Saturday, September 29, 2012

Red Sky Weekly - Which CISO would you rather be?

If you were breached...

Would you rather be in the press, or silently (but completely) p0wned and gutted?

In the last two weeks I’ve told stories of breaches into a billion dollar company and a large research library. You’ve learned that attackers can, and do come back regularly for data updates or things they’ve missed. Neither of these attacks have shown up in the press, but the effects are devastating.

Which CISO would you rather be?

Telvent is company that manufactures remote administration and monitoring tools to the energy sector --remote administration for SCADA computers. Telvent this week showed up in Brian Kreb’s blog where Brian describes an APT event targeting Telvent.  Press references to the “APT attack” suffered by Telvent are largely non-existent, other than secondary reporting of Brian’s work (this completely amazes me!). To ensure continued secure operations, Telvent had to author new procedures for their customers to use to connect. According to Krebs, their products are used in every Fortune 100 Energy producer. Their products are used for remote administration of their SCADA systems. The system believed breached tied older controllers to new systems. I’d bet a dollar that the effects are more widespread. Regardless, how can it be that a cyber event of such potential magnitude, reaching DEEP into a global critical infrastructure had less coverage in the press than a denial of service attacks on banks.

Wanna know why?

  • Denial of service is easy. Any reporter can understand, and therefore easily communicate the pain of a denial of service attack. When consumers can’t get to their banking websites, reporters can easily tell a story of cranky consumers (like my partner) who were denied access.
  • Telling the story of a group with a foriegn name, and posting warnings on pastebin is sexy. Reporters like sexy.
  • Journalists write well, and likely have strong education in journalism, but the important cyber stories -those having to do with hard to understand techniques, motivated by espionage, with potentially devastating effects are really hard to understand (or even believe) if you’ve not been immersed. The story is hard to write. Journalists largely don’t have technical backgrounds, and most infosec people are not journalists.

Reporting on espionage or cyber attacks is hard...

Telvent manufactures remote administration and controllers for SCADA systems. SCADA --those systems used to turn on and off nearly every motor, pump, generator, or switch in a way which makes the generation and movement of electricity smooth and efficient. Think about it like this.. the fuel delivery system in your car could be thought of as a SCADA system. When you push down on the gas pedal, the car’s onboard computer controls the mix of fuel and air that gets delivered to the engine. Another part of the computer tells the spark plugs to fire, thereby generating energy that move the pistons up and down in a cylinder, generating force that’s then transferred throughout the car to the tires.  In energy plants, computers control (turn on, turn off, and regulate) devices (generators, switches, pumps, motors, etc.) to ensure the most efficient and correct distribution of power, fuel, water, etc., and to ensure energy output and distribution across the country to consumers who need it.

What strikes me odd is that the press in general can’t seem to figure out that DDoS renders companies inaccessible for as long as the attacks continue... and then they stop. APT events, botnets, and targeted attacks steal information that will leave a company with a hell of a lot less capability to operate, even long after the attack... but it’s hard to report. Only the most tech savvy of the bunch (like Brian) understand the devastation that occurs (silently) during an APT event.

As an aside, Red Sky analysts, based on indicators taken from Kreb’s blog, believe the symptoms match with a TTP shift in a fairly prolific and highly skilled group. A significant shift in this group’s TTPs occurred approximately two months ago and information in Kreb’s blog match directly with the resultant change in the group’s infrastructure. We issued the information as Fusion Report 16. I suspect Red Sky isn’t the only organization to warn their members, but many CISO’s haven’t been enlightened to the very positive effects of information sharing yet.


As always, here’s the happenings in Red Sky this week:

We had a small, but great Threat Day. We’d expected to do it in NYC, but never got the coordination done with the member, so we did a short notice event in Washington DC. The presentations were outstanding (slides are posted in the portal).

  • Jay Healey came in from the Atlantic Council and spoke on Cyber Conflict history and futures, including parallels in what we say ‘then’ versus now.
  • Our Red Sky Tech Analysis Lead did a great talk on the different facets of a highly skilled APT actor set.
  • We received a brief from one of the members who specializes in looking at bad guys in other countries. It was a non-tech brief, but talked about the who and why, with pictures.
  • Last, but absolutely not least, we talked with another member about his discovery of an old tool being used for new tricks. Windows Credential Editor is being used extensively by attackers in his network to dump Windows credentials (through Windows 7) from unencrypted running memory... all of them back to the last reboot. Apparently there are no fixes in sight. Yikes.

That’s it for now.
Have a great weekend!
Post a Comment