President-elect Donald Trump to be his nominee for director of national intelligence to replace Clapper as the official who oversees all 17 U.S. intelligence agencies. In a move apparently unprecedented for a military officer, Rogers, without notifying superiors, traveled to New York to meet with Trump on Thursday at Trump Tower. That caused consternation at senior levels of the administration, according to the officials, who spoke on the condition of anonymity to discuss internal personnel matters.
The White House, Pentagon and Office of the Director of National Intelligence declined to comment. The NSA did not respond to requests for comment. Carter has concerns with Rogers’s performance, officials said. The driving force for Clapper, meanwhile, was the separation of leadership roles at the NSA and U.S. Cyber Command, and his stance that the NSA should be headed by a civilian.
Personally, I find the idea of separating the NSA and US Cyber Command smart. The NSA is too secretive to truly allow Cyber Command to pursue its mission of adequately defending US military networks. The NSA is far more interested in observing nation-state breaches, and allowing a compromise to continue while it collects intelligence on actor TTPs, than it is in helping prevent the same attacks.
It is a tough position to be in because both intelligence collection and cyber defense are important. However, the latter is far more important in ensuring our sensitive data is not stolen by our adversaries.
Potent essay in favor of strong encryption even though the US intelligence apparatus would like Americans to believe terrorists use it to hide their communications from law enforcement (demonstrably false in certain circumstances, such as Paris):
People who protect liberty have to take care not to imply, much less acknowledge, that the draconian anti-liberty measures advocated by the surveillance state crowd are justified, tactically or morally, no matter what the circumstances. Someday a terrorist will be known to have used strong encryption, and the right response will be: “Yes, they did, and we still have to protect strong encryption, because weakening it will make things worse.”
Why? Because encryption is actually a straightforward matter, no matter how much fear-mongering law enforcement officials and craven, willfully ignorant politicians spout about the need for a backdoor into protected communications. The choice is genuinely binary, according to an assortment of experts in the field. You can’t tamper this way with strong encryption without making us all less secure, because the bad guys will exploit the vulnerabilities you introduce in the process. This isn’t about security versus privacy; as experts have explained again and again, it’s about security versus security.
Moreover, as current and former law enforcement officials lead a PR parade for the surveillance-industrial complex, pushing again for pervasive surveillance, they ignore not just the practical problems with a “collect it all” regime — it drowns the spies in too much information to vet properly — but also the fundamental violation of liberty that it represents. These powers are always abused, and a society under surveillance all the time is a deadened one, as history amply shows.
Of course we need some surveillance, but in targeted ways. We want government to spy on enemies and criminal suspects, but with the checks and balances of specific judicial approval, not rubber stamps for collect-it-all by courts and Congress. The government already has lots of intrusive tools at its disposal when it wants to know what specific people are doing. But our Constitution has never given the government carte blanche to know everything or force people to testify against themselves, among other limits it establishes on power.
LogRhythm claims to reduce the amount of time it takes organizations to detect cyberintruders before they get a foothold and do any real damage. Its Holistic Threat Analytics Suite purports to detect behavioral anomalies by analyzing a number of potential entryways – users, networks and endpoints – allowing their software to identify a variety of system compromises that originate from advanced cyberthreats. The Holistic Suite is comprised of three different modules: The newest, Endpoint Threat Analytics Module, joins LogRhythm’s User Threat Analytics Module and Network Threat Analytics Module, and, combined, should allow customers to detect intrusions earlier, regardless of where those intrusions originate.
LogRhythm also incorporates real-time threat intelligence data from leading commercial vendors and an array of open source intelligence feeds, which allows them to help their customers connect the cybersecurity dots to the data they’re already collecting, processing and analyzing, which, in turn, should help them take whatever countermeasures they need to protect themselves from a major breach.
I have heard of most of these products but am unsure how well they deliver on their claims. They are likely worth demoing just to get a good feel for whether they are a worthwhile addition to your organization's cyber defense strategy.