Christopher Ahlberg: The Full Xconomy Voices Interview

to focus on cybersecurity, because that’s become such an enormous opportunity. And we see the next decade here of security intel being a fantastic place to be, in terms of being able to use this data in a predictive manner.

It all depends on what you’re trying to predict, and it turns out that the general prediction business is not a very good business, and it’s not even very interesting from an intellectual point of view. Maybe if you’re highly academic, it’s interesting. But we realized that to build a really interesting business you have to attack a business case, and we focused on cybersecurity. It’s more interesting to think about how to answer meaningful questions for customers, and customers come to us and say, “Look, I’m interested in what I need to worry about next week.” So, predictions are sort of all about what problem you’re trying to solve here, and we try to stay away from the general predictions.

Xconomy: What is the Dark Web, exactly?

CA: There are three levels to the Web, and three levels to where we collect intelligence. One is the surface Web. That’s what we all use, whether it’s a U.S. newspaper or a European blog or social media, whatever. Some of it is easy to get to, some of it is harder. The harder parts might be in different languages. But all of it is fairly easy because I can get to it on my browser.

Then there are places called the Dark Web, in the Tor domain, or the Onion domain as people might call it, where the content is encrypted and it’s set up in a way that it’s very hard even to read the data.

And then finally the stuff that’s really hard to get to might require registration down there. As you dig in you’re going to find areas of the Web where you not only have to register but you may need to have another guy who will vouch for you to get in there. It can get pretty hairy.

Then there is the technical Web, where you think about IP addresses and domain names and file caches and malware.

And the most interesting point about that is that people tend to sort of read some Wired article from 10 years ago saying that the Dark Web is enormous and it is much bigger than the open Web, and that’s just not true at all. It’s actually pretty damn small. But there are some portions of it that are very interesting for the area of cybersecurity, if nothing else.

Xconomy: As a startup, I imagine that you see yourselves as a disruptive organization, helping people reinvent or rethink certain kinds of security. But I wonder who you would say you’re disrupting? Whose business are you taking away? What dollars are flowing to you guys that might be flowing to someone else otherwise? Or is it a green field?

CA: People have always done intelligence just sort of naturally, when you open up the newspaper in the morning. These days you might open up a Web browser. So we’re always trying to figure out, how can we make that work more effective for people. So you could say we are disrupting the element of the security market that has historically been served through intelligence providers who are doing things manually and might have been writing and sending customers written reports of various sorts. And so we’re clearly disrupting that. But most of this is a green field. Threat intelligence is a new area, and we can sort of come in and help customers get into this. The good news is that the acceptance for this is happening very, very fast, and people are defining the market. There are directors of threat intelligence, and they have budget to buy this. And it’s a lot of fun.

Xconomy: You guys have a blog where you sometimes share some of the things you’re discovering about what’s going on on the Dark Web, and in recent months you’ve published a couple of stories about this Russian hacker whom you’ve given the name Rasputin. And I wondered if you could tell that story, because I think it might be a good illustration of the kind of things that you guys do. And also could you explain why it’s important to you to share that kind of story on your public blog?

CA: Number one, we’ve always been pretty passionate about trying to share analytics stories in our blog, because it’s sort of important to put life into this sort of stuff. In the early days of the company there were a lot of conspiracy theories about us and what we did and what we didn’t do, and by making that concrete we hope that we helped that and sort of showed good examples of how the product was used. We continue to do that to this day.

And then number two, we want to share and give back to the security community. And I think that’s sort of the cool thing. The security community—in many ways it is a community, so everybody tries to share and publish stories. Partially because they obviously want to be thought leaders, so they’re self-serving. But also it truly is a community. We want to give back.

Specifically on this Rasputin story, we found somebody after the election, interestingly enough, who was selling access to a particular government agency called the Election Assistance Commission, whose job it is to help organize, help build, sort of put in place systems for running elections and helping states with this. It’s this fairly small agency, but they have a very particular mission there. And it could make it an interesting target for some. It’s not a good target if you wanted to come in and fiddle with voting systems or any actual vote tallying. But it can be a very interesting target if you want to affect and influence systems. It would be something an anonymous hacker could not pull off, because it’s been too hard. But a government actor could certainly do something very interesting with this.

So in mid-November we detected this guy that we put the name Rasputin on. He was selling access to this. And we detected that. We took it off the street. We bought the exploit, which was somewhat edgy in the way that we did it. We shared with the relevant government authorities in a nice orderly fashion, and then worked for them, primarily. They worked on it and we supported them as much as we could over a series of weeks, and then eventually we published this, because we thought it was an important story that needed to be told about this actor and it drove a fair amount of attention.

Xconomy: You said you took this exploit off the street. Are you actually taking it off the street when you buy it? How do you know that it’s not still out there waiting to be sold to the next customer who comes along?

CA: The simple answer is, you don’t. But these places are marketplaces. A couple of things matter. Money certainly is one. The other one is reputation. Most of these actors will build their credibility over time. And they might start off by selling something small, and they’ll build up to selling something bigger and with more money later on. And if they try to mess around with somebody, and they sell something to somebody and then two days later they come back and sell it again, that’s not going to help their reputation. And the reputation is one of the few things they have to sort of trade with or offer up down there. So it’s a very weird place. That’s why you’ve got to know what you’re doing.

Xconomy: Just for the sake of clarity, the attack or the infiltration you guys detected had nothing to do with the earlier stories last year about the DNC servers being hacked by Russian actors. This is a separate story from all that, right?

CA: Absolutely, completely separate. One of the interesting things about what we have come to call the DNC hack is that actually, that actor, who presumably was what we call APT28 and APT29, did not attack any U.S. government systems. And I believe that that was quite deliberate, to make sure that they got an effect on the U.S. election but without touching any U.S. government systems. Because now there is no line in the sand here, but there certainly has been talk about a line in the sand saying that if you affect critical infrastructure, that would be the equivalent of going to war. And these guys were clever. They accomplished their goal without touching any U.S. infrastructure or any U.S. government infrastructure.

Xconomy: With the DNC hacks and Rasputin and other stories surfacing, it seems like there is an increasing velocity of cyber-espionage, cyber warfare, and other attacks going on. And I’m wondering whether, objectively, that’s true, or whether there’s simply more coverage and more awareness than there used to be. Is there any way to gauge that, from your perspective? Is there more hacking going on, or is it just that the public is learning about those stories more often?

CA: There is a little bit of a perfect storm, absolutely. There is more media coverage. But yes, there is more hacking, absolutely. But maybe more interestingly, we’re seeing a different sort of hacking than what we’ve seen before. I’m using hacking in a very liberal sort of way. I think it’s two things here. We used to see a lot of people stealing credit card information or stealing credentials, and that’s sort of come to the point where when we see now yet another Yahoo hack, somebody steals 500 million credentials, people go like, “Oh, OK, so what.”

Now, what we saw last year in 2016, and presumably we’re going to see more of, is three things. One is the attack on elections and the political infrastructure. And I use the words political infrastructure maybe more than just the election infrastructure, because it’s unnecessary to attack election infrastructure. It’s better to [attack] the political infrastructure. We’ve seen that happening in France now. It happened in the U.S. and we’re going to see it elsewhere. So that’s one.

Number two, the idea of attacking the Internet in itself. The Mirai botnet in the fall, when somebody attacked the Dyn servers up in New Hampshire, which obviously had enormous impact on the Internet for a couple of days. That’s scary in terms of securing the Internet in itself.

And then, three, systems that we never thought were hackable at all being attacked. The guys who got away with $89 million from SWIFT were a huge deal

Author: Wade Roush
