Saturday, November 10, 2012

Red Sky Weekly - New TTP detected by Beadwindow member!

This week will mark two milestones: our active user adoption is at an all-time high, and Fusion Report 30 is about to be released. As with every social network, there are ebbs and flows; this week, however, the flow has hit a record rate. We hope the momentum will continue. Saturday will see the release of our 30th fusion report, which will detail a previously unobserved TTP and C2 protocol. To date we have reported on over 10 different threat actors and have built out a solid profile of several of the more active groups.

If you haven’t been able to tell, I’m really excited! I haven’t been this excited about a major success in one of the portals since earlier this year. We’ve had a ton of ‘wins’, but this week one of our government members posted early indicators and a pcap of a TTP shift in the Beadwindow portal. That information generated incredibly active discussion in the portal: crowdsourcing. Everyone brought a piece to the table until, in the end, the new TTP was validated and shared.

So major activity this week:

  • Beadwindow was on fire with activity surrounding a TTP shift. The information was shared with the private portal, prompting several of its members to jump into the conversation on Beadwindow.
  • Red Sky received a submission from a non-member which led to the discovery of more activity utilizing Windows Credential Editor to steal Windows creds (does anyone know when this will be fixed in Windows?).
  • A piece of malware that our folks have struggled with for the last couple of weeks finally broke and gave up the booty: a previously unknown (at least by us) TTP and C2 protocol.

Interestingly enough, this really demonstrated what I think is the value of Beadwindow. Our submitter is a state government guy who used our Norman MAG2 malware analysis tool, bounced findings and ideas off our Red Sky Alliance technical lead, and analyzed the targeted cyber events by interacting directly with the mature, APT-hardened information security teams in large private companies. They’re helping him protect his networks, and he’s given them something to protect theirs. This is exactly how Beadwindow is supposed to work.

Before I forget: if you’ve not been mailed directly, we’re honoring our Founding Member prices through the end of this year. After that, they’re gone. While most will not be brought into the Advisory Board, the price holds through 12/31. We’re accepting full members and associate (vendor) members at 2012 prices. Don’t wait.

Until next week. Hopefully I’ll see some of you at FedCyber!
Jeff