Saturday, November 09, 2013

Red Sky Weekly - Life is hard, but it's harder with bad intel!

You'll probably recognize the saying. That’s not really how the saying goes, but it’s pretty much the same point… Let me explain.

I spent some time this week with an old friend from the Defense Industry, who, like many of us, has moved on. His new company, not defense related, joined Red Sky Alliance last week. We had great conversation with him and his new team. We shared war stories of using creative ways to find attackers living in their networks. And as with any good series of incident response war stories, they always turn to harder cases. You know the ones. They’re the ones where you’ll never find (or stop) attackers by using indicators of compromise (IOCs) alone. As an example, we talked about one case where a virtual VPN server was set up inside a network, allowing attackers the ability to simply log in using encrypted comms over the port left open for normal encrypted web traffic (SSL). Once in, the proxy was used as a jump point to into other virtualized attacker installed servers. Attackers built their own virtual network on top of the company network, and used it as their workspace and the activity entering and leaving the actual network looked just like normal employee activity!

The question I get (nearly on a daily basis!), with regard to intelligence, is ‘how good is it, and how can you tell?”

Let’s try this...

When dealing with targeted infections, every company does three simple things simultaneously:

  1. They must stop current infection(s) (an infection is a set of compromised machines, and might be expressed as a percentage of your network --in large enterprise, it might be 1-2% per infection);
  2. They must stop the current infection(s) while maintaining current operations and allowing the business to continue to operate;
  3. And they must plan for how they’ll maintain operations into the future over now untrusted networks (and you won’t, ever, trust them again).

From our perspective, and the way I push my team and train analysts, is this.. Intelligence is analyzed data that will be used to present the answer to a specific question relative to strategy… futures.  “Intelligence” has been used to describe IOCs (Indicators of Compromise), forensic analysis (from a previously hacked machine or machines), reverse engineering, and many other past tense, or current state activities. But from our perspective, IOCs are required information, and will help you find and stop activity now, but Intelligence tells you what IOCS to use next. Intelligence is about futures.

So without getting into the religious wars over what intelligence is and what it isn’t, let’s get back to the questions.

How good is your intelligence?

How can you tell?

Intelligence has many traits, but in my opinion, you can tell good intelligence by looking at a couple of simple things. In fact, try measuring these:

  • Intelligence should be actionable. Intelligence that you can’t act on isn’t intelligence, it’s analyst porn;  it’s a ‘self licking ice cream cone’; it’s intelligence for the sake of intelligence; it’s research time spent to make the analyst smarter (not a bad thing), possibly offer situational awareness, but doesn’t necessarily create returns on your intelligence spend.
  • Intelligence should be sourced. This doesn’t mean users need to know every source, but the author needs to be able to express both confidence in the source, and quality of reporting. For example: Red Sky considers its finished analysis (fusion reports) high confidence information relating to targeted events. This is because we practice, and expect, peer review on our products. Our products are sourced, allowing readers to check our work, and we practice something an old friend used to pound into me --analytic rigor. Analytic rigor is the act of identifying multiple sources that point at one conclusion (or sometimes not!). When we correlate data, we typically compare Red Sky derived data to multiple sources through our own private collections of CIF data, malware, crowdsourced data and potentially dozens of others. This gives us “layers of analytic confidence”. We can quickly compare high confidence data (fusion report drafts) to open source data (CIF) to primary sourced data (data off the wire from the members). Source quality counts.
  • Intelligence should make your future life easier, not harder. When you drop an intelligence derived IOC into an IPS, does it make bad things stop? What’s the false positive rate? Do you know? Red Sky members receive snort signatures and Yara rules when possible. In the snort signatures, we label the rule with the Red Sky report that it came from. That way, you can easily measure the effectiveness of rules published in Red Sky reporting. While every rule may not fire immediately, the idea is that it will in the future. You may not have seen that activity yet. We don’t necessarily get feedback on which rules fired where, but we do get feedback from CISOs who tell us that they use EVERYTHING we give them, and that they’re renewing because we give them information that they don’t get elsewhere… both great compliments!

So lets go back to our original example.

The FBI shows up on your doorstep one day and tells you that your network is phoning home to .  When you look at the traffic (assuming you have the ability to do so), you find a machine pumping data through port 443 from a machine on your internal network, using an internal non-addressable IP address. It’ll look pretty much normal --maybe one that matches your DHCP addressing but the machine name doesn’t necessarily match your naming convention.  Whadya gonna do? You’ll want IOCs, but you’ll also want intel. IOCs will give you the machine name, internal IP and other information to help with the immediate infection, and without them you’d probably spend days (weeks?) scouring your network for others that might be talking to this first virtual machine… and when you identify those comms, they’ll become encrypted, or move! This is where good intel will help you with what’s coming next….

Assume you’ve pulled IOCs from one of your sources (I hope it’s Red Sky Alliance!). You find the invading virtual environment. In every case the activity will escalate. Once you learn to protect from the immediate activity, the tactics will change. How will you know what’s coming? INTELLIGENCE. And what must that Intelligence be? Actionable, timely and correct. Without it, your future life is about to become really hard. It should make your future life easier, not harder.

That’s how you can tell good intelligence.

ACTIONABLE, TIMELY, AND CORRECT.

BT BT

  • We had two new members join us this week --our first large law firm, and another one of the large cloud providers.
  • We posted another new intelligence analysis reports and a priority intelligence report.
  • We’re preparing for our 4th quarter threat day.

It’s been busy. We like it that way!  Christmas is busy for Santa and hackers, and our membership price will increase at the beginning of the year. A December membership will let you lock in your rate for up to three years, so if you’re thinking about joining us, do it now. We’re happy to schedule a demo. Just drop us a note!


Until next time,

Have a great week!

And for you veterans. Happy Veterans Day! Enjoy the weekend. You (we!) deserve it!
Jeff