Saturday, March 29, 2014

Red Sky Weekly - "You don't know what you don't know"

We've been looking at a lot of data lately. Government, commercial, big company and small. Tests, logs, diagnostics, pre-audit, you name it. And in every case, the owners of the network are shocked. Most had no idea that so much activity is going on in their networks. Why? How could they not know? Hundreds of nonsensical domain names associated with port 53/UDP (hint - crimeware) on IP addresses used to allocate the movement of (ahem) a LOT of money, VPN over DNS in nearly every environment we look at, and worse, Windows Credential Editor - a tool that steals valid credentials from Windows web services --back to the last reboot.

Without exaggeration, nearly every organization that we look at has hidden services like these running in their environment, and there's almost no way the owners will know unless someone like us tells them about it.

This is a frequency analysis from a FireEye blog, from May through September 2012. It's one of my favorite graphics. It represents the problem perfectly. I show this graphic in the first slide of nearly every presentation I do. It showcases nicely why companies might not have any idea of the sheer volume of activity. In fact, I'd argue some of this is simply above the capabilities of many CISOs. (And by the way, NIST 800-53 was good in 2004, but it's not going to help you here...)

Let me explain...

The red and blue lines across the bottom are detects and drops of inbound malicious links and attachments. The orange line is the outbound command and control --the remote control connection that the human at the other end of the connection uses to tell the victim computers what to do. The red and blue lines are knowns. The FireEye box was able to identify and stop these, as they were the orange --but what about the rest? The FireEye blog calls out the idea that there were obviously other things happening in the environment. Malware may have been in the environment before FireEye was loaded, or it may be that there is just so much stuff happening in the network that one box can't catch it all. Or perhaps one company doesn't have the necessary skills to identify all of the variations of activity that might occur. Maybe the company that bought this machine doesn't really know how to use it! Regardless, there's a ton 'o stuff happening in this network. 

FireEye is a great product, and the idea here isn't to take a swipe at a fellow security company. I like the company. The graphic shows clearly the problems we all face. CISOs don't know what they don't know. And the unknowns are going to kill them. It takes dozens of skillsets to identify the right information to be loaded into our sensors to make the pain stop. And even then, if you've got something they want --computing power (or hiding spots) for botnets, identity stealing malware, products, intellectual property, mergers & acquisition data (yes, law firms scare the hell out of me) or military secrets, the activity isn't going to go away... and the information that you need as the vaccination for your network probably resides elsewhere. 

That's cyber Intelligence.

So where do you get it? 

First, you need to know what you need. Cyber Intelligence is comprised of two basic elements:
  • Indicators of Compromise - IOCs (...although Indicators of Compromise seems too late. I think I'd rather have a vaccine!). IOCs are things like domain names, IP addresses, email addresses of senders of malicious email, etc. Depending on who you ask, there might be a hundred or so different kinds of IOCs.
  • The context by which you prioritize your work: You need a way to know which of those millions of IOCs you implement in your network first, then after that, and what you need to think about next month (or which ones you tell your MSSP to implement on your behalf). This is really hard. The context by which you prioritize your defenses can mean the difference between a normal Monday - Friday, ten hour workday, or seven-day, 22 hour work day week with a short nap, a Mountain Dew and a bag of Cheetos before starting all over again.
Interestingly enough, over the last two years, analysts on the backend of Red Sky Alliance have sought out, identified, and now collect and analyze sources of information unique to our problem sets. In fact, the primary focus of Wapack Labs is intelligence and analysis. We use the lab to support the FS-ISAC, a bunch of companies, and the Red Sky Alliance. 

Wapack Labs sells intelligence and analysis. 

And we can deliver it in just about any format you need it. 
  • Want intelligence through a collaborative? For those who know the value (it's HUGE btw), we have that in Red Sky Alliance and Beadwindow. Our members get the analysis produced by the lab, and when needed crowdsource the analytics. Sometimes they simply have more to add. It's very cool, and works like you wouldn't believe!
  • Need answers to hard problems?  We do research and author point project reports. In one case, we identified an application sold by one large company to another --and 15G of exfiltrated, encrypted .rar files from what we believe was the trojan'd application. In another, we authored a country study on Iceland -for those considering using Icelandic datacenters as an offshore option.
  • Looking for context for your SE/IM? We can help with that too. We're collecting information from about 500 highly targeted honeypots, adding more daily. The information we get is high confidence, nearly no latency, in many cases, 0-day. This stuff is the perfect feeder for gateway anti-virus, DLP, email filtering, and spam solutions. Yes, we can feed your ArcSight --and your brain.
Give me a shout. Let me show you. Red Sky Alliance collaboration, log diagnostics, high confidence targeted threat intelligence and analysis. We have something that can help you too. Want to know more about Wapack Labs? Drop me a note or sign up for our mailing list.

Until next week. I'm off for a run.
Go Bruins!
Jeff