Saturday, September 21, 2013

Red Sky Weekly: Bruce Willis and Harrison Ford don't lie!

When is fiction based on truth? Would you believe it if you saw it?

Blowing up buildings, killing off the entire air traffic control grid, and stealing gobs and gobs of money. Live Free or Die Hard is the story of a guy (Bruce Willis) who does it all. Harrison Ford uses the database built into his daughter's iPod to move 10 million accounts from the bank where he's the CISO to an offshore account, while his family lived (unknowingly at first) under the threat of being killed in Firewall.

Too far-fetched for your liking? Alarmist or realist?... you decide...

  • I published the (very true) story of “woshihaoren” (我是好人, "I am a good person") in the April Red Sky Weekly. It told the story of a cat and mouse game between a real CISO (I called him Jack) and a group of folks somewhere on the other side of the world. Jack's outgunned and probably will never get these guys out of his networks, but he shuts them down quickly. Heck, he's probably their training ground... (maybe we'll see a new movie? Training Day III?)
  • I delivered the news to another CISO that an application that his company purchased (for a BOAT LOAD of money) was bought from another company who'd been completely p0wned. The result? The application he purchased was likely owned too... and probably leaking data.
  • In yet another, I informed a CISO last week that he'd had several emails heading for his company, all with malware attached. How would I know? Let's just say I do ok. We received a copy of the malware, and sure enough... it wasn't a birthday card from gramma! The information we gave him was less than 30 minutes old and the malware was undetected in the major virus engines.

When I talk with real-life CISOs who've been through the 'oh sh*t' moment, every one of them says of those who don't know enough to share information that "they've never been through the giant sucking sound" (one CISO's quote, not mine), or the idea that a virus might not be just a virus, or the idea that we look at seven different areas connected by time to figure out how a chain of events occurred.

And if you think for one second that these movies aren't based on seeds of truth, I'd tell you this... the cat and mouse game is very real. We've been doing this for two years as Red Sky Alliance and for several more before that... probably back to the roots -- the early days, old school, Solar Sunrise, Moonlight Maze, Titan Rain, APT, and now. As these things move into the mainstream, well... the names stop when the new threats become the new normal... welcome to the new normal.

Here's the bottom line... over the last few months we've compiled a list of companies who we believe are being actively targeted. We're not chasing ambulances and we're not the old glass repair guy running around in the parking lot with a hammer. We're a group looking out for each other. The community watch. The 'hoot 'n holler' network. We want to know when one of our own will be hit. Heck, we told one of our members that they were being targeted. We gave them a dozen domains and IP addresses that were going to be used, and we grabbed the malware, analyzed it, and published the defensive findings before the attacks occurred. We named (by company name) six companies that we thought might be targeted. We published our findings to the membership, but warned the specific member (who handles security for the other six) privately. This stuff works.
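What a member actually does with "a dozen domains and IP addresses" is sweep them against outbound logs. The block below is an added example of that sweep, not Red Sky's tooling or anything from its reporting: the indicator list and the proxy log lines are constructed placeholders (RFC 5737 documentation address ranges and reserved example domains), and the log format (timestamp, source IP, destination host, destination IP, method, path) is an assumption. It treats a domain indicator as matching the host itself and any subdomain of it, but not a parent domain or a mere substring, and it expands a single IP indicator into a /32 so CIDR ranges and single addresses are handled the same way.

```python
"""Sweep a shared indicator list (domains, IPs, CIDR ranges) over proxy logs.

Added example (not Red Sky's code). Indicators and log lines are constructed
placeholders using RFC 5737 documentation ranges and example domains.
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the shared "dozen domains and IP addresses".
INDICATORS = [
    "update-check.example.net",   # domain: matches host and its subdomains
    "cdn.example.org",
    "198.51.100.23",              # single IP, handled as a /32
    "192.0.2.0/24",               # whole range
]

# Constructed proxy log lines: timestamp src_ip dest_host dest_ip method path
LOG_LINES = """\
2013-09-19T08:01:12Z 10.1.4.22 www.example.com 203.0.113.10 GET /index.html
2013-09-19T08:01:40Z 10.1.4.22 update-check.example.net 198.51.100.23 POST /gate.php
2013-09-19T08:02:03Z 10.1.7.9 img.cdn.example.org 203.0.113.77 GET /a.gif
2013-09-19T08:02:15Z 10.1.7.9 notupdate-check.example.net 203.0.113.5 GET /
2013-09-19T08:03:44Z 10.1.9.3 - 192.0.2.199 CONNECT -
2013-09-19T08:04:01Z 10.1.9.3 example.net 203.0.113.6 GET /
"""


@dataclass(frozen=True)
class Hit:
    line_no: int
    src: str
    indicator: str
    field: str  # "host" or "ip"


def load_indicators(items):
    """Split indicators into a set of domains and a list of ip_network objects."""
    domains, networks = set(), []
    for item in items:
        try:
            # A bare IP parses as a /32 (or /128) network; CIDR parses as-is.
            networks.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            domains.add(item.lower().rstrip("."))
    return domains, networks


def match_host(host, domains):
    """Return the matching domain indicator, or None.

    'a.b.cdn.example.org' matches 'cdn.example.org'; 'example.org' and
    'notcdn.example.org' do not (no parent-domain or substring matches).
    """
    h = host.lower().rstrip(".")
    for d in domains:
        if h == d or h.endswith("." + d):
            return d
    return None


def match_ip(ip_text, networks):
    """Return the matching network indicator as a string, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # e.g. '-' when the proxy logged no address
        return None
    for net in networks:
        if ip in net:
            return str(net)
    return None


def sweep(lines, indicators):
    """Return a Hit for every indicator match in the log text, in line order."""
    domains, networks = load_indicators(indicators)
    hits = []
    for n, line in enumerate(lines.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue                        # malformed line; skip, don't crash
        _ts, src, host, dst_ip = parts[:4]
        d = match_host(host, domains)
        if d:
            hits.append(Hit(n, src, d, "host"))
        net = match_ip(dst_ip, networks)
        if net:
            hits.append(Hit(n, src, net, "ip"))
    return hits


if __name__ == "__main__":
    for hit in sweep(LOG_LINES, INDICATORS):
        print(f"line {hit.line_no}: {hit.src} -> {hit.indicator} ({hit.field})")
```

Run against the constructed log it reports four hits on three lines (the C2 POST matches on both host and IP, the image fetch matches as a subdomain, the CONNECT lands inside the /24) and stays quiet on the look-alike host and the parent domain. Swap in the real indicator list and a log export, and keep the source IP in each hit: that is the host you go and image.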

BT BT
  • This week's fusion report detailed a shift in tactics by one group, moving to a new downloader process for a specific remote access trojan. A remote access trojan, RAT, allows hackers to have full control and interactivity with the machine or machines where they have it installed. We've been seeing this in some of the discussion boards outside of Red Sky and took some time this week to send out some good analysis (and mitigations or courses of action) to our members.
  • We published a report on a bad guy that we've been tracking for several months now. The guy is active but practices really good tradecraft -- no social media, not much open source communications -- and seemingly never has, yet he's either an urban legend or he's just really careful, not sure yet, but we know he writes some hellish malware.
  • We took on a bit of a GEOPOL project this week. More to follow as that unfolds, but this is reminiscent of my first project as an Intelligence Officer: basics count and they need to be taught, so we're teaching a junior analyst.

We're in our year-end membership push. We had 22 meetings in the last two weeks, putting four new members in front of the Advisory Board. We've also been asked (and have agreed to a test) to write targeted threat intelligence reporting for a couple of members. We'd been doing it for the last six months for one, and thought it might be a good second offering instead of some of the other more piecemeal work we've been doing in the lab. We like threat intelligence and we're really good at it. In fact, we've published over 100 analytic works in the last 18 months, and thought we might explore growth in the area of taking on a few clients to keep our minds nimble. So far, the reception has been terrific. 

I'll be at the Cyber Security Summit with Rick and Chris on Wednesday. Stop by and say hello. The booth will be sparse, but I'll have that target list in my pocket. You should ask me if you're on it! I've got an invitation for you if needed. It'll get you a discount on admission. I've placed it below the blog if you'd like to use it. We'll be in booth 211, and I'm sitting on a panel in the early afternoon. The early attendee list looks good, so I'm looking forward to meeting some new people!

See you there!
Jeff

2 comments:

Arctific said...

The initiative seems nice. But, trust comes before coordination and this trust development cycle needs a bit more work.

It would be nice to share incident response data to other firms before they get hurt, or receive credible incident pending data before my firms do. But, I am not flying to Chicago just to say hi for 50% off.

Enjoy the conference.

Don Turnblade
bio: www.linkedin.com/in/arctific

Jeff said...

Don,

Absolutely. You hit two nails on the head. Trust is a major issue. Security guys are generally close hold anyway, but they tend (at least in my experience) to not have a problem sharing (or flaming) from behind a keyboard. To that, we started our membership with a group of companies who knew each other, then expanded out from there. These were natural networks that they'd been operating in before bringing them into Red Sky. Then we moved to one degree of separation, which is where we stand today. All members have to be accepted in by the original founders... who can both vote you on the island, and off. Once in, everyone is peer reviewed. We also do a number of personal activities aimed at trust and bonding, from 'booz'n and brainstorming' sessions to more formal threat days once per quarter... of course we fill the interim with other activities.

On early warning? Exactly. Our membership is roughly 30 companies, but they own, manage, control or secure tens of millions of computers in ~140 countries around the world. We give them advance warning/analysis and have them secure what they own... and they do. This helps us keep the trust. We have no interest in bringing in thousands of members like an ISAC. Our goal is maybe a couple dozen more large enterprise companies and that's probably about it. Additionally, we do write (for a fee) highly targeted threat intelligence, but not as a subscription service.

Hope this helps answer your concerns. The process definitely does work, but certainly it's not for everyone!

Jeff