Why am I talking about skiing and fishing? Because these are friends. We call each other when we need something. We've followed each other's careers over the years as we each mature into more senior positions, and now we're skiing, fly fishing, and having a few beers.
So let me ask you a question. When was the last time you asked for help from a perfect stranger? During your last bout with Wekby, APT1, or the massive loss of credit cards, did you Google for help and call someone you didn't know? Or did you ask a friend who they'd recommend first... or better yet, who they'd used themselves?
These same circles of friends that I'm skiing with tomorrow and fly fishing with in Tennessee in June are the same people I've called at one point or another; and they've called on me. We've compared notes, shared incident response hours (many, many hours), begged for budget, screamed at each other over the conference table and played Guitar Hero in the middle of the night... bleary-eyed from a dozen hours of analyzing pcap during the early days of APT. And two of the guys I'm skiing with tomorrow are founding members of Red Sky Alliance.
You see, people don't call strangers for help. They call friends first. Then they call those who've been recommended by friends. The Yellow Pages can't help you with cyber, and Google only gets you so far. So when you need help (finding the sleeper in your networks, pulling forensic images from all over the globe, begging for overtime for your team, or explaining to your CIO why you made your network an island, even for only a short period of time, when you watched the shift from the access team to the intel team), I'm betting a dollar that you won't do it without knowing what others did first. And the guys you ask first are your trusted friends in positions similar to yours, in companies you can point back to as credible.
And to add to that, most people I know in this space prefer small circles of trust. Thousands of people in low-cost, high-volume portals, sharing information anonymously, may give you that warm feeling of satiation (due diligence?) when you're gobbling IOCs as fast as you can shove them into your intrusion prevention systems, but there's a very high probability that much of the information you've stuffed into that little red box isn't going to do you much good. So what happens when you've spent all that money, and you've made your network an island, and your IPS screams for better stuff, and your team is burning out, but your CIO hasn't got anything left for you? Who are you going to ask for help? Here's an idea. Ask first.
Small trusted circles are WAY better than big ones. When we first started working APT issues (in about 2006), we were three companies under strict NDAs, sharing notes. That three-company circle expanded to about a dozen who really knew what they were doing, and when it came time, we all helped each other. Many today consider that small group of highly trusted companies an amazing force multiplier. Most will tell you that they could never have hired all of the talent that they needed to fight the fight without sharing expertise in what was then the first-of-its-kind, full-attribution information sharing environment.
Wait. What? Full attribution?
You bet. Attribution and peer reviews keep even honest people honest.
Red Sky Alliance today is about 35 large enterprise companies. Those 35 companies all have highly mature information security teams that know what it takes to deal with the problems we all face, but only a few know how to survive. Not one of them has their head in the sand. There's no BS. They just help each other.
So, let me ask the question again. When the stuff hits the fan, who will you trust?
Me? I'm going to ask my friends.
If you'd like to ask my friends too, drop me a note. We'll get you set up.
Even with most of the infosec folks I know at RSA, it was a busy week. Heck, maybe that's why it was so busy. Bad guys know that the infosec teams are in San Francisco!
- We don't typically perform victim notifications, but this week we were forced to notify two national CERTs of compromised accounts that were leveraged as part of an ongoing campaign from a known cyber espionage actor. Red Sky is currently receiving a number of APT spearphishes firsthand through a collection of proprietary honeypots placed in very specific locations. Our members receive very fast notification of very early malware, often beta. In several instances we've been able to post mitigations within minutes of the honeypot capture! For those using spam defenses at the gateway, feeds from this data set can be pumped directly into your IronPort or other similar system.
- This week we released FR13-006. This fusion report detailed recent campaigns leveraging an IE vulnerability described in CVE-2014-0322. The report described the malware artifacts involved and provided tailored mitigations for a widely used RAT.