Saturday, March 22, 2014

Red Sky Weekly: Threat Day Recap - March 2014

Anyone in the threat intelligence scene today knows that the best way to get information is to share it. That takes personal contact: a handshake, a face-to-face conversation, and a relationship built in person before it can be sustained online. This is how we do it...

We hosted our March Threat Day this week at the Harvard Club of Boston. 

Thank you, everyone, for participating!

We started off on Wednesday evening when we met in the Commonwealth Lounge on the first floor of the Harvard Club. This was a bit different: we combined our second annual Booz'n and Brainstorm'n session with the cocktail party that goes with the night before each Threat Day.

With wine and bourbon flowing and chicken skewers and ribs piled high, a dozen Red Sky Alliance members mingled with about as many National Security Fellows from the Kennedy School at Harvard University. The National Security Fellows are members of various US Government agencies, such as the Department of Defense, who spend a year studying at Harvard and then return to their government roles, often in leadership positions. Conversations with this interesting group ranged from how to secure the nation's electricity grid to philosophical inquiries on the nature of identity and the future of personal identity. The evening ended with some of the guys smoking cigars in the parking lot and talking in greater detail.

The next morning, we all assembled on the third floor for a private breakfast and met our sponsors, CBTS and nCrypted Cloud. 

CBTS, also a Red Sky Alliance Associate Member, is a threat management service provider headed up by the former CISO and incident response Director from GE Aviation, an APT-hardened group. These guys know APT, and have been building out capabilities to help others. nCrypted Cloud is a startup that provides an enterprise-grade encryption service that connects to various collaboration environments, securing information in Dropbox, Google Drive, OneDrive, Box and more.

We kicked off at 9:00. The day was recorded for posting to the portal and, once we overcame some small technical difficulties (gremlins!), carried on a conference bridge.

After a short introduction from Jeff, Chris Hall from Red Sky kicked us off with an overview of recent threat research: his analysis of the MiniASP Remote Access Trojan. Chris and his team were able to dig deep into that threat after an Alliance member forwarded a clean sample for analysis. As part of his presentation, he showed how the Wapack Labs WhoisRecon tool was critical in his analysis.

A team of members presented next, describing some of the sophisticated attacks they encounter. One found a website where malware and malware distribution tools are marketed and sold. He shared an online exchange with an apparently Russian hacker, covering how the hacker got started, how he performs his attacks, how he gets paid (in game currencies), and his wish list for information and technology.

Next up was Nick Hoffman from CBTS. YARA is a tool that helps malware researchers identify and classify malware families: you write rules that describe a family in terms of the textual or binary patterns found in its samples. Nick gave a great lesson on building YARA rules and helped us all understand the best practices for making them as good as they can be. Nick is funny, high-energy and playful – more playful than you ever imagined anyone could be about YARA rules. Fun. He amazed us with his analysis of Taidoor, in which he discovered five code loops that Taidoor often reuses across samples, exactly the kind of stable artifact a good rule keys on. Nobody is more of a YARA geek than Nick!
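To make the kind of rule Nick was describing concrete, here is an added illustration. It is a constructed example written for this recap, not Nick's rule and not a signature for Taidoor or any real family: the configuration strings and the byte pattern are invented for illustration. What it shows is the structure the best-practice advice points at: cheap header and size checks first, specific strings rather than generic ones, and a reused code loop expressed as a hex pattern with wildcards where registers and offsets vary between builds.

```yara
rule Illustrative_RAT_Loader_Loop
{
    meta:
        description = "Constructed example of rule structure; not a real family signature"
        author      = "Red Sky Weekly recap (hypothetical)"
        date        = "2014-03"

    strings:
        // Prefer strings drawn from the sample's own code paths over generic
        // ones such as "http://" or "kernel32.dll" that match half the world.
        // Both strings below are invented for this example.
        $cfg1 = "cmd.exe /c " ascii wide
        $cfg2 = "Mozilla/4.0 (compatible; MSIE 6.0;" ascii

        // A reused decode loop written as a hex pattern. The bytes are a
        // made-up XOR loop (mov al,[..]; xor al,cl; mov [..],al; inc ecx;
        // cmp ecx,edx; jcc). The "??" and "7?" wildcards absorb the SIB byte
        // and jump displacement that change when the compiler lays code out
        // differently, so one pattern covers several builds.
        $loop = { 8A 04 ?? 32 C1 88 04 ?? 41 3B CA 7? ?? }

    condition:
        // Cheapest tests first: PE magic ("MZ") and a size bound keep the
        // engine from scanning large non-PE files for the patterns.
        uint16(0) == 0x5A4D and
        filesize < 2MB and
        // Require the distinctive code plus at least one configuration string;
        // a string alone is too weak, the loop alone too easy to hit by chance.
        $loop and 1 of ($cfg*)
}
```

Run it with `yara -s rule.yar <sample or directory>`; `-s` prints the matched strings and their offsets, which is how you confirm the hex pattern landed on the loop you meant rather than on an incidental byte run elsewhere in the binary.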

Denis Borodin, a senior technology risk analyst, shared some of the techniques he uses to detect and analyze malware. He walked through a subtle yet effective phishing campaign that delivered a JAR attachment, and gave his view of jRAT, a Java-based remote access tool and a particularly pesky, difficult malware sample.

Rick Gamache recently led a Wapack Labs team that authored a great report on the considerations in deploying outsourced datacenter services in Iceland. During this talk, Rick presented his analysis of Iceland's society and critical infrastructure. He explained the pros and cons of Iceland as a host for some of the largest data centers in the world, with massive bandwidth connecting it to population centers around the globe, and described the datacenter, bandwidth, power and geopolitical considerations for companies weighing Iceland as their offshore datacenter location. He also talked about the up-and-coming cyber culture in the land of the ice and snow, from the midnight sun where the hot springs blow, where hackathons are televised with the same energy and suspense as America's Got Talent and the winners are hailed as cyber security rock stars!

Jeff Stutzman took us home with a discussion on collaborative and retained threat analysis: what the current state is and how it is evolving. Why Red Sky makes sense: our members can buy, and do buy, any number of feeds and subscription services, but still lack a trusted, private way to talk about threats. That is what the Alliance provides. Jeff also took us on a journey through the future of the Red Sky portal and ways to make information sharing easier.

The entire day and the previous evening were jam-packed with relevant and intriguing problems and solutions. I look forward to the next one.

-Steve