It Really Was the Lazarus Group, in North Korea with SWIFT

swift

Last week, news broke that the US had linked North Korea to the theft of millions against the Federal Reserve in a series of bank heists involving the SWIFT messengering system.  I did a couple talks last year about banking insecurity as a fairy tale that misrepresented itself in the form of that trusted messengering system, SWIFT.  The deeper I delved, the scarier that fairy tale got. But from the start I had my suspicions about who was behind it and why. Why was a big factor because it ruled out the usual bank cyber crime suspects, aka Russia and Eastern Europe. This was too overt a move for a nation state to make right? Well, that depends which nation state you are.

And this was where my poli sci years kicked in.  I’ve always stood at that intersection of international relations and cybersecurity. It’s one heck of a vantage point. I do threat intel. Still pinching myself because I didn’t know this thing I love to do even existed a few years ago. But as I learn and grow in this field, what becomes increasingly clear is the need for context. That we have to take more than we surmise into account to really get the big picture. And we need the big picture to do this right. Otherwise we risk making the wrong call when we choose to play the attribution blame game, where the stakes are high and the consequences could level a lot more than the proverbial playing field.  So international relations, current affairs, global economy and history all need to be factored in. Then we have data with context and points that link, so we can see patterns.

kimbo

Linda Davidson/Washington Post

Because for me this story was always so much more than just “hackers went after a billion but only got 81 million”.  Who was behind those hackers? Why Bank of Bangladesh? Who needed a billion badly enough to digitally “rob” a bank? I’ll admit I have my likely crew: Russia, China, North Korea.  In this case, Russia and China were too big to make this kind of a play and have to contend with the global condemnation.  That’s a headache they would rather avoid and neither needed a billion dollars that badly. However, North Korea was a different story: impoverished, starving, and whose wildcard of a leader answered to no one in his quest for nukes. As per a recent story in the Washington Post:

“North Korea has consistently been treated like a joke, but now the joke has nuclear weapons,” said John Park, director of the Korea Working Group at the Harvard Kennedy School. “If you deem Kim Jong Un to be irrational, then you’re implicitly underestimating him.”

Kim Jong Un may be crazy but he’s crazy like a fox.  Hence why the attacks were on banks where nobody would care. Because the truth is first world problems get the attention, not developing nations like those in South East Asia. And of course, security was lax, because the resources just weren’t there. Nor was the mindset.  Corruption and coercion get things done in many parts of the world. How do you factor those into NIST spreadsheets and security audits?

A colleague and I had a great brainstorming session on geopolitics and cybersecurity as we put the details together. His keen insights and my paranoia spun the needle to land on North Korea. We just didn’t have any proof.  Fast forward a few months later, though, and tracks were found in the butter. Remember what I said earlier about the importance of history, context and patterns? Key pieces of code harkened back to the attack on Sony, and some very crafty work by the Lazarus Group.  While it wasn’t a smoking gun, it certainly was substantive. After his work on decoding Stuxnet, I listen when Eric Chien of Symantec weighs in. He knew what he saw there and he called it.

sonyhackIn the realm of cyber criminals, The Lazarus Group are somewhat nebulous, hard to pin down, and known for their ability to die off and then resurrect themselves, hence their name.  They’ve been identified as operating out of North Korea. To me, that means North Korea gives them a safe haven in return for services rendered. They are the bag man for their host supplying “dirty deeds”, just not done dirt cheap.  Because nation states don’t do this stuff for themselves when they need to remain one step removed.  Let me state that things are no where near this simplistic, and yes, China factors into this as well.  But no surprise there given the long-standing partnership between China and North Korea.

lazarus_map_ENWhere does this lead? Well, I did allude to the possibility of global economic chaos being used in the games nations play, because it’s all about the power and money is just a means to that end. Now we have news reports saying how nation states have resorted to robbing banks, and what a terrifying prospect that is. According to Richard Ledgett, Deputy Director of the NSA, in a story by the Wall Street Journal:

“If that linkage is true, that means a nation-state is robbing banks. That is a big deal; it’s different,” he said on Tuesday during a panel discussion at the Aspen Institute.

