Saturday, March 31, 2012

Saturday night, and I'm VERY happy!

Why? I received a call yesterday from one of our members. We chatted about scale, automation, etc., but then I asked him how he liked our last Fusion Report. I was looking for feedback. There were some farming issues that we'll fix for the next one, but most importantly he told me "My team hates you!" (we're making them work!). When I asked if he was seeing anything from it, he told me "we're dropping all kinds of new stuff at our perimeter."

So why would such a simple sentence make me so happy?
  • The APT set went cross sector into a new target type
  • The guy who gave me the comment analyzes a LOT of indicators from a LOT of sources
  • The company has over 100 independent businesses and probably 150,000 computers. They have a VERY large perimeter
It makes me VERY happy that on our third report a director in a company of this size and stature in the Infosec community says about Red Sky "I'm sold on Red Sky!"

Red Sky contributed directly to identifying a new issue that he was able to push to his team and experience new results!

It makes me VERY happy!

Have a great weekend!

Friday, March 30, 2012

Red Sky Alliance: End of week status- Been a great week!

Good morning!

It's been a pretty great week for the Red Sky Alliance and I'm driving back to NH tomorrow, so I thought I'd post a snapshot of the week this morning.
  • Two new members committed (one finance and one LARGE healthcare organization), and a third (Fortune 10) gave us the thumbs up on legal review!
  • We posted Fusion Report 003 showing a longtime APT group that had previously targeted defense industrial base companies now modifying their tactics slightly and going after the government policy shop in a bank. This was HUGE. It validates our model of collaborating in a smart way across industries, offering months (in this case years) of early warning.
  • We've got two new folks working on the backend of Red Sky as analysts, and the malware engine is coming along nicely.
  • One of our Associate members (Kyrus Tech) was involved in the Zeus Botnet takedown! You guys should reach out and talk to these guys. Great skunkworks handling hard problems!
  • We're now tracking on over 60 threads with companies from four industry sectors, and we've just opened discussion boards on HP/Arcsight and RSA/enVision.
It's been a great week!!

Wednesday, March 28, 2012

Interesting developments

Two nights ago we posted a product inside the Red Sky portal based on an input from one of our more active members. At the time we thought it might be an early development, not associated with any groups, but authored the analysis anyway. When we were posting, we compared some of the IP space to other sources and found there might actually be a link. Yesterday we confirmed what we were looking at was not only an active APT set, but that they'd been active in the Defense Industrial Base companies for almost three years with little other activity, and now jumped to a completely new sector!

This is Red Sky's first real validation of what we've been talking about! Early warning comes from smart people talking to smart people in other sectors. When smart people share technical information, they tend to share better information than those receiving anonymized data or data in the aggregate.

Don't be a wall flower! It's about people talking to smart people!

Monday, March 26, 2012

New Red Sky Fusion Report: FR12-003.pdf : AS4808 Malicious Infrastructure and Malware

FR12-003.pdf: "AS4808 Malicious Infrastructure and Malware" was just posted to the Red Sky Alliance portal. This is our third fusion report. It came about from a seemingly innocuous incident report from a member. Upon further investigation by members, it appeared that the incident was more widespread than previously thought, and that it took advantage of individualized emails, each with a different source address. One member reported approximately 700 emails in an environment of approximately 300,000 users.

"On 18 March 2012, a Red Sky member posted malware from a recent spear phishing incident to the Cyber Intelligence and Analysis Center portal. The malware called back to a malicious domain. Analysis of the domain revealed related infrastructure and open source malware samples. A total of three malware samples were analyzed: one provided by the partner, and two obtained from an open source malware dump. All three samples were linked to Autonomous System 4808, which is described in the report. Correlations between the various samples will be provided in the Malware Data section of this report. While no specific attribution was identified (we don't necessarily look for attribution; Red Sky focuses on IA), several of the IP addresses and domains used were tagged as APT address space by one of our sources."

At least two different sectors reported similar cases, but with individualized targeting characteristics.
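One way to reproduce the correlation step the report describes (the three samples were tied together because their callback addresses all fell in AS4808), as an added example that is not part of the original post or the Red Sky report: a longest-prefix lookup of each callback address against a prefix-to-ASN table, then grouping samples by ASN. The prefix table and callback addresses are constructed from RFC 5737 documentation ranges with placeholder ASNs, not real AS4808 routing data; the sample names are labels only.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix table (assumption, not real routing data): RFC 5737
# documentation ranges stand in for announced prefixes. 4808 is the AS named
# in the report; 64500/64501 are private-use ASNs used as placeholders.
PREFIX_TABLE = {
    "203.0.113.0/24": 4808,
    "203.0.113.128/25": 4808,   # more specific prefix, same AS
    "198.51.100.0/24": 64500,
    "192.0.2.0/24": 64501,
}

# Constructed sample set: labels and callback addresses are invented for the
# example; the report's real samples and indicators are not reproduced here.
SAMPLES = {
    "sample-from-member": ["203.0.113.10", "198.51.100.7"],
    "open-source-dump-1": ["203.0.113.200"],
    "open-source-dump-2": ["203.0.113.45"],
    "unrelated": ["192.0.2.9"],
}


def build_table(table):
    """Parse the prefix table and order it longest-prefix-first."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in table.items()]
    return sorted(nets, key=lambda t: t[0].prefixlen, reverse=True)


def lookup_asn(ip, networks):
    """Return the ASN of the most specific prefix covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, asn in networks:
        if addr in net:
            return asn
    return None


def correlate(samples, table):
    """Map ASN -> set of sample names with at least one callback in that AS."""
    networks = build_table(table)
    by_asn = defaultdict(set)
    for name, ips in samples.items():
        for ip in ips:
            asn = lookup_asn(ip, networks)
            if asn is not None:
                by_asn[asn].add(name)
    return dict(by_asn)


def shared_infrastructure(samples, table, asn):
    """Sorted names of the samples that share the given AS."""
    return sorted(correlate(samples, table).get(asn, set()))
```

Feeding real callback addresses and a current prefix-to-origin-AS table into `correlate` gives the same grouping the report's Malware Data section walks through by hand.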

If you're not receiving these reports, please contact us ( or sign up for our mailing list at

Collaboration is working!