Anyone in the threat intelligence scene today knows that the best way to get information is to share information. And for that, personal contact, shaking hands, face-to-face conversation, and the ability to build relationships in person are required before relationships can be built online. And this is how we do it...
We hosted our March Threat Day this week at the Harvard Club of Boston.
Thank you, everyone, for participating!
We started off on Wednesday evening when we met in the Commonwealth Lounge on the first floor of the Harvard Club. This was a bit different: we combined our second annual Booz'n and Brainstorm'n session with the cocktail party that goes with the night before each Threat Day.
The next morning, we all assembled on the third floor for a private breakfast and met our sponsors, CBTS and nCrypted Cloud.
CBTS, also a Red Sky Alliance Associate Member, is a threat management service provider headed up by the former CISO and incident response Director from GE Aviation, an APT-hardened group. These guys know APT, and have been building out capabilities to help others. nCrypted Cloud is a startup that provides an enterprise-grade encryption service that connects to various collaboration environments, securing information in Dropbox, Google Drive, OneDrive, Box and more.
We kicked off at 9:00, with the day recorded for posting to the portal and, once we overcame some small technical difficulties (gremlins!), carried on a conference bridge.
After a short introduction from Jeff, Chris Hall from Red Sky kicked us off with an overview of recent threat research: his analysis of the MiniASP Remote Access Trojan. Chris and his team were able to dig deep into that threat after an Alliance member forwarded a clean sample for analysis. As part of his presentation, he showed how the Wapack Labs WhoisRecon tool was critical in his analysis.
A team of members presented next, describing some of the sophisticated attacks they encounter. One found a website where malware and malware distribution tools are marketed and sold. He shared an online exchange with an apparently Russian hacker, discussing how the hacker got started, how he performs his attacks, how he gets paid (game currencies), and his wish list for information and technology.
Next up, Nick Hoffman from CBTS. Nick presented a great lesson on building YARA rules, and helped us all to understand best practices for making YARA rules as good as they can be. YARA is a tool aimed at helping malware researchers identify and classify malware families: with YARA you can create descriptions of malware families based on textual or binary information contained in samples of those families. Nick is funny, high-energy and playful, more playful than you've ever imagined anyone could be about YARA rules. Fun. He amazed us with his analysis of Taidoor, in which he discovered the five loops that Taidoor often reuses. And nobody is more of a YARA geek than Nick!
Denis Borodin, a senior technology risk analyst, shared some of the techniques he uses to detect and analyze malware. He explained a subtle yet effective phishing campaign with a JAR attachment, and his view of the Java Remote Access Tool jRAT, a particularly pesky and difficult malware sample.
Rick Gamache recently led a Wapack Labs team that authored a great report describing the considerations in deploying outsourced datacenter services in Iceland. During this talk, Rick presented his analysis of Iceland's society and critical infrastructure. He explained the pros and cons of Iceland as host to some of the largest data centers in the world, with massive bandwidth connecting it to all population centers of the globe. He described the datacenter, bandwidth, power and geopolitical considerations for companies considering Iceland as their offshore datacenter. And he talked about the up-and-coming cyber culture: the land of the ice and snow, from the midnight sun where the hot springs blow, where hackathons are televised with the same energy and suspense as America's Got Talent and televised winners are regaled as cyber security rock stars!
what's the current state and how is it evolving. Why Red Sky makes sense: our members have the ability to buy, and do buy, any number of feeds and subscription services, but still lack the ability to talk in a trusted, private way about threats. That is what the Alliance provides. Jeff also took us on a journey through the future of the Red Sky portal and ways to make information sharing easier.
The entire day and previous evening were jam-packed with relevant and intriguing problems and solutions. I look forward to the next one.
-- Steve