Saturday, September 22, 2012

Red Sky Weekly - Research Libraries... Rich targets?

Imagine this: You go to the research library after receiving an assignment to prepare a brief for 9:00 Tuesday morning. You’ve been tasked with preparing thoughts regarding the acquisition of a new company and its technology, and you’re waist deep in due diligence by 2:00 Saturday morning --with no end in sight until that Tuesday morning presentation. You'll be pulling all-nighters through the weekend. You’ve got financials spread out all over the table, legal documents describing issues associated with purchasing companies in this part of the world, reference material and patent searches to confirm value of the intellectual property and you’re exchanging email with researchers elsewhere, as you and your virtual team pull together the deck and details you’ll be presenting in just a few days.

Now imagine this... those library computers, electronic searches, public internet access, probably wireless access that you connect to with your personal laptop, store all of those communications and queries somewhere, if only in memory or cache. Every time you enter a query, search for a reference, send an email, receive an email or prepare work product on that library network or one of their public computers, you give a would-be competitive adversary a clear view into your specific research, sources, intellectual property review, etc. If that library hasn’t done the necessary work to ensure the privacy of its visitors, and doesn’t have ways of maintaining security, you might be giving away more research than you're getting. I would argue that librarians are not security people, and probably don’t know the value of the electronic treasure trove that exists in these otherwise quiet, relatively uneventful places of business.

Why might I think this? Last week I told the story of a billion dollar defense company that maxed out their cyber insurance policy and now gets harvested monthly for updated technologies or those missed during earlier visits. That blog post, within one week, became my most read page since the blog's inception. Interestingly enough however, this isn’t the first time I’d heard this story. I heard exactly the same story three or four months ago in a conversation with a consultant that I’ve known for several years. The consultant led a team of security people who did work in a large research library for about a year. He described the routine harvesting of electronic library queries, emails in/out of the library, etc., as “APT Day”. Apparently once every week, on the same day, the library is harvested for all of the previous week's queries, emails to researchers, and work product residing on its own and its public-use computers. Who would have thought!? A LIBRARY!? Attackers, in one fell swoop, learn what is being researched, what forward thinking is happening here, and all of the sources used by the researchers!

We’re all at risk. If data, data about data, or communications about data exist, and someone wants it, there’s a pretty good chance they’re going to get it. Today, malware isn’t necessarily required. There are companies out there who sell VPN services using legitimate (but stolen) credentials. Bad guys are in your network using your remote access user name and password. The only way to know about them and defend your networks, computers and intellectual property is to talk with someone else who’s gone through the pain of defending against it already. You mustn't be shy. Attackers work in well-orchestrated teams, choose their targets, operate with precision, and get what they want. They only have to find one way in. You have to defend every way in. This is Sun Tzu upside down, so forget that lesson of 'best to have a defensive position' and start asking questions of others, before it's too late.
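When the intruder is logging in with stolen but legitimate VPN credentials rather than dropping malware, the evidence lives in the access records, not in a file scan. As an added example (not the post's or Red Sky's code), the following Python runs two simple checks over constructed VPN authentication log lines: a successful login from a country the account has never used, and two successes for the same account from different countries inside a short window. The log format, user names, IP addresses, GeoIP table and per-user baselines are all constructed stand-ins; a real deployment would read the VPN concentrator's logs and a real GeoIP database.

```python
"""Flag VPN logins that look like stolen-credential use.

Added example, not from the original post. Every log line, IP address,
country mapping and user baseline below is constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source, user, source IP, result.
SAMPLE_LOG = """\
2012-09-18T08:02:11Z vpn-auth user=jdoe src=203.0.113.10 result=success
2012-09-18T08:15:40Z vpn-auth user=asmith src=198.51.100.7 result=success
2012-09-18T08:31:05Z vpn-auth user=jdoe src=192.0.2.44 result=success
2012-09-18T09:00:00Z vpn-auth user=asmith src=198.51.100.7 result=success
2012-09-18T23:45:12Z vpn-auth user=bkim src=203.0.113.77 result=failure
2012-09-18T23:47:30Z vpn-auth user=bkim src=203.0.113.77 result=success
"""

# Constructed IP-to-country table standing in for a GeoIP database.
GEO = {
    "203.0.113.10": "US",
    "198.51.100.7": "US",
    "192.0.2.44": "RO",
    "203.0.113.77": "US",
}

# Assumed baseline: countries each account is known to work from.
BASELINE = {"jdoe": {"US"}, "asmith": {"US"}, "bkim": {"US"}}

# Two successful logins from different countries closer together than
# this are treated as impossible travel.
TRAVEL_WINDOW = timedelta(hours=2)


def parse_line(line):
    """Parse one constructed log line into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "vpn-auth":
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[2:])
    except ValueError:
        return None
    return {"ts": ts, "user": fields.get("user"),
            "src": fields.get("src"), "result": fields.get("result")}


def detect(log_text):
    """Return a list of (user, reason) alerts for successful logins."""
    alerts = []
    last_success = {}  # user -> (timestamp, country) of previous success
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue  # failures are noise here; only successes give access
        user, country = ev["user"], GEO.get(ev["src"], "??")

        # Check 1: success from a country this account has never used.
        if country not in BASELINE.get(user, set()):
            alerts.append((user, f"new-country login from {country} ({ev['src']})"))

        # Check 2: two successes from different countries too close together.
        prev = last_success.get(user)
        if prev and prev[1] != country and ev["ts"] - prev[0] <= TRAVEL_WINDOW:
            gap = ev["ts"] - prev[0]
            alerts.append((user, f"impossible travel {prev[1]}->{country} within {gap}"))

        last_success[user] = (ev["ts"], country)
    return alerts


if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```

On the constructed log this raises two alerts, both for `jdoe`: the 08:31 login comes from a country not in the account's baseline and arrives 29 minutes after a login from a different country. Failed attempts are deliberately ignored; the point of the check is that a valid password produces a clean success, so the anomaly has to be found in where and when that success happened.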


Red Sky had another terrific week. Here goes:

  • Fusion Report 25 released: FR12-025 discusses the PlugX malware leveraged in the recent IE 0 day attacks. The report included an in-depth analysis on the malware's functionality and capabilities. We also identified likely targets for the 0 day activity and provided information on related infrastructure that has a high-likelihood of being leveraged in the near future. The queuing for the analysis came from a private company member who wishes to participate to both portals. As a result, the report was published to both the Red Sky private portal, and the Beadwindow private/public portal where our current state/local members can also access it.

  • Beadwindow “Hoot ‘n Holler” call: We held our first Hoot ‘n Holler conference call with our Beadwindow members. The call included members from the Red Sky team, one state government and the CSO from a major metropolitan city. During the call, we assisted the government users with understanding the new TTPs from this week's Fusion Report, explained what they actually meant, and talked about how to protect from them.

  • New Members: This week we signed one new member and a second was invoiced and is now in legal review. The first is a high tech/defense company, with about a billion dollars in annual revenue. The company has already started contributing to the portal and will be attending our Threat Day next week. The second is going through legal review as we speak, and when they come into the portal, they’ll bring the management lessons and visibility of their three million computer environment. The company is diversified with majority holdings in global retail, technology, real estate and energy. We’re very happy to have both companies join us in the Alliance!

So for the last several months I’ve been keeping you up to speed on the progress, growth, and significant happenings in Red Sky Alliance. The other day I was asked during lunch to quantify our membership, our business, and where we are in relation to others entering the information sharing space. I’ve done this informally before and here’s what I tell people:

We began bringing members into our empty portal in mid-February. Since then the participation has been terrific.  While the numbers are an estimate based on an informal survey of the members, we believe they’re pretty close, and very telling of the community we’re growing:

  • As of today Red Sky Alliance hosts 15 large enterprise, and four associate (analytic) members. Our current membership includes major telecom, several global banks, several high tech internet companies, one global engineering/construction company, and a couple of large enterprise diversified companies engaged in everything from airplane manufacturing to electronics to energy production.
  • We have five companies currently in various stages of the membership process. When these companies complete the process, we estimate that these 20 member companies will control close to 20 million devices in over 140 countries in the world in dozens of industry segments, including global energy production, retail, real estate, and managed IT and security services. (Yes, we like MSPs. They help us scale protection while at the same time maintaining opsec.)
  • Financial members in Red Sky process the vast majority of credit card transactions in the world today, and manage the lion's share of money moved between stock exchanges and their clearing houses.

On the Beadwindow side, in less than a month, we’ve added a couple of new members, and now include:

  • Three major US cities
  • One state government
  • One global bank
  • One ISAC
  • One global Internet company

So, Red Sky is cooking with gas. The portal activity is picking up again post-summer, and solid activity is coming out of it. Fall is always busy until around Christmas. We’re geared up to handle it.

The Beadwindow portal is also doing well. New members mean new education. State and local governments (my first impression; I’m learning too) seem to have very small information security budgets and little organization around managing across agencies. One CSO told us that his (one) IT Security guy was just moved out from under IT, and that neither the IT folks nor the city government departments will let him look at data to perform his analysis. Whew. That must be exhausting, and a real morale dumper for the guy who’s going to be held responsible when something really does hit the fan (and it will!). There’s a major learning curve coming for these poor guys! We’re on it. We’ll do our best to help.

That’s it for now. Have a great weekend!

Tuesday, September 18, 2012

Red Sky | Beadwindow - One Week Down, many more to go!

For those of you who are new to Red Sky, you may not be familiar with Henrybasset’s “Red Sky Alliance” blog published each week by Red Sky co-founder, Jeff Stutzman. As an extension to that blog, we are publishing a second blog, Beadwindow. This companion blog will communicate the weekly activity of the Beadwindow community. As things grow, so too will the discussions and information. It is our sincerest hope that you find this blog both informative and a reaffirmation that collaboration and information sharing DOES work and IS the model for success in fighting the TTP threat.

Beadwindow? As the new CIO for Red Sky, one of my first tasks was to get the Beadwindow portal up and running and to immediately help our community members with collaboration in defining the threats they are seeing on their networks. This is not an easy objective. Having come from the government sector, I know that sharing information is not a natural habit there. Beadwindow, being a private-public cyber partnership, is pushing those longtime cultural behaviors aside and providing both a means and the trust to break through the barriers that have plagued the government sector.

With this in mind, I am very pleased to report that Beadwindow is already providing a valuable space for our early adopters from both significant municipalities and state governments to connect, interact, and build long-standing relationships. I believe that the only way we can protect our critical infrastructure as well as our intellectual property is if we work together – Red Sky provides the space, all we need you to do is maximize its potential.

Before I wrap up this first installment of the Beadwindow blog, I wanted to remind everyone that Beadwindow members have access to Red Sky’s Norman Malware Analyzer (MAG2) device. We are already seeing a lot of activity with our MAG2 – keep it coming! The MAG2 device is capable of analyzing up to 40,000 separate pieces of malware a day! The MAG2 is an excellent “first responder’s” device and should be an immediate resource in your triage plans. DO NOT let this resource go unused.

We are moving forward and growing. For those already aboard, keep the discussions going and the analysis coming. For those of you on the fence about how Red Sky can help your organization, please reach out to me @  In the meantime, please learn more about Red Sky @ or  

Have a great week and remember – If fighting is sure to result in victory, then you must fight!

Rick Gamache – Red Sky Alliance CIO – – 207-449-8090