Saturday, December 28, 2013

Red Sky Weekly (12/28/13): Wrapping 2013 and moving into 2014

There seems to be a never-ending line of experts reading tea leaves for 2014, and not wanting to be left out, I'm going to post my own momentarily.

First, I should tell you, I think of risk not only as a negative, but also in terms of what offsetting factors are present. These are positives, and in many cases, positive influences also have risks. In all cases, risk is subjective and needs to be classified and prioritized. Where are you going to spend your money next year? (Of course I hope some of it is spent with Red Sky Alliance!) Regardless, I've ranked my 2014 thoughts in priority order based on presence of leading indicators, probability of the incident actually happening, impact if it does, and the kind of risk (i.e.: Technology, Operations, Enterprise, etc.). Some of these are higher level risks, some are technical, others focus on the actual operation of the business and effects posed by the government or competitors. I've not published the full detail here (because of blogger limitations), but will happily send it to you if asked:

BYOD Exploitation goes mainstream:  
  • High Confidence; Probability Imminent; Impact if successful: HIGH
  • Bring Your Own Device, while sound from a cost perspective, creates massive security and legal challenges. BYOD, especially in the SMB/supply chain enterprise space, is a highly sought-after target for access to banking, espionage (military, corporate, competitive) information and infrastructures. BYOD targets are more likely creative or knowledge-based individual contributors. In fact, we in Red Sky see this every day. We track the exploitation of several BYOD targets who are victimized in the hopes their machines may be used for business as well as personal use. This is a LARGE opportunity for attackers to exploit the enterprise's weak link --the user at home, where security messaging is often forgotten. 
Exploitation of non-routable space:  
  • High Confidence; Probability: Imminent; Impact if successful: HIGH
  • As users continue to click, code will continue to be installed in the enterprise. Virtual machines and proxy use will grow as a vector for direct log-in into organization networks. This is not new for those who've been dealing with APT/targeted attacks for the last few years, but for those of you reading VirusTotal today for the first time, wondering why that sample you submitted calls home to (Google's DNS)... well, sorry folks, you're about to earn your t-shirt.
Exploitation of DNS as a VPN:  
  • High Confidence; Highly Probable; Impact if successful: HIGH
  • VPNoverDNS, Iodine and other tools are creeping into the threat landscape and have been commercialized as mobile applications as well as more traditional tools. VPNoverDNS has been identified in multiple locations and touts its ability to exfiltrate data when all other means are blocked. Companies that have high value information, and high levels of security, will always have DNS available to an attacker, and with tools available, the ability to exfiltrate data via DNS becomes a much stronger reality.
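DNS tunnels of the kind described above leave a signature in resolver logs a defender already collects: many distinct, long, high-entropy hostnames under one registered domain, frequently carried in TXT or NULL queries. The script below is an added example written for this post, not Red Sky tooling. The log format, the sample lines and the thresholds are constructed assumptions, and the registered-domain guess (last two labels) stands in for a public-suffix-list lookup that real deployments would use.

```python
"""Heuristic spotting of DNS-tunnel style traffic in a DNS query log (added example)."""
import math
from collections import defaultdict

# Constructed sample log, not real traffic. Assumed line format:
# "<epoch> <client-ip> <qtype> <qname>"
SAMPLE_LOG = """\
1388217600 10.0.0.5 A www.example.com
1388217601 10.0.0.5 A mail.example.com
1388217602 10.0.0.7 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.t.tunnel-example.net
1388217603 10.0.0.7 TXT f0e1d2c3b4a5968778695a4b3c2d1e0f.t.tunnel-example.net
1388217604 10.0.0.9 A cdn.example.org
1388217605 10.0.0.7 TXT 3c9f0a6d2b8e5174471b5e8d2a6f0c93.t.tunnel-example.net
1388217606 10.0.0.7 NULL 8d4a1f7c3e9b0625526b0e9c3f7a1d48.t.tunnel-example.net
1388217607 10.0.0.7 TXT 5e2c8b1a4f7d0936639d0f7a4b1c8e25.t.tunnel-example.net
1388217608 10.0.0.5 MX example.com
"""

# Record types tunnels favour because they carry large payloads.
TUNNEL_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s):
    """Bits of entropy per character (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Naive registered-domain guess: the last two labels.
    Assumption for this example; production code should consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield (epoch, client, qtype, qname) tuples, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        rows.append((int(ts), client, qtype.upper(), qname.lower()))
    return rows


def profile_domains(rows):
    """Aggregate per registered domain the features a tunnel tends to inflate."""
    stats = {}
    for _, _, qtype, qname in rows:
        dom = base_domain(qname)
        st = stats.setdefault(dom, {"queries": 0, "names": set(), "label_lens": [],
                                    "max_entropy": 0.0, "tunnel_qtypes": 0})
        st["queries"] += 1
        st["names"].add(qname)
        leftmost = qname.split(".")[0]  # encoded payload normally rides in the leftmost label
        st["label_lens"].append(len(leftmost))
        st["max_entropy"] = max(st["max_entropy"], shannon_entropy(leftmost))
        if qtype in TUNNEL_QTYPES:
            st["tunnel_qtypes"] += 1
    return stats


def flag_tunnels(text, min_label_len=20, min_entropy=3.0, min_unique=3, min_tunnel_frac=0.5):
    """Return {domain: [reasons]} for domains where at least three indicators agree.
    Requiring agreement keeps CDNs and ordinary mail/web lookups out of the alert queue."""
    flagged = {}
    for dom, st in profile_domains(parse_log(text)).items():
        reasons = []
        avg_len = sum(st["label_lens"]) / len(st["label_lens"])
        if avg_len >= min_label_len:
            reasons.append(f"long leftmost labels (avg {avg_len:.1f})")
        if st["max_entropy"] >= min_entropy:
            reasons.append(f"high-entropy label ({st['max_entropy']:.2f} bits/char)")
        if len(st["names"]) >= min_unique:
            reasons.append(f"{len(st['names'])} distinct names")
        if st["tunnel_qtypes"] / st["queries"] >= min_tunnel_frac:
            reasons.append("mostly TXT/NULL queries")
        if len(reasons) >= 3:
            flagged[dom] = reasons
    return flagged


if __name__ == "__main__":
    for dom, reasons in flag_tunnels(SAMPLE_LOG).items():
        print(dom, "->", "; ".join(reasons))
```

Run against real resolver exports, the thresholds need tuning per environment (anti-spam and CDN lookups also produce long labels), which is why the decision requires several indicators to agree rather than any one of them.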
As the Cloud grows, so does its exploitation: 
  • High Confidence, Probability: High, Impact if successful: MEDIUM/HIGH
  • The only reason this doesn't carry a higher risk rating is because not all have moved to the cloud. Cloud adoption by corporate users continues to grow. As such, so does exploitation of the cloud.
Espionage moves to Sabotage:
  • High Confidence, Probability Medium, Impact if successful: TBD
  • Tools used for exploitation can, and have been used for sabotage. Stuxnet created an atmosphere where cyber as a means of destruction should be considered a normal part of the new threat landscape and organizations must be prepared. 
  • Add to this the fact that the need for a military to protect the masses in cyberspace no longer exists, and the idea that NGOs, hacktivism organizations, and individuals have far greater cyber firepower than ever before. 
Exploitation of Controller Area Networks:
  • Moderate Confidence, Probability Medium, Impact if successful: TBD
  • Vehicles with OBD have accessible computer ports available today. Last year a DEFCON presentation discussed hacking an automotive CANBUS in the car; another (not at DEFCON) built a handheld device to unlock and start vehicles. This, we believe, is a strong pair of leading indicators, and the topic of vehicular controller area networks will only expand during the course of 2014 and beyond.
    • Areas of concern: Automotive, Aerospace, Trains, and Maritime vessels
The Gloves are off. Cyber is officially a form of warfare:
  • High Confidence, Probability: High, Impact in 2014: LOW/MEDIUM and growing
  • While still new, several countries have built or are building offensive cyber warfare capabilities. Earlier in the year, countries that had cyber warfare programs in place were the US, UK, Canada, Israel, Germany, China, Iran, Pakistan, South Korea, DPRK, South Africa, and possibly Cuba (informally through partnerships with others). As of this moment Brazil, Argentina, and Venezuela have begun developing their own cyber capabilities. Russia is rapidly expanding its capabilities. Singapore is currently developing theirs, but not much is known about it. It stands to reason that this escalation will continue, presumably at a much faster pace than the last few years. 
  • Countries will define cyber borders. BRIC nations (Brazil, Russia, India and China) formed a coalition to build isolated networks, and the Brazilians have taken to training other South American countries in the use of Cyber as an offensive tool. 
  • Bottom line: NSA, right or wrong, as well as the dozens of other organizations around the world collecting cyber and other technical intelligence (and there are MANY), have caused massive knee-jerk movements toward encryption, TOR, and other means of protecting communications and privacy in cyberspace. At the same time, countries and NGOs are taking stronger defensive positions and bolstering their ability to both attack and fend off attacks through active defensive measures.... this is going to get exponentially worse over the next few years.
Cyber becomes the business equalizer:
  • High Confidence, Probability High, Impact in 2014: Low, growing
  • As companies realize the escalation of formalized government and NGO sponsored offensive capabilities, criminal activities will also escalate and companies will realize the massive competitive equalizer that is cyber through these criminal activities. Several examples exist where companies are exploited by those who believe they can get away with stealing high tech data, money, etc. Again, a bit of a no-brainer, but this is going to get MUCH worse. Businesses as an operation must consider competitive forces in their cyber defense plans moving forward into '14 and beyond. 
  • Not only must the criminal impact be considered but the goodwill impact must also be considered. Goodwill actually carries value on the financials, and must include a company's ability to sell based on their investments in information security. Goodwill on the balance sheet will be impacted if the organization is blocked from working with a specific industry segment (government, banking, healthcare, etc.) because of their lack of security or activities. 
  • Need an example? Target is already subject to lawsuits for losses --and they've not even been quantified yet! Think Goodwill will be affected? Absolutely. While CFOs have not yet fully realized it, this is a new reality... 

Hackers will find alternative means of malware delivery and installation beyond spearphishing, wateringholes, etc. i.e.: light, sound, NRF, S-link, etc.
  • This is actually the softball that I'll toss into the mix. The idea that hackers will continue to innovate should surprise no one, but the ways that they're doing it are actually, IMO, kind of cool! The idea that RSA keys can be cracked over acoustic readings via wireless takes the idea of MASINT to a whole new level. And the thought that computers can be hacked via the speaker and mic on a system probably shouldn't be surprising, and is much more complex to do than to think about, but I have a feeling you'll be seeing computer accessories built/sold to cover the mic and speakers.
Enough negativity for now. There are some positives:

First, you've heard me say this before. Now you'll hear it again.. what's old is new again!
  • Companies are learning to protect their jewels! Find what's important to your company, and wrap moats around it. It doesn't always work, but it's a mandatory first step.
  • Risk based models are (finally) popular! Nearly every CISO I talk to is working on processes to integrate threat intelligence into their operation. Why? Because it helps them assess risk! While they may not know it, Infosec is about assessing risk, and risk is derived through threat intelligence (one source obviously). I see this as a VERY positive sign. The security community is changing to intelligence-driven risk modeling!
Highlights from previous years? I've had a few... some right and some wrong.. here are some of the ones I called out last year:
  • I called for heavy VPN usage for exploitation. This has not only come true, but expanded to VPN over DNS, loading virtualized VPN servers in the enterprise, and rent-a-VPN from dozens of service providers around the world.
  • Growth of cross credential usage. Sadly, users still use one password for many accounts. With token and PKI exploitation growing daily, the ability to credential systems is growing harder and companies, because of costs, complexities, and the lack of understanding stick with what they know --passwords... of course the least secure of all. 
  • Growth of government concern and the need for SOX-like reporting. Whadya know.. the DFAR rule came out this year!
  • BYOD was on the radar, as well as Android exploitation. Both are discussed above. 
I'll close out with this... 2014 is going to bring some amazing challenges. One of the things we've been talking about (a lot) are the most common exploitation vectors, the TTPs associated with them, and targeting associated. If you're interested in having this discussion --prioritizing your work, understanding common attack vectors, etc., or would like a copy of previous years predictions, drop me a note.

...until next year...

From the team at Red Sky Alliance and Wapack Labs,
We wish you all a very happy, prosperous and secure New Year!

Saturday, December 21, 2013

Red Sky Weekly (12/21/13): Been there, done that, got the t-shirt!

Been there, done that, got the t-shirt is a saying that ran like water flowing across the bow of any of the many ships I spent time on during my early career. It means what it means. Been there, done that, and when we finished, we passed out t-shirts with the campaign, operation, or team logo on it. Sometimes the t-shirts are made from pride, sometimes they're made to help heal. Sometimes they're made to show unity.

Target earned their t-shirt this week. Sorry guys. I actually do know what it feels like to work the better part of the 168 available hours in a week fighting the networks. Thankfully, I was never in the global press because of it! Hang in there. And let me know when the shirts come out. I'd like to buy one! Neither Red Sky nor the lab are first line incident responders, but we are tracking this closely. While it's not apparent (yet) how this all came to be, it is widely known that starting in 2009 Target went through a massive transformation where iron was replaced by hypervisors, and the companies in the know [1] published case studies (we have approximately a dozen more) discussing Target and their circumstances.

“...until September 2009, Target’s POS systems and asset-protection ran on physical servers. By the second quarter of 2012, the company deployed 15,000 virtual guests running on more than 3,600 Hyper-V hosts across the entire store network. This includes 300,000 endpoints for servers, virtual machines, mobile devices, PCs, and POS registers.” This also includes an asset-protection solution. The list of technologies has had more than 25 CVE-rated vulnerabilities posted in only the last two months.

My point is this...

Networks are complex. Complexity causes pain... not sometimes; every time. Sadly, complexity is a necessary evil... and it's getting worse. 

And it's getting worse fast... far faster than builders and defenders can operate. 300,000 heterogeneous endpoints in 1700+ retail locations with 15,000 virtual machines running on more than 3,600 Hyper-V hosts. Add to this the "cloud" (I really hate that word!) that is the internal Target WAN connecting all the pieces, the external clouds used by the third party IT providers, the payment processors that connect (presumably centrally somewhere), and all of the other variables that go along with such a massive, geographically diverse, non-IT-oriented, retail-focused company. Add to that the fact that the third parties who run IT don't hold stock in the company and probably have a slightly less vested interest in their fiduciary requirement for managing the networks than they do in generating revenue from their customer... not a poke.. it's a fact of life.

Sorry Target. My best to you guys.  I'm certain there'll be some good lessons learned coming from this.

And "BZ!" to Krebs. Well done! Nice reporting sir!


Next week will be the last blog of 2013. It's been a hell of a year.

  • 37 blue chip companies represented in Red Sky Alliance, with another dozen or so in Beadwindow. We wanted to keep it a small, trusted group. So far, so good. 
  • Thousands of running threads produced more than 40,000 high quality, properly primary sourced, non-watered down APT and targeted event IOCs in nearly 200 analysis products published detailing full context of the incidents; plus over 300,000 products collected from open sources, used for pivoting off the 40,000 analyzed by Red Sky and its members.
  • Wapack Labs opened to handle some of the non-information sharing requests. As an example, we recently delivered a country study that will be used by a governmental organization overseas to help them secure their small nation... good stuff, but not necessarily information sharing related.
It's been a hell of a year indeed. 

Ok, until next week, I wish you the very best holiday season possible. Next week will be our 2014 predictions post, so hang in there.. one more to go and it's on to the new year!

Merry Christmas, Happy Holidays!


Saturday, December 14, 2013

Red Sky Weekly (12/14/13): Bridging the gap from user to analyst to protection

We were having lunch yesterday. Nice place. Sitting at the bar, I noticed two guys sitting next to me... phones going, both had laptops open. The one next to me was reading email in Outlook, and the conversation was all business. I thought, what a wonderful spot to grab competitive intelligence, so I fired up a sniffer just to check out the wireless... open.

Maybe presumptuous, but I passed the pair a business card, told them what I did for a living, and offered a very short, very impromptu, very polite cyber safety lesson on using open wireless access points. The restaurant was packed.

The guy next to me responds "My brother works for Symantec. He talks like you do. I know the risks, but just don't care." I was floored. He explained... "I travel a lot. If my banking or credit cards get stolen, the banks pay. I need access and don't want to pay the tethering fee for my phone."

On the other side of the coin we have analysts who want to analyze everything. They want to know where the guy filled up his car before buying a bag of Cheetos that he ate with his left hand. Every detail counts. Situational awareness is a must.

So how is it that we have such a massive disparity between what Joe (Jane?) consumer does at a bar in a nice restaurant, and those of us who'll spend days analyzing data to try and help those who don't care if they're being helped? (The guy told me he does have Lifelock! Wuhoo!)

At the same time...

We run into so many analysts who analyze for the sake of analysis, and frankly, although I know they're working hard, are really smart, and have great gouge... But sometimes make me really tired! How much of that work actually will keep that unsuspecting, unknowing, uncaring guy from losing control of his computer?

So tell me...
  1. How much analysis is enough? Now that you've pulled that malware sample apart, spent three months analyzing it, and spent who knows how much money, what did you get from it? Would you have obtained the same results by running it through a simple sandbox and recording the results... in about a minute? How do we push these results (fast) to the user in the restaurant?
  2. Attribution: We know who you are.... now what? Gonna have somebody killed? Jailed? Probably not. But if we can recognize the 'swing' of an attacker, and we know who he/she/they are, do we really need to prove it every time? 
  3. What exactly do you need to know? Why? How fast? What defines a priority intelligence requirement? I've heard two people explain it really well... one guy is the newly named CISO of a medium sized DIB company. He defines priority intel requirements as those things that will most likely hurt him today. Another holds a weekly meeting where teams nominate priority requirements that then get assigned out through a standardized collection process (I like this process very much!). 
  4. Keep it simple, stupid! Last, but certainly not least, besides the readers inside the government beltway, or those who've been named honorary govvies, how many of you can tell me what a Taxonomy is without looking it up? How many of you also know what taxonomies are available to you in the cyber realm? I'm watching with bated breath to see which one comes out on top, and when it does, we'll use it, but in the meantime, we prefer the Keep It Simple Stupid taxonomy... The guys over at Lockheed came up with Kill Chain a few years ago.. Not really anything new, but they did a great job. We like it, and we use it. Comma separated value text and not a lot of overhead. It allows a broad audience to be able to read, understand, and use the data for maximum protection.. fast.
Intelligence is supposed to help with futures. Are we spending time on the right activities? Can you show a clear line between the number of analytic hours you spend digging through data and reductions in successful attacks, reduced incident response cycle times, faster forensics or more targeted infosec spend? How do we push this down to that guy at the bar? Change his behavior without sacrificing usability and features?

We've found that in Red Sky, one of the value propositions is the simple recognition of not just IOCs (you can get IOCs anywhere these days), but in the context. IOCs without knowing the sources, and confidence in the sources, can mean high false positives, and therefore, high labor costs in your incident response and forensic teams. If you could reduce this cost by simply participating in a crowdsourced, high confidence environment where you know the sources, can qualify the quality through peer reviews of those sources, and can get the data in a usable, keep it simple stupid format, well, why wouldn't you do it??
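Point 4 above (a flat, comma-separated kill-chain taxonomy) and the paragraph on IOCs carrying source and confidence context fit together in a few dozen lines. The Python below is an added example, not Red Sky's portal format or code: the CSV columns, the indicator values, the log events and the confidence weights are all constructed for illustration (the addresses are documentation ranges, not real IoCs). It matches indicators against whole tokens of each event, then weights each hit by source confidence and by how many kill-chain phases one host touches, so a lone low-confidence open-source hit lands in a review queue instead of paging the incident response team.

```python
"""Kill-chain tagged IOC list in CSV, matched against log events and triaged by
source confidence (added example; schema and data are constructed)."""
import csv
import io
import re

# Constructed indicator list. Column names are assumptions for this example.
INDICATORS_CSV = """\
indicator,type,kill_chain_phase,source,confidence,first_seen
198.51.100.23,ipv4,command_and_control,member_report_A,high,2013-11-02
bad-update.example.net,domain,delivery,open_source_feed,low,2013-12-01
c0ffee00c0ffee00c0ffee00c0ffee00,md5,installation,lab_analysis,high,2013-11-20
203.0.113.9,ipv4,command_and_control,open_source_feed,medium,2013-12-05
"""

# Constructed proxy/firewall-style events (key=value fields), also not real data.
SAMPLE_EVENTS = [
    "2013-12-10T09:12:01 host=ws-044 dst=198.51.100.23 dport=443 action=allow",
    "2013-12-10T09:13:40 host=ws-044 url=http://bad-update.example.net/setup.exe action=allow",
    "2013-12-10T09:14:02 host=ws-044 file_md5=c0ffee00c0ffee00c0ffee00c0ffee00 action=quarantine",
    "2013-12-10T10:01:17 host=ws-102 dst=203.0.113.9 dport=80 action=allow",
    "2013-12-10T10:05:00 host=ws-210 dst=192.0.2.44 dport=443 action=allow",
]

# How much weight a hit carries depends on how much the source is trusted (assumed scale).
CONFIDENCE_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Tokens are runs of hostname/hash characters; "=", "/", ":" and whitespace split them.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def load_indicators(text):
    """Parse the CSV into a list of dicts, normalising indicator and confidence values."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["indicator"] = row["indicator"].strip().lower()
        row["confidence"] = row["confidence"].strip().lower()
    return rows


def match_events(indicators, events):
    """Match indicators against whole tokens (so 198.51.100.23 does not also hit
    198.51.100.230); each hit keeps the kill-chain phase and source it came with."""
    hits = []
    for event in events:
        tokens = {t.lower() for t in TOKEN_RE.findall(event)}
        for ind in indicators:
            if ind["indicator"] in tokens:
                hits.append({
                    "event": event,
                    "indicator": ind["indicator"],
                    "phase": ind["kill_chain_phase"],
                    "source": ind["source"],
                    "confidence": ind["confidence"],
                })
    return hits


def host_of(event):
    """Pull the host= field out of an event line."""
    m = re.search(r"\bhost=(\S+)", event)
    return m.group(1) if m else "unknown"


def triage(indicators, events, escalate_at=5):
    """Group hits per host. Escalate when the confidence-weighted score is high or the
    host shows more than one kill-chain phase; otherwise queue the host for review."""
    per_host = {}
    for hit in match_events(indicators, events):
        host = host_of(hit["event"])
        entry = per_host.setdefault(host, {"score": 0, "phases": set(), "hits": []})
        entry["score"] += CONFIDENCE_WEIGHT[hit["confidence"]]
        entry["phases"].add(hit["phase"])
        entry["hits"].append(hit)
    for entry in per_host.values():
        multi_phase = len(entry["phases"]) >= 2
        entry["decision"] = "escalate" if entry["score"] >= escalate_at or multi_phase else "review"
    return per_host


if __name__ == "__main__":
    results = triage(load_indicators(INDICATORS_CSV), SAMPLE_EVENTS)
    for host, entry in sorted(results.items()):
        print(f"{host}: {entry['decision']} (score {entry['score']}, phases {sorted(entry['phases'])})")
        for hit in entry["hits"]:
            print(f"    {hit['indicator']} [{hit['phase']}] via {hit['source']} ({hit['confidence']})")
```

The source and confidence columns are what turn a bare indicator match into something a responder can act on: the same C2 address reported by a vetted member and by an unattributed feed should not cost the same number of analyst hours to chase.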


It's been an amazing week.

  • We held our 4th quarter threat day this week. The presentations were AMAZING, covering all kinds of topics from proprietary commercial SIGINT operations to case studies to new tools. Thank you to the host, and for all those who travelled to attend. What a great day!  
  • Next, we sent two press releases out this week. We haven't sent one in over a year, and then bang! two in one week! In both cases, we're partnering with some amazing folks:
    • Wapack Labs is stepping into a cyber threat analysis and intelligence role for the FS-ISAC starting at the beginning of the year.
    • Wapack Labs was chosen by CBTS to assist with intelligence requirements for their customers, and CBTS joined Red Sky Alliance. 
  • We're delivering TIAD this week, with analytic training in a National Level CERT. My guy is traveling as this gets published, and the team is standing by in Manchester to support. 
  • On Monday we're being visited by another ISAC, and Tuesday a group of techies (and their VC) from MIT.
It's coming up on the end of the year. We've got three weeks before our 2014 rate increase, so if you're spending end of year money, and have a need for great threat intelligence next year, or simply want to make your current small team more efficient, call us! We'd love to show you what we do!

Ok all, until next time, 
Have a great weekend!

Saturday, December 07, 2013

Red Sky Weekly (12/7/13): Are we entering a Cyber Arms Race?

It's been a crazy busy week. We processed three new Red Sky membership requests this week, updated a fusion report originally published in May, and posted three new pieces of analysis. On top of that, the Lab inked a deal to handle Cyber Threat Analysis and Intelligence for one of the major ISACs. My week wrapped last night with a Christmas party in DC. I'll take today for a breather, then back at it tomorrow.

What struck me at the party last night, sitting at a table with a bunch of folks like me who either do work for the government or have worked for the government, were two themes that came up over the really nice salmon -one spoken, and one not.

The spoken? "The (cyber) arms race"

The unspoken? "Disintermediation"

The "arms race" discussion was not the long-term topic of the evening, but definitely one that stuck with me. The idea is that every country in the world today seems to be running hard to build, at minimum, defensive cyber capabilities. Many are also building offensive capabilities --either organic or outsourced. Regardless, the race is on. Red Sky analysts are tracking the growth of these capabilities for our membership. We have a feeling it's going to become important very soon.

Disintermediation? This is one of my favorite words. I first heard this word in a cyber context when Dave Aucsmith took the stage at the AFCEA conference in Colorado last spring. Disintermediation is an economic term that describes 'cutting out the middleman' in a supply chain. In a cyber context, the idea was that in the era of cyber, attackers will attack victims without the assistance of a military, essentially cutting out the middleman. An October Gartner report offered an assumption that "By 2020 25% of global enterprises will engage the services of a "cyberwar mercenary" organization." (Source: How to Select a Security Threat Intelligence Service, 16 October 2013, Rob McMillan, Kelly M. Kavanagh)

So I think a lot about these two ideas (forces?)... an arms race, plus cyber disintermediation. Wow. Imagine the future. Indicators are aligning and I'm not sure any of us are going to like it:

  • Red Sky is busy, as are apparently other threat intelligence organizations. Companies are beginning to understand that intelligence is important stuff. 
  • Several companies have sprung up in the last couple of years who chase 0-days, touting offensive capabilities. 
  • There are countries in the world that seem to not mind being viewed as the location of choice for launching points of these capabilities. Motivations to do so are economic, political, activist, or any number of other reasons.
  • Many countries around the world are posturing for offensive cyber operations, and I believe the number of countries staging these capabilities will grow significantly over the next few years.
  • At the same time, the labor pool is short, meaning outsourcing will become mainstream in the future, potentially lending credence to McMillan's assumption. 
Here's my concern, and one we talked a lot about last night... those who've worked with the government over the last few years know why they have cyber pain today. Those who have not, don't. I've heard those in-the-know referred to as the "one percenters" and those not in-the-know as the "99 percenters". Beyond the one percenters, the messaging doesn't seem to resonate outside of the Washington circles. This is important stuff... not one person connected to the internet by cell, computer, pad, wristwatch, appliance, or what's being called the "Internet of Everything" will be able to sit out the storms that are coming. The ability to wreak havoc has outpaced the ability to defend against it, and it's only going to get worse as we move through the strata of criminal, to espionage, to planned and unplanned offensive cyber.

Interestingly enough, cyber is still viewed by many as a weapon in and of itself.. cyber is only a means of carrying out something more. It's cheaper (and carries a hell of a lot less risk) to hack a computer than it is to implant humans to steal information or sabotage. Information is pouring onto the Internet in massive buckets from devices you've probably never thought about before, and the information poured onto the internet by nearly any of these devices offers a smart analyst real information.. or a smart operator a real opportunity.  

  • People in DC are talking about the idea of a 'cyber arms race'. So whether it's real today or not, because people are talking about it over dinner in DC means it's probably coming.
  • The world is becoming even more wired through "Internet of Everything". Are you going to be ready when the coffee pot in your office break room is used to listen in on conversations or become an attack relay into other machines in your company?
  • Analysts are assuming cyber mercenaries in the very near future. Just like the DC comments, it's in writing. For me, this is the second indicator that people are talking about it... and for every comment, the likelihood of it becoming true grows.
  • And, the unspoken, disintermediation, in a cyber context is very real. 
Yes, we are in an arms race. And yes, the landscape and rules of engagement of warfare in the future are going to change significantly. 

Wow. That was a real buzz kill. 

So what are companies doing about it? Threat Intelligence is one of the hottest topics in cyber today. Knowing, or at least having an idea of what's coming allows the smart, informed CISO to make good risk-based decisions about what to fix today, tomorrow, and at least have a plan for next year and the year after that. These roadmaps will likely change. They always do, but the idea is this.. talk with others. Compare notes. Make an informed decision about where all of this is going, and base your long term strategy on good data, not noise.

That's where Red Sky Alliance comes in. Tactical intelligence is published routinely.. a couple of times every week. They come in the form of Priority Intelligence Reports and Fusion Reports. Strategic information comes in the form of Intelligence Analysis Reporting and GEOPOL studies of the world's offensive growth curve. 

Not comfortable participating in the portal? Call the lab. We'll do it for you. 

Drop us a note. We'll be happy to show you what we do.

Until next time,
Have a great week!

Saturday, November 30, 2013

Red Sky Weekly: USG, NGO hacked; two new RAT versions

I live in an apple orchard. Last summer, when mowing the lawn, I got stung by a bee... actually, I got stung by lots of bees. Evidently, I got a little too close to the nest with the tractor and set off a swarm. Immediately, I began swatting... but that didn't do me any good with a couple hundred wasps heading my way. So I gunned the tractor and got out of the area as quickly as I could. I still didn't know where the nest was, and knew I was going to need to find it to be able to mow the lawn next time. So after the bees settled down, I walked the orchard to find the nest. That night, employing an old farmer's trick, I built a torch with a kerosene-soaked rag wrapped around the end of a long stake. I drove the stake into the ground while it was still light, and in the middle of the night (when it's good and dark), I lit the rag on fire. The bees, drawn to heat and light, swarmed to the fire while the nest was sprayed with a stream of high-pressure wasp killer, from a distance.. no more bees.

Intelligence makes all the difference. What kind of bees do you want to kill? What do they want? How can they be baited? All good information to know.. all good intel -some tactical, some strategic. All must be known to stop the pain now, and keep it from happening again in the future. 

SO, who would you rather be? The guy getting stung? Or the guy lighting the torch? You have to be both. 

One of our members tells his story of 'intelligence driven information security'. He's a smart guy who's been in the intel/security space for a long time. I know him as an analyst, but he's done a lot of things really well for as long as I've known him. He takes a two step process in consuming intelligence, and I love the cleanness of the process. He's one of the few guys I know that can articulate it well, so I talk about it often.  He talks of 'priority intelligence requirements' -those things that he'll look for first thing in the morning.. things that are happening today... wolves closest to the sled.  He then looks for things that'll get him tomorrow, next week, and next year --First, tactical, then strategic. If he wants to stop the stinging, he knows, he'll have to have information (intel, the gouge, whatever you want to call it), that will help him figure out what's coming, not just what's here.

If you follow my blog, you know that Threat Analysis and Intelligence (I call it CTA&I) is something I'm passionate (fanatical?) about, and write about regularly.

When I think about intelligence, especially in the cyber space, it's easy to see how many could confuse actionable information with good intelligence. And, we find that many folks we talk to think they understand, but in reality, most do not. And some of those who do, often times have no real means of consuming and/or implementing that information. There was a great piece that came out from Gartner a couple of weeks ago. I'm not a Gartner member, but someone forwarded it to me last week. The piece, "How to Select a Security Threat Intelligence Service" (Published: 16 October 2013), takes on the sometimes contentious discussion of what intelligence is and what it isn't, and what should be considered when purchasing threat intelligence. It breaks intel down into two simple bins --Operational, and Strategic.

  • Operational Intel is intel derived through traditional IT tools. Operational Intel should be thought of as short term and tactical. It drives daily operations and will protect from what an old friend likes to call 'wolves closest to the sled'. Intel is delivered in machine readable formats by various subscription services, open source groups, commercial collaboratives (like Red Sky) or information sharing and analysis centers. 
  • Strategic Intel is used to affect longer term, strategic positioning of the organization and its infosec team. 
Operational (Tactical) Intelligence helps you deal with the bees stinging you now. Red Sky members share information about things happening now. Companies are vetted before coming in. Accounts are issued by name. Once in, everyone is peer reviewed. Indicator lists are maintained in comma separated value format for easy consumption. Fusion reports give the story of how they were derived. Members participate in the analysis, assisting with everything from false positive derivation to building tools. 

Strategic intelligence helps you deal with those things that might sting you tomorrow, next week, or next year. Strategic intelligence comes from Red Sky members participating in geopol discussions, sharing targeting information, objectives of attackers, etc. 

What's happening in Red Sky? This week...
  • Humanitarian NGO hacked: We posted analysis, and notified an international humanitarian organization that they'd been victimized. Wapack Labs (Red Sky's 'hands on' end of the operation) identifies and exploits sources of information not generally available to others. Through this source, we identified leads that led us to this NGO. In coordination with an EU Computer Emergency Response Team, we were able to notify the humanitarian organization of the problem, and help them figure out what to do about it.
  • Two new RAT versions were identified, analyzed, and shared. Again, through the lab, information was received and shared with the Red Sky membership. It was then analyzed by the collaborative, with indicators cleaned up and posted.
  • Compromised US Government Certificates and Accounts: Wapack Labs received raw, unevaluated information from one of its HUMINT sources concerning compromised US Government certificates and accounts. We're receiving more and more information related to attacks on various governments and NGOs. Some of this stuff really isn't in our lane, so all of it is posted to the Beadwindow portal where government users can download the information and act on it as needed. 
So yes.. it's been a good week. 

Why should you join us today? Because for slightly less than half the cost of a good subscription service, you get to access and share information with many of the original authors of much of the data that those subscription services analyze. What kind of information?
  • Incredible tactical information: The portal has been busier than ever. Tactical intelligence is growing and every minute you wait, you're losing valuable protection information --information that would cost HOURS (if not days or weeks) to derive without help. From the tactical perspective, in both Red Sky and Beadwindow, you can quickly pull down:
    • Information on hacks across industries, how the attackers operated, and how others protected against them.
    • Monitoring and sharing of network activity by others
    • Shared monitoring of open sources such as social media, Google groups, chat rooms and other forums
    • Analysis of artifacts - If you can't do this yourself, ask about Wapack Labs' malware analysis.
  • Strategic Intelligence.. at a very high level...
    • Who are these guys?
    • What do they want?
    • What will make them stop?
    • What exactly are they trying to do when they hack us?
    • How will you know? 
    • How can you prevent the attacks, or stop them in progress?
Come join us. Build your network! I was in a meeting a few weeks ago when I (once again) heard the most common thing I hear when talking with potential Red Sky members or Wapack Labs customers: "I got a guy". Every company we work with has hired someone from the intelligence or law enforcement community. They think that because they hired 'a guy', they're good. In fact, the 'guy' is almost always adorned with an 'intelligence' title but has dozens of responsibilities that don't include intelligence. Red Sky and Wapack Labs focus on intelligence. We have process. Use our process to complement your team. The networks are huge, and pay off in spades!

Schedule a demo today. Our membership price is going up at the end of the year, and if you join now, you can lock in 2013 prices. We offer flexible payment options, and every minute you wait is another piece of information that won't get used in your network today. Drop us a note to schedule your demo.

Until next time!
Have a great week!

Saturday, November 23, 2013

Red Sky Weekly - 11/23/13: It's about the swing!

One of the guys told me yesterday that our growth and content creation lines were near straight lines at a 45 degree angle. He'd noticed that since the end of summer, the portal has been on fire. So this morning before jumping into the blog, I wanted to check the numbers out for myself. It's been a while since doing so, and I'm coming up on a threat day where I've got to report out to the membership our current status and what's coming.
Figure 1: Content Creation
Figure 1 is a graphic showing content creation since our kick-off. Our portal was issued to us (empty) in mid-January 2012, modified, tested and deployed in mid-February with content population starting in March. Since then, this thing has been a straight line of activity. 

Our community has grown from two (Jim and me) to 207 total accounts (as of this morning), with roughly 80-100 active every month (Figure 2). This was a total surprise to me. I've been involved in information sharing organizations before (several, in fact), and have never seen user participation levels like these. What does that mean to you? It means there are 80-100 active, peer-reviewed analysts who can help you with just about any request. Need help with something special? Just ask. Someone will have worked on that too. Need to reduce false positives in your IOCs? Just ask. Setting strategy for next year? Metrics help? Others have been working the same things. Good intel --tech to GEOPOL, cross-sector participation, and finished reporting from the discussions. How cool is that!?

Figure 2: User Adoption and Creation
Figure 2 is the graphic showing the number of active participants month over month back to the beginning of the year. It's amazing to me to think that even when the week seems slow, month over month the activity stays relatively consistent. By far, besides the containers that hold the fusion reports and IOCs, the most active area in the community is intelligence, followed closely by the Malware Lab. 
  • Security Intelligence is the location in the portal where members talk about what's coming. We've added priority intelligence reporting and geo-political analysis, both based on traditional intelligence cycle processes, both creating a ton of activity. 
  • Malware Lab is always busy. Most of our folks have malware analysis capabilities, and they'll drop results into the Malware Lab. For those who don't, Wapack Labs can help. We can run the code for you and drop the results back into the portal. 
So why did I title this blog "It's about the swing!"??

I keep a morse code key on my desk. It reminds me of where this all started for me. I was a Coast Guard Radioman (RM3) standing watch at Coast Guard Communications Station Boston (actually in Marshfield, MA), eventually growing to Telecom Specialist (TC1) before heading off to Navy Officer Candidate School (that's a whole different story!). Back to the code key... when you're operating by morse code (we ran many of our comms by morse code --I'm dating myself!!), after a while you get to know who you're talking to by the 'swing' of their key. It's like recognizing the voice on the other end of the phone. After a while, even though some of us have never met, we get to know each other. The portal is the same way. We're getting to know each other through active participation, peer reviews, and various get-togethers --some involving food and mild liquid lubrication.. it helps with the bonding ;)

The swing has become apparent in the portal. Those who communicate regularly seem to really hit it off analytically. The products that the team pushes out cement the conversations in formal, easy to read, 'this is what it means' and 'this is how you stop it' reporting. Will it always work? Probably not, but it's a great start to working your own environment, knowing what to look for, finding it, and saving yourself a hell of a lot of time and frustration of trying to go it alone. 

We're pushing through to the end of the year. We brought on a new member this year, and are pushing to close out our year and get new folks started before January. If you've been thinking about requesting a demo, give us a call. We've been flat out for the last few months (see Figure 1!). I'm expecting that we'll slow down as we pass Thanksgiving, so this is the time. Drop us a note!

Until next time,
Have a GREAT Thanksgiving!

Saturday, November 16, 2013

Red Sky Weekly - 11/16/13: Mind the Gap!

I had dinner at a local steakhouse last night. As I ran through the menu, I found a new page --a picture of each of the cuts of steak laid out as a simple one-page guide to what each was: marbled, lean, expected taste/texture, etc. Why the new page? Evidently the restaurant (which had been there for years) had realized that the majority of their customers didn't understand the differences from one cut to another. As a result, they tended to order the same cut, over and over, without ever trying other, possibly more expensive cuts.

Why am I talking about a steak dinner?

Because this week was busy. 0-days, new malware, shifts in TTPs, etc. For whatever reason, this week seemed much busier than others. It brought me back to a day when I operated as the Information Security Officer. The company did about $7 billion per year in sales, had roughly 35,000 employees in a few dozen locations around the world, and with partner and supplier connections, probably expanded the network to about 100,000+ people. We had export controls, consent decrees (court ordered firewalls between potentially competing internal businesses), and a dozen or so regulatory issues, including, like many of you, SOX and increasing government pressures from DSS, and others. My job? I managed information security for this entire environment on two people.. me and one other. We focused mainly on architecture and architecture reviews with almost no time to deal with testing final integrations -but we did do patch management really well. It was largely automated and relied heavily on the desktop teams. It didn't take long to realize we needed help. We were being targeted, and every run of the host-based scanners reported at least several hundred computers that needed to be looked at, troubleshot, investigated and probably rebuilt.

So what's the gap?

It's the space that lies between what actually needs to be done and what actually gets done. It's knowing that you've got 800 machines showing up in that host-based scanner result, finding out that you've actually got a problem, but having to simply burn and rebuild them without doing the forensics that might help stop it next time (and there WILL be a next time!). It's playing whack-a-mole for months before finally realizing that this just isn't working anymore. It's the complexity of heterogeneous systems connected to other heterogeneous systems during acquisitions past; it's gaps in visibility across the network from the lack of uniform tools; it's not being able to touch every machine during an emergency. It's virtualization and clouds, and having to ask permission to take a box offline or leave it on for monitoring. It's the lack of trained personnel --not people lacking infosec training, but company training on the processes of intelligence handling, incident response, forensics, restoration and continued monitoring and protection.

The gap is knowing what must be done, but not having the ability to actually do it. It's a security intelligence provider offering victim notification: a gig of indicators suggesting a large percentage of your company has been p0wned, but you don't have the instrumentation to even go find it. It's knowing intelligence could have prevented it, but not even knowing where to start.

Don't burn out. Don't chase your tail. Get organized. Get help. Mind the gap.

Red Sky can help mind the gap... the knowledge gap. What have others done when they had 800 machines show up with those same results you're seeing today? What worked, and what didn't? Ask them! With a few keystrokes you can ask the question, get answers, and possibly save yourself yet another overnight in the lab running forensics, banging your head against the wall. Others have been there before you.. and others will come after you. Perhaps you can help them with their gap!

Can't participate in a collaborative? Think Wapack Labs. There are lots of reasons why Red Sky might not fit, but that shouldn't stop you from getting the information you need. The lab handles other kinds of questions. "We've been bought and sold so many times... what's my network look like?" "Who keeps hacking us and what will make them stop?"

How do we help? We've got a great membership. We've got almost two years of ongoing conversations in Red Sky portals and several years of targeted incident response before that. The problem you're having today is probably one that someone else has already had.. so ask them. Need analysis and indicators? Check out the fusion and intel reports. We published two of them this week. Any more would probably be overwhelming, so we work hard to keep it simple and actionable.

On the 11th, we're having our end-of-year threat day. We'll have happy hour on the 10th as an ice-breaker, and a day of presentations and great conversation on the 11th. We'll have a line open for those who can't attend but want to be involved virtually. It's always a great day.

Want to join us? We're pushing hard as we come into the end of the year. Drop us a note. Let's set up a time for a demo!

I'm keeping it short today. Much to do before traveling tomorrow.
So until next time,
Have a great week!

Saturday, November 09, 2013

Red Sky Weekly - Life is hard, but it's harder with bad intel!

You'll probably recognize the saying. That’s not really how the saying goes, but it’s pretty much the same point… Let me explain.

I spent some time this week with an old friend from the Defense Industry, who, like many of us, has moved on. His new company, not defense related, joined Red Sky Alliance last week. We had great conversation with him and his new team. We shared war stories of using creative ways to find attackers living in their networks. And as with any good series of incident response war stories, they always turn to harder cases. You know the ones. They're the ones where you'll never find (or stop) attackers by using indicators of compromise (IOCs) alone. As an example, we talked about one case where a virtual VPN server was set up inside a network, allowing attackers to simply log in using encrypted comms over the port left open for normal encrypted web traffic (SSL). Once in, the proxy was used as a jump point into other virtualized, attacker-installed servers. Attackers built their own virtual network on top of the company network and used it as their workspace, and the activity entering and leaving the actual network looked just like normal employee activity!

The question I get (nearly on a daily basis!) with regard to intelligence is 'how good is it, and how can you tell?'

Let’s try this...

When dealing with targeted infections, every company does three simple things simultaneously:

  1. They must stop the current infection(s). An infection is a set of compromised machines, and might be expressed as a percentage of your network; in a large enterprise, it might be 1-2% per infection;
  2. They must do so while maintaining current operations and allowing the business to continue to operate;
  3. And they must plan for how they'll maintain operations into the future over now-untrusted networks (and you won't, ever, trust them again).

The way I push my team and train analysts is this: Intelligence is analyzed data used to answer a specific question relative to strategy... futures. "Intelligence" has been used to describe IOCs (Indicators of Compromise), forensic analysis (of a previously hacked machine or machines), reverse engineering, and many other past-tense or current-state activities. From our perspective, IOCs are required information and will help you find and stop activity now, but Intelligence tells you what IOCs to use next. Intelligence is about futures.

So without getting into the religious wars over what intelligence is and what it isn’t, let’s get back to the questions.

How good is your intelligence?

How can you tell?

Intelligence has many traits, but in my opinion, you can tell good intelligence by looking at a couple of simple things. In fact, try measuring these:

  • Intelligence should be actionable. Intelligence that you can't act on isn't intelligence, it's analyst porn; it's a 'self-licking ice cream cone'; it's intelligence for the sake of intelligence; it's research time spent to make the analyst smarter (not a bad thing), possibly offering situational awareness, but it doesn't necessarily create returns on your intelligence spend.
  • Intelligence should be sourced. This doesn't mean users need to know every source, but the author needs to be able to express both confidence in the source and quality of reporting. For example: Red Sky considers its finished analysis (fusion reports) high-confidence information relating to targeted events. This is because we practice, and expect, peer review on our products. Our products are sourced, allowing readers to check our work, and we practice something an old friend used to pound into me --analytic rigor. Analytic rigor is the act of identifying multiple independent sources that point at one conclusion (or sometimes don't!). When we correlate data, we typically compare Red Sky derived data to multiple sources through our own private collections of CIF data, malware, crowdsourced data and potentially dozens of others. This gives us "layers of analytic confidence". We can quickly compare high-confidence data (fusion report drafts) to open source data (CIF) to primary-sourced data (data off the wire from the members). Source quality counts.
  • Intelligence should make your future life easier, not harder. When you drop an intelligence-derived IOC into an IPS, does it make bad things stop? What's the false positive rate? Do you know? Red Sky members receive Snort signatures and YARA rules when possible. We label each Snort rule with the Red Sky report it came from. That way, you can easily measure the effectiveness of rules published in Red Sky reporting. While every rule may not fire immediately, the idea is that it will in the future; you may not have seen that activity yet. We don't necessarily get feedback on which rules fired where, but we do get feedback from CISOs who tell us that they use EVERYTHING we give them, and that they're renewing because we give them information they don't get elsewhere... both great compliments!
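A concrete way to do that measurement, as an added example rather than anything from Red Sky's own tooling: keep every indicator tagged with the report it came from and the tier of source that produced it, run the list over your logs, and count hits per report and independent source tiers per indicator. Everything in the block is constructed for the example: the CSV feed, the proxy log lines and their format, the report labels (placeholders in the FR/IAR naming style, not real reports) and the fusion/osint/wire tier names.

```python
"""Tag indicators with the report and source tier they came from, then measure
which reports actually fire against traffic and how many independent source
tiers corroborate each hit. Added example; all data below is constructed."""
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed indicator feed. Columns: indicator, type, report, source_tier.
# source_tier models the "layers of analytic confidence" idea:
#   fusion = peer-reviewed finished analysis, osint = open-source feed such as
#   a CIF instance, wire = primary-sourced data a member pulled off their network.
# Report labels are placeholders, not real Red Sky report numbers.
INDICATOR_CSV = """indicator,type,report,source_tier
203.0.113.25,ip,FR-EXAMPLE-1,fusion
203.0.113.25,ip,CIF-OPEN,osint
update-check.example.net,domain,FR-EXAMPLE-1,fusion
update-check.example.net,domain,MEMBER-PCAP-1,wire
198.51.100.7,ip,IAR-EXAMPLE-2,fusion
cdn-static.example.org,domain,CIF-OPEN,osint
"""

# Constructed proxy log lines. Hypothetical format: ts src_ip dst_host dst_ip dst_port
PROXY_LOG = """2013-11-08T02:14:11Z 10.20.31.44 update-check.example.net 203.0.113.25 443
2013-11-08T02:14:12Z 10.20.31.44 update-check.example.net 203.0.113.25 443
2013-11-08T02:15:40Z 10.20.31.90 www.example.com 192.0.2.10 443
2013-11-08T02:16:02Z 10.20.31.44 cdn-static.example.org 192.0.2.55 80
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<dst>\S+) (?P<port>\d+)$")


def load_indicators(text):
    """Return {indicator_value: {"reports": set, "tiers": set}} from the CSV feed.

    Keying by value lets one IP or domain carry several sources, which is what
    corroboration counting needs."""
    index = defaultdict(lambda: {"reports": set(), "tiers": set()})
    for row in csv.DictReader(io.StringIO(text)):
        entry = index[row["indicator"].strip().lower()]
        entry["reports"].add(row["report"])
        entry["tiers"].add(row["source_tier"])
    return index


def match_log(log_text, index):
    """Match each line's destination host and destination IP against the index.

    Returns one dict per line that hit, listing the indicators it matched."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines rather than abort the whole run
        f = m.groupdict()
        matched = [v for v in (f["host"].lower(), f["dst"]) if v in index]
        if matched:
            hits.append({"ts": f["ts"], "src": f["src"], "indicators": matched})
    return hits


def report_effectiveness(hits, index):
    """Count how many log lines each report's indicators fired on.

    A line that hits two indicators from the same report counts once for it."""
    counts = Counter()
    for hit in hits:
        reports = set()
        for ind in hit["indicators"]:
            reports |= index[ind]["reports"]
        for r in reports:
            counts[r] += 1
    return counts


def corroboration(index):
    """Distinct source tiers backing each indicator (1 means single-sourced)."""
    return {ind: len(entry["tiers"]) for ind, entry in index.items()}


if __name__ == "__main__":
    idx = load_indicators(INDICATOR_CSV)
    hits = match_log(PROXY_LOG, idx)
    for hit in hits:
        print(hit["ts"], hit["src"], "->", hit["indicators"])
    print("hits per report:", dict(report_effectiveness(hits, idx)))
    print("source tiers per indicator:", corroboration(idx))
```

Reports whose indicators never fire show up as zero, which is the signal you want before deciding whether a feed is worth renewing; an indicator backed by a single tier is one you should hold at lower confidence than one seen in finished analysis and on a member's wire.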

So let's go back to our original example.

The FBI shows up on your doorstep one day and tells you that your network is phoning home to . When you look at the traffic (assuming you have the ability to do so), you find a machine on your internal network pumping data out through port 443 from a non-routable (RFC 1918) address. It'll look pretty much normal --maybe it even matches your DHCP addressing, but the machine name doesn't match your naming convention. Whadya gonna do? You'll want IOCs, but you'll also want intel. IOCs will give you the machine name, internal IP and other information to help with the immediate infection, and without them you'd probably spend days (weeks?) scouring your network for others that might be talking to this first virtual machine... and when you identify those comms, they'll become encrypted, or move! This is where good intel will help you with what's coming next....

Assume you’ve pulled IOCs from one of your sources (I hope it’s Red Sky Alliance!). You find the invading virtual environment. In every case the activity will escalate. Once you learn to protect from the immediate activity, the tactics will change. How will you know what’s coming? INTELLIGENCE. And what must that Intelligence be? Actionable, timely and correct. Without it, your future life is about to become really hard. It should make your future life easier, not harder.
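The first step in that scenario, finding the machine whose name doesn't fit your convention yet is pushing data out over 443 from a non-routable address, can be scripted against a DHCP lease export and flow records. The block below is added here and is not Red Sky's or Wapack Labs' code; the naming-convention pattern, the lease and flow record formats, the addresses and the byte threshold are all constructed assumptions for the example.

```python
"""Flag internal hosts that talk out over 443 but either have no DHCP lease or
carry a hostname that violates the corporate naming convention. Added example;
formats, names, addresses and thresholds are constructed assumptions."""
import ipaddress
import re
from collections import defaultdict

# Hypothetical convention: three-letter site, role letter (W/S/L), four digits, e.g. BOS-W-0142
NAMING_CONVENTION = re.compile(r"^[A-Z]{3}-[WSL]-\d{4}$")

# Constructed DHCP lease export. Format assumed: ip hostname mac
DHCP_LEASES = """10.20.31.44 BOS-W-0142 00:11:22:33:44:55
10.20.31.90 BOS-W-0177 00:11:22:33:44:66
10.20.31.201 ubuntu-vm 08:00:27:aa:bb:cc
10.20.32.17 BOS-S-0009 00:11:22:33:44:77
"""

# Constructed flow summary. Format assumed: src_ip dst_ip dst_port bytes_out
FLOWS = """10.20.31.44 192.0.2.10 443 18234
10.20.31.201 203.0.113.25 443 913402211
10.20.31.201 203.0.113.25 443 728110045
10.20.31.201 10.20.1.5 443 99999999999
10.20.32.17 198.51.100.7 443 40123
10.20.31.90 192.0.2.10 80 2200
10.20.31.250 203.0.113.25 443 5000
"""

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True for RFC 1918 (non-routable) addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_leases(text):
    """Map lease IP -> {hostname, mac}; malformed lines are skipped."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, hostname, mac = parts
        leases[ip] = {"hostname": hostname, "mac": mac}
    return leases


def outbound_443_by_host(text):
    """Sum bytes out over 443 per internal source, counting public destinations only.

    Internal-to-internal 443 traffic is dropped so it cannot inflate the totals."""
    totals = defaultdict(int)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, nbytes = parts
        if port != "443" or not is_private(src) or is_private(dst):
            continue
        totals[src] += int(nbytes)
    return totals


def suspicious_hosts(leases, flows_text, min_bytes=100_000_000):
    """Return hosts talking out over 443 that have no lease, a non-conforming
    hostname, or moved at least min_bytes. Each finding lists its reasons."""
    findings = []
    for src, total in outbound_443_by_host(flows_text).items():
        lease = leases.get(src)
        hostname = lease["hostname"] if lease else None
        reasons = []
        if hostname is None:
            reasons.append("no DHCP lease for source address")
        elif not NAMING_CONVENTION.match(hostname):
            reasons.append(f"hostname {hostname!r} violates naming convention")
        if total >= min_bytes:
            reasons.append(f"{total} bytes out over 443")
        if reasons:
            findings.append({"src": src, "hostname": hostname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_hosts(parse_leases(DHCP_LEASES), FLOWS):
        print(f["src"], f["hostname"], "; ".join(f["reasons"]))
```

A source with no lease at all is reported separately from one with a bad name: an attacker-built virtual machine on a static address never shows up in DHCP, so "no lease" is a finding in its own right, not a parse failure.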

That’s how you can tell good intelligence.



  • We had two new members join us this week --our first large law firm, and another one of the large cloud providers.
  • We posted another new intelligence analysis report and a priority intelligence report.
  • We’re preparing for our 4th quarter threat day.

It’s been busy. We like it that way!  Christmas is busy for Santa and hackers, and our membership price will increase at the beginning of the year. A December membership will let you lock in your rate for up to three years, so if you’re thinking about joining us, do it now. We’re happy to schedule a demo. Just drop us a note!

Until next time,

Have a great week!

And for you veterans. Happy Veterans Day! Enjoy the weekend. You (we!) deserve it!

Saturday, November 02, 2013

Red Sky Weekly - 11/2/13

It's been a LONG (and awesome!) week, but I'm not going to post this week. 
It's 5:11 AM and I'm forgoing my weekly blog and heading to Boston for the parade. Congrats Sox! It was an amazing series! Wuhoo!

Saturday, October 26, 2013

What is Wapack Labs? What does it do for Red Sky (and others)?

I just sent a note to one of the sources we use in identifying information that might be of help to our members. If you've ever sourced folks, you'll know that even at 6:30 in the morning when you might otherwise be having your first coffee, you might still find yourselves quelling the "the sky is falling" messaging when every source feels their gouge is more important than anything else in the world today.

Why sources? Because cyber comes in all shapes and sizes.  This blog is a bit different. We've done some amazing work in the lab and I rarely tell anyone about it, so I thought I might today.

As a bit of clarification, Red Sky is about information sharing of good cyber intelligence and network defense. When our guys post information to Red Sky members, it comes from smart guys, but also from things that smart guys have developed in Wapack Labs. The idea in the lab is both to perform dedicated second- and third-level analysis for those who need it, and to find new sources of unusual, high-value information, collect that information, and turn it into actionable intelligence to support members of the Alliance. In doing so, we almost always come across a ton of other really interesting information that we then distill down to answer other questions. We have the ability to do computer forensics, analysis, break down PCAP, and all of the other things needed to help defenders protect their networks --and we do. We work these issues and post findings for members in the Red Sky and Beadwindow portals. But at the same time, when going through these processes, the data identified gives us a really great perspective on other problems.

And on that, it should be noted... Information isn't intelligence. Intelligence comes from being able to identify the nuggets in information that might be helpful in aiding decision makers on courses of future actions. This is what Wapack Labs does. Red Sky is where we put that intelligence. Wapack Labs is where we develop and analyze it.

What kind of intelligence are we talking about?  Cyber defense obviously, but also insider threats, competitive intelligence, M&A, and self examination as starters.  With enough smart guys (we're keeping it small), we could easily go into dozens of others, but these are really fun so we'll focus here for now!

So beyond the cyber that we push to the portal, here are a couple of examples of non-cyber focused work that we end up obtaining as part of the process:

  • Insider Threats: Last week we were able to tell a global consumer electronics company that they have an insider threat problem. We had done research supporting cyber defense. That work led us to conversations (open source, of course) of a specific group. One of the guys does security consulting work in a number of companies, and we had a conversation with one of them last week. This work has led us to start an insider thread in the portal. 

  • Mergers, acquisition, or outsourcing: Would you buy or use a company without doing due diligence? Since earlier this spring, we've answered questions from companies about possible merger and acquisition targets, and this week we're being contracted for the third time to answer questions about a bunch of companies who're being looked at for large scale IT outsourcing by a non-member. The questions usually go something like "We're thinking about using tell us what you know about them."

  • Infrastructure: While not necessarily intelligence focused, the Lab has received a number of requests where companies want to know about themselves! Our last paper went something like this... "We've been through a number of acquisitions and divestitures. What do you guys know about our infrastructure?" We're not into mapping networks, but the answer might be more along the lines of "We found that you still have web servers and a DMZ residing ." -or- "we found a dozen or so of your addresses registered as VPNs with a (ahem) third party." (This isn't a good thing.)  Interestingly enough, there's a TON of open source, free information out there that can be used to find out about a company's infrastructure and if you know how, you don't need to even touch the network to find it and answer questions like this.

So if you've wondered what Wapack Labs does, but were maybe too shy to ask, this is it... cyber defense, R&D, analysis, and anything else we find fun, interesting (and of course, revenue generating!). 


I'm keeping it short today. It's been a heck of a week! 

So until next week. 
Have a great weekend.

Saturday, October 19, 2013

Security is a team sport!

We went through an exercise this week proving just this. 

It seems that in nearly every meeting I’ve had in the past several weeks, someone asks what Red Sky Alliance knows about insiders. It’s true, we focus on corporate espionage and APT events, but clearly insiders (at least one class of insiders) fall easily into the ‘determined adversary’ category… and for that, we’re on it!

So what constitutes an insider?  I have an old friend who’s studied this for years.  Dawn Capelli left Carnegie Mellon (maybe a year ago?) where she built and spearheaded the insider threat group at SEI. She’s the expert, and she’ll tell you that insiders come in many shapes and sizes.

So which category are we talking about?  I’m not talking about Snowden. In fact I’m growing tired of reading about him in TechDirt (the “all Snowden all day” RSS feed!), but more about others, whom we know to be wearing the white hats by day, turning gradually darker as the evening draws close, and finally pure, pitch black after hours.
We realized that for the last several months we’ve been authoring not only the fusion reports that I talk briefly about in my weekly blogs; in May we also began writing ‘priority intelligence reports’. For those of you in the IC, think Intelligence Information Reports, based on both priority and standing requirements. For all others, PIRs talk of ‘wolves closest to the sled’.  Anyway, in going through the last few months, we’ve come to realize that many of the individuals we’ve identified through our research are smart guys by day and, by night, cyber thugs stealing IP, coaching newbies, testing their 0-days and pushing their way through the corporate walls.  Heck, maybe they do it by day too.  Not sure, but here’s what I do know…  we presented to one company this week where we showed them a picture of a really smart guy by day, but a really bad guy by night. He advertises the fact that he works for their company as a security consultant, in an IT security consulting role. We know him from his involvement in other things…  He, in my mind, is an insider threat. 

He’s one case. We have a few others. And what’s interesting to me is that there are some interesting correlations that seem to be appearing:

  • Many of these guys are doing double duty
  • There is targeting employed as part of the group(s) that they belong to
  • And by watching employment by some of these Jekyll and Hyde’s we can get a pretty good idea of not only who many of these folks are, but who they work for.  And if we’re right, we know why some of these guys are getting very specific jobs. 

How does this work in the real world?  We played out an example just this week. Someone we know (from our research) was hired by a company in the US. This is a great company, and they hired a smart guy, but at the same time, some may consider some of his off-hours associations questionable.  Those associations often make for great intel sources, but at the same time they could also significantly increase the risk that this guy is a really efficient insider, placed in this company to deepen what is known about the company’s customer base or security posture.  It’s not unheard of.  Dawn had probably documented hundreds of these cases before leaving SEI. In our case, our early assessment wasn’t perfect, but by the end of the day, after sharing notes and talking with members, we had a pretty good idea where we had gaps.  We’ll continue tracking, asking our members for information, keeping the conversations moving… and over time, the assessments will become clearer.

Security IS indeed a team sport.

We’ve been getting really good at talking together about information security threats, but should insiders be another topic? 


The guys have been busy this week. The portal never stops moving. It’s great! Here are a couple of the highlights:

  • Fusion Report 27: Red Sky analysts issued our 27th fusion report of the year. FR13-027 presented findings about a previously unknown malware variant observed in the wild. The report provided analysis on the infrastructure and presented technical analysis of two of what we’re calling “Backdoor.Baby” variants.
  •  Intel Report 18: This week we updated our analysis of “Flower Lady” with our 18th intel report of the year. IAR13-018 builds upon work in two recent Fusion Reports analyzing infrastructures and malware attributes --connecting the dots from attacks as far back as 2011.

It's been a busy week. 
I'm going fishing.
Have a great weekend!