Cybercrime Lessons from HBO’s True Detective

For those who did not follow HBO’s recent hit drama, True Detective, starring Woody Harrelson (as detective Marty” Hart) and Matthew McConaughey (as detective “Rust” Cohle), it was an intense drama about a seventeen-year struggle to break a serial murder case and bring a sadistic criminal to justice. For those who do know all about True Detective, that is not a surprise.

So, what does a TV murder mystery have to do with fighting cybercrime and can we learn anything from True Detective?  At first, there would appear to be little commonality between murder and cybercrime –doubly so in this case for one world is real while the other is fictional.

However, I hope that by the end of this article you will agree that, while the crimes are indeed worlds apart, the art and the act of solving them are virtually the same, albeit significantly time-shifted.

Marty and Rust were confronted with a dizzying array of information, some of it factual (at least in the series), and some of it based on conjecture. They struggled to connect what seemed important and chased down a multitude of blind alleys in search of what was real versus what was obfuscated and at best confusing.

In the end, Rust and Marty were able to connect the dots and identify the bad guy and they tracked him down and justice was served – albeit almost costing Marty and Rust their lives.

Easy enough you say.  However, between knowing a killer was at large and bringing that killer to justice, was an intensive effort of investigation and analysis, over a seventeen-year period, piecing together many disparate pieces of information to come up with a solution to the mystery.

What many had believed to be several unconnected murders was in fact a collection of ritual murders that were in fact very connected, but in ways that were revealed only after deep and skillful work by Rust and Marty.

Back to the future and cybercrime.

Financial companies, especially banks and big “e-tailers,” are frequent targets of phishing campaigns and these companies spend significant amounts of money having the phishing sites taken down – usually repeatedly.

What the companies don’t know is that many of these attacks are being carried out by the same criminal. In fact, the same criminal is often attacking several brands, but again, the banks are seldom aware that often there is one serial criminal instead of these being a series of unrelated crimes by several criminals.  This is the very same view the police had in True Detective.  They did not see, they could not see, the connections among the various attacks.

When Marty and Rust took the time to do a deep analysis of huge volumes of data, their “mostly paper-based” version of Big Data, they were able to solve the crime – it took 17 years, but they did solve it!

Taking 17 years to solve a cybercrime would not be of much use, so Marty and Rust’s tools would not yield a timely solution today; however, their methods would and do.

To be effective in creating holistic solutions against today’s fast-striking cybercriminals, the good guys, just like Rust and Marty, must be able to connect the dots at very deep levels; but today they must do it very quickly.  This is no small requirement given the fantastic volumes of data, information, and apparent disconnected aspects of the crimes.

Fortunately, it can be done. Using patented deep analytics, cyber analysts are able to show that the same cybercriminal is in fact attacking many brands, often simultaneously, and the analysts can provide deep intelligence about the cybercriminal, often providing his/her e-mail address – and in many cases, being able to show them on their Facebook pages.  Perhaps more valuable from a bank’s perspective is that this deep intelligence can be used to stop or significantly reduce the cyber criminals’ attacks against the bank’s brand.  A major way this is done is by showing the companies how they can make sure their scarce and expensive resources are focused most productively in the battle against the cybercriminals.

In fact, this use of actionable intelligence, used either automatically in companies’ firewalls and network devices, or used to support law enforcement when desired, is the only effective way to make progress against today’s cybercriminal.  We have only to read the headlines every day to know that what may have worked yesterday in preventing cybercrime (it really didn’t work) will not work today against the more sophisticated cybercriminal.

Many “cyber solution” companies claim they provide this “actionable intelligence,” just like many companies claim to be in the “Big Data” business.  The simple test of this claim is for a prospective customer to demand proof.  If the company cannot demonstrate and validate that it can provide real actionable intelligence, then all they have is an ad campaign.  If they do have the actionable intelligence, they will be able to show it clearly and convincingly.

Really “True” Detectives are hard to find.  However, it takes true cyber detectives, using real intelligence and sophisticated methods, to unmask and prevent today’s cybercriminal.

When you need one, be sure to get a True Detective!

Will the Target fallout shift focus away from compliance?

