Saturday, March 22, 2014
Anyone in the threat intelligence scene today knows that the best way to get information is to share information. And for that, personal contact, handshakes, and face-to-face conversation are required before relationships can be built online. And this is how we do it...
We hosted our March Threat Day this week at the Harvard Club of Boston.
Thank you, everyone, for participating!
We started off on Wednesday evening when we met in the Commonwealth Lounge on the first floor of the Harvard Club. This was a bit different: we combined our second annual Booz'n and Brainstorm'n session with the cocktail party that goes with the night before each Threat Day.
The next morning, we all assembled on the third floor for a private breakfast and met our sponsors, CBTS and nCrypted Cloud.
CBTS, also a Red Sky Alliance Associate Member, is a threat management service provider, headed up by the former CISO and incident response Director from GE Aviation, an APT-hardened group. These guys know APT, and have been building out capabilities to help others. nCrypted Cloud is a startup that provides an enterprise-grade encryption service that connects to various collaboration environments, securing information in Dropbox, Google Drive, OneDrive, Box and more.
We kicked off at 9:00, with the day recorded for posting to the portal and, once we overcame some small technical difficulties (gremlins!), a conference bridge running as well.
After a short introduction from Jeff, Chris Hall from Red Sky kicked us off with an overview of recent threat research: his analysis of the MiniASP Remote Access Trojan. Chris and his team were able to dig deep into that threat after an Alliance member forwarded a clean sample for analysis. As part of his presentation, he showed how the Wapack Labs' WhoisRecon tool was critical in his analysis.
A team of members presented next, describing some of the sophisticated attacks they encounter. One found a website where malware and malware distribution tools are marketed and sold. He shared an online exchange with an apparently Russian hacker, discussing how the hacker got started, how he performs his attacks, how he gets paid (game currencies), and his wish list for information and technology.
Next up, Nick Hoffman from CBTS. Nick presented a great lesson on building YARA rules, and helped us all to understand best practices for making YARA rules as good as they can be. YARA is a tool aimed at helping malware researchers identify and classify malware families. Nick is funny, high-energy and playful, more playful than you've ever imagined anyone could be about YARA rules. Fun. He amazed us with his analysis of Taidoor. He discovered the five loops that Taidoor often reuses. With YARA you can create descriptions of malware families based on textual or binary information contained in samples of those families. And nobody is more of a YARA geek than Nick!
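To make the "textual or binary information" point concrete, here is an added example of a YARA rule in the style the talk described. It is not a rule from Nick's presentation, from CBTS, or from Red Sky, and it does not describe Taidoor or any real family: the rule name, the strings, and the hex code fragment are all constructed placeholders. It shows the rule-building practices that make a rule hold up in practice: anchoring on the file type, bounding the file size so the scan stays cheap, using wildcards in a code pattern so small register or offset changes between builds do not break the match, and requiring a combination of indicators so that no single generic string fires the rule on its own.

```yara
/*
 Added example rule, not from the talk or from any Red Sky / Wapack / CBTS material.
 Every identifier, string and byte sequence below is constructed for illustration
 and does not correspond to a real malware family.
*/
rule Constructed_Example_Family
{
    meta:
        description = "Constructed example showing YARA rule-building practices"
        author      = "added example (not the original author)"
        reference   = "PLACEHOLDER - no real sample or report behind this rule"

    strings:
        // File-type anchor: a PE file starts with the 'MZ' magic bytes.
        $mz = { 4D 5A }

        // Textual indicators (constructed). 'ascii wide' matches both
        // single-byte and UTF-16LE encodings of the same string.
        $cfg_marker = "cfg_v2_beacon_marker" ascii wide
        $mutex_name = "Global\\ConstructedMutex_1a2b" ascii

        // Binary indicator (constructed): a short code loop with '??' wildcards
        // where compilers commonly vary register or displacement bytes. Reused
        // code loops, like the ones the talk described, are the kind of thing
        // you would encode this way rather than as a fixed byte run.
        $loop = { 8B 45 ?? 83 C0 04 3B C1 7C ?? }

    condition:
        // Only evaluate PE files of a sane size, and require at least two
        // independent indicators so no single generic string causes a false positive.
        $mz at 0
        and filesize < 2MB
        and 2 of ($cfg_marker, $mutex_name, $loop)
}
```

A rule like this is tested the same way it is written: run it over a corpus of known-good files as well as the samples it is meant to catch, and tighten or loosen the `2 of` threshold and the wildcards based on what it hits.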
Denis Borodin, a senior technology risk analyst, shared some of the techniques he uses to detect and analyze malware. He explained a subtle yet effective phishing campaign with a JAR attachment, and his view of the Java Remote Access Tool jRAT, a particularly pesky and difficult malware sample.
Rick Gamache recently led a Wapack Labs team to author a great report describing the considerations in deploying outsourced datacenter services in Iceland. During this talk, Rick presented his analysis of Iceland's society and critical infrastructure. He explained the pros and cons of Iceland as host to some of the largest data centers in the world, with massive bandwidth connecting all population centers of the globe. He described the datacenter, bandwidth, power and geopolitical considerations for companies considering Iceland as their offshore datacenter. And he talked about the up-and-coming cyber culture: the land of the ice and snow, from the midnight sun where the hot springs blow, and where hackathons are televised with the same energy and suspense as America's Got Talent and televised winners are regaled as cyber security rock stars!
The entire day and the previous evening were jam-packed with relevant and intriguing problems and solutions. I look forward to the next one.