Blogs :: Jim Butterworth

About Jim Butterworth

Jim Butterworth is the CSO at HBGary, Inc. Previously, he worked at Guidance Software, where he was the Senior Director of Cyber Security. Exclusively client focused, Jim brings 15 years of "In-the-Trench" experience in computer network operations and incident response with him, having conducted engagements worldwide, in every industry, specializing in Critical Infrastructure Protection and highly sensitive networks.

APT and the Oil Industry

At HBGary, we have been tracking numerous APT groups that are above and beyond the “dirty dozen” -- the dozen or so code-named APT groups that focus on the defense industrial base. In particular, we have been tracking two organized groups that are focused entirely on the Oil and Gas sector. The commonly-held belief is that these groups are in fact state-sponsored and mission-oriented to support an emerging country’s global energy growth. We began tracking one of these groups before the Night Dragon attack was made public. The second group came to light in the months that followed, perhaps as a result of the Night Dragon report causing many organizations to take a closer internal look. Surprisingly (or not), a new APT group did emerge, and the investigation revealed they had enjoyed firm entrenchment for quite some time. Both of these groups are confined entirely to the energy space, but not to any particular region. They have command-and-control access into many transnational corporations, some of which are headquartered here in the United States and some as far away as the Middle East.


One could only presume what they are after. The layered defensive ring topology of a critical infrastructure does afford some basic isolation, but not until you discover which ring the attacker has penetrated can you determine what it is they are in pursuit of. Make no mistake: it is information that you would not want otherwise disclosed. The motives behind the attacker’s operation run the “FUD” gamut, from creating rolling blackouts along the Eastern Seaboard during a harsh winter to obtaining user manuals, schematic diagrams and plant operations configurations.


A disturbing recent trend, however, has been the shift in the selected target set from high-level executives to entire departments, with one targeted exponentially more than the others. If you are puzzled which, simply ask yourself which department is involved in every future endeavor, all contractual negotiations, all ongoing litigation... if you guessed Legal, you would be correct.


Stuxnet and Duqu definitely garnered a lot of press. I believe, however, the more insidious threat is the undetected APT groups quietly and contentedly residing within your network.
Posted by Jim Butterworth on February 21, 2012 at 10:44am

Perpetual Optimism and a Zero Defect Mentality

The CSO/CIO/CISO is constantly being inundated with hard decisions that stem from bad news, cost overruns, insider threats, outsider threats, litigation, P&L, employee performance, vendor solutions, and more. It is a never-ending onslaught of challenges. How the executive handles these challenges is what will set the tone for their organization. The saying, "Stuff rolls downhill..." could also be rephrased, "Attitudes roll downhill..." On opposite sides of the leadership spectrum are the Perpetual Optimist ("The Cheerleader") and the Zero Defect Mentalist ("The Perfectionist").

The Perpetual Optimist believes that everything will be fine and either sugarcoats the problem or doesn't apply an appropriate level of urgency in the face of some pretty bad situations. "Perpetual Optimism is a Force Multiplier," former Secretary of State Colin Powell once said, meaning that optimists will figure out how to do the impossible with inadequate resources. While this is a desired trait of a soldier in combat, our leadership in cyber requires another, more necessary trait -- honest realism. It is an asset that this industry is full of intellectually gifted technicians and operators. It is a liability that some of them have a seemingly unending supply of criticism when their view of the digital playing field is not in parity with the optimist's. It is also true that you do not know what they do in their off time; you can only hope that they are not occupying their time by participating in criminal cyber operations, or dropping your dox into the ether.

The Zero Defect Mentalist, on the other hand, expects perfection in personnel, equipment, processes or frameworks. This individual sees mistakes as a sign of failure and places heavy punitive consequences on any adverse event which comes to his or her attention. As an industry, we are no stranger to imperfection. Patch Tuesday, software updates, firmware patches, CVE repositories; these are admissions that errors exist and events are occurring daily, even increasing in number. IT is an error-prone environment where a few simple keystrokes made by a well-meaning user, administrator, engineer or coder can wreak havoc on a scale that is limited only by the attacker's motives. Given our less than perfect conditions, it often leaves me wondering how or why a leader may adopt a zero-defect mentality when he or she likely advanced through the ranks of an imperfect system. During my career, I have conducted many incident engagements within "The Perfectionist's network", where it was clear that a detection of malicious activity had been made early, but due to "self-preservation concerns", someone decided that this "event" would be better served by being ignored. Why? The excuse list is long: fear of termination, admonishment, fear of judgement by peers, fear of shareholders, fear of public disclosure, and more. An atmosphere of zero tolerance fosters deceit.

I view our presence in cyberspace much the same as a herd of Water Buffalo drinking from a dirty water hole in the Serengeti, knowing full well that predators are hungry for dinner and will use stealth and surprise to isolate their meal. Eventually one of them loses its focus and, before it knows it, it is being eaten alive while its peers sit back safely in the herd and offer no assistance. I know, from experience, that the heavily scarred ones are fighters; they've been there before and are more than willing to render assistance. Over the years, I have met and worked with many personality types and have made a note that the ones that I've always held the greatest respect and admiration for were the scarred ones. It is their experience that defines them, as my experience has defined me. Find the scarred ones, and stay close to them...

-- Jim Butterworth

Posted by Jim Butterworth on September 19, 2011 at 12:00am