We went through an exercise this week proving just this.
It seems that in nearly every meeting I’ve had in the past several weeks, someone asks a question about what Red Sky Alliance knows about insiders. It’s true, we focus on corporate espionage and APT events, but clearly insiders, at least one class of insiders, fall easily into the ‘determined adversary’ category… and for that, we’re on it!
So what constitutes an insider? I have an old friend who’s studied this for years. Dawn Cappelli left Carnegie Mellon (maybe a year ago?) where she built and spearheaded the insider threat group at SEI. She’s the expert, and she’ll tell you that insiders come in many shapes and sizes.
So which category are we talking about? I’m not talking about Snowden. In fact I’m growing tired of reading about him in TechDirt (the “all Snowden all day” RSS feed!), but more about others, whom we know to be wearing the white hats by day, turning gradually darker as the evening draws close, and finally pure, pitch black after hours.
We realized that for the last several months we’ve been authoring not only the fusion reports that I talk briefly about in my weekly blogs, but in May we began writing ‘priority intelligence reports’. For those of you in the IC, think Intelligence Information Reports, based on both priority and standing requirements. For all others, PIRs talk of ‘wolves closest to the sled’. Anyway, in going through the last few months, we’ve come to realize that many of the individuals that we’ve identified through our research are both smart guys by day, and by night, cyber thugs stealing IP, coaching newbies, testing their 0-days and pushing their way through the corporate walls. Heck, maybe they do it by day too. Not sure, but here’s what I do know… we presented to one company this week where we showed them a picture of a really smart guy by day, but a really bad guy by night. He advertises the fact that he works, as a security consultant for their company, in an IT Security consulting role. We know him from his involvement in other things… He, in my mind, is an insider threat.
He’s one case. We have a few others. And what’s interesting to me is that there are some interesting correlations that seem to be appearing:
- Many of these guys are doing double duty
- There is targeting employed as part of the group(s) that they belong to
- And by watching employment by some of these Jekyll and Hydes we can get a pretty good idea of not only who many of these folks are, but who they work for. And if we’re right, we know why some of these guys are getting very specific jobs.
How does this work in the real world? We played out an example just this week. Someone we know (from our research) was hired by a company in the US. This is a great company, and they hired a smart guy, but at the same time, some may consider some of his off-hours associations questionable. Those associations oftentimes make for great intel sources, but at the same time they could also significantly increase the risk that this guy could also be a really efficient insider, placed in this company to deepen information known about this company’s customer base or security posture. It’s not unheard of. Dawn had probably documented hundreds of these cases before leaving SEI. In our case, our early assessment wasn’t perfect, but by the end of the day after sharing notes and talking with members, we had a pretty good idea where we had gaps. We’ll continue tracking, asking our members for information, keeping the conversations moving… and over time, the assessments will become clearer.
Security IS indeed a team sport.
We’ve been getting really good about talking together about information security threats, but should insiders be another topic?
BT BT
The guys have been busy this week. The portal never stops moving. It’s great! Here are a couple of the highlights:
- Fusion Report 27: Red Sky analysts issued our 27th fusion report of the year. FR13-027 presented findings about a previously unknown malware variant observed in the wild. The report provided analysis on the infrastructure and presented technical analysis of two of what we’re calling “Backdoor.Baby” variants.
- Intel Report 18: This week we updated our analysis of “Flower Lady” with our 18th intel report of the year. IAR13-018 builds upon work in two recent Fusion Reports analyzing infrastructures and malware attributes, connecting the dots from attacks as far back as 2011.
Jeff