Mhm. I have a lot more where that came from.

Please click here if you’d like to see my talk on SWIFT and banking insecurities.

sectorslide

The ABC’s of APTs: Shamoon

sham35Welcome to the grey zone where politics and cyber meet. APTs or advanced persistent threats, are one of my favourite acronyms (but then you know how I am intrigued by Stuxnet and cartels), and essentially are how nation states get their digital digs at each other. Usually the intention is to get information, because knowledge is power. Cyberespionage can give a competing nation a real competitive advantage in the world economy, among other things. But sometimes, there is a need to control more, and that is where weaponizing code takes on a whole new nasty.

The keyword here is “persistence.”  First, attackers must find their way into the networks of the target. Usually, they employ targeted spear phishing, painstakingly staking out the right victim to receive that loaded email.  The investment of time and money at this point is essential, so as not to tip anyone off. And the emails are crafted so carefully, picking up on points tailored to that recipient so that they will open it, and launch the attachment that will create an entry point for the attacker. There is a reason why phishing is at the heart of so many breaches.

Now, imagine a video game, where you must progressively meet the challenges of each level to go higher. That is the attacker moving through the network, acquiring credentials to gain access to the crown jewels. The strategy is to find someone lower level, then work your way up. Hence, persistence, because this is an investment of both time and patience. Expect the key executives or decision makers to be well-guarded, with access and authorization controls in place. Not the case for someone lower on the food chain. All an attacker needs is to gain access. As proven repeatedly, once in, they can take all the time they need to find what they want. Case in point: the attack on the Ukraine power grid in December 2016.  The attackers were in that system for over nine months, collecting what they needed, notably credentials for the Virtual Private Network, that enabled them to jump the security gap onto the restricted side. As Stuxnet taught us, there is no such thing as air-gapped security.

shamoonattackgraphic

We know the Russians hacked the US; we know China hacked the US and Canada; and yes, the US has hacked someone too. These are the games nations play. The trick, of course, is not to get caught before you have the prize. And when you do get caught?  Well, as we’ve seen play out, nothing really bad happens. Just expect that your victim will be in your systems. Unless information isn’t the endgame and control is. Then, be prepared for something to go bump in the night.

Shamoon is devastating wiper malware that took out a massive swath of Saudi Aramco when it first debuted in 2012.  Linked to Iran, and an ongoing feud in the region between key players, it was a targeted attack against the oil giant, damaging or destroying 35,000 computers. Sec Def at the time, Leon Panetta, described it as “probably the most destructive cyber attack on a business.”

Wiper malware was used against business targets in  December 2014 destroying the systems in a Vegas casino, The Sands, after owner Sheldon Adelson advocated using nuclear weapons against Iran. The US “publicly cited Iran as the culprit”.   Then Disstrack was used again in December 2015, in the attack that brought Sony to its knees.  These aren’t gangs using cybercrime for monetary gain. These are the equivalent of acts of war, given the level of damage done.

Fast forward to late 2016. Two major attacks happened in Saudi: November 17 taking out systems at the airport and other Saudi government agencies, and then again on November 29. Then, on January 23 there was another attack. The malware used was almost identical to the original Shamoon, aka Disstrack.  Except there were a few key enhancements.  According to Andrew Plato, CEO of Anitian Enterprise Security

 “What is really worrisome about this is it’s just outright destructive. It isn’t really trying to steal anything. It’s the closest things we’re going to get to a cyber bomb”.

The new version, dubbed Shamoon 2, spread through the local network using legitimate counts belonging to users and administrators, with complex passwords likely obtained from an earlier attack. Remember what I said about persistence?  This new version, however went on to attack VDIs, or Virtual Desktops, which previously could have offered some protection because of their ability to load snapshots of systems that were wiped. Now Shamoon had migrated from just Windows-based systems to Linux in the attacks on VDIs.

cyberwar1-1024x482

Now, I don’t want to be alarmist and spread FUD everywhere. Yes, this is serious and destructive. Like Stuxnet, it broke things. And that’s the differentiator. So far, the line hasn’t been crossed where breaking things was deliberately done to harm people. Because as Archer would say: You want cyberwar? Because that’s how you get cyberwar.

