Saturday, March 01, 2014

Red Sky Weekly: SkiCon, Advanced Persistent Trout '14?

I was invited up to Sugarbush for the weekend. I'm heading out in a few minutes, meeting a small group of CISOs and Infosec friends for a weekend of skiing, a rented condo and presumably a bunch of heavy-hops IPA. It's going to be cold, but the skiing will be great, and the after-skiing will likely be better. In June, it's going to be fly fishing for a week on a river in the Tennessee Valley with another set of Infosec friends. One of the guys reserved a house with 2000' of river frontage and a guide to show us the right fly patterns for the native trout.

Why am I talking about skiing and fishing? Because these are friends. We call each other when we need something. We've followed each other's careers over the years as we each mature into more senior positions, and now, we're skiing, fly fishing, and having a few beers.

So let me ask you a question. When was the last time you asked for help from a perfect stranger? During your last bout with wekby, APT1, or the massive loss of credit cards, did you Google for help and call someone you didn't know? Or did you ask a friend who they'd recommend first... or better yet, who they'd used themselves?

These same circles of friends that I'm skiing with tomorrow and fly fishing with in Tennessee in June are the same people I've called at one point or another; and they've called on me. We've compared notes, shared incident response hours (many, many hours), begged for budget, screamed at each other over the conference table and played Guitar Hero in the middle of the night, bleary-eyed from a dozen hours of analyzing pcap during the early days of APT. And two of the guys I'm skiing with tomorrow are founding members of Red Sky Alliance.

You see, people don't call strangers for help. They call friends first. Then they call those who've been recommended by friends. Yellow pages can't help you with cyber, and Google only gets you so far. So when you need help (finding the sleeper in your networks, pulling forensic images from all over the globe, begging for overtime for your team, or explaining to your CIO why you made your network an island when you watched the shift from the access team to the intel team, even if only for a short period of time), I'm betting a dollar that you won't do it without knowing what others did first, and the guys you ask first are your trusted friends in positions similar to yours, in companies you can point back to as credible.

And to add to that, most people I know in this space prefer small circles of trust. Thousands of people in low-cost, high-volume portals, sharing information anonymously, may give you that warm feeling of satiation (due diligence?) when you're gobbling IOCs as fast as you can shove them into your intrusion prevention systems, but there's a very high probability that much of the information you've stuffed into that little red box isn't going to do you much good. So what happens when you've spent all that money, and you've made your network an island, and your IPS screams for better stuff, and your team is burning out, but your CIO hasn't got anything left for you? Who are you going to ask for help? Here's an idea. Ask first.

Small trusted circles are WAY better than big ones. When we first started working APT issues (in about 2006), we were three companies under strict NDAs, sharing notes. That three-company circle expanded to about a dozen who really knew what they were doing, and when it came time, we all helped each other. Many today consider that small group of highly trusted companies an amazing force multiplier. Most will tell you that they could never have hired all of the talent that they needed to fight the fight without sharing expertise in the then first-of-its-kind, full-attribution information sharing environment.

Wait. What? Full attribution?

You bet. Attribution and peer reviews keep even honest people honest.

Red Sky Alliance today is about 35 large enterprise companies. Those 35 companies all have highly mature information security teams that know what it takes to deal with the problems we all face, but only a few know how to survive. Not one of them has their head in the sand. There's no BS. They just help each other.

So, let me ask the question again. When the stuff hits the fan, who will you trust?

Me? I'm going to ask my friends.

If you'd like to ask my friends too, drop me a note. We'll get you set up.

BT BT

Even with most of the Infosec folks I know at RSA, it was a busy week. Heck, maybe that's why it was so busy. Bad guys know that the infosec teams are in San Francisco!
  • We don't typically perform victim notifications, but this week we were forced to notify two national CERTs of compromised accounts that were leveraged as part of an ongoing campaign from a known cyber espionage actor. Red Sky is currently receiving a number of APT spearphishes first hand through a collection of proprietary honeypots placed in very specific locations. Our members receive very fast notification of very early malware, often times beta. In several instances we've been able to post mitigations within minutes of the honeypot capture! For those using spam defenses at the gateway, feeds from this data set can be pumped directly into your Ironport or other similar system.
  • This week we released FR13-006. This fusion report detailed recent campaigns leveraging an IE vulnerability described in CVE-2014-0322. The report described the malware artifacts involved and provided tailored mitigations for a widely used RAT.
We're pushing hard to get Allagash up and running, and with the exception of one last change, we're ready for our first beta testers to jump on starting Monday. We're looking good. Our goal is 20 beta users. We're about halfway there. If you're interested, sign on to our Constant Contact list. When your name comes up, we'll drop you a note.
Last, but certainly not least, our Threat Day is coming up in just a couple of weeks! We're doing cocktails the night before, with a day of presentations the following day. These things are always great, but we're going to have some fun with the National Security Fellows from the Harvard Kennedy School on the night before. It'll be great exchanging ideas in the old mahogany Commonwealth Bar. Smart folks, the Red Sky membership, and liquid brain lubrication. How can this not be fun?!

Ok. Off for now. I've got to get my skis on the car!
Have a great weekend!
Jeff