For those of you who know me, Henry was my basset hound, and the fictitious name used during (ahem) special research. I'm a former intelligence officer, a professional analyst, and a blogger since 2004 writing about my experiences on the journey --information security, cyber intelligence, education, thoughts. Some love my writings others hate it. If you like it, follow me!
Saturday, April 06, 2013
Red Sky Weekly: “woshihaoren” (我是好人)
I LMAO'd last night when one of the members told me this story, so I had to pass it along. I'm going to clean up his language a bit. I'm crusty, and he's crusty, and the story was conveyed over a beer and cigar at local watering hole. I know some of the color might be lost, but here goes anyway...
This guy (I'll call him Jack), is the CISO of a company that does about a billion per year in sales, and although I won't tell you what the company makes, I'll say they're a high tech.
Jack has a problem. APT actors basically live in their network. Heck, they come to work nightly when Jack isn't there, stick around for an eight hour shift, and log in and out as they need to capture new information. It's bad. Jack is good.. very good.. but has a small team and although they work very hard to keep actors out, sometimes it just doesn't work out that way.
So one day, Jack gets pissed. He knows the actors use a tool to capture passwords from machines and when they do, they have free reign to do what they want. Worse yet, they capture credentials all the way back to last reboot. So Jack --a really pissed Jack, knows someone is going to read his (what should be private) password. So Jack changes his password, leaving a message for his attacker. You won't be able to translate this in Google, and for those of you who know me, I don't usually pull these punches, but in writing, on a blog, I'm doing my best.
The CISO's taunting new password:
Limp [insert sailor slang for 'Male Sexual Organ'] [insert ‘Racial Slur’]
The password, after the next ‘shift’ (24 hours later) was changed to:
“woshihaoren” (我是好人) --Spaced out Wo Shi Hao Ren means "I am a good person."
So this tells me two things. First, yes, someone is living in the networks and not afraid to interact directly with this (incredibly technical) CISO and his team, and second, OPSEC isn't always a concern --especially when they know they've got you and have free range of movement in your networks.
This isn't the first time I've heard about attackers living in a network, and I'm sure it won't be the last. This guy has been sharing some of the best intel on attackers that I’ve ever seen. While it’s true he’s got a real mess, it’s also true that he knows how to capture data, record actions, and repel when he does find them. Unfortunately he can’t be cloned (yet), and can’t work 24/7, but without a doubt, Jack is one of the best and he isn’t afraid to show others what he’s got going on, or help them with their own problems.
This is what Red Sky is about --neighbors helping neighbors.
Now some really cool stuff. We published two reporta --a Fusion Report (FR13-009), and our version of an Intelligence Information Report, an Intel Analysis Report (IAR13-004).
FR13-009: This week we released FR13-009, our 9th in-depth fusion report this year. FR13-009 is an analysis of our "APT1". Granted its not the Mandiant "APT1", but it's number one our list. As always, our report included roughly 15 pages of analysis, including detailed analysis of a widely used remote access trojan and its infrastructure. The report include several pages of indicators, and gave members two new Yara rules and a snort signature to drop into their defenses.
IAR13-004 is an unfinished intel report summarizing yet another VPN service linked to hackers. This paper was provided for situational awareness in an effort to provide Red Sky Alliance with the ability to monitor and warn against future threats and provide data to compare with past intrusion analysis.
Our first Intern graduates to employment! Our first intern is now employed with one of the best companies going. Bruno got hired as a Regional Intelligence Analyst with a global payment processing company in Wilmington, DE. He started on the first of April and so far, so good. I've been told by the CISO of another member company that he'll take as many of our interns as we can give him (they’d made an offer too). In fact, I've got a good Marine coming off active duty that I'm probably going to refer to him soon, but for now, Bruno had some really nice things to say about his experience with Red Sky. Bruno peer reviewed in the top 10% of our membership, rated by folks in a group of mature infosec teams dealing with some of the hardest problems. If you’re a student, want to learn to be an analyst, and think you can contribute and rank out in peer reviews, drop us a note.