While the expectation is that Iran is once again behind the attacks, Symantec has revealed there are multiple parties involved. More than one entity, so collaboration and cooperation.  The report is that an entity known as Greenbug may have assisted in getting the credentials needed for access.  Palo Alto reported on a campaign known as Magic Hound which targeted energy, technology and government with ties or locations in Saudi.  There were links between Magic Hound and two other actors with Iranian ties: Charming Kitten and Rocket Kitten. Finally, putting all this together was the group Timberworm or Cobalt Gypsy.  Per Symantec, Timberworm was behind the January 23 attacks.

Here’s the play by play. First, Timberworm used spear phishing emails with weaponized documents (we warned you about those Office Macros!) to gain initial access into the network. Once there, they used custom malware, along with leveraging existing sysadmin tools to avoid detection, and help them achieve persistent remote access. Quick FYI: custom malware is a hallmark of major organized cybercrime groups or nation state attacks because it costs a lot of time and money to craft, and the stakes are going to be very high.

Apparently Greenbug and Timberworm have been active, penetrating organizations beyond Saudi. Note that Shamoon, however, was only used against the Saudi target. Timberworm is a large operation, as is Greenbug, with targets in a range of areas. We know who they are now, what they can do, and that they have a shared interest. What we don’t know: the endgame. I’m waiting for that other shoe to drop.

http://www.zerohedge.com/news/2016-12-01/another-false-flag-destructive-iranian-hackers-allegedly-wreak-havoc-saudi-computer-

http://www.securityweek.com/shamoon-2-variant-targets-virtualization-products

http://www.securityweek.com/multiple-groups-cooperated-shamoon-attacks-Symantec

http://www.archersecuritygroup.com/second-wave-bomb-malware-hits-saudi-arabia/

My Approach to Threat Intel

In my role at work as a Threat Intel analyst, I track developments using various media feeds, and put together a succinct daily report of several key items that are pertinent to our clients and business lines.  Of course, I share my findings on Twitter and LinkedIn because that’s how the security community flourishes: collaboration. And to say I love what I do would be an understatement.

I don’t pretend to be an expert at what I do, nor will I say I have the definitive definition of what Threat Intel is. There is so much information to capture and analyze, and the learning is continuous. For me, my love of threat intel is in the hunt: looking for trends, patterns, new developments, things that reappear.  If you seek, you will find. There are many ways to search, and I am always trying to learn from people who have been doing this longer. It’s like fine-tuning a guitar, so I’ll always be looking at how to improve what I do.

I have go-to sources I read regularly, people online I follow specifically. My twitter feed is huge and categorized. But if I want to know something right away, it’s usually on there. I also have other sources to check in with directly. I collate information on malware, Advanced Persistent Threats (my most favourite things), specialized systems and their unique vulnerabilities.  This has helped me develop a baseline understanding over the time I’ve been doing this, so that I can understand who the players are when it comes to exploit kits, ransomware or DDoS.  And I try to make sure I know who the experts are, so that when they find something I am paying attention. That’s the head’s up.

When I’ve talked on Blue Teaming with my awesome pal, Haydn Johnson, we refer to the importance of knowing your baseline, watching patterns, so that you can identify anomalies. Those are your threats. That is your head’s up.  I find the same thing here as I track tweets, stories, advisories, reports and blogs.  I look for evolutions in how malware is delivered, so changes in exploit kits, or for kits to disappear from site. That means those kits are going to reappear with a new twist that our standard levels of detection and protection may not recognize, so attackers can access systems. Or, it could mean a larger scale attack, like Carbanak, when a massive crime gang operates on a global level and banks get taken for $1 billion. I play a lot of “what if” because I find I need to think beyond the normal realm to expect the unexpected. After all, the attackers are going where we aren’t looking.