While in the check-out line at Target recently, I observed an interesting exchange that shows just how deep the impact from Target’s massive data breach has been. While rummaging for bills in her wallet, the woman in front of me in line asked the cashier whether anyone still used their credit card at Target anymore. The cashier could only shrug, but the fact that two ordinary people were discussing the impact of a data breach was remarkable, and Target’s recent sales numbers show that people aren’t only nervous about using credit cards at Target, they are avoiding the retailer altogether. Only 33 percent of US households shopped at Target in January of 2014, a 22 percent decline from 2013, and Target’s lowest level of shopper penetration in the last three years.

This is bleak news for a company that has already generated an enormous amount of negative publicity that has led to a U.S Senate hearing, a restructuring of Target’s corporate leadership, and even a change in Target’s employee dress code.

Who’s to Blame for the Target Data Breach?

Why are we still discussing the Target data breach that occurred in March 2014? In a world where ‘news’ literally lasts minutes – OK maybe hours or in special cases days – here we are still discussing a data breach that started around November 27 – December 15, 2013! What is so special about the Target data breach that warrants all of this media attention?

Well let’s start by putting the importance of this data breach in context. At the RSA Conference, TripWire did a survey that revealed the Target data breach has had a larger impact than Edward Snowden’s leaks on cybersecurity budgets and executive awareness. That, in and of itself, underscores its significance. In short, it had a major impact on the business. Executives realized that data breaches can be incredibly expensive. There are remediation costs of course, but more importantly, reputational costs. The damage to a company’s reputation dwarfs the monetary costs of remediation. We speak with security professionals every day who dismiss the reputational costs to an organization following a breach. Well, to then we say, why not ask Target about how insignificant their reputation damage has been.

Yesterday, BusinessWeek issued its take on the Target data breach. The article shows just how mainstream cyberattacks have become. In their March 13, 2014 story titled “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” BW does a nice job telling the story, complete with a graphic of a target with data spewing out of it. However, I found something else mentioned in the article that was even more interesting.

Here are a couple excerpts:

“Six months earlier the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye (FEYE), whose customers also include the CIA and the Pentagon.”

“…as they [cybercriminals] uploaded exfiltration malware to move stolen credit card numbers – first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia – FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then …Nothing happened. For some reason, Minneapolis didn’t react to the sirens.”

“…But then, Target stood by as 40 million credit card numbers – and 70 million addresses, phone numbers, and other pieces of personal information – gushed out of its mainframes.”


For as long as I have been involved in computing (since 1985), we have had performance monitors that alert IT professionals to issues or situations. In security, we have had IDS/IPS and SIEM tools for more than 10 years. So what is this article saying? That even with the newest and coolest security software solutions from FireEye, we still just send alerts and hope somebody takes action!

OK, maybe someone was supposed to do something and didn’t. The article seems to point to the Bangalore operation of Target for not reacting to the FireEye alerts:

“If Target’s security team had followed up on the earliest FireEye alerts, it could have been right behind the hackers on their escape path.”

BW also says that the Symantec EndPoint protection Target used had detected the malware.


Let’s see, if my fire alarm goes off and I am not home, I wonder who hears it?

Wait, if I do come home – by chance – and my alarm has gone off – my alarm quickly identifies where the smoke is coming from and helps me prioritize what room I need to go to. Wait – that doesn’t happen either.

Oh, and when the alarm goes off, my sprinkler system immediately goes off and the fire department comes. OK, on that last point, the fire department comes because I have an ADT system (not a standalone smoke alarm). And no, I don’t own a sprinkler system.

So, the fact the alarms went off with FireEye and ‘no one noticed’ isn’t so crazy. That happens every day in our own lives.

But let’s be more specific.

Alarms go off with IT products, and specifically security products, every day. All the time. Today’s security professionals need information that is actionable. Security professionals need to have usable threat intelligence information that identifies, prioritizes and then targets in the indicators of compromise and stops or mitigates the attacker’s behavior. That the Target systems sent alarms and no one ‘noticed’ is not so amazing. The BW article should ask why the FireEye system didn’t do something without manual intervention, no? Why isn’t the detection system actually responding, instead of just triggering an alert?

The traditional definition of the steps for security are protect, detect, respond and recover.  Target and its vendors clearly had the detection part down. However, without the other three steps, it did nothing to stop the Target data breach or limit the damage caused. In Target’s case, that is considerable damage to its reputation. For FireEye, potential customers may now be asking themselves, why choose a product that did not prevent the massive Target data breach.

