The Tribal CISO

Throughout my career I have been through more “Leadership” or “Managerial” training than I can remember, from the lead-by-example style when I was in the military to the corporate leadership (aka managerial) style that takes more of a scientific approach. I have seen many styles come and go, and there is certainly no shortage of articles and trends published on a daily basis. Many times those of us who have been through the drill enough know what works and what doesn’t; in the words of Kenny Rogers, we know when to hold them and when to fold them.

We tend to focus on the results we have achieved in the past with a given scenario, learning from our mistakes and ensuring we highlight successful efforts. In my observations we tend to do the same thing when it comes to implementing various frameworks, whether it’s ISO, NIST, COBIT, FAIR, ITIL, CERT-RMM, the Diamond Model or OCTAVE. You name it, there is certainly a framework for it. Some people pluck the goodness from multiple frameworks and create their own; others will kneel at the altar of the chosen framework and swear allegiance to it for all time.

Leadership and management styles or skills can be viewed in much the same manner. There is always an interesting conversation when you ask someone the difference between leadership and management, leading and directing, mentorship and oversight. The most glaring difference, however, is that one styles “leadership” as more of a social mechanism and “management” as more of a set of tools for your toolbox.

James Altucher published an article on the 10 things he thinks you should know in order to become a great leader, and there is a section that particularly caught my eye. Specifically he states:

Below 30 people, an organization is a tribe. 70,000 years ago, if a tribe got bigger than 30 people there’s evidence it would split into two tribes. A tribe is like a family. With a family you learn personally who to trust and who not to trust. You learn to care for their individual problems. You know everything about the people in your tribe. At 30 people, a leader spends time with each person in the tribe and knows how to listen to their issues. From 30-150 people you might not know everyone. But you know OF everyone. You know you can trust Jill because Jack tells you you can trust Jill and you trust Jack. After 150 people you can’t keep track of everyone. It’s impossible. But this is where humans split off from every other species.

We united with each other by telling stories. We told stories of nationalism, religion, sports, money, products, better, great, BEST! If two people believe in the same story they might be thousands of miles apart and total strangers but they still have a sense they can trust each other. A LEADER TELLS A VISIONARY STORY. We are delivering the best service because…. We are helping people in unique ways because…. We have the best designs because…. We treat people better because…. A good story, like any story ever told, starts with a problem, goes through the painful process of solving the problem, and has a solution that is better than anything ever seen before. First you listened to people, then you took care of people, but now you unite people under a vision they believe in and trust and bond with.

How does this relate to the CISO role or anything else for that matter?

In my humble opinion, this topic and where you fall in it will decide if you will build and/or operate a successful cybersecurity program. Over the years I have built and run multiple teams performing all kinds of functions and not just in the technology space, but also in the military, emergency response, heck, even running a kitchen staff when I was in high school, and — success or failure — it always felt “right.”

Here’s why. As Mr. Altucher defined so well, I have a tribal leadership style, and as I think back while writing this, I have set up my cybersecurity programs, both past and present, in the tribal manner, but never really defined it that way until now. In business terminology, each time I walked through the door of a new organization I assessed the landscape of the cybersecurity products, services, programs and projects, and usually reorganized employees and operations to be collaborative, efficient, and effective. Viewed another way, however, I was also organizing the cybersecurity program into multiple tribes.

These tribes sat together, supported one another, collaborated, gave and received advice and supported each other’s decisions. They received mentorship as well as the vision for the tribe on what mission success should look like. I back up my tribes and they back me up, always seeking out facts and making sure everyone’s covered.

For those of you with a military, police or fire background, you can certainly relate to what I am talking about. When you think about this concept and observe your own current corporate culture, are you tribal? Are the functional teams supporting one another, giving and receiving advice and collaborating freely? Are you backing your tribes up, and are they backing you up?

If not, here are some advisory tidbits I would recommend:

  1. View your leadership style through a social lens. Treat your management style as tools for your toolbox. Do not treat your tribes as tools.
  2. Do you differentiate between programs and projects? Programs have outcomes and projects have outputs. I lead my tribes as a program and want a successful outcome. Therefore, my tribes don’t have milestones or deadlines; they have only mission success or not.
  3. Keep your tribes small and focused. I commonly use the term “high speed and low drag.” This supports organizational resilience. When you’re breached and need to pivot, this is the optimum way; empire building does not mean success.
  4. Do not build your tribes solely around a standard or framework. If you focus solely on industry standards or cybersecurity frameworks you will fail. Build your tribes based on outcomes and whatever means mission success in your organization. Do not try to build a tribe into columns, rows, and cells.
  5. Be willing to change. If you are in your workspace as you read this and as you survey the landscape around you it feels like a scene from the movie Office Space, you should reflect on that for a few minutes and maybe think about some ways to change it.
  6. Observe the simple diagram below:
    1. It is not a top down org chart; it is a tribal “system.”
    2. Each tribe would have its own products and services they would be responsible for as well as the mission goals and outcomes.
    3. From an operations standpoint you are leading an ecosystem with an environment that changes every day, hundreds of times a day. Define what “normal” looks like and observe and react when something “abnormal” occurs.