In the weeks to come, I will be trying to bring in more information to widen my search. I’m researching all I can on what experts think best defines Threat Intel and Hunting. Because to really capture what’s out there, we need to broaden our scope.  I want to be looking ahead of the curve in this chase, anticipating their next move based on the wealth of information we have at hand, and factoring in what we know about human behavior. Next gen tech has spawned next gen threats, and as always, the attackers are ahead of us. And here is the thrill of the hunt.

CyberSec for Everyone

I was recently asked to speak with Mansoor Tamweer, a reporter with Ryerson University here, about what the public should know as a general overview on Cybersecurity.  For me, it’s a privilege to be asked, and my calling to help others.

I don’t come from a traditional technical background. Infact, as I’ve often shared, I really didn’t think I could learn “tech”.  Until I sat down and took apart a computer and discovered the fun of learning hands on. That morphed quickly into becoming a software junkie. Back in the day when software suites were the thing: Lotus, WordPerfect, Microsoft. Like Pokemons, I had to catch ’em all.  Again though, learning for myself dispelled my old fears and hesitations. Instead, I understood things at a more user-based level, and was able to to explain “how” and “why” to non-technical people, equipping them with not just the skills but the confidence in themselves to try on their own. This is my biggest win. And I’ll keep doing that as I learn more, because everyone needs to know. We own our own security.

The recent ransomware attacks on Canadian universities prompted the call to me, because I had spoken with the Ottawa Citizen about a ransomware attack on Carleton about a month ago. Credit where credit is due: the information I share comes via others in our security community who really are the experts on malware, ransomware, threat intel, securing systems etc. I learn from them, then try to make the awareness and understanding happen for a broader base.   Imagine that we, the security folks, are the tip of the iceberg. We know and understand a lot. But everyone knows the mass of the icerberg is submerged. Like 95% of it. To me, those are the end users. The non-technical folks who trust in the products and services they buy. And who need us, more than ever. My theory is that if we can help those people do one or two basic security things better, then we may flip this table in our favour. Like a numbers game. You know the adage “Teach a man to fish, and he’ll eat for the rest of his life”. When I explain things to friends and neighbours, they want to learn. They’re scared, intimidated, but they want to protect themselves, their families, their homes. We can make that happen.

There is lots of FUD – fear, uncertainty, doom – being peddled. And the ubiquitous images of hackers hunched over keyboards in black hoodies. Clarification: hackers aren’t all bad guys. There are way more good guys, striving to learn things nobody else can, to improve things nobody else will. My hoodies are purple and red, and hunching is bad for my back. I’m not a “1337” or elite hacker – I’m still shiny new to this realm by many standards. But I’m learning the skills to understand how to protect based on how to attack. Break. Fix. Break again. We’re hackers – that’s what we do. And you need us to do this. How else are you going to know where your weak spots are?  Really, your best offence will be a solid defence because attackers go after the low-hanging fruit. They move on if there is anything in the way. That’s where teaching basic security at a level everyone can do comes in. And I know we will have to keep trying – this isn’t going to be easy. People are resistant to change, hesitant to learn new things. But if you are persistent, it will happen.

signbunny

Tameer was a great host, and I really enjoyed talking about security with him. One thing asked was if there were places for people to go and get a basic understanding of security. I said he could start here with my site. I am trying to make it a resource, a one-stop or a first-stop, for people at all levels. I’ll make sure I regularly feature security for beginners in this blog area as well as a resource page. Since we need to learn to walk before we run, what are the basics? Here’s my quick list:

1. Passwords. Do this right. It really is your first line of defense and a deterrent to the attackers. They will move on. There are rules, and passwords only work if you follow these rules: do not share your password; do not use the same password across multiple accounts; when you buy something, change the default password it comes with. And if you feel overwhelmed by trying to manage all your passwords, consider using a password manager like LastPass. I’m not endorsing anything but just giving you a starting point. Jessy Irwin, @jessysaurusrex on Twitter is a fantastic and funny resource on security for us all. Follow her.

