Friday, August 10, 2012

Red Sky weekly - Two new Fusion Reports!

I apologize for the length of this blog, but it’s been two weeks since my last post (sounds like I’m at confession!), and wow has it been a great two weeks. 

  • Two new fusion reports have been posted to the portal -one offering a campaign profile and a combined 250+ new indicators and several new snort signatures
  • We’ve become part of the Wounded Warrior program
  • Our Tech Analysis Lead attended an FS-ISAC sponsored ICS program 
  • Membership continues to grow

We released Fusion Report 18 last week, which details a previously unobserved malicious downloader. The malware is suspected to be of Russian origin and employs multiple layers of protection to include encryption, compression and suspected custom packing code. Despite the better OPSEC practiced on the part of the Russian actors, we were still successful in deriving multiple related indicators.

The skillset inside the membership was apparent last week. Multiple encoded binaries were posted to the portal and another member analyst was able to recognize the obfuscation scheme and provided a decoding script which enabled the malware to be analyzed. Just another benefit of crowd-sourced malware analysis!

As a result of this work, our team reached out to over 40 government contractors who we believe (with high confidence) to have been affected by the targeting of a specific aerospace program.

FR12-019 was released today. Fusion Report 19 details a set of attacks from a known group of operators. This represents the second report detailing an intrusion campaign and is a reflection of the quality of data provided by our members. Campaign analytics are crucial in adversary profiling and is one of our main goals going forward. The report provided analysis on the adversary's targeting, malware evolution, and included three new snort signatures and over 80 new indicators of APT activities (APT defined as espionage by real bad guys.

From a non-analytic perspective great things are happening. We’ve been operational for six months in a week. A couple of highlights:



  • Since my last blog post we’ve added four new Fortune 500 companies to the portal. With today’s addition, I believe we’re at 21 with three others working through legal processes to join.
  • We held our first internal meeting last week on standardizing data being passed. We had a great meeting with DHS a few weeks ago, and had been heading down our own path in parallel, but we want to find the right middle ground. Our membership are all large companies. Some have written their own taxonomies. We’ve been using a simple kill chain format. It’s a work in progress, but right now, people are talking. That’s important too.
  • This week we received “Preferred Employer” status with the Wounded Warrior program as we continue to build out curriculum for retraining Wounded Warriors and interns coming through Red Sky Alliance enroute new employment. The majority of the Red Sky team is made up of former or current military, representing active duty Navy, Coast Guard, and Army, Marine Corps reserves, and civilian Air Force. We LOVE the Wounded Warrior program and are VERY excited to be given the opportunity to teach returning vets how to do cyber analysis in this most challenging space!
  • Last, but certainly not least, Thank You! to the FS-ISAC who allowed our Tech Lead to attend an ICS program with them in NY this week. Our Tech Lead came back with some great new ideas, an education in industrial controls, and a newfound perspective on other areas of threat.

I could have gone on for at least another page. Red Sky is doing well, and we’re receiving interest from companies on almost a daily basis. One told us today that he’d participated in meetings in DC yesterday with a group of CISOs who all talk about Information Sharing and restrictions placed on some of the others out there who are focused on APT. Red Sky Alliance was built with those lessons learned in mind, and the idea of correcting those restrictions. We want it to be easy to share information smartly and safely, and allow members to be able to use the information published to the maximum extent needed to protect their networks. Another this morning (yes, I actually received TWO nice pieces of feedback just this morning!), left a position with a large defense company in NJ to take a Threat Intelligence position at a global credit card company. He told me that he wanted to join Red Sky because he’d been hearing so much about the ‘real time intelligence’. He was very excited!

Until next week!
Jeff