Saturday, April 19, 2014

Red Sky Weekly: What's happening in Wapack Labs?

Heartbleed? Yeah, we're watching too. We try hard to identify and talk about things others don't. There's a ton of messaging on Heartbleed, and I don't want to just repeat what others have already said, so this week I'm going to talk a bit about Wapack Labs. 

As a bit of a primer, Wapack Labs is an independent company located in Manchester, NH. We recognized early that as facilitators of information sharing in the Red Sky portal, our abilities as incident responders, forensic guys, auditors, or whatever background we came from, would quickly rust if we didn't find ways to participate in a material way and keep those skills sharply honed. So we started Wapack Labs as a forensic shop, hoping to use it to support the membership. We created it as a separate company because it didn't fit nicely into the information sharing construct, and staffed it with a couple of new folks, in a new lease in Manchester, with its own ecosystem and infrastructure. We realized quickly, however, that we weren't going to make a living on forensics, so rather than blow off the remainder of the lease, let the people go, and sell all of the gear, we decided to focus the lab on our core competency: intelligence and analysis. We still have a forensic capability, and we have a great guy manning that conn, but the core competency of the lab is managing and operating an intelligence cycle and publishing results to various customers: Red Sky Alliance, the FS-ISAC, and dozens of companies. Today, nearly all analysis that goes into Red Sky Alliance from our participation comes from primary sourced data, collected to answer specific questions, using great process... in Wapack Labs.

And while the portal remains busy, the analytics coming out of the lab have just been amazing lately, so I thought I'd share some of them, getting back to our roots of summarizing the week's happenings in our analytics, and not just Jeff sharing stories, ideology and lessons.

At the macro (cyber-geopolitical) level, we've got a couple of folks dedicated to tracking significant happenings in the world today:

  • Ukraine and Russia: There's a serious lack of press on this topic, but we know there's no shortage of cyber activity. The cyber conflict currently lies between the two countries, but we monitor for escalation, for spill-over that might affect our members/customers, and for lessons learned about future protections against government-sponsored cyber activities targeting individuals or companies. Guys in the lab are keeping a close eye on developments. One of our analysts is a native Russian speaker, and we use him to translate and provide running commentary. This week, the team, based on his work, drafted a timely and relevant profile on a suspected intelligence group operating within Ukraine, including their use of cyber tactics. The report offers details and analysis that have yet to be captured in Western media. We believe that we will see more activity from these guys as Russia escalates its operations in Eastern Ukraine... and we will continue to monitor and report to our Red Sky Alliance members and Wapack Labs customers.
  • Country studies: The guys are working through our second country study. The idea is to assist organizations in planning their security, based on their geographic diversity, customer base, technical resources, network environment, and infrastructure conditions. Our first study was Iceland. It's a great little spot in the north Atlantic with a TON of power, great bandwidth, and dirt cheap datacenter space. We wrapped that up about two months ago. Our second will be announced in May, but as with Iceland, this is a research project that considers the factors that affect cyber, decision making, threats and risks, drawing on a number of sources: intelligence, geographic, political, and cyber. 

At the micro level, we continue to be busy. Work keeps coming.
  • New botnet: This week we pushed out a "part one of two" technical report. Part one provides details on several new IRC botnets seen targeting the financial sector. Part two will be published next week, offering an inspection of, and details on, the related infrastructure. 
  • Targeting Korean banking: Our second report this week detailed a family of popular Chinese malware that was re-purposed for targeting Korean banks and the banking infrastructure. Fortunately, the mitigations that we developed and published protect not only against this variant, but against all variants of the parent malware family. 


If you're detecting a slightly different tone in my messaging this week, it's because there is in fact a slightly different tone in my messaging. I've been making the rounds, talking with Red Sky members, asking them what they like, don't like, and how we might do better. 

The overwhelming answer is this: "We love what you do! But we don't always like having to get it from a portal!" So, even though we're only about a third of the way through the interviews, it appears that the deep techies who use the portal regularly love the portal. But that leaves about 58% of our user base who need alternative delivery mechanisms. So ask, and you will receive!  

Our messaging has shifted a bit from "Come be part of our information sharing environment!" to "We (Wapack Labs) author intelligence and analysis... and we can deliver it how you need it." Want to share information, compare notes? We have that! The Red Sky Alliance portal isn't going anywhere, and assuming qualification and Advisor approval, subscribers to services through Wapack Labs will receive access to one of the portals. Only want access to an automated system to query indicators? We have that too. Subscription service? The lab can tailor your subscription to just about any requirements, and output just about any format you want: STIX/TAXII, Snort signatures, SIM packages... whatever. 

We author great intelligence and analysis... and we'll deliver it in any format you need. 

I promised to keep it short. 
Until next time, have a great weekend!