Saturday, December 14, 2013

Red Sky Weekly (12/14/13): Bridging the gap from user to analyst to protection

We were having lunch yesterday. Nice place. Sitting at the bar, I noticed two guys sitting next to me... phones going, both had laptops open. The one next to me was reading email in Outlook, and the conversation was all business. I thought, what a wonderful spot to grab competitive intelligence, so I fired up a sniffer just to check out the wireless... open.

Maybe presumptuous, but I passed the pair a business card, told them what I did for a living, and offered a very short, very impromptu, very polite cyber safety lesson on using open wireless access points. The restaurant was packed.

The guy next to me responds "My brother works for Symantec. He talks like you do. I know the risks, but just don't care." I was floored. He explained... "I travel a lot. If my banking or credit cards get stolen, the banks pay. I need access and don't want to pay the tethering fee for my phone."

On the other side of the coin we have analysts who want to analyze everything. They want to know where the guy filled up his car before buying a bag of Cheetos that he ate with his left hand. Every detail counts. Situational awareness is a must.

So how is it that we have such a massive disparity between what Joe (Jane?) consumer does at a bar in a nice restaurant, and those of us who'll spend days analyzing data to try and help those who don't care if they're being helped? (The guy told me he does have Lifelock! Wuhoo!)

At the same time...

We run into so many analysts who analyze for the sake of analysis, and frankly, although I know they're working hard, are really smart, and have great gouge... But sometimes make me really tired! How much of that work actually will keep that unsuspecting, unknowing, uncaring guy from losing control of his computer?

So tell me...
  1. How much analysis is enough? Now that you've pulled that malware sample apart, spent three months analyzing it, and spent who knows how much money, what did you get from it? Would you have obtained the same results by running it through a simple sandbox and recording the results... in about a minute? How do we push these results (fast) to the user in the restaurant?
  2. Attribution: We know who you are.... now what? Gonna have somebody killed? Jailed? Probably not. But if we can recognize the 'swing' of an attacker, and we know who he/she/they are, do we really need to prove it every time? 
  3. What exactly do you need to know? Why? How fast? What defines a priority intelligence requirement?  I've heard two people explain it really well... one guy is the newly named CISO of a medium sized DIB company. He defines priority intel requirements as those things that will most likely  hurt him today. Another holds a weekly meeting where teams nominate priority requirements that then get assigned out through a standardized collection process (I like this process very much!). 
  4. Keep it simple, stupid! Last, but certainly not least, besides the readers inside the government beltway, or those who've been named honorary govvies, how many of you can tell me what a Taxonomy is without looking it up on How many of you also know what taxonomies are available to you in the cyber realm? I'm watching with baited breath to see which one comes out on top, and when it does, we'll use it, but in the mean time, we prefer the Keep It Simple Stupid taxonomy... The guys over at Lockheed came up with Kill Chain a few years ago.. Not really anything new, but they did a great job. We like it, and we use it. Comma separated value text and not a lot of overhead. It allows a broad audience to be able to read, understand, and use the data for maximum protection.. fast.
Intelligence is supposed to help with futures. Are we spending time on the right activities? Can you show a clear line between the number of analytic hours you spend digging through data and reductions in successful attacks, reduced incident response cycle times, faster forensics or more targeted infosec spend?  How do push this down to that guy at the bar? Change his behavior without sacrificing usability and features?

We've found that in Red Sky, one of the value propositions is the simple recognition of not just IOCS (you can get IOCS anywhere these days), but in the context. IOCs without knowing the sources, and confidence in the sources can mean high false positives, and therefore, high labor costs in your incident response and forensic teams. If you could reduce this cost by simply participating in a crowdsourced, high confidence environment where you know the sources, can qualify the quality through peer reviews of those sources, and can get the data in a usable, keep it simple stupid format, well, why wouldn't you do it??


It's been an amazing week.

  • We held our 4th quarter threat day this week. The presentations were AMAZING, covering all kinds of topics from proprietary commercial SIGINT operations to case studies to new tools. Thank you to the host, and for all those who travelled to attend. What a great day!  
  • Next, we sent two press releases out this week. We haven't sent one in over a year, and then bang! two in one week! In both cases, we're partnering with some amazing folks:
    • Wapack Labs is stepping into a cyber threat analysis and intelligence role for the FS-ISAC starting at the beginning of the year.
    • Wapack Labs was chosen by CBTS to assist with intelligence requirements for their customers and CBTS joined Red Sky Alliance 
  • We're delivering TIAD this week, with analytic training in a National Level CERT. My guy is traveling as this gets published, and the team is standing by in Manchester to support. 
  • On Monday we're being visited by another ISAC, and Tuesday a group of techies (and their VC) from MIT.
It's coming up on the end of the year. We've got three weeks before our 2014 rate increase, so if you're spending end of year money, and have a need for great threat intelligence next year, or simply want to make your current small team more efficient, call us! We'd love to show you what we do!

Ok all, until next time, 
Have a great weekend!

Post a Comment