Saturday, April 07, 2012

Weekly status: Red Sky Collaboration identifies entire malicious Class C

This week was another great week for the members of the Red Sky Alliance. It's funny. In my meetings with prospective members, they always ask about ROI and what they get for their membership fee. I talk of 'one stopped attack' and the cost of lost data with relative clarity. I can say with relative surety that after this week, none of the current members are wondering what they get for their membership fee.
  • Red Sky released Fusion Report 12-004 this week. Red Sky analysts reported an entire European Class C as malicious and the addresses used for a shell game. We found it during analysis of a Banking/Finance submission. The report offered full malware analysis and details of the Class C subnet being used in the attacks. The submitter stated the Red Sky analysis was some of the best they'd seen. The analysis was performed using multiple sources, starting with the attack data as the trigger followed by fusing open source intelligence information with corroboration from a product called ScoutVision. Multiple sources make for higher confidence assessments. The company blocked the Class C and requested permission to share the analysis with the FS-ISAC's Threat Intelligence Center. Since the incident affected only this company, we agreed.
  • On April 3rd about 9PM UTC a Fortune 100 defense industry member reported spearphishing with "UPS C2". We know this TTP. While the company responded to the incident, Red Sky members performed analysis of malware, began victim notification/coordination with C2 and exfil machine owners, and coordinated identification of contact points from those companies where we had none. The submitter stated "nobody else offers this kind of service!". Red Sky knows the value of standing up command and control during incident response, but in this case the simple act of offering another set of eyeballs and external coordination went a long way. We called another well known company to tell them they'd had three machines being used in the attack. When the Director of Incident Response answered the phone, I stated my name and that I was with the Red Sky Alliance. She immediately said "I've heard of you. I think this is something we should be involved in."
  • Associate members Kyrus-Tech, Norman ANA, and LookingGlass now have dedicated analysts participating in Red Sky. All proved their value this week, and two have a new customer as a result. Vendors are welcome to join as Associate Members. Associate members pay a fee, participate in analysis, and are peer reviewed by readers just like any other member. Selling inside the portal is never allowed, but if vendors really can do what they say, this is where they get to prove it. These companies are proving it; the Red Sky membership is benefiting from the great analysis; and the vendors are earning new customers. It's a win-win-win.
  • This week Red Sky hired two new student interns, and we're expecting a decision from a third by early this week. Two of the interns are Master's degree students, with the third a PhD. One will perform fusion report analysis, but the others are political science and criminal justice students (MS and PhD) who will begin authoring non-technical reports on targeting and trends. They'll be bringing experiences from studying violent criminal gang activities to the cyber realm!
That's it for now. As a reminder, Red Sky is hosting an invitation-only happy hour at the Ritz Carlton (DC/VA area) on Tuesday night and our first quarterly 'Threat Day' on Wednesday. If you'd like an invitation, please drop me a note.

Jeff

Tuesday, April 03, 2012

That's the way collaboration is SUPPOSED to work!

One of our members called "Wildfire!" today, meaning they were submitting information to the portal as they worked an incident. The member submitted log snippets showing exfiltration and C2 destinations as well as inbound sourcing, the malware, and a full copy of an email with the header intact.

Within minutes after the report, Red Sky began victim notification while the company worked the intrusion from the inside. When we needed a contact at an external company one of the other members chimed into the portal with a contact and then made an introduction. Victims responded to offending servers. The C2 and exfil paths were blocked by the member, and all external entities (except one, where we had to leave a VM) knew about the incident and were responding.

When the dust settled, one of the companies asked for membership information and felt they too should be a member of the alliance. I'll have that meeting next week!

That's the way collaboration is SUPPOSED to work!

Jeff is happy today.