On Super Bowl weekend, HBGary CTO Greg Hoglund found himself locked out of his own email account. The fallout of the leaked messages from his account and that of HBGary Federal's CEO Aaron Barr has been widely reported, yet not from the point of view of the victims. In Part 1 of this interview with CSO correspondent Robert Lemos, Hoglund talked about how the hack happened and the lessons for chief security officers. In Part 2, he describes his research on Anonymous and why the group is making the insider threat problem more dire.
You said initially that Anonymous was not even on your radar. Why is that?
Hoglund: We at HBGary were focused almost entirely on some APTs (advanced persistent threats), mostly focused on China. And that has been the bulk of our research for quite a while because most of our customers have suffered attacks from, what appears to be, state sponsored Chinese intelligence. It's espionage stuff, so we were heads down on that.
We were blindsided by the Anonymous attack. I did not expect to be attacked by what I thought was a bunch of kids who DDOS websites offline. Granted, DDOS is illegal. I believe that here in the United States it's a 10-year prison sentence, so it's no small crime, either. Most people don't think of it as a crime, they think of it as a virtual sit-in. So people don't take it seriously, me included.
So after the attack, you started focusing on Anonymous and researching their organization?
I took all our resources and just turned them directly onto Anonymous, and we found all this information about the group. And what I learned is that they are not at all what people think they are. There aren't very many, first of all. There are not thousands, they are not a legion. That is all just stuff they say to make people fearful or intimidate. They have a whole propaganda wing. So let's get this straight: A lot of the people in Anonymous are pseudo-journalists, they write the news. They completely use the media as a tool.
So what did your research find? What is Anonymous doing?
There are a dozen people at the center of Anonymous. Most of those people are criminal hackers. And they are not just attacking HBGary, they are attacking numerous defense contractors who are in the defense industrial base and system integrators for the government. They are attacking numerous companies in the pharmaceutical space and the chemical space. They are attacking U.S. corporations.
They are singling out individuals within the defense establishment. We are talking about stuff where they are targeting people who are part of the Department of Defense or the intelligence community. Literally, they are putting all their personal information into planning documents -- they are targeting these people. They are going after people's family and children. They actually have all the family members listed. And they call them up on the phone. They harass them. There have been cases where death threats have been left. It's just ridiculous, and it's completely unacceptable. I had no idea about any of this before I was attacked.
For companies, you see the danger of Anonymous not in hacktivism but in corporate espionage? As an insider threat?
The biggest threat to your intellectual property is your front door. Anonymous is one platform for leaking information. Anonymous is one group. There is Anonleaks. There is Wikileaks. There is CrowdLeaks.
There is a trend to recruit insider threats. And that is something that CISOs need to be aware of. There is a platform by which someone can be an insider threat, and supply information supposedly in an anonymous fashion. Even though insider threats are always there as a potential problem, they are actually exacerbating the problem. There may be more insider threats now because of this.
While Wikileaks isn't journalism, it does do a function of journalism well -- keeping sources anonymous. Is that not valuable?
There is a difference between someone willingly giving information to Wikileaks, and a cyber thuggery group criminally hacking into computers and stealing that data. Those are two totally separate things.
Let's be clear here, Anonymous is not protecting Wikileaks. Anonymous is a group that hacks criminally into systems, and we are talking about probably over five corporations that I know of right now in the United States that are being actively targeted by them. When they get access, they are going to steal the data off those systems, e-mail, files off the file system, they are going to do everything they can, and then they are going to leak it and manipulate it and create stories about it. Basically, that is their platform.
That is something every single CISO should be scared of. They should definitely be aware of it and mitigating it.