This week, we released FR12-020, which detailed a Poison Ivy variant provided by one of our members. Analysis of delivery indicators and TTPs linked the incident to known first-stage infrastructure, which is exclusively intended for the delivery of Poison Ivy (PI) payloads. The report provided new insight into the social engineering tactics employed by the actors, and also revealed correlations among the leveraged URLs and domains. This resulted in the development of 6 new signatures to aid in the detection of related activity. Moreover, indicators provided in FR12-020 allowed for the identification of a compromised site belonging to a major software provider for corporate applications.
As of today, our six-month operational anniversary, it’s been a heck of a ride.
- We’re now at 19 companies in the environment – including four vendors who provide analytic assistance to the members – and have three others going through legal review of our terms and conditions
- We’ve authored 20 fusion reports detailing analysis on submissions from the membership
- As of today we’ve racked our automated malware analysis suite, and will make that available for the membership as soon as we finalize our configuration changes
- We bootstrapped (self funded) Red Sky, so as not to be beholden to external pressures from institutional funders, and I’m happy to say, we’re cash flow positive, having hit breakeven within our first four months!
- We now have a solid analytic capability backing the membership. Our members have done a heck of a job helping each other. Crowdsourced analytics from the membership, distilled into actionable, usable indicators and knowledge by the Red Sky staff and analytic vendor partners, is working wonderfully! As a side note, a woman from Network World interviewed me today. She was surprised when I told her we allowed vendors as analytic members. I believe we have to partner with vendors, not exclude them. How else will vendors know what emerging threats look like and how to shape their futures? We have to tell them. They play by the rules (no ambulance chasing, just good analytic support to the membership). So far, so good!
- Our intern program and participation in Wounded Warrior is hitting on all cylinders, and we’ve brought in a long-time educator to ensure our curriculums are done right. We’re hoping to establish a pipeline of qualified analysts to our membership starting in December, when our first intern graduates from his Masters program in criminology and cyber. Starting in the fall, we’re hoping to have new faces in the program from Wounded Warriors and will begin training them, preparing them for positions in our members’ workforces
- And best of all? We’re receiving referrals from our members for new members. That's the best compliment ever. Thank you!
So for now, I’m making this a short blog. I’m driving from Baltimore to Atlanta for GFIRST. I hope to see many of you there! Ask me for a demo!
Have a great weekend!
Jeff