Friday, May 04, 2012
Another great week. Fusion Report 7 published, new participants, and great analytics!
This week was a banner week, even though it ended poorly for me: my car broke down, landing me at a dealer in Greenwich, CT, where I’m now typing my weekly update from a hotel room a mile away from the garage that now houses ‘Daisy’. It’ll be noon at least before I hit the road tomorrow. Luckily, my car is still under warranty. I guess if something bad needed to happen to offset all of the good this week, I’ll take it!
Here’s what we had happen this week:
· Fusion Report 12-007 was published
· Analytics are being prepared discussing what started as a hunch, now developing into a full analytic on a service provider hosting malware
· Three new (GREAT) companies are now involved with Red Sky, and our activity has grown amazingly well!
The Fusion Report was published earlier in the week. This one dealt with yet another group of sour apples. FR12-007 detailed the technical characteristics of the attacks, published three pages of qualified APT indicators in the kill chain format, and offered a bit of analysis on what we believe these sour apples were looking for. One thing I hear over and over is ‘whack-a-mole is hard’, so we’re now trying to help our Infosec members prioritize their efforts by pointing them (when possible) to targeted areas in their environments. I know when I was a CISO dealing with thousands of different technology areas, I would have greatly appreciated someone pointing me to the area that was being targeted… so we’re doing our best to do that now.
Presentations were made to two great tech companies in North Carolina, both of whom are now participating in Red Sky, and today on my way up 95 I stopped off to see some folks in northern NJ who are also now participating. These companies are going to make incredible additions to the Red Sky community, and one has already made significant contributions to a discussion around my next topic…
Earlier in the week we posted a blog entry on a ‘hunch’ about a service provider who we believe might have been hosting some malicious content. The hunch was based on blog entries showing overseas users utilizing a small, remote ISP on the other side of the world. I couldn't help but wonder why! After a few rounds of ‘RFIs’ and answers coming back, log snippets from multiple companies, and analysis from the membership and the Red Sky team, I think we can positively call it out. It was a pretty nice success so early on, but heck, we’ve got a great team of folks participating.
To date, we’ve created over 170 new threats for 1100+ comments/analytics/discussions, with 8000 page views in the environment. We boast nearly 50 (very smart) individuals representing analysts, incident responders, and engineers from nearly a dozen companies.
We’re doing well. Hopefully I’ll be so lucky when I retrieve Daisy tomorrow!
Until next week,