Why sources? Because cyber comes in all shapes and sizes. This blog is a bit different. We've done some amazing work in the lab and I rarely tell anyone about it, so I thought I might today.
As a bit of clarification, Red Sky is about sharing good cyber intelligence and network defense information. When our guys post information to Red Sky members, it comes from smart guys, but also from things that smart guys have developed in Wapack Labs. The idea in the lab is twofold: to perform dedicated second- and third-level analysis for those who need it, and to find new sources of unusual, high-value information, collect it, and turn it into actionable intelligence to support members of the Alliance. In doing so, we almost always come across a ton of other really interesting information that we then distill down to answer other questions. We have the ability to do computer forensics, malware analysis, PCAP breakdown, and all of the other things needed to help defenders protect their networks, and we do. We work these issues and post findings for members in the Red Sky and Beadwindow portals. At the same time, the data identified while going through these processes gives us a really great perspective on other problems.
And on that, it should be noted: information isn't intelligence. Intelligence comes from identifying the nuggets in information that might help decision makers choose future courses of action. This is what Wapack Labs does. Wapack Labs is where we develop and analyze that intelligence; Red Sky is where we put it.
What kind of intelligence are we talking about? Cyber defense, obviously, but also insider threats, competitive intelligence, M&A due diligence, and self-examination as starters. With enough smart guys (we're keeping it small) we could easily go into dozens of others, but these are really fun, so we'll focus here for now!
So beyond the cyber that we push to the portal, here are a couple of examples of non-cyber-focused findings that fall out of the process:
- Insider Threats: Last week we were able to tell a global consumer electronics company that they have an insider threat problem. We had been doing research supporting cyber defense, and that work led us to the conversations (open source, of course) of a specific group. One of the guys does security consulting work in a number of companies, and we had a conversation with one of them last week. This work has led us to start an insider threat thread in the portal.
- Mergers, acquisitions, or outsourcing: Would you buy or use a company without doing due diligence? Since earlier this spring we've answered questions from companies about possible merger and acquisition targets, and this week we're being contracted for the third time to answer questions about a group of companies that a non-member is considering for large-scale IT outsourcing. The questions usually go something like "We're thinking about using
tell us what you know about them."
- Infrastructure: While not necessarily intelligence-focused, the Lab has received a number of requests from companies who want to know about themselves! Our last paper went something like this: "We've been through a number of acquisitions and divestitures. What do you guys know about our infrastructure?" We're not into mapping networks, but the answer might be more along the lines of "We found that you still have web servers and a DMZ residing
." -or- "We found a dozen or so of your addresses registered as VPNs with a (ahem) third party." (This isn't a good thing.) Interestingly enough, there's a TON of open source, free information out there that can be used to learn about a company's infrastructure, and if you know how, you don't even need to touch the network to find it and answer questions like this. Registry (whois) records tell you which netblocks are registered to the company and which belong to someone else; public DNS data and certificate logs tell you which of the company's hostnames point where. Cross-referencing the two is how hosts left behind after a divestiture, or company names sitting on a third party's address space, show up without a single packet being sent at the target.
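To make the passive cross-referencing concrete, here is an added example (not Wapack Labs code, and not any real client's data) that takes netblocks from registry records and hostname-to-address pairs from public DNS or certificate logs and sorts them into the kinds of findings described above: hosts under the company's own domains sitting in someone else's address space (grouped by the third party that owns it), hosts under old acquired domains still living in company space, and addresses nobody in the input accounts for. All netblocks, domains, organization names and records below are constructed for illustration, and the domain-extraction helper is deliberately crude (last two labels only).

```python
"""Passive infrastructure review from public records (added example, constructed data)."""
import ipaddress
from collections import Counter

# Constructed sample data. In real work these come from RIR whois (netblocks
# registered to the company and to third parties) and from passive DNS or
# certificate-transparency logs (hostnames and the addresses they resolve to).
COMPANY_NETBLOCKS = ["203.0.113.0/24", "198.51.100.0/25"]
THIRD_PARTY_NETBLOCKS = [
    ("192.0.2.0/24", "ExampleVPN Ltd"),      # hypothetical VPN provider
    ("198.51.100.128/25", "CloudHost Inc"),  # hypothetical hosting provider
]
PRIMARY_DOMAINS = {"example-corp.com"}       # domains the company knows it owns
DNS_RECORDS = [
    ("www.example-corp.com", "203.0.113.10"),
    ("mail.example-corp.com", "203.0.113.25"),
    ("vpn.example-corp.com", "192.0.2.77"),        # company name, third-party VPN space
    ("remote.example-corp.com", "192.0.2.78"),
    ("portal.example-corp.com", "198.51.100.200"),  # just outside the company's /25
    ("shop.oldacquisition.net", "203.0.113.99"),   # acquired domain, still in company space
    ("dev.example-corp.com", "not-an-ip"),          # malformed record from a scraped source
    ("ftp.example-corp.com", "2001:db8::1"),        # no registry owner in our input
]


def registrable_domain(host):
    """Crude registrable-domain guess: last two labels, lowercased, trailing dot stripped.
    A real tool would consult the Public Suffix List (co.uk etc.)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_records(records, company_nets, third_party_nets, primary_domains):
    """Bucket each (hostname, address) pair by who owns the address and which domain it is under."""
    company = [ipaddress.ip_network(n) for n in company_nets]
    third = [(ipaddress.ip_network(n), org) for n, org in third_party_nets]
    findings = {k: [] for k in ("in_house", "legacy_in_house", "third_party",
                                "unattributed", "malformed")}
    for host, addr in records:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            # Scraped data is dirty; keep the record rather than crash the whole run.
            findings["malformed"].append((host, addr))
            continue
        # ipaddress returns False (no exception) when versions differ, so v6 hosts
        # are simply not matched against v4 netblocks.
        if any(ip in net for net in company):
            key = "in_house" if registrable_domain(host) in primary_domains else "legacy_in_house"
            findings[key].append((host, addr))
            continue
        owner = next((org for net, org in third if ip in net), None)
        if owner:
            findings["third_party"].append((host, addr, owner))
        else:
            findings["unattributed"].append((host, addr))
    return findings


def third_party_summary(findings):
    """Count company hostnames per third-party address owner (the 'dozen addresses at a VPN provider' view)."""
    return dict(Counter(owner for _, _, owner in findings["third_party"]))


if __name__ == "__main__":
    result = classify_records(DNS_RECORDS, COMPANY_NETBLOCKS, THIRD_PARTY_NETBLOCKS, PRIMARY_DOMAINS)
    for bucket, items in result.items():
        print(f"{bucket}:")
        for item in items:
            print("   ", *item)
    print("third-party owners:", third_party_summary(result))
```

The two buckets worth a phone call are `third_party` (company hostnames whose addresses are registered to someone else) and `legacy_in_house` (names under a domain the company may have forgotten it still owns, pointing into its own space). Nothing here talks to the target; the only inputs are records anyone can obtain from public registries and logs.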