Saturday, September 29, 2012

Red Sky Weekly - Which CISO would you rather be?

If you were breached...

Would you rather be in the press, or silently (but completely) p0wned and gutted?

In the last two weeks I’ve told stories of breaches into a billion dollar company and a large research library. You’ve learned that attackers can, and do, come back regularly for data updates or things they’ve missed. Neither of these attacks has shown up in the press, but the effects are devastating.

Which CISO would you rather be?

Telvent is a company that manufactures remote administration and monitoring tools for the energy sector --remote administration for SCADA computers. Telvent this week showed up in Brian Krebs’s blog, where Brian describes an APT event targeting Telvent. Press references to the “APT attack” suffered by Telvent are largely non-existent, other than secondary reporting of Brian’s work (this completely amazes me!). To ensure continued secure operations, Telvent had to author new procedures for their customers to use to connect. According to Krebs, their products are used in every Fortune 100 energy producer. Their products are used for remote administration of their SCADA systems. The system believed breached tied older controllers to new systems. I’d bet a dollar that the effects are more widespread. Regardless, how can it be that a cyber event of such potential magnitude, reaching DEEP into a global critical infrastructure, had less coverage in the press than denial of service attacks on banks?

Wanna know why?

  • Denial of service is easy. Any reporter can understand, and therefore easily communicate the pain of a denial of service attack. When consumers can’t get to their banking websites, reporters can easily tell a story of cranky consumers (like my partner) who were denied access.
  • Telling the story of a group with a foreign name, and posting warnings on pastebin, is sexy. Reporters like sexy.
  • Journalists write well, and likely have a strong education in journalism, but the important cyber stories (those having to do with hard to understand techniques, motivated by espionage, with potentially devastating effects) are really hard to understand (or even believe) if you’ve not been immersed. The story is hard to write. Journalists largely don’t have technical backgrounds, and most infosec people are not journalists.

Reporting on espionage or cyber attacks is hard...

Telvent manufactures remote administration and controllers for SCADA systems. SCADA --those systems used to turn on and off nearly every motor, pump, generator, or switch in a way which makes the generation and movement of electricity smooth and efficient. Think about it like this: the fuel delivery system in your car could be thought of as a SCADA system. When you push down on the gas pedal, the car’s onboard computer controls the mix of fuel and air that gets delivered to the engine. Another part of the computer tells the spark plugs to fire, thereby generating energy that moves the pistons up and down in a cylinder, generating force that’s then transferred throughout the car to the tires. In energy plants, computers control (turn on, turn off, and regulate) devices (generators, switches, pumps, motors, etc.) to ensure the most efficient and correct distribution of power, fuel, water, etc., and to ensure energy output and distribution across the country to consumers who need it.

What strikes me as odd is that the press in general can’t seem to figure out that DDoS renders companies inaccessible for as long as the attacks continue... and then they stop. APT events, botnets, and targeted attacks steal information that will leave a company with a hell of a lot less capability to operate, even long after the attack... but it’s hard to report. Only the most tech-savvy of the bunch (like Brian) understand the devastation that occurs (silently) during an APT event.

As an aside, Red Sky analysts, based on indicators taken from Krebs’s blog, believe the symptoms match a TTP shift in a fairly prolific and highly skilled group. A significant shift in this group’s TTPs occurred approximately two months ago, and the information in Krebs’s blog matches directly with the resultant change in the group’s infrastructure. We issued the information as Fusion Report 16. I suspect Red Sky isn’t the only organization to warn its members, but many CISOs haven’t been enlightened to the very positive effects of information sharing yet.


As always, here are the happenings in Red Sky this week:

We had a small, but great Threat Day. We’d expected to do it in NYC, but never got the coordination done with the member, so we did a short notice event in Washington DC. The presentations were outstanding (slides are posted in the portal).

  • Jay Healey came in from the Atlantic Council and spoke on Cyber Conflict history and futures, including parallels in what we say ‘then’ versus now.
  • Our Red Sky Tech Analysis Lead did a great talk on the different facets of a highly skilled APT actor set.
  • We received a brief from one of the members who specializes in looking at bad guys in other countries. It was a non-tech brief, but talked about the who and why, with pictures.
  • Last, but absolutely not least, we talked with another member about his discovery of an old tool being used for new tricks. Windows Credential Editor is being used extensively by attackers in his network to dump Windows credentials (through Windows 7) from unencrypted running memory... all of them back to the last reboot. Apparently there are no fixes in sight. Yikes.
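The credential dumping described in the last bullet works by opening a read handle to the LSASS process, which is the behaviour a defender can watch for even when there is no patch. The following is an added example, not code from the post or from Red Sky: it runs a small detection over constructed, simplified Sysmon-style ProcessAccess (Event ID 10) records written one per line as key=value pairs. The Sysmon field names (SourceImage, TargetImage, GrantedAccess) and the PROCESS_VM_READ / PROCESS_QUERY_INFORMATION access-right values are real; the log lines, the file paths and the allowlist of system binaries are constructed assumptions that would have to be tuned against your own baseline.

```python
# Added example (not from the post): flag processes that open a read handle
# to lsass.exe, the behaviour a memory credential dumper needs, using
# constructed Sysmon-style ProcessAccess (Event ID 10) records.
import re
from typing import Dict, List

# Documented Win32 PROCESS_* access-right bits. A memory dumper needs at
# least VM_READ and, in practice, QUERY_INFORMATION as well.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Constructed allowlist (assumption) of system binaries that legitimately
# touch LSASS; build your own from a known-clean baseline before relying on it.
ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
}

# Constructed sample records (not real telemetry), simplified to one
# key=value event per line. Paths and process names are made up.
SAMPLE_LOG = """\
EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000
EventID=10 SourceImage=C:\\Users\\bob\\Downloads\\dumper.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410
EventID=10 SourceImage=C:\\Windows\\System32\\wininit.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1fffff
EventID=10 SourceImage=C:\\Temp\\updater.exe TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1410
EventID=10 SourceImage=C:\\Temp\\updater.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1fffff
EventID=1 Image=C:\\Windows\\System32\\notepad.exe
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict (values contain no spaces here)."""
    return dict(_KV.findall(line))


def is_credential_read(granted: int) -> bool:
    """True when the granted access mask carries the rights a dumper needs."""
    needed = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
    return granted & needed == needed


def find_lsass_readers(log: str) -> List[Dict[str, str]]:
    """Return non-allowlisted processes that opened lsass.exe for reading."""
    hits = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("EventID") != "10":
            continue  # only ProcessAccess events matter here
        if not rec.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue  # handles to other processes are out of scope
        source = rec.get("SourceImage", "")
        if source.lower() in ALLOWLIST:
            continue  # known system component; suppress to keep the signal clean
        granted = int(rec.get("GrantedAccess", "0"), 16)
        if is_credential_read(granted):
            hits.append({"source": source, "access": hex(granted)})
    return hits


if __name__ == "__main__":
    for hit in find_lsass_readers(SAMPLE_LOG):
        print(f"LSASS read by {hit['source']} (GrantedAccess={hit['access']})")
```

The check is on the access mask rather than on the tool's file name, so renaming the binary does not evade it; the trade-off is that any legitimate software reading LSASS memory (some AV and backup agents) must be added to the allowlist after you have confirmed it on a clean host.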

That’s it for now.
Have a great weekend!

Tuesday, September 25, 2012

Red Sky | Beadwindow - Hoot and Holler!

Last week was a very productive and rewarding week for Beadwindow.  Along with reaching out to community members, we held our first “Hoot and Holler”, a bi-weekly gathering of community members to share their intelligence and what they're experiencing on their networks and systems.  It was a very well received event for those who attended and a wealth of information for Beadwindow.

Having worked in the government sector for most of my career, I am very familiar with the constraints unique to local and state government levels.  While working for a large state agency, we were often short staffed, making it difficult to respond to problems that were deemed “critical”.  With the importance of network security being punctuated by the events of 9/11, state agencies across the board scrambled around looking for not only qualified security people, but also money to acquire the necessary tools.  I spent a lot of time sitting across the desks from executives describing nebulous concepts like intrusion detection when the first reaction was often, “I have a firewall, and I need a what?”  It was particularly difficult dealing with a lifetime bureaucrat with a sharp pencil and “no need for fancy email!”

Recognizing those challenges early on, state and local leadership in the IT sector came together and pooled resources.  Department of Labor reached out to Health Services who reached out to Public Safety and so on.  This collaborative effort was planting the seeds of interagency cooperation that saved time, money, and helped spread the wealth of knowledge across the enterprise.  Today, these concepts are commonplace and the sharing of resources is ubiquitous.

For this new business model to work, leadership had to fill the “trust gap”, the space between agencies that were all fighting for the same pot of resources.  Leadership had to be challenged that working together not only saved money but increased access to resources normally unaffordable or unattainable. This is the concept on which Beadwindow is founded.

The conversations had at the Hoot and Holler illustrate a need for governments to reach out to others to complement the tools and expertise already in place.  With budget cuts and freezes in hiring, the left to right curve of available resources to cope with TTPs arcs sharply downward while the threats arc sharply upward.   Today, the onslaught of threats far exceeds the capabilities of many governments, requiring agencies to look beyond their traditional cooperative boundaries and reach out to new relationships for information and resources. Beadwindow is designed to close the gaps and facilitate those conversations.

If you’re a Beadwindow member, I encourage you to reach out to the Beadwindow community partners for help.  I heard several examples of where sharing information with the rest of the community could help free resources in one place so they could be targeted elsewhere.

By sharing with the community what you’re seeing on your networks, you are sharing intelligence that benefits all members.  It really is the “pay it forward” model.  You get out of it what you put into it.  You share the information in the portal and in return it sparks conversation. In return, the likelihood of you gaining information that is important to you, and that you’ve not seen before, increases significantly.

To find out about how Red Sky can help your organization, please reach out to me at In the meantime, please learn more about Red Sky @ or  

Have a great week and remember – If fighting is sure to result in victory, then you must fight!

Rick Gamache – Red Sky Alliance CIO – – 207-449-8090