We sent folks to training in Vegas this week, one to Marine Corps drill weekend, another heading for a week off in Steamboat, and me holding down the fort. So, no published Fusion Reports this week. We did, however, have some interesting threads and analysis via the portal. We analyzed our first suspected Palestinian malware specimen, which consisted of an open source RAT. While the malware was not unique, we did derive tailored mitigations to protect against future attacks from this tool. Additionally, an Associate member used their resources to help identify a substantial amount of related infrastructure, which was reported out to the members.
This week we observed our first occurrence of targeted activity which was independently reported from both Beadwindow and Red Sky members. This is to be expected and just goes to show that while we have two separate communities, the threat is sometimes the same. This activity will be detailed in an upcoming report to be released to both communities.
Those of you who know me know I’m a ‘keep it simple stupid’ kinda guy. All the data in the world, even when aggregated smartly, should never be implemented in your network without evaluating it first. So while aggregated security data may look great on paper, it still needs evaluation locally before implementing (locally meaning by your infosec team). How much time does it take to validate indicators in a security aggregation feed? My personal opinion is this... I’d rather ask someone smarter than me if the data was useful to them before I implement. I’d like to know what others found and of any lessons learned. There are two companies I’ve seen who I believe do aggregation well; they come at it from different perspectives. One uses malware as the tripwire for aggregation and the other begins the process with browser-based data. Both offer really good perspectives on hard problems, but there is a lot of malware out there, and there’s a lot of host-based badness out there. Can you implement a steady stream of potentially hundreds of thousands of indicators on your network and in your host-based IPS in near real time? Could you evaluate all of the data coming from them? How much labor would that cost? Me? I’d rather ask someone else how they did it, and then do it my way using their lessons. That’s what Red Sky and now Beadwindow are all about.
Why do I mention this?
I had a call this week with a large enterprise company, pretty typical of the companies that we work with on a daily basis. This company had been an ‘anchor’ in another information sharing environment. The guy I talked to told me he’d dropped his membership in this other group, and asked what Red Sky does differently. It was interesting to me to hear about this one group. The claim (as they all seem to be) is aggregation of the metadata associated with APT activities. I like to call this “Utopia” (I didn’t come up with this, a friend did), but here’s what I know. I’ve been tracking Utopia for many, many years. So far it doesn’t seem to exist. Me? I’m going to use my phone-a-friend. And yes, this company will continue to be attacked, and continue to receive aggregated open and premium sourced (ahem) security intelligence feeds, and yes, *I believe* we’ll be seeing that ‘anchor’ company joining Red Sky soon.
It’s not always about tech. Sometimes it’s about people.
Have a great weekend!