Saturday, July 20, 2013

The Three F’s of Good Intelligence

To quote the great Adam Carolla - 

"Any restaurant is only three crappy meals away from failure"

If you go to your favorite restaurant on any given day and are served a crappy meal, you will likely go back again because it’s your favorite restaurant and they may have just had an off-day. You're willing to cut them some slack.

Let’s say you go back again after your first lousy meal and you get another one. You may still be willing to forgive because you have had so many great meals there over the years. But after that third crappy meal, you probably will never go back again.

So why are we talking about restaurants in a security blog? Substitute meals with reporting and intelligence. No matter what your previous track-record, you are only as good as your last three reports. With the time sensitive nature of threat-intelligence, this becomes even more important. This is the reason we take our reporting so seriously at Red Sky. Ask any Red Sky member and there is a good chance they will tell you the same.

Don't get me wrong, we are not the para-militaristic "Hell’s Kitchen" of the threat intelligence, but we take pride in our work and we don't think that’s such a bad thing.  If asked for the ingredients in the recipe for a report that is relevant to today’s persistent threats, I would argue that it’s the same three every time… for the incident responder working on his eighteenth hour of slogging through pcap, pulling images, searching through running memory dumps for the needle in the stack of needles, there are three things running through their head… the three F’s:

·       Who the F is it?
…and as the CISO heads for the CIO’s and CEO’s offices…

·       What the F do they want?
…and as the Incident Responder stares at his screen, with phones ringing off the hook and his/her inbox filling with reports of wide spread problems…

·       How the F do I stop them?

C-suiters right now are scrolling right now in search of the ‘unsubscribe button’ but the incident responders, the analysts, the forensic folks and all of the other blue-collar geeks responsible for the long days of actually working at the brown end of the stick are laughing heads off right now!

Fortunately, there’s a ton of data available to answer these questions. Unfortunately, it’s located in disparate places, and you need to be able to sort the puzzles that have been dumped from their boxes, lay on the floor in front of you, and know how to pick the pieces to the puzzle you’re trying to put together right now. This puzzle (todays puzzle.. tomorrow’s will be different) is the same color are many of the others, and the size and shapes are only slightly different than the rest. You’ll need a keen eye.

When the puzzles are laying on the floor, all mixed up, and the CISO realizes his company is hemorrhaging data, and there’s not a damn thing he can do about it; when the CIO realizes that his network built for uptime, availability, and ease of use; when the CEO realizes he’s going to have to report the issue to the board and in a SOX material breach report (and the costs of responding will probably affect his bonus!); when all of these things happen and there’s no end in sight, and no way to stop the bleeding without completely disconnecting from the Internet –and you have no backup plan for operating without it, well, we called this (in our Annual Report) the ‘Oh Sh*t’ moment.

Companies have these every day, in every country in the world. If you’ve not had yours yet, you will. It’s just a matter of time. If you make something that someone else wants, if you sell to customers that others may want to exploit for their employment, if you build technologies that go into other things, you have probably had yours already. If not, your company may not be instrumented correctly to find it, may not have the skills in your Infosec team to know, or, like many companies I’ve talked with in pitching Red Sky membership, your CIO or Legal team believes that if they don’t know, they don’t have to report. If they don’t know, cyber doesn’t have to show up in your 10K as a risk to business operations.

Regardless of the category you find yourself in, you should demand the three F’s from any vendor. This is what makes it actionable... and good intelligence is only good if it helps with prioritizing your workload, or protecting you from wolves heading toward your sled. If you’re subscribing to a service, you should demand this tailored information in your intelligence service. If they cannot provide satisfactory answers, then it may be time to reach out to Red Sky.

In Red Sky, when we perform analysis, analytic rigor is key. We’ve defined Priority and Standing Intelligence Requirements (questions) that we answer on nearly a daily basis, privately inside the portal (where btw, membership costs are about half of your current subscription price!). We post PIR reports on nearly a daily basis, intent on pushing the information to the far left of the kill chain, almost to the point of reading tea leaves, but only reporting when we believe there’s an impetus for impending attack. Fusion Reports are more retrospective in nature, but if you’ve not seen an attacker coming after your crown jewels yet, then these fusion reports are proactive for you… they protect you from a group that has yet to be tasked with stealing your stuff… but they will soon, and you’ll be armed and ready.

Our PIR reporting is taken from open sourced reporting.. meaning we read the news, web pages, blogs, social media, IRC, whatever, and then add our own analytics to it. The stuff we read might be in Mandarin, Spanish, Portuguese, English, Russian, Arabic, or any one of a dozen others, but when we find something that might result in cyber consequences, we tell our members. The reports usually generate conversation in the portal, creating more information and a sharper focus on what might become the problem.. our members work together to help figure out what’s going on.. protect the guy next to you.

Interested in reading our PIRs? Set up an appointment for an introduction to the Red Sky Alliance. We’ll help you answer the Three F’s.

  • Red Sky => Business to Business
  • Beadwindow => Are you a government IT worker? You’re eligible too. 2210’s or other non-Law Enforcement or Intel IT workers can access our Beadwindow portal.
  • Need more? Wapack Labs can do some of the work for you. The lab offers a full analytic, R&D and forensic capability, as well as a simple cyber security operations and monitoring monitoring (Wapack cSOC) solution to help look for APTs or targeted attacks in your network.

Drop us a note. Set up an appointment. Let us introduce you to our membership as the next member of the Red Sky Alliance!

Until next time,
Have a great week!
Jeff


1 comment:

Anonymous said...

Especially the comment on 'executive staff not including "cyber" in the 10K report.' However, if any CFO, CIO or CEO intentionally excludes cyber risk from their annual and quarterly reports - there is a problem with that. Nearly every company/organization in the world today relies on cyber and to leave that risk out is a gross dereliction of duty. Even fast food joints (following the restaurant motif here) connect to the 'Net (if I'm not mistaken), if only for status of daily business transactions.
If the CxO gang does not know some cyber info, they have to make it part of their job to find out and ask their IT/Security staffs for various info/data. And for sure, these folks had best be asking all of their vendors for cyber info, specifically that pertaining to risk.
And having proactive info to draw from is one of the best ways to get a leg up on cyber issues.