2. Wifi. If you like using free wifi, or wifi hotspots, please do not believe those are safe. You need to surf protected, with a shield around you. This shield is called a VPN. A Virtual Private Network. You can get some for free that will buy you a few hours of security at a time or you can spend about $5 a month and get something really good. Why do you need it? When you go online, your IP address is visible to anyone. They can track you, mislead you, and attack you. A VPN switches your IP address which throws an attacker off your scent. You can go online without them knowing where exactly or who exactly you are. I use PIA Private Internet Access for my VPN if that helps.  And I use this on my cell phone. Easy to set up. No more excuses ok?

3. AntiVirus. It isn’t a silver bullet but it will catch things and help protect you. There are loads of free versions. At the bare minimum, you can use the one that comes with Windows. And i use it on all my devices. Avast is good. ESET. And if you want to spend more for extra protections, go ahead. Monitor all the connections. friends

4. Think before you click. Everyone has heard about phishing and ransomware. Yes. People send you stuff with attachments or links. You click it and “boom”!  But even the smartest people can be fooled. You can test that link before you click it to make sure it really is legit. You can enter the url or link info here: http://scanurl.net/.    As for that attachment, you can use you AV to scan it first.  This article by Lifewire has lots more info to help.

5. Backups. Set yourself up with backups. And multiple ones. Keep one off your network because your network gets contaminated. And when you get hit by ransomware, or malware, you have something to restore from. All your files are not lost forever. You won’t be held in some attacker’s grip.

6. Encryption. That sounds pretty technical for some. But the fact is, if you are using any mobile device, you need to encrypt the hard drive, or set up a passcode to lock the screen. Do you have any idea how many breaches have been caused by laptops stolen from cars or desks that were not encrypted? Windows will walk you through encrypting your own hard drive. And at the very least, secure your lock screen on your phone or tablet.  Those SMS messages we love to send? Texting. That is out in the wide open for everyone to access. You can use a secure encrypted messaging system that is just as easy and free. Signal. WhatsApp. Wire. Download. Set up your username and password. Done. No more prying eyes.

The interview with Tameer airs on January 23 on The Scope, Ryerson’s radio station. Thanks so much for the opportunity to share what I know. Stay safe!

Sector 2016

sector

This October marked the 10th anniversary of Toronto’s main security conference, Sector. I had the pleasure and privilege of being a speak, as well as working with a terrific team of volunteers. It was thrilling to be part of this event, plugged right in, to welcome people to our city and then to deliver a talk I had really wanted to give.

There was fanfare. Edward Snowden – yes, for real- was video conferenced in as the keynote speaker Day 1 and he did not disappoint. He has put his time away to good use, becoming expert on matters of privacy and rights. There was a second terrific keynote panel on Day 2 by a group of very successful and talented women about their experiences and insights on careers in InfoSec. The selection of talks and speakers was truly impressive, featuring leading experts and exciting new voices.

Here is my presentation, that started from a story on the Defensive Security podcast back in March. What caught my attention was how a bank heist in Bangladesh for a billion dollars was bungled because of a spelling error, and how far things almost went. Bank heists make great stories.  This year, we’ve got some really good stories to tell courtesy of a trusted network known as SWIFT, and some banks that believed they were inherently protected by virtue of being connected – except they weren’t. Hundreds of millions of dollars have revealed some ugly truths and dangerous assumptions.  In this security fairy tale we’ll talk about scary godmothers, big bad wolves, fire breathing dragons and what’s inherently wrong with the banking system. Because the emperors have no clothes on. Click on it to go to the site.

sectorslide

Irongate & Customized ICS Malware: Don’t Hit the Snooze Button This time

icspic3

ICS or Industrial Control System networks are integral to running our critical infrastructure, industrial and manufacturing processes, hospitals.  These are specialized systems that have been kept separate or “air gapped” from main networks, but that has been changing over the past few years as everybody finds ways to get connected. However, a mindset persists that because these systems are “special” and “different”, and because they have been segregated from conventional networks for so long, they are inherently protected. This past week heralded the discovery of “Irongate”, customized malware for ICS that is still in the testing stages and has not been used against production facilities – yet. The fact that somebody has carried on from where Stuxnet left off is a warning to us all that our assumptions on what keeps us secure no longer apply.

