Saturday, January 12, 2013

Red Sky Weekly: Penny Wise, Pound Foolish...

The story of one CIO’s “oh sh*t” moment.

Earlier this week I received a call from a Chief Security Officer of a company many of us know. It’s not a DIB, nor critical infrastructure, rather a very cool company that does about half a billion per year manufacturing non-computer related hardware.

The CSO told me that the IT director had found the networks had been compromised. Roughly 1000 machines had been found with malware and shares were being killed all over the company. The CSO asked if we (I) could help. Unfortunately my skills as an incident responder are a little long in the tooth, so I introduced him to an old friend who now runs a small, highly skilled company (and a Red Sky Associate Member, Kyrus Tech). Kyrus offered a proposal, at the “Friend of Jeff” price. It was very generous. The CIO, however, even with the great price for such a skilled crew, thought it too high. He wanted to go it alone.

His company had been compromised (discovered) roughly a month ago. Since that time, IT (not a security team) has been chasing the mole, whacking it every time it popped up. His team is tired. The CIO is frustrated because every time he fixed something, another infection popped up. If you’ve worked as an incident responder lately, you know the pain this team feels. We’ve all been there. The CIO holds a heavy personal connection to his networks, having built many of them himself. He continued to believe he could fix this on his own. He can’t. I hate to say, there’s a high probability this CIO will never view his networks as safe again. Kyrus is responding, only after the frustration the CIO felt when he came to work again this morning and found, yet again, another infection.


Here’s the lesson. If you’ve not dealt with these types of infections before, and you find one in your network, don’t go it alone. Red Sky Alliance is here to help. Information sharing in one of our portals offers two great communities to ask questions and get help. We have relationships with several qualified incident responders that can offer personal assistance if needed. This CIO caught it early (hopefully). This CIO was smart. It only took him a month to realize (forcibly or not!) that he needed help. Good for him!

Now for Red Sky. 2013 is off with a bang! Here’s what happened this week:

  • Fusion Report 13-002: Analysis in the portal kicked back into gear this week with several new malware samples in the queue, including payloads from recent 0-day attacks. New malware from a known group was also received and employed multiple anti-VM evasion techniques. We were able to quickly triage the sample and provide attribution and behavioral details.
  • New Members!
    • We’ve delivered our terms and conditions and an invoice to our first potential Federal member. Pending legal review this major cyber center will hopefully be joining Beadwindow very soon.
    • Another financial member is joining Red Sky. We presented. They loved what they saw, checked with current members for reference, and this new global Financial Institution is expected to be in the portal very soon.
  • We’re growing!
    • We’ve hired two new Senior Members of our Technical Staff (SMTS). Both have great backgrounds in cyber intelligence. One, a former CISO from a large enterprise company we all know; the second an experienced intelligence analyst.
    • We’re looking for a couple of good Business Development Executives and possibly one Channel Exec. If you’ve been selling security products or services into large enterprise customers or State/Local governments, check us out on UpLadder, or shoot me a resume directly.

Beadwindow was slow going in 2012, but we intend to put a bit more energy into it this year. With our first Federal Cyber Center potentially coming in within the next couple of weeks, and a dedicated SMTS, we’re looking for results there as amazing as we saw last year from the private portal. 2013 is starting off nicely!

Until next time,
Have a great week!
Jeff