Friday, May 04, 2012

Another great week. Fusion Report 7 published, new participants, and great analytics!


This week was a banner week. It ended poorly for me: my car broke down, landing me at a dealer in Greenwich, CT, where I'm now typing my weekly update from a hotel room a mile away from the garage that now houses 'Daisy'. It'll be noon at least before I hit the road tomorrow. Luckily, my car is still under warranty. I guess if something bad needed to happen to offset all of the good this week, I'll take it!
Here’s what we had happen this week:
·      Fusion Report 12-007 was published
·      Analytics are being prepared discussing what started as a hunch, now developing into a full analytic on a service provider hosting malware
·      Three new (GREAT) companies are now involved with Red Sky, and our activity has grown amazingly well!
The Fusion Report was published earlier in the week. This one dealt with yet another group of sour apples. FR12-007 detailed the technical characteristics of the attacks, published three pages of qualified APT indicators in the kill chain format, and offered a bit of analysis on what we believe these sour apples were looking for. One thing I hear over and over is 'whack-a-mole is hard', so we're now trying to help our Infosec members prioritize their efforts by pointing them (when possible) to targeted areas in their environments. I know when I was a CISO dealing with thousands of different technology areas, I would have greatly appreciated someone pointing me to the area that was being targeted... so we're doing our best to do that now.
Presentations were made to two great tech companies in North Carolina –both of whom are now participating in Red Sky, and today on my way up 95 I stopped off to see some folks in northern NJ who are also now participating. These companies are going to make incredible additions to the Red Sky community, and one has already made significant contributions to a discussion around my next topic…
Earlier in the week we posted a blog entry on a 'hunch' about a service provider whom we believe might have been hosting some malicious content. The hunch was based on blog entries showing an overseas user utilizing a small, remote ISP on the other side of the world. I couldn't help but wonder why! After a few rounds of 'RFIs' and answers coming back, log snippets from multiple companies, and analysis from the membership and the Red Sky team, I think we can positively call it out. It was a pretty nice success so early on, but heck, we've got a great team of folks participating.
To date, we've created over 170 new threads with 1100+ comments/analytics/discussions, and 8000 page views in the environment. We boast nearly 50 (very smart) individuals representing analysts, incident responders, and engineers from nearly a dozen companies.
We’re doing well. Hopefully I’ll be so lucky when I retrieve Daisy tomorrow!
Until next week,
Jeff



Monday, April 30, 2012

You should check us out now!

I didn't post over the weekend as I normally would. Our next fusion report is going to hit sometime this week --a little off our pace of one per week. No problem. We're not pacing our reporting on the calendar; it's based on when we see something that we really think needs to be looked at deeper and would hold value to the members. So look for an announcement for our next report sometime this week.

In the meantime, there are several of you that I'd reached out to earlier in the year when we were kicking off. I explained the benefits of a collaborative analytic operation; talked of massive upside for your companies; the ability to obtain protections before the attacks occur in your industry; low false positive rates on indicators... the list goes on. And do you know what's happened since going live on February 11th of this year? I believe we've proven our point:
  • Our very first fusion report detailed APT activity --from a simple request for malware analysis. 
  • Our second and third discussed details of two different groups believed responsible for APT activities targeting two different industry segments. Report three, had it been received by the victim two years earlier when the other sector was being attacked, would have protected them. Unfortunately, they hadn't received it. They will next time.
  • Our last fusion report assisted an external non-member group and added a non-technical "Threat Activity Report" to the mix showing not only how the attacks occurred, but potentially what the group was looking for.  Need to show your management what the threat is without all of the technical jargon? This is the report for you. It's two pages long, high level, non-technical, and clearly shows areas this APT group is targeting.
All in all, we've come a LONG way since February 11th. The portal is up and operating nicely. We still have features we'd like to add (and we will), but a bunch of companies are talking, and we're now tracking about 165 threads, have published seven new reports, and have farmed, collaborated on, and published over 200 indicators of APT compromise (or early warning indicators if you haven't seen them yet!). We've built out our 'three pillars' of analysis - discrete (malware, pcap, etc.), all-source technical fusion, and non-technical all-source intelligence analysis... and the results are amazing.

So, my invitation to you: if I talked with you earlier, but you were afraid of jumping into a new company, well, I'd invite you to have a look now while we're still filling Founding level memberships.

If you'd like to re-look Red Sky, contact me at jstutzman@redskyalliance.org today.

Jeff