Saturday, October 13, 2012

Suspected Palestinian malware? Why a Red Sky Associate Membership?

We sent folks to training in Vegas this week, one to Marine Corps drill weekend, another heading for a week off in Steamboat, and me holding down the fort. So, no published Fusion Reports this week. We did however have some interesting threads and analysis via the portal. We analyzed our first suspected Palestinian malware specimen, which consisted of an open source RAT. While the malware itself was not unique, we did derive tailored mitigations to protect against future attacks from this tool. Additionally, an Associate member used their resources to help identify a substantial amount of related infrastructure, which was reported out to the members.

… This is a great example of why Red Sky welcomes certain vendors to the table. We call them Associate Members, and we believe that they, if they can do what they say they can do, should be rewarded. When vendors bring great analytics to the table, like we mentioned above, and the membership sees the value in their offerings, they get rewarded: through peer reviews, networking in a great community, and exposure. We don’t allow active selling, nor do we tolerate ambulance chasing, but we do believe that vendors were probably operational security folks at one point too, but now they’re entrepreneurs in the infosec space. Just like moving into management, we lose a little bit of our operational skill and situational awareness every day we’re not pounding a keyboard and scouring PCAP for the nuggets. Smart folks who chose the entrepreneurial path lose their edge as well. So in Red Sky, vendors get the benefit of being analytic members of the community. They pay a fee for membership, must pass the advisory board, and then play by the rules. In exchange they get to participate in a forum where some of the best minds in some of the best infosec teams are looking at some of the hardest problems. They participate like any other analyst, get peer reviewed like any other analyst, and are rewarded by showing off their wares. There is no better way to show what your products/services can do than to actually do it... and there’s no better way to buy than to see what it can do first.

This week we observed our first occurrence of targeted activity which was independently reported from both Beadwindow and Red Sky members. This is to be expected and just goes to show that while we have two separate communities, the threat is sometimes the same. This activity will be detailed in an upcoming report to be released to both communities.

Those of you who know me know I’m a ‘keep it simple stupid’ kinda guy. All the data in the world, even when aggregated smartly, should never be implemented in your network without evaluating it first. So while aggregated security data may look great on paper, it still needs evaluation locally before implementing (locally meaning by your infosec team). How much time does it take to validate indicators in a security aggregation feed? My personal opinion is this... I’d rather ask someone smarter than me if the data was useful to them before I implement. I’d like to know what others found and of any lessons learned. There are two companies I’ve seen who I believe do aggregation well; they come at it from different perspectives. One uses malware as the tripwire for aggregation and the other begins the process with browser-based data. Both offer really good perspectives on hard problems, but there is a lot of malware out there, and there’s a lot of host based badness out there. Can you implement a steady stream of potentially hundreds of thousands of indicators on your network and in your host based IPS in near real time? Could you evaluate all of the data coming from them? How much labor would that cost? Me? I’d rather ask someone else how they did it, and then do it my way using their lessons. That’s what Red Sky and now Beadwindow are all about.
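As an added example (not code from the original post, and not any vendor's product), here is the kind of local evaluation step the paragraph above argues for before a feed's indicators land on a blocklist or host IPS: a small Python triage that drops malformed and non-routable entries, sends overly broad prefixes and anything colliding with your own domains or shared CDN space to a human, and merges duplicates so you can see which indicators more than one source reported. The feed format, the vendor names, the allowlist, the CDN suffixes and every indicator in the sample are constructed assumptions; the RFC 5737 documentation addresses stand in for public address space.

```python
"""Triage an aggregated indicator feed before it touches a blocklist.

Added example (not code from the original post). The feed format, the
allowlist, the shared-infrastructure suffixes and the sample indicators
below are all constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample feed, one indicator per line: type,value,source.
SAMPLE_FEED = """\
ip,198.51.100.23,vendorA
ip,10.0.0.5,vendorA
ip,999.1.1.1,vendorA
cidr,0.0.0.0/0,vendorB
cidr,203.0.113.0/24,vendorB
domain,example.com,vendorA
domain,update.example-corp.internal,vendorB
domain,bad-site.example.net,vendorA
domain,bad-site.example.net,vendorB
domain,CDN.cloudfront.net.,vendorB
domain,localhost,vendorA
"""

# Constructed: domains this organisation owns or cannot afford to block.
LOCAL_ALLOWLIST = ("example.com", "example-corp.internal")
# Constructed: shared hosting/CDN suffixes too coarse to block wholesale.
SHARED_INFRA = ("cloudfront.net", "akamaiedge.net")
# Ranges that must never reach a perimeter blocklist. The RFC 5737
# documentation ranges are left out on purpose so they can stand in for
# public address space in the sample feed.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]
MAX_CIDR_HOSTS = 256   # anything wider than a /24 goes to a human first

# Lowercase hostname: one or more labels, then an alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def parse_feed(text):
    """Return {(kind, value): set(sources)}, merging duplicates across vendors."""
    seen = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",", 2)]
        if len(parts) != 3:
            continue                      # malformed line, nothing to act on
        kind, value, source = parts
        if kind == "domain":
            value = value.lower().rstrip(".")   # normalise before dedup
        seen[(kind, value)].add(source)
    return seen


def _ends_with(name, suffixes):
    return any(name == s or name.endswith("." + s) for s in suffixes)


def classify(kind, value):
    """Return (decision, reason); decision is 'deploy', 'review' or 'drop'."""
    if kind in ("ip", "cidr"):
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "drop", "unparseable address"
        if kind == "ip" and net.num_addresses != 1:
            return "drop", "ip indicator carries a prefix"
        if net.num_addresses > MAX_CIDR_HOSTS:
            return "review", f"prefix covers {net.num_addresses} hosts"
        if any(net.network_address in blk for blk in NON_ROUTABLE):
            return "drop", "non-routable range"
        return "deploy", "routable address"
    if kind == "domain":
        if not DOMAIN_RE.match(value):
            return "drop", "not a valid public hostname"
        if _ends_with(value, LOCAL_ALLOWLIST):
            return "review", "collides with allowlisted domain"
        if _ends_with(value, SHARED_INFRA):
            return "review", "shared infrastructure suffix"
        return "deploy", "valid hostname"
    return "drop", f"unknown indicator type {kind!r}"


def triage(text):
    """Sort a feed into deploy/review/drop buckets, keeping reason and sources."""
    buckets = {"deploy": [], "review": [], "drop": []}
    for (kind, value), sources in sorted(parse_feed(text).items()):
        decision, reason = classify(kind, value)
        buckets[decision].append({"kind": kind, "value": value,
                                  "reason": reason, "sources": sorted(sources)})
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_FEED).items():
        print(f"== {bucket} ({len(items)})")
        for it in items:
            print(f"  {it['kind']:6} {it['value']:30} {it['reason']} "
                  f"[{', '.join(it['sources'])}]")
```

On the constructed feed, three indicators are fit to deploy, four need a human (the catch-all prefix, your own domains, a CDN hostname) and three are dropped outright; the number of sources on each surviving entry is the cheap corroboration signal the paragraph asks for. The NON_ROUTABLE list is deliberately explicit rather than relying on ipaddress.is_global, which also treats the documentation ranges as non-public.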

Why do I mention this?

I had a call this week with a large enterprise company, pretty typical of the companies that we work with on a daily basis. This company had been an ‘anchor’ in another information sharing environment. The guy I talked to told me he’d dropped his membership in this other group, and asked what Red Sky does differently. It was interesting to me to hear about this one group. The claim (as they all seem to be) is aggregation of the meta-data associated with APT activities. I like to call this “Utopia” (I didn’t come up with this, a friend did), but here’s what I know. I’ve been tracking Utopia for many, many years. So far it doesn’t seem to exist. Me? I’m going to use my phone-a-friend. And yes, this company will continue to be attacked, and continue to receive aggregated open and premium sourced (ahem) security intelligence feeds, and yes, *I believe* we’ll be seeing that ‘anchor’ company joining Red Sky soon.

It’s not always about tech. Sometimes it’s about people.

Have a great weekend!