Norse Corp: Deconstructing threat intelligence on Iran

A report written by Norse Corp in 2015, circulated privately among the company’s government contacts, has reopened the debate about threat intelligence and the vendors that promote it.

Designated as TLP:Green – meaning it can be shared within a community or sector, but not via public channels – the January 27, 2015 memo from Norse Corp was a sort of preview to the April 2015 report on Iran that was released with the American Enterprise Institute (AEI).

However, when you compare the two reports, there are glaring problems with the data presented.

Sales Intelligence

The memo was shared with officials in the military and the intelligence community. Those who were briefed on it were skeptical, mostly because it wasn’t a complete report and the data itself was a muddled jumble of claims with no supporting evidence.

Salted Hash was given this memo last February, but at the time it didn’t stand out as anything special.

Anyone who glanced at the memo would rightfully call it a sales and marketing tool, because it doesn’t look anything like a report that would be used to brief the intelligence community or government officials. Moreover, the Norse Corp contact listed towards the end; the company’s VP of Sales at the time, Phil Fuster.

Right from the start, the memo promoted what would later be known as the Norse / AEI report, “detailing more than 500,000 attacks on Industrial Control Systems (ICS) over the last 24 months.”

However, the memo stopped short of offering any proof supporting such claims. The memo then stated that Iran has “targeted Industrial Control Systems in the United States forty-seven times during 2014.”

The attack claims and attribution in the memo were supported by IP addresses alone. In fact, the memo stated that Norse Corp identified 35,432 IP addresses in Iran that were conducting attacks.

Yet, as made clear by the wording of the memo and the data presented, what is being listed as an attack is actually a scan. In addition, when a sensor reported scanning against larger sets of port ranges, which happened to include a control system port, the memo called it a sophisticated tactic and counted it as an attack against a control system.

Not actionable

At this point, nothing in the January 27 memo could be considered actionable intelligence.

First, the only evidence used to support the claim that Iran is attacking anything is a large block of IP addresses. Second, port scans are not attacks. If that were the case, then anyone who has ever used masscan could be considered a nation-state threat actor or an APT.

The memo also singled out mass website defacements by a group in Iran, speculating that the group was government sponsored, and the defacements themselves were training assignments.

And yet, aside from helping boost the image of a spooky and dangerous Iran, the memo didn’t connect the alleged ICS attacks to the defacements at all.

A larger report

As mentioned, the memo was a preview to a larger report issued several months later by Norse Corp and the American Enterprise Institute: “The growing cyberthreat from Iran: The initial report of Project Pistachio Harvest.”

The unsettling aspect to this report is how it came to be.

While Norse Corp has a large volume of data available to it, the company would sometimes start an intelligence report with foregone conclusions, and then search the sensor logs for evidence to support them.

Those familiar with the drafting of the Norse Corp/AEI report have told Salted Hash, this intentional confirmation bias is what led to its creation.

When you consider the January 27 memo and the Norse Corp/AEI report together, it still can’t be classified as actionable intelligence.

The report said scans from Iranian IP addresses were sophisticated attacks, despite the fact that scanning an IP address can’t be classed as an attack. At best such actions could be considered reconnaissance.

No matter how it’s presented, the definition of attack used by Norse Corp still doesn’t add up, because no control systems were ever attacked, Norse Corp sensors were simply scanned.

On page 39 of the Norse Corp/AEI report, the following observation was noted:

“In the course of several hundred thousand attacks, after all, ports used by SCADA systems were hit fewer than 70 times, suggesting that they are not normal elements of a scan.”

Outliers are not proof of an attack. But once more, the report is still talking about scanning.

In addition, the report refers to 2,400 scans against port 5900 (VNC). In a stretched definition of the word attack, Norse Corp counts these VNC scans as ICS attacks, because such systems have been discovered on remote connections before.

Threat intelligence is supposed to help an organization identify threats and determine what, if any, action needs to be taken. But when data is shaped to fit a foregone conclusion, or data is presented in a way that doesn’t actually identify a threat, then the intelligence value of it is useless.

And yet, data like this helped Norse Corp land a $1.9 million dollar contract with the Department of Energy.

Unfortunately, information in this report doesn’t help grid operators. It doesn’t address threats that are most likely to affect them. All this report does is talk about scans. With that said, it isn’t as if grid operators are having a hard time understanding threats.

The issue is getting real-time security visibility with context, explained ICS security expert Chris Sistrunk.

“There’s two issues at play, normal IT systems (which usually have visibility) and SCADA systems, where there is no visibility at all. The Ukrainian power attacks are a prime example and use case of why visibility and context is so important.”

A threat intelligence vendor needs actual incidents and intrusions, scans don’t even tell some of the story, they just let you know someone is walking into the library.

In an FAQ published after the Norse Corp/AEI report was released, AEI actually came out and said there were no attacks:

“Nowhere do we claim that our data show that Iran has attacked industrial control systems or hacked into the network of Telvent, one of the more important providers of such systems. Rather, a Norse sensor emulating such a system received 62 attempts to interact with that system in one burst from an IP address that was not scanning any other ports on the sensor. For reasons we explain in the report at length, we regard such interactions as indications of malign intent.”

And yet, that’s exactly what the January 27 memo claimed. It clearly said that Iran was attacking control systems.

Afterthought:

An interesting and related observation, made by experts who were consulted about the technical details in this story, is that Norse Corp sensors can be easily identified.

Most of the data that Norse Corp uses to define, or attribute an attack comes from their sensors – and those sensors are not even close to an actual control system. As the AEI statement says, they’re emulators with open ports, which would be considered a low-interaction honeypot.

More importantly, one wouldn’t actually see an attack against a low-interaction honeypot, because they’d only be able to see scanning and high-level interaction type of data.

Point in case: A threat intelligence vendor mistook a researcher’s scans from Chattanooga, TN for an actual nation-state attack.