Saturday, March 24, 2012

Status - Red Sky Alliance

Good morning all! It's Saturday morning and I've had an incredible week at the Honeynet Project Annual Workshop. This year's event was held at Facebook out in Menlo Park. Nice. Even during travel, startups don't stop. It's been busy!

So here are this week's updates to Red Sky Alliance:
  • We've added a new member! We're up to eight now, with more requesting our presentation and demo every week. This is great news!
  • Hacked! This week our external facing website was hit with an iFrame redirect attack. We knew it would happen, and it did. The website was back online quickly, although the original sits on a machine in MD. We posted a one page marker until I get back tomorrow and upload the original.
  • Success! New malware was posted to the site by one of the members. Within an hour, two others posted analysis. One of them was Norman, using their new G2 Malware Analyzer. In both pieces of analysis, the submitting member was immediately given four new pieces of information which allowed them to block C2, and then do incident response.
  • Upcoming "Threat Day": Preparing to host a "Threat Day" on April 11th at Defense Group's Vienna facility. No vendors allowed; only members and presenters. This should be a great day. Doing happy hour at the Army Navy Club the night before.
  • Our Norman G2 suite has shipped! We'll be online soon. Einar is hiring 15 new analysts/engineers and they're gearing up to support Red Sky Alliance. This is going to be a great partnership!
We've also posted a 'launch' site. We've only been online since mid-February (if you can believe it!). We've received a number of emails asking for more information, and I'm finding it easy to lose track and hard to make sure everyone gets answered. To make sure I'm not dropping anyone through the cracks, I've added launch.redskyalliance.org to allow folks to sign on if they've got interest. I'm hoping it'll help with my organizational skills!

That's it for now.
Have a great week!
Jeff

Thursday, March 22, 2012

Last day for me...

Thursday morning. Blogging before packing while I prepare for my last half day with the Honeynet Project. I haven't (nor will I) post about some of the goings-on, but I'm here to tell you.. things really have changed since I started as a member in (ahem) '97? '98? Hell. I'm too old to remember I guess.

Regardless, we've gone from WU_FTP hacks to botnets. From 'step away from your keyboard' to botnet profiling, big data, SSH honeypots, Android exploitation/forensics, HPFeeds, and a dozen other topics I've kept in my notes but can't recall at 6:22AM. There were project members from 26 countries represented, and I've made it my mission to have a conversation with every one of them. I believe I've succeeded.

Anyway, this is going to be a short note. It's been terrific seeing everyone again. It's been five years since my last annual workshop (at Lance's house.. when things were much smaller). I hope to hear from you guys again, and see you next year.

Ciao (or should I say Cheers!, Kanpai!, Prost!)
Jeff

Monday, March 19, 2012

Honeynet Annual Meeting (the day before)

I arrived about 2PM PST yesterday in San Jose. Even on a 'cold day', northern California is really nice this time of year.

I feel like I'm giving confession.. Forgive me Father, it's been five years since I've attended a Honeynet Annual Meeting. My last was five years ago at Lance's house. I expected to walk into the hotel and see a bunch of aging guys, grey, bald, overweight (all of which happened to ME in the last few years!) but what I found was actually a nice surprise. Yeah, the old crowd was here, but we were WAY outnumbered by the younger crew. In the end I spent probably 30 minutes with Max Kilger, one of my favorite conversationalists. Max is a PhD behavioral psychologist. He and I were the two 'non-geeks' when the project kicked off years ago. We authored a paper called "Know Your Enemy: Statistics" outlining and demonstrating very simple early warning techniques for inbound attacks. Max specialized in behavioral trends. I focused on non-technical intelligence.

Last night we had the opportunity to compare notes five years later. I'm sure we'll have more, but last night was fun. Max is writing models to code data to predict cyber activity in today's world. Wow. I've always taken the 'keep it simple stupid' approach, measuring defects, looking for anomalies. Max on the other hand has a world of data at his fingertips to mine, twist, and see what comes out. Wow.

Anyway, it's 5:41AM. I'm still on EST, so I've been up for a while. It's time to hit the showers and get ready for the day. I'm excited to see what these new young Honeynet thinkers have in store for me!

J