Saturday, April 14, 2012

Weekly status: Fusion Report five: "Suibian" identified, named by Red Sky

Red Sky analysts posted Fusion Report 12-005 to the portal this week. FR12-005 details analysis of a variant of Poison Ivy that was previously unknown to AV vendors. Red Sky analysts have dubbed this version "Suibian". The malware and the TTPs associated with its use have been completely analyzed and posted to the membership for inclusion in their own defense in depth. This is a great find!

Beyond that, here's a status for the end of the week:

  • Yesterday we added a new member to the mix. This company is a Global 200 (a $45 billion global financial). Their team is going to bring great value to the rest of the membership.
  • This week we helped an external information sharing and analysis center understand a targeted attack by providing triage reporting and analysis.
  • We held our first Threat Day. I won't rehash the day, as I blogged it previously, but it was a small, very smart group. It was a GREAT day... and happy hour at the Ritz beforehand was fun too!
  • We've partnered with a new data source company, giving Red Sky two of the three pillar analytic capabilities that I've wished to integrate. I'm meeting with two companies next week for the third.

I keep getting questions about "What's the difference between Red Sky and an ISAC?" One of them is bullet four. I believe that it's better to have smart people feeding us the right information rather than a feed of a lot of information. Think of Red Sky as a crowd-sourced CIRT (without fly-away incident response teams), with both organic analysts and peer-reviewed, trusted crowd sourcing inside the membership. Soon I hope to have automated 'tipping and queuing' offering warning services when a company shows up with unexpected peering, turns up in a blog entry somewhere, or data mining shows patterns of impending trouble. It's paying off. This week I was asked to present to DHS and one other analytic/sharing organization to help them with their own information sharing capabilities. I've been doing that a lot lately. I'm glad to help. I hope it does.

More next week.

Thursday, April 12, 2012

First Red Sky Threat Day

We just concluded our first Red Sky Threat Day. What an amazing day. We started with the least interesting presentation of the day (mine!) followed by a discussion on gaining "layered attribution" through malware analysis, and wrapped formal presentations with a discussion on automation-assisted open source intelligence collection and analysis.

The group was small (10 I think?) but it was great. A quick "cyber real estate" inventory of companies participating revealed that the four companies represented by attendees manage approximately a million computers in over 140 countries in the world. Through the Alliance, these members get new information to help them protect their respective enterprises, and those enterprises reach almost every corner of the world!

Last, ever wish you could translate a web page to know what was being said (about you) in a foreign-language blog? What if you had the capability to read hundreds of blogs in multiple locations and multiple languages, and could turn that information into actionable, fused reporting that helps protect your network?

Our small group witnessed this new capability yesterday... It's coming to the Red Sky Alliance.

Standby. More to follow.