Saturday, September 21, 2013

Red Sky Weekly: Bruce Willis and Harrison Ford don't lie!

When is fiction based on truth? Would you believe it if you saw it?

Blowing up buildings, killing off the entire air traffic control grid, and stealing gobs and gobs of money. Live Free or Die Hard is the story of a guy (Bruce Willis) who does it all. Harrison Ford uses the database built into his daughters iPod to move 10 million accounts from the bank where he's the CISO to an offshore account, while his family lived (unknowingly at first) under the threat being killed in Firewall,

To far fetched for your liking?  Alarmist or realist?... you decide...

  • I published the (very true) story of  “woshihaoren” (我是好人) Red Sky Weekly: “woshihaoren” (我是好人 in April. It told the story of a cat and mouse game between a real CISO (I called him Jack) and a group of folks somewhere on the other side of the world. Jack's outgunned and probably will never get these guys out of his networks, but he shuts them down quickly. Heck, he's probably their training ground... (maybe we'll see a new movie? -Training Day III?)
  • I delivered the news to another CISO that an application that his company purchased (for a BOAT LOAD of money) was bought from another company who'd been completely p0wned. The result? The application he purchased was likely owned too... and probably leaking data.
  • In yet another, I informed a CISO last week that he'd had several emails heading for his company, all with malware attached. How would I know? Let's just say I do ok? We received a copy of the malware, and sure enough... it wasn't a birthday card from gramma! The information we gave him was less than 30 minutes old and the malware was undetected in the major virus engines.

When I talk with real life CISOs who've been through the 'oh sh*t' moment, every one says of those who don't know enough to share information that "they've never been through the giant sucking sound" (one CISO's quote.. not mine), or the idea that a virus might not be just a virus.. or the idea that we look at seven different areas connected by time to figure out how a chain of events occurred.

And if you think for one second that these movies aren't based on seeds of truth, I'd tell you this... the cat and mouse game is very real.  We've been doing this for two years as Red Sky Alliance and for several more before that... probably back to the roots -- the early days, old school, Solar Sunrise, Moonlight Maze, Titan Rain, APT, and now. As these things move into more mainstream, well... names stop when the new threats become the new normal... welcome to the new normal. 

Here's the bottom line... over the last few months we've compiled a list of companies who we believe are being actively targeted. We're not chasing ambulances and we're not the old glass repair guy running around in the parking lot with a hammer. We're a group looking out for each other. The community watch. The 'hoot 'n hollar' network. We want to know when one of our own will be hit. Heck, we told one of our members that they were being targeted. We gave them a dozen domains and IP addresses that were going to be used, and we grabbed the malware, analyzed it, and published the defensive findings before the attacks occurred. We named (by company name) six companies that we thought might be targeted. We published our findings to the membership, but warned the specific member (who handles security for the other six) privately. This stuff works. 

  • This weeks fusion report detailed a shift in tactics by one group, moving to a new downloader process for a specific remote access trojan. A remote access trojan, RAT, allows hackers to have full control and interactivity with the machine or machines where they have it installed. We've been seeing this in some of the discussion boards outside of Red Sky and took some time this week to send out some good analysis (and mitigations or courses) to our members.
  • We published a report on a bad guy that we've been tracking for several months now. The guy is active but practices really good tradecraft --no social media, not much open source communications --and seemingly never has, yet he's either an urban legend or he's just really careful.. not sure yet, but we know he writes some hellish malware.
  • We took on a bit of a GEOPOL project this week. More to follow as that unfolds, but this is reminiscent of my first project as an Intelligence Officer.. basics count and they need to be taught; so we're teaching a junior analyst. 

We're in our year-end membership push. We had 22 meetings in the last two weeks, putting four new members in front of the Advisory Board. We've also been asked (and have agreed to a test) to write targeted threat intelligence reporting for a couple of members. We'd been doing it for the last six months for one, and thought it might be a good second offering instead of some of the other more piecemeal work we've been doing in the lab. We like threat intelligence and we're really good at it. In fact, we've published over 100 analytic works in the last 18 months, and thought we might explore growth in the area of taking on a few clients to keep our minds nimble. So far, the reception has been terrific. 

I'll be at the Cyber Security Summit with Rick and Chris on Wednesday. Stop by and say hello. The booth with be sparse, but I'll have that target list in my pocket. You should ask me if you're on it! I've got an invitation for you if needed. It'll get you a discount on admission. I've placed it below the blog if you'd like to use it. We'll be in booth 211, and I'm sitting a panel in the early afternoon. The early attendee list looks good, so I'm looking forward to meeting some new people!

See you there!

Post a Comment