Why? In every case it came down to trust. Our members need to feel like they share a relationship; they want to talk to people that they like and trust, and most importantly, believe when they speak.
Last week I blogged about asking friends for help. As well as in person, over beers, or as former shipmates, personal relationships translate directly to the online world. And when the connections are made, magic happens. But when trust is lacking, the relationship doesn't work. So even though these companies certainly have the ability to write checks, we didn't invite them in.
Red Sky Alliance is about being part of a small number of highly mature information security teams sharing information at a common, deep tech level. These guys all have great security teams. Information movement is high speed-low drag, and in the end, the return for their time in the environment offers the opportunity to significantly reduce their own workload --sometimes by weeks. We also have smaller companies who have really small infosec teams (like, two people) but those two person teams are also really smart, very hungry, and love exchanging observation and ideas. It's not about the size (of your security team), it's how you use it! (I know.. very junior high school... but I couldn't resist!)
The Results? The results have been amazing.
Our latest fusion report (posted last night) detailed findings from one of our own intelligence operations. Our internal analysts don't have access to incident response data from their vast internal enterprise, so we add value by using the intelligence cycle and cultivating sources that might be exploited for answers to specific questions. We don't look for volume of information, we look for quality of information. And while we've had a number of successes from these sources, I thought yesterdays was an especially cool report:
- FR14-007: Beginning in November of 2013, Wapack Labs began receiving numerous spear phishes. Analysis of the malicious emails revealed the use of a new cross site scripting tool. Dozens of separate attacks were observed originating from only three IP addresses. The majority of the emails were not captured by spam filters.
- Proactive defenses: In another case, we were able to cross reference information from a recent publicly disclosed attack, to find that the TTPs had been demonstrated in late last year. While a new 0-day was used for weaponization, delivery, malware, and C2 detailed in our October report may have prevented the breach that was in the news three weeks ago.
- Russia | Ukraine: We issued a PIR this week on cyber effects of the happenings between Russia and Ukraine. We've been tracking, at a very basic level, the GEOPOL temperature around the world and it's effects on cyber (think growth of state sponsored offensive capabilities matrix and context), and as a result, we were able to tap sources to identify increases, decreases, or indicators of what we believe may be happening in cyber as a result.
- Government activity ramping up: Last, this happens on occasion... I'm getting hit up by a number of government folks -a DHS contracted FFRDC, and a number of civilian agencies. They won't be coming into Red Sky's private company membership, but the added relationships will turn into additional sources and collaboration points that we'll all benefit from.
Have a great weekend!