Saturday, November 30, 2013

Red Sky Weekly: USG, NGO hacked; two new RAT versions

I live in an apple orchard. Last summer, when mowing the lawn, I got stung by a bee... actually, I got
stung by lots of bees. Evidently, I got a little too close to the nest with the tractor and set off a swarm. Immediately, I began swatting... but that didn't do me any good with a couple hundred wasps heading my way. So I gunned the tractor and got out of the area as quickly as I could. I still didn't know where the nest was, and knew I was going to need to find it to be able to mow the lawn next time. So after the bees settled down, I walked the orchard to find the nest. That night, employing an old farmers trick, I built a torch with a kerosene-soaked rag wrapped around the end of a long stake. I drove the stake into the ground while it was still light, and in the middle of the night (when it's good and dark), I lit the rag on fire. The bees, drawn to heat and light, swarm to the fire while the nest was sprayed with a stream of high pressure wasp killer, from a distance.. no more bees.

Intelligence makes all the difference. What kind of bees do you want to kill? What do they want? How can they be baited? All good information to know.. all good intel -some tactical, some strategic. All must be known to stop the pain now, and keep it from happening again in the future. 

SO, who would you rather be? The guy getting stung? Or the guy lighting the torch? You have to be both. 

One of our members tells his story of 'intelligence driven information security'. He's a smart guy who's been in the intel/security space for a long time. I know him as an analyst, but he's done a lot of things really well for as long as I've known him. He takes a two step process in consuming intelligence, and I love the cleanness of the process. He's one of the few guys I know that can articulate it well, so I talk about it often.  He talks of 'priority intelligence requirements' -those things that he'll look for first thing in the morning.. things that are happening today... wolves closest to the sled.  He then looks for things that'll get him tomorrow, next week, and next year --First, tactical, then strategic. If he wants to stop the stinging, he knows, he'll have to have information (intel, the gouge, whatever you want to call it), that will help him figure out what's coming, not just what's here.

If you follow my blog, you know that Threat Analysis and Intelligence (I call it CTA&I) is something I'm passionate (fanatical?) about, and write about regularly.

When I think about intelligence, especially in the cyber space, it's easy to see how many could confuse actionable information with good intelligence. And, we find that many folks we talk to think they understand, but in reality, most do not. And some of those who do, often times have no real means of consuming and/or implementing that information. There was a great piece that came out from Gartner a couple of weeks ago. I'm not a Gartner member, but someone forwarded it to me last week. The piece, "How to Select a Security Threat Intelligence Service" (Published: 16 October 2013), takes on the sometimes contentious discussion of what intelligence is and what it isn't, and what should be considered when purchasing threat intelligence. It breaks intel down into two simple bins --Operational, and Strategic.

  • Operational Intel is intel derived through traditional IT tools. Operational Intel should be thought of as short term and tactical. It drives daily operations and will protect from what an old friend likes to call 'wolves closest to the sled'. Intel is delivered in machine readable formats by various subscription services, open source groups, commercial collaboratives (like Red Sky) or information sharing and analysis centers. 
  • Strategic Intel is used to affect longer term, strategic positioning of the organization and it's infosec team. 
Operational (Tactical) Intelligence helps you deal with the bees stinging you now. Red Sky members share information about things happening now. Companies are vetted before coming in. Accounts are issued by name. Once in, everyone is peer reviewed. Indicators lists are maintained in comma separated value format for easy consumption. Fusion reports give the story of how they were derived. Members participate in the analysis, assist with everything from false positive derivation to building tools. 

Strategic intelligence helps you deal with those things that might sting you tomorrow, next week, or next year.  Strategic intelligence, comes from Red Sky members participating in geopol discussions, sharing targeting information, objectives of attackers, etc. 

What's happening in Red Sky? This week...
  • Humanitarian NGO hacked: We posted analysis, and notified an international humanitarian organization that they'd been victimized. Wapack Labs (Red Sky's 'hands on' end of the operation) identifies and exploits sources of information not generally available to others. Through this source, we identified leads that lead us to this NGO. In coordination with an EU Computer Emergency Response Team, we were able to notify the humanitarian organization of the problem, and help them figure out what do to about it.
  • Two new RAT versions were identified, analyzed, and shared. Again, through the lab, information was received and shared to the Red Sky membership. It was then analyzed by the collaborative with indicators cleaned up, and posted.
  • Compromised US Government Certificates and Accounts: Wapack Labs received information from one of its HUMINT sources, raw, unevaluated information of US Government certificates and account compromises. We're receiving more and more information related to attacks on various governments and NGOs. Some of this stuff really isn't in our lane, so all information is posted to the Beadwindow portal where government users can download the information and act on it as needed. 
So yes.. it's been a good week. 

Why should you join us today? Because for slightly less than half the cost of a good subscription service, you get to access and share information with many of the original authors of much of the data that those subscription services analyze. What kind of information?
  • Incredible tactical information: The portal has been busier than ever. Tactical intelligence is growing and every minute you wait, you're losing valuable protection information.. information that would cost HOURS (if not days, weeks) to derive without help. From the tactical perspective, in both Red Sky and Beadwindow, you can quickly pull down:
    • Information of hacks in industries, how they acted, and how others protected against them.
    • Monitoring and sharing of network activity by others
    • Shared monitoring of open sources such as social media, Google groups, chat rooms and other forums
    • Analysis of artifacts - If you can't do this yourself, ask about Wapack Labs' malware analysis.
  • Strategic Intelligence.. at a very high level...
    • Who are these guys?
    • What do they want?
    • What will make them stop?
    • What exactly are they trying to do when they hack us?
    • How will you know? 
    • How can you prevent the attacks, or stop them in progress?
Come join us. Build your network! I was in a meeting a few weeks ago, when I (once again) heard the most common thing that I hear when talking with potential members of Wapack Labs customers.. "I got a guy". Every company that we work with has hired someone from the intelligence or law enforcement community. They think because they hired 'a guy', they're good. In fact, the 'guy' is almost always adorned with an 'intelligence' title but have dozens of responsibilities that don't include intelligence. Red Sky and Wapack Labs focus on intelligence. We have process. Use our process to compliment your team. The networks are huge, and pay off in spades!

Schedule a demo today. Our membership price is going up at the end of the year, and if you join now, you can lock in 2013 prices. We offer flexible payment options, and every minute you wait is another piece of information that won't get used in your network today. Drop us a note to schedule your demo.

Until next time!
Have a great week!