Friday, February 01, 2013

FR13-003: A string of 0-days; NY Times, and a bit of a rant

The news is buzzing today with talk of the New York Times. I know how they feel, having gone through similar (many similar) experiences. I’d rather take a moment and blog about something not being talked about --the colleges and universities that are being used as hop points for many of these attacks.

For those of you who are surprised by attacks on our news and media outlets, (I read a comment yesterday suggesting “Our pillars of civilization are under attack!”), I’m sorry. You’ve been asleep for far too long. These attacks are not new. The thought of our university system being used as the jump point may, however, be. Press (and Richard B at Mandiant) are reporting that the NY Times was victimized by attackers using a college or university (I suspect several) in carrying out the attacks which occurred, according to the press, four months ago, although suspicion is, it’s probably a lot more like a couple of years, not four months as reported.

...So, I asked the question of our members. “How many of you are seeing colleges and universities used in attacks against your environment?”

I received feedback from two members today --they included a list of universities who’d been used as attack relay points over the course of the last two years. One was a DDoS that used the college as a proxy, with an estimated 5000 users on campus compromised and broadcasting packets uprange! Mine was a fast turn-around query, but it’s evident that whatever these colleges and universities are receiving for security intelligence isn’t giving them the whole picture. The schools in this list were, absolutely, without a doubt, used in focused attacks against at least this one defense contractor, but my suspicion is they’ve been used in others. It’s scary. These are not small, no-name universities. They’re large, with great budgets.

 
So why is it that we are content to watch our colleges and universities be consistently p0wned? Watch their intellectual property (our future prosperity) roll out the door? Why is it that we see that the NY Times is hacked and the world turns upside down, but don’t seem to care if someone uses our colleges and universities as their proxy networks to break in and grab data (or worse!) from someone else?

I’m not sure we’ll ever know, except that every college we’ve talked to on behalf of either Beadwindow or Red Sky seemed happy (content), knowing that they receive inputs from an information sharing and analysis center (ISAC), and feel they don’t need any more information. I’m a believer in REN-ISAC. I’m a huge fan of the Collective Intelligence Framework. They’ve done wonderful work in automating analytics... heck, I used some of their model in building DCISE. So the question is this: with such a wonderful engine as the REN-ISAC has put together (other ISACs can be included in this too), is it that they’re not receiving the ‘right’ information? Do they not get information that is analyzed and prioritized as either APT or Targeted? Why, with such a nice analytic engine, are the schools still not protected? I have two thoughts. Either the information they receive doesn’t include breakouts of prioritized threats and protective measures, or I suspect feeds from the ISAC may just be overwhelming the small information security teams at some of these schools. There’s no doubt that the CISOs I’ve met want to protect their networks, but at the same time, like everyone else, they’re strapped for resources --manpower and money.

CISOs everywhere must have two things to be successful:

  1. The right information which allows them to make the best possible decisions.
  2. The ability to actually act on that information.

So let’s get off this roller coaster. It’s time. Since 1996, as a Navy Officer at the (then) Fleet Information Warfare Center, I (personally) have witnessed colleges and universities become the best jump points --they’re generally fairly open networks (students must share information) where experimentation is encouraged and the student networking is, at best, heterogeneous, if not changing daily.

So how do we get off the roller coaster?

Better, smarter, faster information. CISOs and risk managers need better information, formatted in a way that allows them to prioritize work based on the wolves closest to the sled... and they need it right now.

Red Sky Alliance (and Beadwindow) facilitates forums for unique, peer, and voluntary, private to private information sharing to help companies protect themselves - not meet a USG requirement to "share info". If someone observes suspicious or confirmed malicious activity, it's uploaded to the community, and within minutes, others offer their own comments, oftentimes with explicit instructions for remediation and risk reduction. I'd also say that Red Sky members' expertise, information & incident response capabilities are bigger, better & more adept than what currently exists within the construct of "one sector" information sharing that exists today in much of the ISAC structure. Red Sky members leverage the expertise of cross-sector peers with better capabilities, funding, tools, solutions & knowledge gleaned from paid conferences, premium feeds, and high-quality organic analysis.

If you don’t care about the strict privacy requirements of the Red Sky environment, the Beadwindow portal may be right for you. Beadwindow allows government users and private companies (or colleges) to share real-time information about happenings in their environment. The rules limit data usage to information protection (not regulatory, or investigative), so members speak openly.

Interested? Drop us a note.

BT BT (this means Break Break for those of you without a military comms background)

Inside Red Sky this week:

  • This week we released our 3rd report for 2013 which provided campaign analytics on a recent string of attacks leveraging 0 day exploit code. This consisted of details on malware protocols and a large amount of related malicious infrastructure. Our analysts also provided tailored mitigations including SNORT signatures and YARA rules. On the portal side, we are bringing in new members daily and our user adoption has reached an all-time high.
  • This week we added a TON of new folks to the portals, and have increased our participation to record levels. What does this mean to you? It means you have a much broader group of people that can give you real time comments and analysis from a peer reviewed group. It means you make new friends, connect with new people, and share information in the member-only portals, now, not three days from now (when it might be too late).
  • Last, we scored some great space in Manchester, NH this week. We’ve been peppered with research requests, some related to Red Sky, many not. To separate these from Red Sky, we took a lease on space in the historic mills along the river. The new organization will operate as Wapack Labs (as a Red Sky Alliance company), and will do contract analysis/forensics, research, and other kinds of things that don’t fall nicely into the information sharing construct of Red Sky Alliance. We’re looking for a Lab Director, so if you’re interested, don’t mind living in NH, and can live on next to nothing for a while (it is a startup!), drop us a note. Having a badge is a definite plus.

Enough for now.
Until next time, have a great week!
Jeff