YYBC: Don’t lie to your users about compliance

2014 was PhishMe’s 3rd year at RSA. Our growing team allowed me to steal a few hours away from the Exhibit floor and attend some excellent sessions. While many of the sessions I attended related to PhishMe’s offering I also made it a point to take a break and enjoy some fringe topics. A talk entitled: “The Dark Web and Silk Road” with Thomas Brown, Deputy Chief for Cyber, U.S. Attorney’s Office of Southern New York was a fascinating view into how Bitcoin is used in illicit underground marketplaces. The presentation was well-done and a great play by play about how the man behind Silk Road was unmasked and arrested.

Another presentation that really stood out: “Cognitive Injection: Reprogramming the Situation-Oriented Human OS” with Akamai CSO Andy Ellis.

Effective security awareness includes everyone

I’m often asked which employees are most likely to be targeted by phishing emails. It’s interesting to think about, but the truth is that adversaries will target whichever employees can offer access to the enterprise’s network—and that could potentially be anyone in your organization. Recent research from ProofPoint confirmed this, finding that staff-level employees were targeted by phishing attacks more often than middle and executive management.

The takeaway here is that for security awareness to be effective, it needs to include everyone in your organization. Aside from the obvious security necessity, including the entire organization in your security awareness initiatives enhances your program in a number of ways.

Breaking out of the compliance mindset

During my years at Mandiant, I responded to a lot of breaches for a wide variety of organizations. Every breach case had one thing in common – the customer was compliant.

Difference in the group

Addressing security threats requires a new direction from the mindset that compliance equals security.

While compliance is a requirement for many organizations, compliance does not equal security. I was recently talking to a CISO who has divided his department into two teams – one focused on security and the other focused on compliance. The security team deals with emerging threats to the network, while the compliance team deals with regulations. It’s an interesting strategy, and one that reflects how separate compliance and security concerns have become.

Security awareness has traditionally been associated with the compliance side of security, but to be truly effective, it needs to focus on current threats and evolve with the threat landscape.

Use metrics to measure and improve security awareness

It’s no secret that data is revolutionizing industries. Baseball managers have applied data to buck century-old beliefs about strategy (think Moneyball), anyone who has ever used knows that data has transformed retail, local law enforcement analyzes data to predict crime, and scientists are even using data to stop the spread of infectious diseases.

Most security awareness programs fail to gather metrics. Those that do typically measure inputs instead of outputs. What this means is that many teams are measuring items such as the number users who complete a CBT course or attended a lunch instead of the number of incidents related to a specific IT risk area. This is akin to looking at the number of times I visit a dentist each year instead of the number of dental incidents (cavities, root canals, etc.) and using that data as an indicator of good dental health.

What Does Big Data Mean for Enterprise Security Intelligence?

Big data is a buzzword and it certainly can be ambiguous and overused. But it is actually really meaningful – particularly for enterprise security intelligence solutions. Big Data, however, is essentially meaningless unless you have the right tools to analyze massive amounts of data.

Here are a few of the advantages that big data brings to enterprise security intelligence:

  • We can collect more data than ever before on the cybercriminal and the source of the crime.
  • Big data lets us connect more data than ever before. This helps us understand the root cause of phishing threats.
  • Through patented analytic tools, we can actually correlate that data and understand who the bad guy is, and track his behavior patterns.
  • By using big data and adding the right analytical tools, you can siphon out and correlate the data, taking you directly to the source – the cybercriminal himself.

How do you make security awareness engaging?

Think back to all of the corporate training you’ve sat through during your career. Chances are (especially if you’ve worked at a large enterprise), that some of that training had little relevance to your job duties. How much knowledge from those courses did you retain? Although you technically completed the training, would you have been able to apply any of the information you were given in real life?

For many employees, security awareness training falls into this category. It’s something they probably don’t care about, and that doesn’t help them do their jobs. This is why traditional awareness training has failed. Users will do what they have to do to get through the training, check the box, and get back to their regular jobs. Their security awareness training is now a distant memory buried in a pile of other dull corporate training they’ve been forced to endure over the years.