Nucleus Market Vanishes – Now What?

Over the past year, the number two Dark Web market in terms of activity was Nucleus. As of late 2015, this market had more than 25,000 vendor listings, but on April 13 of this year, Nucleus disappeared.

While it’s not the first time Nucleus has been down and it’s not uncommon for Dark Web markets to go offline, we are now one month into this “downtime.” As recently as May 8 there are still more than 5000 Bitcoins in the Nucleus wallet (a value of more than $2.25M USD). Here are some possible explanations:

  1. Exit scam? There is a lot of talk from Nucleus Market buyers and sellers of an “exit scam.” Exit scams occur when the marketplace operator wants out of the game and closes up shop, but doesn’t tell users and continues to accept payments in Bitcoin. If this is the case, the owner of Nucleus Market may have pulled off quite the heist. However, there is a substantial quantity of bitcoins associated with the Nucleus Market and they continue to build each day. Since the market went offline there have been no withdrawals from the Nucleus wallet; however, there have been continuous deposits. Is the owner planning to grab that money and run? Or not?
  2. Hacked? Another possibility is that Nucleus was hacked and subsequently brought down. Legitimate businesses aren’t the only ones being victimized. There is some speculation that an actor who goes by the handle “theDmaster” exacted revenge on the market after he was kicked out. If this occurred, it’s possible that a) access to the Bitcoins has been blocked as part of the attack or b) the owners of Nucleus are in fact trying to get the market back up and running and thus have not run off with the Bitcoins.
  3. Busted? It’s also possible the Nucleus market was busted by law enforcement and/or the site’s owners are in hiding. The alleged administrators of Nucleus recently posted a comment about Interpol seizing their servers and that they were now working with Dream Market (another dark web marketplace), but this could just as easily be a plug from competitor Dream Market in the hopes of winning Nucleus Market customers.

Investigations will of course continue into Nucleus Market, but how does what we know now impact dark web trade?

Before its disappearance from the Dark Web, Nucleus market was one of the top places to go for:

  • Drugs and paraphernalia
  • Fraud related activity (such as payment card information, stolen accounts)
  • Guides & tutorials (How to card; Get rich quick schemes; Black Hat SEO; Drug manufacturing)
  • Services (such as hacking for hire, fraud related services)
  • Counterfeits (e.g., money, apparel, tickets)
  • Digital goods, media piracy
  • Electronics
  • Erotica
  • Jewelry
  • Lab supplies
  • Weapons

Nucleus vendors now need to get their wares ready for sale on other markets. There has been significant buyer and vendor chatter about moving to AlphaBay, Dream Market, Hansa, Oasis, Valhalla, Acropolis and new markets such as LEO. If they do, these vendors must re-establish street cred on the markets where they set up shop. It may also take time for buyers to find their preferred vendors.

What does this mean for you?

First, recognize there is no honor among thieves. Second, and more importantly, this highlights the “intelligence challenge” of dark web surveillance as markets and vendors disappear and sometimes reappear. By tracking the commodities being sold on the black markets, organizations can gauge the underground market economy and get an idea of what commodities are being actively sold, what prices they are being sold for, and how much volume they are moving. No different from a legitimate business, you can get a sense of which commodities are the most desired items and therefore gain an understanding of what the future targets may be. Most importantly, you will know if you look similar to those targets.

When markets such as Nucleus cease operations, the actors who were operating there will quickly scatter to new locations and start anew. From an intelligence perspective this means historical measurements lose some of their value and causes a moment of chaos until the marketplaces begin to settle down.

While the Nucleus Market going offline is most impactful to the users who lost their money, it does illustrate the need for continuous monitoring of the black markets to understand the potential fraud footprint and how it shifts. For organizations that have to continuously battle a large fraud footprint, it is critical to maintain situational awareness of the ebb and flow of market change.

“Actionable” Information vs. Practical Cyber Threat Intelligence

I am a practical guy. I don’t like to waste a lot of time and tend to gravitate to things that work, whether I originally thought up the idea or someone else did. I’m of the “if it works then it works” mantra. Much of that attitude stems from joining the military and being thrust into a culture that demands outside-the-box thinking: assess the problem and work through scenarios, use past experience and lessons learned, use the right tool for the right job and, lastly, be mission oriented.

When it comes to cyber threat intelligence (CTI), the key value can be unlocked by making it practical. What are the answers to the “so what” questions? Why would anyone want to spend budget on this? CISOs and like roles have a lot of headaches. How does this help that headache? How do I make this stuff useful to decision makers? Who are the decision makers? Why would they care?

The problem is that the value from CTI is being misrepresented. What I’ve noticed is that there is an overwhelming drumbeat towards tools, tools that will sprinkle pixie dust over your threats and make things “actionable.” But getting an avalanche of data is not the same as evaluated intelligence, and yet the two get confused way too often.

