Saturday, February 15, 2014

Red Sky Weekly (2/15/14): Introducing Allagash!

What is APT? What exactly does the term mean? Where'd it come from?

So I'm here to set the record straight...

(Then) COL Greg Rattray, now co-Founder and CEO of Delta-Risk, coined the term APT in roughly 2006 while crafting the (then) Air Force Partnership with Industry Program. APT, although absolutely meaning Advanced Persistent Threat, aptly described the problems at hand at the time --a phrase, which described the traits of the attacks/attackers/problem sets we were facing, but more simply, APT was nothing more than an unclassified term/phrase used to describe what we all knew (then) to be a classified set of circumstances. Bottom line? Other than a simple description, APT allowed us to talk at the unclassified level about problems known mostly by those in the classified realms without using the real names.

Today, APT has morphed into something much more. Bastardized, branded, marketed and abused, APT is a generic term used to describe the problems chased by the most paranoid. In all reality however, in nearly every case, when we bring someone to the lab, or do a presentation, APT has a very different meaning. It's still a generic acronym, but it's used to describe state sponsored cyber based espionage activities. When we use the term APT, we also include "Targeted Attacks" or "determined adversary" to describe those attacks not necessarily state sponsored, but very much in line with the same kinds of TTPs, and in many cases, some of the same actors.

Now that we've set the record straight on exactly what APT is and what APT isn't, we can all use the same dictionary --right? Of course.

So who/what exactly does APT encompass? Espionage actors from all corners of the world. Originally used to describe attacks from a very large country on the other side of the world, APT now includes actors from dozens of locations and countries all building and acting on offensive or espionage focused cyber activities. Could APT be used to describe US activities? Probably! I'd laugh and say that Stuxnet probably puts us squarely in that category. But at the same time, dozens of groups act in this capacity --some state sponsored, others state contracted, many more up and coming. In fact, when I present today, I tell people that they should expect the worst in the future....

Why? Because as we track the explosion of new state sponsored cyber activities (there are several --we, Red Sky Alliance, have a junior analyst tracking this routinely), we know one thing --future cyber wars (we don't consider today's espionage activities to be war), are not going to be fought military on military, they'll be fought military on population. State sponsored cyber warfare will follow many of the same processes followed in kinetic warfare today, except in cyberspace. Energy producers, command and control, finance/logistics will all be targeted directly by actors from all corners of the world aiming at making it easier for physical access or troops. Be ready folks. The sky's not falling today, nor will it in the future, but as cyber military operations mature, collateral damage will include computers burned, infiltrated, and controlled by enemy actors --in power plants, telephone systems, cellular operators, port operations, healthcare, logistics, consumer electronics (think phones, pads, user devices, possibly appliances, 'things') and more. Targeting via cyber space is far easier than reaching out with airplanes, troops, and ships --with far less risk and a broader set of targeting will allow militaries the ability to affect a lot more than they do today.

Why the lesson in warfare? It's not normally my style to offer gloom and doom scenarios, but folks I'm here to tell you, it's only going to get worse before it gets better, as we achieve the new normality of future warfare. Every company and every organization will be affected. More likely, preparations will occur well in advance of the start of any conflict.

Companies today have MILLIONS of vulnerabilities. Attackers have every advantage...

How do you stay ahead of this?

Keep your head on a swivel - watch the horizon for threats: I refuse to quote Sun Tzu, so let's try this... Anyone with a daughter can tell you that watching the environment is key to protecting her.. so think of your networks as your teenage daughter. She doesn't know better. She has a ton of weak spots. And boys will come around. In cyber, pay attention to the threats. How do you know the threats? By talking with peers --hopefully mature peers who can guide you through the process of preparing your networks and helping figure out where the most likely, most serious threats will come from.

We realize not everyone can consume intelligence, so we've come up with additional offerings. Between the alliance and the lab, and now a web based tool called Allagash, users who want as much data as possible can get it. Those who want simple diagnostics can get it.

Red Sky Alliance: Red Sky Alliance hosts a group of very mature infosec teams. These guys want a LOT of data. They want all the context, and although they like our analysis and intelligence reporting, they generally want to create their own and much of it is obtained through sharing information in the collaboration.

Wapack Labs provides services for those who need, and can consume intelligence, but may be either too busy or don't feel confident in participating in the collaboration. Even when users engage Wapack Labs, they generally sign on with Red Sky Alliance as well. The lab helps them separate wheat from chaff, and the Alliance helps them with situational awareness.

And now... Allagash.

About five years ago, I sat with a VERY large defense contractor as they were considering go-forward strategies for dealing with their very first APT experiences. The only detection tools they had at the time were a help desk, and anti-virus. I offered a suggestion... what if I could give you a short set of diagnostic questions that a technician could ask during every help desk call? We came up with a set of about a dozen diagnostic questions that every tech answered during every help desk call. An escalation flag was set so the tech knew when to escalate, based on the diagnostic questions he or she answered. If three or more indicators were present, the help desk automatically escalated to the (then) two person Information Security team. When escalation tickets started piling up, the Infosec team was able to justify requests for funding from the affected businesses. 

As help desk escalation tickets grew (quickly) so did the infosec budget. 
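The triage rule described above, sketched as an added example (not code from the original post or from Red Sky Alliance). Only the three-or-more escalation rule comes from the post; the twelve question ids, the ticket fields and the business-unit names are constructed placeholders, since the post does not list its questions.

```python
from collections import Counter

# Hypothetical question ids; the post does not list its dozen questions.
QUESTIONS = [
    "opened_unexpected_attachment", "av_alert_on_host", "av_disabled",
    "unknown_process_running", "unexplained_outbound_traffic",
    "new_local_admin_account", "logon_outside_work_hours",
    "repeated_account_lockouts", "unexpected_scheduled_task",
    "browser_redirects", "unknown_archives_on_disk",
    "user_saw_remote_control",
]
ESCALATION_THRESHOLD = 3  # from the post: three or more indicators


def triage(answers):
    """Return (indicator_count, escalate, unanswered) for one call."""
    unknown = set(answers) - set(QUESTIONS)
    if unknown:
        raise ValueError(f"unrecognized question ids: {sorted(unknown)}")
    # Report skipped questions instead of silently counting them as "no".
    unanswered = [q for q in QUESTIONS if q not in answers]
    count = sum(1 for q in QUESTIONS if answers.get(q) is True)
    return count, count >= ESCALATION_THRESHOLD, unanswered


def escalations_by_business(tickets):
    """Count escalated tickets per business unit."""
    tally = Counter()
    for ticket in tickets:
        _, escalate, _ = triage(ticket["answers"])
        if escalate:
            tally[ticket["business_unit"]] += 1
    return dict(tally)


def answer_sheet(*yes):
    """Build a complete sheet with the named questions answered yes."""
    return {q: q in yes for q in QUESTIONS}


# Constructed sample tickets, not real help desk data.
SAMPLE_TICKETS = [
    {"business_unit": "engineering", "answers": answer_sheet(
        "av_alert_on_host", "unknown_process_running",
        "unexplained_outbound_traffic")},
    {"business_unit": "engineering", "answers": answer_sheet("browser_redirects")},
    {"business_unit": "finance", "answers": answer_sheet(
        "av_disabled", "new_local_admin_account",
        "logon_outside_work_hours", "unexpected_scheduled_task")},
    {"business_unit": "finance", "answers": {"av_alert_on_host": True}},
]
```

Calling `escalations_by_business(SAMPLE_TICKETS)` gives the per-business tally of escalated tickets, and the third value returned by `triage` lists any questions the technician skipped on a call.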

So I thought.. why not offer a diagnostic tool, at a low cost (about $35/month per account), that could assist help desks with diagnosing APT, targeted cyber events, and other kinds of activity?

Allagash: Allagash is for those who need fast diagnostics and clean information. Simply cut and paste logs, system inventory information, files, IP addresses, etc., or upload a .txt file into a web based tool. If anything matches things that we know about, we'll give you a list of what to look for in a very simple output; and if we know, we'll tell you which APT set it belongs to. In fact, we sold our first five early adopter accounts to a local company called --a premium help desk service built by the folks who ran the help desk for the Dartmouth Healthcare system. They'll be coming on with the lab on March 1st. Allagash ain't sexy. We're starting small and offering inexpensive early adopter service. Don't expect graphics, correlation engines, or spinning whoopee pies. Allagash is meant for fast diagnostics of bad stuff, offering a simple, but very usable output.

We're looking for about 20 additional early adopters who'll be offered early adopter pricing as we mature our processes.

Interested?  Sign up here 

We'll offer seats on a first come, first served basis starting at the top of the list and working down.


It seems everyone this week was flat out. The portal is busy, membership requests were coming in like crazy, and I had the opportunity to talk to one of my former DoD customers' supply chain partners about how to think about the new Defense Federal Acquisition Requirements (DFAR).

If you didn't know,  DFAR now requires prime contractors to sign off and attest to the security of their supply chain subs. This is a pretty tall order.  Personally I think that if the government doesn't trust the security of a company, well, don't buy from them! From the prime's perspective however, their subs are going to need help.. both intelligence (remember the daughter?) and a partner who can help them go from 0-80% as fast as possible. It was a great talk, but these guys are in for a real eye-opener. We're here to help. Red Sky Alliance for those with mature infosec teams. Wapack Labs for those who prefer tailored subscription intelligence and analysis, and Allagash for those who only want to query a web based tool for diagnostics.

Want to know what that supplier looks like before you attest as prime? Are you a sub wanting to check your systems before the prime does? Send us a system inventory of your supplier and we'll tell you what we know! We're chugging through a 4T drive as we speak. It's roughly 30 days of stuff from a 75,000 person company.  It's bigger than what we normally do, and it takes a little time, but we'll be providing diagnostics back to this company in the next week or so.  

I love my job!

Until next time,
Have a great week!