Saturday, October 19, 2013

Security is a team sport!

We went through an exercise this week proving just this. 

It seems that in nearly every meeting I’ve had in the past several weeks, someone asks a question about what Red Sky Alliance knows about insiders. It’s true, we focus on corporate espionage and APT events, but clearly insiders (at least one class of insiders) fall easily into the ‘determined adversary’ category… and for that, we’re on it!

So what constitutes an insider? I have an old friend who’s studied this for years. Dawn Cappelli left Carnegie Mellon (maybe a year ago?) where she built and spearheaded the insider threat group at SEI. She’s the expert, and she’ll tell you that insiders come in many shapes and sizes.

So which category are we talking about? I’m not talking about Snowden. In fact I’m growing tired of reading about him in TechDirt (the “all Snowden all day” RSS feed!), but more about others, whom we know to be wearing the white hats by day, turning gradually darker as the evening draws close, and finally pure, pitch black after hours.
 
We realized that for the last several months we’ve been authoring not only the fusion reports that I talk briefly about in my weekly blogs, but in May we began writing ‘priority intelligence reports’. For those of you in the IC, think Intelligence Information Reports, based on both priority and standing requirements. For all others, PIRs talk of ‘wolves closest to the sled’. Anyway, in going through the last few months, we’ve come to realize that many of the individuals that we’ve identified through our research are both smart guys by day and, by night, cyber thugs stealing IP, coaching newbies, testing their 0-days and pushing their way through the corporate walls. Heck, maybe they do it by day too. Not sure, but here’s what I do know… we presented to one company this week where we showed them a picture of a really smart guy by day, but a really bad guy by night. He advertises the fact that he works for their company as a security consultant, in an IT security consulting role. We know him from his involvement in other things… He, in my mind, is an insider threat.

He’s one case. We have a few others. And what’s interesting to me is that some correlations seem to be appearing:

  • Many of these guys are doing double duty
  • There is targeting employed as part of the group(s) that they belong to
  • And by watching the employment of some of these Jekyll and Hydes, we can get a pretty good idea of not only who many of these folks are, but who they work for. And if we’re right, we know why some of these guys are getting very specific jobs.


How does this work in the real world? We played out an example just this week. Someone we know (from our research) was hired by a company in the US. This is a great company, and they hired a smart guy, but at the same time, some may consider some of his off-hours associations questionable. Those associations often make for great intel sources, but at the same time they could also significantly increase the risk that this guy could be a really efficient insider, placed in this company to deepen what is known about this company’s customer base or security posture. It’s not unheard of. Dawn had probably documented hundreds of these cases before leaving SEI. In our case, our early assessment wasn’t perfect, but by the end of the day, after sharing notes and talking with members, we had a pretty good idea where we had gaps. We’ll continue tracking, asking our members for information, keeping the conversations moving… and over time, the assessments will become clearer.

Security IS indeed a team sport.

We’ve been getting really good at talking together about information security threats, but should insiders be another topic?

BT BT

The guys have been busy this week. The portal never stops moving. It’s great! Here are a couple of the highlights:

  • Fusion Report 27: Red Sky analysts issued our 27th fusion report of the year. FR13-027 presented findings about a previously unknown malware variant observed in the wild. The report provided analysis on the infrastructure and presented technical analysis of two of what we’re calling “Backdoor.Baby” variants.
  • Intel Report 18: This week we updated our analysis of “Flower Lady” with our 18th intel report of the year. IAR13-018 builds upon work in two recent Fusion Reports analyzing infrastructures and malware attributes, connecting the dots from attacks as far back as 2011.



It's been a busy week. 
I'm going fishing.
Have a great weekend!
Jeff