Stuxnet showed us that specialized systems offer attackers, especially at the nation state level, a unique opportunity for this reason. Nobody is looking when they think they are secure. The fact is that attackers live within our networks for long periods. We have seen this proven in recent months through the rapid escalation of ransomware and lateral movement through networks to accumulate info and destroy data; in the attack on the power grid in the Ukraine where attackers harvested credentials to access the VPN and get into supposedly secure systems; and the SWIFT banking heists where attackers learned the most intricate details of how to manipulate printer outputs and redirect huge monetary transactions.

‘Airgaps’ are great in theory, but don’t hold up given the growing reality of the Iot and now the IIoT. With pressures to cut costs, increase productivity, and just make things easier, these systems are being connected to corporate networks and the “Cloud”. There’s a whole lot of scary here because the truth is that ICS systems are not well monitored. Experts like Chris Sistrunk and Robert M. Lee have made this pointedly clear in emphasizing the need for NSM, network system monitoring and DFiR, digital forensics, to look for what attackers leave behind.  You can’t find the danger if you aren’t looking.

While the big announcement of Irongate was this week, researchers actually found samples late 2015, and reports show that the malware can be dated as far back at 2012, and was submitted to VirusTotal through the web interface in Israel in 2014. There is no evidence of this having been used in any campaign, nor is it associated with known threat actors.  Siemens ProductCERT confirmed that “the code would not work against a standard Siemens control system environment”. As it stands, it is not proof-of-concept for an actual weapon or adversary. Yet, the code was found when searching for droppers compiled with PyInstaller; Irongate droppers are Python scripts converted to executables from that same software. Somebody saw the need to make this, and the opportunity for exploit.  We need to read into that and act on it before it moves from test to production.

According to Robert M. Lee,

“ICS is a viable target and attackers are getting smarter on how to impact ICS with ICS specific knowledge sets… The unique nature of ICS offers defenders many advantages in countering adversaries but it is not enough. You cannot rest on the fact that ‘ICS is unique’ or ‘ICS can be hard to figure out’ as a defense mechanism. It is a great vantage point for defenders but must be taken advantage of or adversaries will overcome it.”

Right now, there is a lot of speculation around why this exists in test, without a known contributor. Dan Scali, senior manager for FireEye Mandiant ICS Consulting, posits “Is someone trying this in a simulated [environment] before taking it to a production environment? Or is it a researcher saying ‘look what I can do … a Stuxnet-type thing?”

Robert M Lee expressed concern that this illustrates a fundamental security problem with ICS/SCADA. “It’s a sign of the interest in this by pen testers, security companies, as well as adversaries…I am not confident that a majority of the industry could respond to it. We don’t know what’s out there; antivirus companies aren’t finding it and even if they had, who would know what to do with it [the threat]?”

If we’re not looking, we’re not finding. And we won’t be able to prepare for attacks which are already in the works. We would be foolish to think otherwise.

This argument is made by Lior Frenkel, CEO of Waterfall Security.  He expects attacks similar to Stuxnet “are in the pipeline”.

these attacks will increase in their sophistication and complexity so any solution needs to be completely comprehensive and robust to cover the full perimeter of an ICS site … (adding that) unidirectional gateways are the optimal solution for these attacks”.

Add to that this assertion by Sean McBride, attack synthesis lead for FireEye iSIGHT Intelligence: “I would not be surprised to see sandbox evasion and file replacement attacks incorporated by future ICS malware deployed in the wild.” This is yet another wakeup call for ICS SCADA, and other sensitive segregated systems.

Irongate is

  • sophisticated,
  • has the capacity to be persistent,
  • is evasive
  • undetected by AV
  • introduces new features to existing knowledge of customized ICS malware.

The key feature is a man-in-the-middle (MitM) attack, where the malware replaces existing DLL (Dynamic Link Library) files with malicious ones, enabling it to come between a PLC and legitimate monitoring software to engineer the next step. Like a scene from a movie, where the security camera footage is manipulated, the malicious DLL records five seconds of ‘normal’ traffic from a PLC to the user interface. This “footage” goes on replay while other data gets sent back to the PLC. Hence an attacker can alter a controlled process without alerting the process operators.

