Saturday, December 29, 2012

Red Sky Weekly - LOST: Confidentiality. Integrity. Availability.

The term “war zone” elicits images of tanks, gunfire and military personnel. However, as technology evolves, so do the weapons associated with the art of warfare[1]. The battleground has moved online.

Confidentiality of our information has been lost. While this article talks about Flame as a threat, Red Sky Alliance (and others) track hundreds of pieces of malware, all aimed at stealing data. In even the most sophisticated environments data gets stolen daily. On that, the natural progression beyond espionage is use of the stolen data. I was reading Popular Science yesterday (Jan 13 edition). I find it no surprise that the new Chinese unmanned aerial vehicle (CH-4 UAV) looks a lot like the US’s Reaper drone, or that the frontal view of the J-20 looks a hell of a lot like the frontal view of the F-35. While much of the information on size, shape, etc., may be found in the open press, much cannot. That which cannot is acquired via human intelligence (HUMINT) or cyber. Cyber is cheap and (compared to HUMINT) easy and significantly lower risk. Confidentiality of our information has been lost and it’s cost the US billions in stolen research and development, and competitive advantage.

Availability is lost. Distributed Denial of Service (DDoS) attacks have rendered small countries unavailable; banks have been hit repeatedly. Nobody is safe from being taken offline temporarily. DDoS is an easy way to send a ton of packets down range at a specific target, disallowing use of the target until those packet floods stop. While no long term damage (as far as I know) has been reported showing DDoS taking down a global bank to the point of bankruptcy, availability is lost (at least in short spurts --for now).

So what’s next for cyber? Integrity loss. Beyond exploitation of intellectual property, it seems the longer term plan would be destroying data, or more simply, corrupting data to the point where its use creates a lack of confidence in the operator using it. How will companies protect the integrity of their data? When source code lands on the last server or storage, before going into production --on that chip, in the car, or computers heading out for general distribution, how can we be sure the code that lands on those end-use systems won’t do bad things when plugged in? How do we know today that massive auto-stock trading computers are not being manipulated? What about stock indexes and futures? What must we do to ensure future cyber won’t allow power to be turned on and off at adversarial will, or to ensure that air traffic controllers actually maintain control over air traffic?

How does a company protect itself when espionage and warfare rules apply?

I don’t believe the sky is falling. I’m an old Navy guy. I believe we’re learning to fight submarines. During World War I U-boats ravaged Allied shipping. It wasn’t until much later that we figured out how to detect them, thus saving the lives of untold numbers of sailors. Eventually we learned to detect the German U-boats, build them ourselves, and fight back with great success during WWII. This new cyber era is much the same. We’re facing new threats. The new tools, tactics and procedures are becoming commonplace in our world, and we will (WILL) learn to combat the growth in both numbers and complexity. As these new tactics and threats grow to ubiquity (and public awareness), Cyber will become just another weapon... Just another weapon that we’ll deal with in the future. Until then, many of us will still flounder in trial and error. Others (smart ones) will take the lessons from others and use them successfully to learn to deal with cyber in today’s new environment.

Red Sky Alliance members help each other learn. It’s about sharing information in real time about real events in a world where both Confidentiality and Availability have already been lost, and Integrity remains (currently) up for grabs.

We’ve pre-published our first Annual Report to members of our Advisory Board with the expectation of having it published more broadly very soon. It’s amazing to see some of the kinds of technologies exploited for economic gain, but equally amazing to see that Information Operations are most definitely being used to identify and manipulate those who shape policy, economic futures, and build our new tech... and I’ve probably only just scratched the surface.

Hang onto your hats folks. 2013 is going to be a wild ride!

Until next year!
(Happy New Year!)


Saturday, December 22, 2012

Red Sky Weekly - Happy Holidays - something fun

As expected, activity in the portal has slowed a bit leading up to the holidays, so we have been focusing on adding capabilities to further benefit the membership.

  • We started a DNS monitoring and reporting process. This will give us better situational awareness on malicious domains being reported through the portal.
  • We are also beginning integration of automated network simulation into our MAG2 environment for easier identification of adversary protocols.
  • Our first comprehensive threat actor profile is forthcoming just in time for Christmas. This will be the culmination of several years of tracking and analysis on arguably the most formidable and highest profile Chinese threat actor groups.
  • We're wrapping up our first Annual Report. We'll be pushing it out to our Advisory Board in the next day or two for final review before publishing.
  • We've begun making appointments for demos of the Beadwindow portal with Federal folks. My dance card for the weeks after the New Year is filling quickly!! Don't be left behind. Drop me a note.

Enough of that for now. I’m going to close with a short, sweet blog. It’s been a great year. I’d like to take a moment and say thank you, and Happy Holidays to all of our members, especially those early Founding Members who had enough faith to write us the first checks and get the Alliance off the ground. Thank you. To our military, and especially our deployed military members and the civilian support and their families, I wish you Happy Holidays, and a safe return home.

I’ve put together something fun to close out the year. I hope you enjoy holiday well wishes from Jim and me. Happy Holidays all!

Until next time.
Merry Christmas (or whatever you celebrate!),

Saturday, December 15, 2012

Red Sky Weekly - Predictions for 2013

I’m going to do something a little different this morning.

Last year, I published (in limited distribution... in case I was wrong!) predictions for 2012. This morning I’m publishing that list to the blog, with updates to my 2011 thoughts for 2012, moving forward into 2013, and a few positive trends.

A couple of highlights on the positive side:

  • Companies outside of the critical infrastructures are becoming aware of the dangers of targeted and advanced persistent cyber events.
  • Adoption of information sharing by companies large and small has taken off. This is not just a trend in Red Sky Alliance, but in others as well. We see this as a major deal --low cost, extremely high payoff.
  • More companies are looking to formalized models to build their information security programs and management processes.
  • Securing the Human has become widespread --not just in SANS, but also in practice. More companies are employing routine, randomized testing and education of their end user workforce.
  • Last, “Best in Breed” practices are beginning to emerge. This is a leading indicator of institutionalizing new practices and processes to deal with the new, emerging threat landscape.

Next, my 2011 thoughts.

Last year I outlined several trends. I’ve updated them for this year, and through work with the Red Sky Alliance members during the year, have extrapolated some of this information into predictions for 2013, and thoughts on a few new items:

A couple of key thoughts, and the highest of risks on my prediction list for 2013. These were authored as 2012 predictions, and those shown in red have grown through the year to become mainstream in 2013. For example:

  • Use of remote access and the associated legitimate (but stolen) credentials is a mainstream method of gaining access to company networks and intellectual property.
  • The supply chain, including not only the traditional supply chain but also non-direct value add suppliers (i.e.: legal, outsourced HR functions, and finance), is a high value target for intelligence on not only ongoing operations, but futures.
  • Traditionally closed systems (physical security systems) are becoming more interconnected to allow remote work, higher order analysis and correlation, and storage. These systems continue to be targeted as PSIM is integrated with traditional infosec operations. These systems include primarily voice and video.
  • I'd also like to couch one of my positions. My belief is that the healthcare system will see an avalanche of PII related theft in the future. I've not tracked the healthcare system this year as much as I have in the past, but this is one of those secondary value add suppliers that, in my opinion, is in danger of massive losses. Every healthcare CISO I talk with worries about this. I left movement as neutral, but believe the risk is high. I'd offer the same advice on the legal industry.

2013 will bring new challenges, mostly associated with Cloud, Big Data, and Mobility. This should be no surprise to readers, as companies find massive returns on renting servers, infrastructure, applications, etc., from cloud providers, and BYOD is both a massive opex reduction and makes end users happy at the same time (Win-win! right? WRONG.).

Key takeaways for 2013:

  • Not surprising but the natural progression of things suggests that more companies will realize the devastation of being targeted and not be able to kick intruders off their networks. We call this realization their “Oh Sh*t!” moment... and we believe this feeling will spread like wildfire during 2013.
  • Our inability to deal with the overwhelming needs will result in a knee-jerk reaction for government to over-regulate and demand reporting from respective supply chain companies.
  • I should have placed BYOD concerns on last year’s thoughts, but BYOD, at the time, was largely an immature concept. The idea that “Mechanics use their own tools, why shouldn’t computer workers?” means companies will realize the ROI associated with allowing the use of personal devices, which will bring an entire new crop of security concerns --all of which will feed the target footprint for those targeted events that we just talked about moments ago. BYOD is going to bring infosec pain. Be ready.
  • Last, large repositories are always great targets. As companies move to cloud based systems and big data repositories, we’ll see discrete attacks used against these large data sets in undetectable new TTPs.

To wrap up, every week we publish a simple highlight of the fusion report we published during the week. We could publish dozens (hundreds) of these things if we chose, but we try to choose something important that we believe users need to know about.

  • This week we published FR12-033, which details a variant of malware leveraged in coordinated APT attacks involving several threat groups. The report revealed new intrusion infrastructure and contained information indicating a nexus with possible ties to a Chinese university. The incident is believed to have targeted a Federally Funded Research and Development Center (remember the discussion about indirect value add supply chain companies?).
  • In the portal this week, early warning indicators were provided for pending DDoS activity targeting the US Banking community, and
  • We continued the "name and shame" analysis with a completed persona profile of a known operator and malware developer.

Whew. This was a long post. I hope you find it useful.

Until next time,
Have a great week.

Saturday, December 08, 2012

Red Sky Weekly - Threat Day, Name and Shame, Beadwindow!

We held our third Red Sky Alliance Threat Day in San Antonio this week, and it was an absolute success! We had a decent turnout with several member companies in attendance. The day started out with a joint presentation on a well known threat group and included a "name and shame" on several of the actors themselves.

  • Analysts, working together on site, were able to identify not only (high confidence) identities of many of the people believed to be associated with this group, but also alias email addresses, buddy lists, blog sites, forums they participate in, and screenshots of their computers with (believed) exfiltrated files on the desktop. In addition to personas, analysts were able to view what they believed was targeted information, including technologies ranging from military to electric automobile technologies and financials of over a dozen companies. A formal “Name and Shame” fusion report resulting from the onsite “Analyze-a-Thon” will be published to our community in the near future.
  • This presentation by Red Sky analysts and one of our members was followed up with a post-exploitation analysis of another group by a second member analyst.
  • The day was wrapped up with a lessons learned discussion, on building out a network forensics capability.

On the Beadwindow Private | Public side of the house, we’ve met with two of the six major Federal Cyber Centers, delivering presentations on how they might benefit from participating in the Beadwindow portal. My hope is that we’ll see some new participants soon. I’m very much looking forward to that day. While we hear every day that members of the government have a hard time talking to private industry information security practitioners, Beadwindow offers a great way to allow this sharing, and allows corporate members the ability to protect their anonymity if they choose.

As we head into the end of the year the portal this week was business as usual.

  • Our analysts are currently crowdsourcing a new malware variant and TTP involved in a recent uptick of APT activity.
  • Two new ‘diversified industry’ participants have joined and are participating. While it may seem hard to think about how you, as a new member, might benefit from participating in the Alliance, one new member immediately started posting to an area we call “Wildfire”. The new member needed help. Wildfire is reserved for out of band communications during incident response, and to request assistance from the community. The “Forming, Storming, Norming and Performing” process we go through with new members is quickly becoming routine. The group is gelling nicely and we’re finding amazing benefit in the amazing group of companies now in the Alliance.

So, if you’re thinking about jumping in, now’s the time. Government and Academic users can take advantage of lower membership rates for membership in the Beadwindow portal. Commercial users can take advantage of founding level membership pricing for only another couple of weeks. Current pricing ends on 12/31. Don’t wait.

Have a great week!

Saturday, December 01, 2012

Red Sky Weekly - 12/1/12

We’re winding down 2012 but the pace hasn’t seemed to change even one bit. Attackers are busy, defenders are busy. This week Red Sky has people onsite doing analysis, and others building infrastructure to reduce friction points to collaboration, and even with all of that going on, we continue to add new members.

Here’s what’s happening:

  • Fusion Report 32 published: This week we released Fusion Report 32. FR12-032 details a newly leveraged backdoor and its associated infrastructure. We provided analysis of the malware's capabilities and protocol with 8 new signatures for identifying its communications.
  • Analyze-a-thon: Our lead analyst is onsite with a member this week developing an attributional profile of one of the most prolific APT groups out there today. In three days onsite, combing through mountains of forensic data, the team, working together has made significant progress in what they’re calling the “name and shame” report. The result of this analysis will be provided to the Red Sky community in our upcoming threat day next week.
  • Threat Day: Our next (our third) Threat Day is scheduled for this week in San Antonio, TX --again at a member location (I hear they have an indoor slide!). Presenters are lined up to talk through the day, and we’re expecting to video the day and post the presentations to the portal.

Short and sweet. Sometimes that’s best.

Until next time, have a great week!

Saturday, November 24, 2012

Red Sky Weekly - Anatomy of an Attack

Thanksgiving and Black Friday mark the start of the holiday season --bringing not only scrums for $97 televisions at Walmart, but also exponential increases in online activity. During the next several weeks, lasting until roughly the second week in January, more retail dollars will flow than at any other time of the year. What’s this mean to you? Willie Sutton, when asked why he robbed banks, once said “That’s where the money is”. Why will hackers be out in force? Now is when the money flows.

What do these attacks look like? This week, a report detailing an incident at a state government victim was posted (leaked?) to the Internet. While there is no evidence (that I can see) of APT activity (bad guys paid by a government to steal information), this is clearly a targeted event carried out with purpose over the course of several weeks using multiple accesses ranging from backdoors to legitimate (but stolen) credentialed accounts. The organization owning the victim network moves a lot of money, and is responsible for protecting privacy information for millions of people.

In this case, the victim had been notified by a law enforcement agency that the privacy information (PII) of at least three people had been identified as stolen (this is probably the most common way of finding out about breaches such as this --someone else usually tells the victim). A consultant was called in to identify the extent of losses, figure out if it was ongoing, and create remediation plans.

According to the report, the attack went something like this:

  1. The initial attack vector was confirmed as phishing emails, delivered on August 13, 2012. At least one user clicked, rendering the network compromised and, likely, the first credentials captured.
  2. Fourteen days later (8/27), the attacker entered the network, logging into a Citrix server (remote access) using credentials obtained (probably) during the initial August 13th breach.
  3. On the 29th, the attacker reentered the network, releasing tools designed to capture other user credentials on six additional servers.
  4. Between September 1st and the 4th, the attacker executed additional tools to capture Windows credentials. Additional tools were used to create ‘backdoor’ capabilities. The attacker used the new-found bounty to perform reconnaissance on other parts of the network.
  5. After roughly a week, the attacker performed additional reconnaissance on the network, until finally...
  6. Over the course of three days in mid-September, the attacker copied database backup files to a staging area, where they were compressed into 15 encrypted 7-zip files. The files were then moved to another server (presumably their own) before the attacker deleted the files from the staging server.

The attack resulted in compromises of at least 44 systems. (One member claims the cost of fixing each server is roughly $10,000. At that price per machine, this incident cost, at a minimum, $440,000, but likely significantly more. This is a very public breach.)

  • One had a ‘backdoor’ loaded, three had database backups or files stolen
  • One server was used to remove data from the network, but 39 systems were accessed by the attacker during reconnaissance or password captures
  • Roughly 75 GB of data were compressed into fifteen 8.2 GB 7-zip files and (presumably, although not confirmed) removed from the network (we must assume these files contained information related to revenue generation and capture in the state, although the report does not mention losses of any privacy information)
  • Fourteen of the files contained 23 database backups, one contained roughly 1200 files related to the encrypted version of the data encryption key

Over the past months, you’ve read about Fusion Reports. The Fusion Report is a compilation of all information known about the attack --taken from one victim or multiple victims in the Red Sky Alliance, or externally when data is available. The Fusion Report is a two-part report.

Part one is authored in prose, intended to show our work and tell the story of the attack(s), much like shown above.

Part two is mitigation. Red Sky Analysts author snort, yara, etc., signatures when we can. Artifacts --file names with full directory structures, including file hash values and other metadata-- are included, and “Kill Chain” formatted indicators are presented in a final tabular format. A sample is shown below. The idea is, Alliance members should be able to take information from any of our reports and cut/paste information distilled from reporting into highly actionable information that any member can act on today.

In this case, the kill chain information might look like Table 1 (completely fictitious; please do not attempt to use it):

Table 1: Sample Fusion Report indicator list (table not reproduced here)
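To show how a member might put a kill-chain-formatted indicator list to work, here is an added example (not Red Sky Alliance code or a real Fusion Report). It assumes the Part-two table flattens to phase / type / value / note rows, builds a constructed list whose phases mirror the timeline above (phishing delivery, remote-access C2, 7-zip staging), and runs it over constructed log lines; every indicator and log value is fictitious, in the same spirit as the page's own Table 1.

```python
"""Match a kill-chain-formatted indicator list against log lines.

Added example, not Red Sky Alliance code. The indicator table and the
log lines below are constructed for illustration; every value in them
is fictitious.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed stand-in for a Fusion Report Part-two table (assumed layout):
# kill-chain phase, indicator type, indicator value, analyst note.
INDICATOR_TABLE = """\
phase,type,value,note
Delivery,email_subject,Q3 Revenue Summary,phishing lure subject
Delivery,domain,mail-update.example,phishing link host
Command and Control,ip,203.0.113.45,backdoor beacon destination
Command and Control,md5,d41d8cd98f00b204e9800998ecf8427e,backdoor dropper
Actions on Objectives,filename,backup_set01.7z,encrypted staging archive
Actions on Objectives,filename,backup_set02.7z,encrypted staging archive
"""

# Constructed log lines from three sources (mail gateway, proxy, endpoint).
SAMPLE_LOGS = [
    '2012-08-13T09:02:11 mailgw from=hr@mail-update.example subject="Q3 Revenue Summary" to=user1',
    "2012-08-27T22:14:03 proxy src=10.1.4.22 dst=203.0.113.45:443 bytes=1820",
    "2012-09-14T01:31:48 endpoint host=db03 create C:\\Temp\\stage\\backup_set01.7z size=8800000000",
    "2012-09-14T01:55:10 endpoint host=db03 create C:\\Temp\\stage\\BACKUP_SET02.7z size=8800000000",
    "2012-09-14T02:10:00 proxy src=10.1.4.22 dst=198.51.100.7:80 bytes=512",
]

VALIDATORS = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "ip": re.compile(r"^\d{1,3}(\.\d{1,3}){3}$"),
}

def load_indicators(table_text):
    """Parse the table; reject malformed hashes/IPs so a typo in the
    report cannot silently become a signature that never fires."""
    rows = []
    for row in csv.DictReader(io.StringIO(table_text)):
        value = row["value"].strip()
        check = VALIDATORS.get(row["type"])
        if check and not check.match(value.lower()):
            raise ValueError("malformed %s indicator: %r" % (row["type"], value))
        rows.append((row["phase"], row["type"], value))
    return rows

def line_matches(line, ioc_type, value):
    """Type-aware comparison: subjects, domains, hashes and file names match
    case-insensitively; an IP must be a whole token, so 203.0.113.45 does
    not fire on 203.0.113.4 or 1203.0.113.45."""
    lowered = line.lower()
    if ioc_type == "ip":
        return re.search(r"(?<![\d.])" + re.escape(value) + r"(?![\d.])", line) is not None
    if ioc_type == "filename":
        # match the basename wherever it sits inside a Windows or POSIX path
        return re.search(r"(?:^|[\\/ ])" + re.escape(value.lower()) + r"(?=\s|$)", lowered) is not None
    return value.lower() in lowered

def scan(log_lines, indicators):
    """Return {phase: [(indicator value, log line), ...]} for every hit,
    so an analyst sees at a glance how far down the kill chain the evidence goes."""
    hits = defaultdict(list)
    for line in log_lines:
        for phase, ioc_type, value in indicators:
            if line_matches(line, ioc_type, value):
                hits[phase].append((value, line))
    return dict(hits)

if __name__ == "__main__":
    for phase, found in scan(SAMPLE_LOGS, load_indicators(INDICATOR_TABLE)).items():
        print(phase)
        for value, line in found:
            print("  %-36s <- %s" % (value, line))
```

On the constructed logs the scan reports hits in all three phases; the md5 indicator never fires because no sample line carries that hash, which is the expected negative.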
So here’s the deal. Remember Willie Sutton? There will be more retail transactions in the next few weeks than any other time during the year. Retailers will lose money as a result of cyber shenanigans. In addition to retail losses, the added noise on the networks will create opportunities for others to steal information from non-retailers, and to top it off, kids all over the world are home for the holidays, so the kiddie scripters will be active too (they always are over Christmas vacation!). Wouldn’t it be nice to be getting fusion reports, each containing hundreds of indicators from the Alliance --before you are attacked? The only way you can is to join.

Red Sky = private
Corporate members only

Beadwindow = Private | Public
Many of our private corporate members + government members

Drop us a note. Join us now.

Until next time, have a great week!