Information is raw and unfiltered. Intelligence is organized and distilled. Intelligence is analyzed, evaluated and interpreted by experts. Information is pulled together from as many places as physically possible (creating an unnecessary and unrealistic workload for any analyst team to organize, distill, evaluate, etc.), and may be misleading or create lots of false positives. Intelligence is accurate, timely and relevant.

The reality is that “actionable” really just means a new alert/alarm/event that you now have to whack-a-mole. In some of the presentations I’ve given I’ve talked about the “actionable, actionating, actionator.” Sounds ridiculous, right? That’s the point. But this is more common than it should be, and because of this, teams are getting dragged away from productive efforts and into areas that are less productive.

This should not be surprising, as many of the CTI vendors are tool builders, and, no surprise, they push tools to solve the problem. However, here is where I will deviate: my background is that of a CISO, Program Manager and Team Builder. I am seeing a big disconnect between the threats that are present in our industries and the practical application of resources (a combination of people, process and technology) to reduce the likelihood of those threats becoming a reality.

You see, there’s a big difference between security tools and programs. Security tools (or feeds) are bolt-on and output-driven, while security programs encompass people, process and technology … and they are OUTCOME-driven.

Threat intelligence should be outcome-driven, not output-driven. In my previous role as a CISO, I wanted and needed to know about threats that were specific to my organization. I needed to know what capability, opportunity and intent those threat actors had, along with a plan to ensure we were well-positioned before an event occurred (and, in case we were not ready, that we had an effective plan in place as we moved from event to incident to breach).

So as you look at the many “threat intelligence” options out there, ask yourself this: will this intel drive the organization to make the right decisions and take the right actions?

Don’t try to bite off more than you can chew; start simple by focusing on evaluated intelligence. From there, make your risks learnable by separating random (or un-analyzed) risks from what is more likely so you can reduce your uncertainty, and then tie those learnable risks to the characteristics of your business.


This real-life case study will contain some information, but not all, in order to protect individuals’ personally identifiable information as well as our intelligence collection sources; our goal is to highlight the importance of having visibility into your supply chain cyber risks. In the beginning of April 2016 SurfWatch Labs threat intelligence analysts uncovered a breach of web hosting provider Invision Power Services, whose customers include some professional sports leagues as well as major media and entertainment companies.

The actor, going by the name AlphaLeon, is associated with both the AlphaBot and Thanatos trojans; early strains of these pieces of malware appear to date back to early 2015. AlphaLeon has been known to sell access to these trojans on the dark web. While the actor has not been a seller for very long, the group’s experience and presence indicate they have been active in this space for more than five years, including on multiple dark web and open web forums.

After discovering information related to the latest activity of this actor, we alerted Invision Power Services (IPS) who had not yet detected this compromise. We worked with them to validate that the actor appeared to have established a presence within the managed hosting environment that Invision Power Services operated via Amazon Web Services (AWS).

It is our understanding that IPS is still working through their own internal investigation into the incident and additional information may be uncovered, but it appears that the initial cause of the compromise was most likely unpatched software. AlphaLeon indicated that this access, which affected multiple high-profile brands, would allow them to install exploit kits with the purpose of infecting users visiting these sites with their trojan. This would grow the group’s botnet further, which would in turn be sold via various underground markets. The trojan appears to be capable of:

  • Stealing banking credentials and bitcoins
  • Gaining (and selling) webcam access
  • Delivering ransomware
  • Sending spam
  • Stealing gaming credentials
  • Launching distributed denial of service (DDoS) attacks

As of the date of this post it does not appear that AlphaLeon has initiated this specific campaign.

This case study highlights three primary things:

  1. This is a classic case of supply chain risk management. Invision Power Services is a supplier to some of the largest brands. These companies entrusted their web hosting provider to perform a reasonable service based on whatever contractual agreements were in place. Even if the impacted companies are not at fault, they still have their own customers and their brand and reputation to protect. If you are going to outsource a service that has cyber risk tied to it, you are outsourcing a portion of your brand and reputation in some way, shape or form, and you need to keep some eyeballs on that supply chain.
  2. Having a dark web intel capability is an important component of your overall cybersecurity efforts. In this situation, a bad actor was observed in a dark web forum. This source was key to gaining intel that was not available through normal open channels. The dark web is certainly not the only source you should be pulling from in your intel efforts, but it is an important area for which you should have a collection capability.
  3. The intel process works. SurfWatch Labs analysts observed discussions that concerned us, we notified the victim hosting provider, they confirmed the issue and started to react. That is what is supposed to happen.

As you outsource capabilities to other vendors, your cyber risk exposure expands. Make sure you cast a wide net with regard to your intelligence collection capabilities. It is critical to understand this and to keep a watchful eye not only on your internal environment, but on that of the vendors you do business with.