To quote the great Adam Carolla: "Any restaurant is only three crappy meals away from failure."
If you go to your favorite restaurant on any given day and are
served a crappy meal, you will likely go back again because it’s your favorite
restaurant and they may have just had an off-day. You're willing to cut them
some slack.
Let’s say you go back again after your first lousy meal and
you get another one. You may still be willing to forgive because you have had
so many great meals there over the years. But after that third crappy meal, you
probably will never go back again.
So why are we talking about restaurants in a security blog?
Substitute meals with reporting and intelligence. No matter what your previous
track record, you are only as good as your last three reports. Given the time-sensitive nature of
threat intelligence, this becomes even more important. This is the reason we
take our reporting so seriously at Red Sky. Ask any Red Sky member and there is
a good chance they will tell you the same.
Don't get me wrong, we are not the para-militaristic "Hell's
Kitchen" of threat intelligence, but we take pride in our work and we don't
think that's such a bad thing. If asked
for the ingredients in the recipe for a report that is relevant to today's
persistent threats, I would argue that it's the same three every time. For the
incident responder working on his eighteenth hour of slogging through pcap,
pulling images, and searching through running memory dumps for the needle in the
stack of needles, there are three things running through their head... the three F's:
· Who the F is it?
...and as the CISO heads for the CIO's and CEO's offices...
· What the F do they want?
...and as the incident responder stares at their screen, with phones
ringing off the hook and their inbox filling with reports of widespread
problems...
· How the F do I stop them?
C-suiters right now are scrolling in search of the
'unsubscribe' button, but the incident responders, the analysts, the forensic
folks and all of the other blue-collar geeks responsible for the long days of actually
working at the brown end of the stick are laughing their heads off right now!
Fortunately, there's a ton of data available to answer these
questions. Unfortunately, it's located in disparate places, and you need to be
able to sort the puzzles that have been dumped from their boxes and lie on the
floor in front of you, and know how to pick out the pieces of the puzzle you're
trying to put together right now. This puzzle (today's puzzle; tomorrow's will
be different) is the same color as many of the others, and the sizes and shapes
are only slightly different from the rest. You'll need a keen eye.
When the puzzles are lying on the floor, all mixed up, and
the CISO realizes his company is hemorrhaging data, and there's not a damn
thing he can do about it; when the CIO realizes that his network built for
uptime, availability, and ease of use; when the CEO realizes he's going to have
to report the issue to the board and in a SOX material breach report (and the
costs of responding will probably affect his bonus!); when all of these things
happen and there's no end in sight, and no way to stop the bleeding without
completely disconnecting from the Internet, and you have no backup plan for
operating without it; well, we called this (in our Annual Report) the 'Oh Sh*t'
moment.
Companies have these every day, in every country in the
world. If you’ve not had yours yet, you will. It’s just a matter of time. If
you make something that someone else wants, if you sell to customers that
others may want to exploit for their employment, if you build technologies that
go into other things, you have probably had yours already. If not, your company
may not be instrumented correctly to find it, may not have the skills in your
Infosec team to know, or, like many companies I’ve talked with in pitching Red
Sky membership, your CIO or Legal team believes that if they don’t know, they
don’t have to report. If they don’t know, cyber doesn’t have to show up in your
10K as a risk to business operations.
Regardless of the category you find yourself in, you should demand
the three F’s from any vendor. This is what makes it actionable... and good intelligence is only good if it helps with prioritizing your workload, or protecting you from wolves heading toward your sled. If you’re subscribing to a service, you should
demand this tailored information in your intelligence service. If they cannot
provide satisfactory answers, then it may be time to reach out to Red Sky.
In Red Sky, when we perform analysis, analytic rigor is key.
We've defined Priority and Standing Intelligence Requirements (questions) that
we answer on nearly a daily basis, privately inside the portal (where, by the way,
membership costs are about half of your current subscription price!). We post
PIR reports on nearly a daily basis, intent on pushing the information to the
far left of the kill chain, almost to the point of reading tea leaves, but only
reporting when we believe there's an impetus for an impending attack. Fusion
Reports are more retrospective in nature, but if you've not yet seen an attacker
coming after your crown jewels, then these fusion reports are proactive for
you. They protect you from a group that has yet to be tasked with stealing your
stuff, but they will be soon, and you'll be armed and ready.
Our PIR reporting is taken from open-source reporting, meaning
we read the news, web pages, blogs, social media, IRC, whatever, and then add our own analysis to it. The stuff we read might be in Mandarin, Spanish, Portuguese,
English, Russian, Arabic, or any one of a dozen others, but when we find
something that might result in cyber consequences, we tell our members. The
reports usually generate conversation in the portal, creating more information
and a sharper focus on what might become the problem. Our members work
together to help figure out what's going on: protect the guy next to you.
Interested in reading our PIRs? Set up an appointment for an
introduction to the Red Sky Alliance. We’ll help you answer the Three F’s.
- Red Sky
- Red Sky => Business to Business
- Beadwindow => Are you a government IT worker? You're eligible too. 2210s or other non-Law Enforcement or Intel IT workers can access our Beadwindow portal.
- Need more? Wapack Labs can do some of the work for you. The lab offers a full analytic, R&D and forensic capability, as well as a simple cyber security operations and monitoring (Wapack cSOC) solution to help look for APTs or targeted attacks in your network.
Drop us a note. Set up an appointment. Let us introduce you to our membership as
the next member of the Red Sky Alliance!
Until next time,
Have a great week!
Jeff