Friday, August 24, 2012

Red Sky - New Fusion Report; Announcing Gov focused portal

What a week! I just returned from GFIRST. Highlights include:

  • Red Sky Alliance opens “Beadwindow®” for Federal, State, Local, Tribal cyber research and analysis
  • Fusion Report 12-021 released
  • Kudos to US-CERT

Building on success of the private Red Sky® Alliance cyber intelligence and analysis center, Red Sky Alliance is happy to announce the opening of a second, separate portal called the “Beadwindow® Center”.  Beadwindow® is intended for use by Federal, State, Local and Tribal Infosec teams. Inside the portal members share information about current advanced threats and assist each other with analysis, best practice, and preventing future attacks. Government users may also interact with corporate users through anonymization processes linking the two portals. On the back end, Red Sky analysts distill the conversations to author Fusion Reports that detail, in a clear and cohesive way, all information known about the subject. The Fusion Report includes an executive summary, detailed analysis, mitigation recommendations, and a list of indicators in an easy to use Kill Chain format.

Account provisioning is occurring as we speak. Early adopters of the Beadwindow® Center include six major US cities, two states, a major Information Sharing and Analysis Center SOC, and Red Sky Analysts. Members of Red Sky Alliance will, if they choose, be offered credentials allowing them to interact directly with government users. Interested in an account? Contact Jim Mckee.

This week we released Fusion Feport 21. FR12-021 provides incident details and analysis concerning malware leveraged by one of the most active threat actor groups. The malware was delivered by way of a redirect to a .gov website that was compromised in order to serve as a malicious host. Indicators also show the targeting and compromise of a major web based software provider for the financial and healthcare industries. Due to this compromise, actors may have acquired credentials or sensitive information on the provider's customer base which includes numerous banks and financial institutions.

Kudos to US-CERT. I’m happy to see US-CERT (Tom Millar and Richard Struse) championing the development of TAXII -a structured means for sharing attack data in a uniform way. This is LONG overdue, and I’m happy to see US-CERT taking a strong leadership role, stepping out, and getting this done!


During my talk yesterday I stated something that I believe (and I’ve heard others say quietly) that I don’t think there’s a piece of intellectual property on a computer, attached to a network, anywhere in the world that’s safe from exploitation. Exploitation may mean theft, changing the code (integrity), or denial of use. This is not a local problem, nor a US problem. It’s a global problem. Our networks are crawling with bugs and those who wish to exploit them. The only way forward is to learn how to work within untrusted networks while we devise a long term strategy for weaning us off the current implementation of the Internet and design a next generation network (Nextranet?) with security built in to take it’s place. During the meantime, we MUST work together, else lose every piece of intellectual property we’ve ever created to those who choose to steal it rather than build their own.

Red Sky and Beadwindow are intended to do three things:

  1. Help companies fight today’s cyber problem. Just about every bug flicked at our networks are sticky. The problem is becoming ubiquitous.
  2. We partner with vendors in the communities to make sure they know exactly what members are seeing. We want vendors involved to make sure they know exactly what operational users of their products are seeing. We hope this will create a next generation of better security products.
  3. Last, but certainly not least, we’re feeding the labor pool with trained analysts who are taught to analyze emerging threats.

Our community is not a means for investigation, rather network defense. We work hard to make sure that conversations remain focused, but unstructured. Members are notified of new inputs as they occur, thereby allowing those who have not been hit to protect themselves before they are. Feedback to date has been tremendous. When asked if State and Locals wanted their own portal using a separate but similar Red Sky environment, I was overrun with requests for accounts. We don’t see ourselves as competing with the ISAC --we see ourselves as an enhancement to the current model -highly complimentary. We work solely in the emerging, targeted and APT space. Our members benefit from knowledge imparted by others. Everyone is peer reviewed to ensure we know who generally has better gouge (technical term for really good stuff!) than others.

I am highly outspoken when discussing data versus intelligence. Aggregated feeds of data, because of the vast amounts available, are no longer actionable. Here’s what I know.. right or wrong.. it’s what I know and believe... the only way to get good intelligence out of the vast multi-industry international streams of data is to ask the originator of the data what it means. When you can’t verify the source, its credibility as a source, configuration of originating machines, context of the data or believed motive (of the human attacker as derived through analysis), aggregated data without trusted endpoints runs the risk of becoming a garbage in garbage out model, where users should question their confidence in its use.

Bottom line.

Public private partnerships are hard. Even after so many years, private sector companies rarely share openly and completely with the government --even in the best partnerships. Red Sky and Beadwindow together will give both sides the opportunity to talk and share cyber information --voluntarily, members of one may never choose to talk or expose their data to others.. that’s ok. The option exists. If Red Sky Alliance members find value in data received from the government, they’ll talk about it. If Beadwindow members need information from corporate users, they can ask. Their discussion will be moved to the private Red Sky portal where members can discuss the questions among themselves and submit an anonymous (or sourced if they choose) answers back to Beadwindow members. The process is designed to alleviate trust agita. We’re doing our best to connect the smartest people in a place where they can compare notes, share data, offer each other defensive tips from their own lessons learned, work through the hardest problems, and build a lasting bond among companies who have the ability to protect computers in over 140 countries in the world today.

You too should join the conversation. We can’t win without honest discussion. We’re all standing around with our pants down (or dresses up Margie!), and you know what? We all have the same parts! Amazing! Let’s help each other.

Join the conversation.

Until next week,