Causes for concern should be:  this malware was undetected by AV, even though some strings had the word “dropper” and there was an actual module named scada.exe; the malware is evasive, and will not run if it detects the use of VMware or Cuckoo Sandbox environments – something Stuxnet could not do.

Although Irongate is not as complex, the similarities to Stuxnet stand out:

  • Both types of malware search for a single, highly specific process.
  • Both replace DLLs to manipulate processes
  • Both are evasive. IRONGATE looks for sandbox or VMware that allow observation of malware; Stuxnet sought out antivirus software.
  • Both manipulate process data. IRONGATE actively records and plays back to conceal it manipulations however.

A key difference is that unlike Stuxnet, “Irongate has no worm-like spreading function, nor any apparent ties to nation-state actors”.

Recommendations on how to secure against this latest variant of ICS malware include integrity checks and code. But it really comes down to following through on best practices and those areas already identified as weak. The problem is that what we’ve been doing will fail us going forward, and we’re failing at doing the basics right. Know your baselines and actively look for anomalies. NSM needs to happen, as does DFiR within ICS, comprehensively and without further delays and excuses. Otherwise, we are turning a blind eye to attackers who know these systems better than we do.

This latest variant of customized ICS malware may be in the testing stages as we found it. But you can bet if someone else is working on this, things have already moved toward production and deployment. Irongate is yet another major wakeup call and we can’t keep hitting the snooze button.

Resources:

https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html

https://www.helpnetsecurity.com/2016/04/13/ics-network-attacks/?utm_content=buffer3b349&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

http://www.darkreading.com/threat-intelligence/shades-of-stuxnet-spotted-in-newly-found-ics-scada-malware-/d/d-id/1325753

https://www.helpnetsecurity.com/2016/06/03/ics-focused-irongate-malware/

Yes Virginia, Dreams Really Do Come True!

securityunicorn

Sorry to have neglected you this past while. Big changes have happened. But that’s a good thing. A really good thing. And something I hope to carry forward.

You may have heard about the lack of talent in cyber security. And the lack of women in tech. And the resulting lack of women in cyber security. I am thrilled to tell you that I have now changed that statistic by one.

Yes Virginia, dreams really do come true. Because  I was offered the role of my life. My dream job.

I now do Threat Intel with the cyber security team at KPMG. As a cyber security consultant.

Repeat after me:

OMG! OMG! OMG!  Now breathe. (that really was fun, wasn’t it!)

Now I can stay up all night, every night, looking for cyber boogeymen and playing what-if til I can’t keep my eyes open. And people actually want to know about what I find. Oh, holy cow – it is amazing!

I have to learn more about all. the. things. Which is fantastic because I like all the things. Networks. SCADA ICS. Mainframes. Web Application Firewalls. And of course my 3 favourite letters: APT or Advanced Persistent Threat. Because the biggie of all those, Stuxnet, is what led me here in the first place.  I get to work with amazing people whose knowledge and skill just inspires me every day to do more.  We plan and build and evaluate things most people have no idea about, but that will actually make the world a better and safer place for everyone. And that is the realization of one of many childhood dreams. I still haven’t walked onto a Starfleet Enterprise class ship yet, but believe me, this is what it would feel like.

And this is where I tell you the really good stuff. That you have it in you to make your version of this happen. I stopped listening when people told me “you can’t do that” or “you  got that all wrong” or “maybe you’d be better at’.  I listened to that voice inside me, that passion pushing me further even when it seemed impossible. Even when I couldn’t understand it the first time, or someone said no, and said no again.  Because something inside of me wouldn’t let it go. I loved it too much.  Listen to that piece of you that won’t let go.  Find that thing you love enough to fight for it – and fight.  You deserve the sweetness of this victory. And oh, if it can happen for someone like me without all the proper degrees and traditional routes, then it can happen for you. Believe.

So come along and join me for my next incredible, amazing adventure. I’m only just getting started!

(Necessary Disclaimer bit that all these posts are my own and not my employer’s)