Friday, August 17, 2012

Red Sky weekly update - Six months in operation and a new Fusion Report!

This week, we released FR12-020, which detailed a Poison Ivy variant provided by one of our members. Analysis of delivery indicators and TTPs linked the incident to known first-stage infrastructure, which is exclusively intended for the delivery of Poison Ivy (PI) payloads. The report provided new insight into the social engineering tactics employed by the actors, and also revealed correlations among the leveraged URLs and domains. This resulted in the development of 6 new signatures to aid in the detection of related activity. Moreover, indicators provided in FR12-020 allowed for the identification of a compromised site belonging to a major software provider for corporate applications.

As of today, our six-month operational anniversary, it’s been a heck of a ride.
  • We’re now at 19 companies in the environment, including four vendors who provide analytic assistance to the members, and have three others going through legal review of our terms and conditions.
  • We’ve authored 20 fusion reports detailing analysis on submissions from the membership.
  • As of today we’ve racked our automated malware analysis suite, and will make that available to the membership as soon as we finalize our configuration changes.
  • We bootstrapped (self-funded) Red Sky, so as not to be beholden to external pressures from institutional funders, and I’m happy to say we’re cash flow positive, having hit breakeven within our first four months!
  • We now have a solid analytic capability backing the membership. Our members have done a heck of a job helping each other. Crowdsourced analytics from the membership, distilled into actionable, usable indicators and knowledge by the Red Sky staff and analytic vendor partners, is working wonderfully! As a side note, a woman from Network World interviewed me today. She was surprised when I told her we allowed vendors as analytic members. I believe we have to partner with vendors, not exclude them. How else will vendors know what emerging threats look like and how to shape their futures? We have to tell them. They play by the rules (no ambulance chasing, just good analytic support to the membership). So far, so good!
  • Our intern program and participation in Wounded Warrior are hitting on all cylinders, and we’ve brought in a long-time educator to ensure our curriculums are done right. We’re hoping to establish a pipeline of qualified analysts to our membership starting in December, when our first intern graduates from his Master’s program in criminology and cyber. Starting in the fall, we’re hoping to have new faces in the program from Wounded Warriors and will begin training them, preparing them for positions in our members’ workforces.
  • And best of all? We’re receiving referrals from our members for new members. That’s the best compliment ever. Thank you!
So for now, I’m keeping this blog short. I’m driving from Baltimore to Atlanta for GFIRST. I hope to see many of you there! Ask me for a demo!

Have a great weekend!