Saturday, April 27, 2013

New Fusion Report; Intel Analysis; Go West Young Man!

One of our members posted data that lead to the discovery of a previously unobserved command and control (C2) infrastructure. What struck me was a call I received from (this very smart and strikingly handsome ;) member late Thursday afternoon... right after we published our Fusion Report. Evidently he'd turned in his pcap samples to Red Sky, the FBI, and a third analytic group. Red Sky did a full workup on the data, crowdsourced pieces as needed, and published (to the group) a Fusion Report with a full analysis and a list of Kill Chain formatted indicators. As of Thursday night, neither of the other groups had responded.  

On the membership side of the operation, we sent out membership packages to a bunch potential members and welcomed our latest newcomer into the Alliance.
  • Two Federal Civilian Agencies are evaluating membership -both currently in legal review, one DoD organization invoiced, and one more DoD organization finalizing paper. Just this week, a third Federal Civilian Agency contacted us for membership information, telling us they can't get good unclassified information elsewhere. We've heard this before. So we're hoping that within the next month, Beadwindow will see an infusion of new federal government analysts. 
  • On the Red Sky side of the house, we sent three new members to the Advisory Board to offer thumbs up/down before we go any further with them (all of our members are vetted through our Advisory Board before being offered membership). One was a referral from an old friend; another was a referral from a current member. We love referrals!
  • One new member was invited into the portal this week. The first guy from this credit card company's information security team needed high quality intel --stuff they're not able to get anywhere else. I'm sure they'll find it in Red Sky. In fact, we had one of our best analytic weeks going with two reports published this week. 
This weeks reporting: 
  • Fusion Report 13-011 published: A Red Sky member submitted details from an incoming spear phish. In the posting he included the email header and attachment. He's a smart guy. The attachment exploited a vulnerability from last year,  but the payload initiated and connected to a previously unobserved C2 infrastructure. 
  • As well, we published Intel Analysis Report 13-007, which drew comparisons between three RAT families and profiled one of the authors.

On top of the crazy pace this week, Jim announced at our weekly staff meeting that he's sold "World Headquarters" in St. Louis and is moving to Colorado! Our president (and his World Headquarters) HAS be closer to high quality fly fishing and great skiing. I'm keeping my fingers crossed hoping for my own wing! More importantly, this means we've now got representation in Denver, Colorado Springs and after next week, Steamboat. I had a great trip out to AFCEA a few months ago and can't wait to host our first booz'n and brainstorm'n at elevation in the Rockies! 

RE the Lab? We're in full swing looking for business.  Our first major gig was a RAID rebuild/restore..An IT consultant sent us a set of drives from a RAID array that they'd tried several times to fix. Their customer's entire business was located on these disks; one, a database full of customer information. We were able to identify, carve and rebuild almost all of the data, sending the results back to the consultant yesterday. While it's not sexy APT work, data restoration projects seem to be coming to us, and heck, the works good and the money is green, so we'll take it. We're expecting a 12Tb project this week. So for now, if you're looking to take the strain off of your already over-worked forensic shop, we'll happily take some of it off your plate. If your incident responders/forensic guys are swamped with HR, internal legal, restorals, send some of it our way. Those guys are busy enough with APT. We'll happily take some of the routine cases for you!

OK folks, until next time.
Have a great week!