Saturday, June 21, 2014

Red Sky Weekly: We're STIX!

I'm happy to announce that we are now providing indicators in the STIX format.
https://stix.mitre.org/
Two weeks ago we pushed our first STIX package to the Red Sky portal. While not perfect, we received some good implementation feedback during our threat day this week. Next step? TAXII. I'm a huge fan of sharing information machine-to-machine, so this is very exciting!

Why'd we do it? Let me tell you a story. I promise, it'll come back to STIX!

About a year ago, we happened upon the entire active directory structure for a very large European company. Like a drunk who drives the back roads throwing their cans out the window into the woods as they drive, some sloppy cyber litterbug dropped a bunch of stuff on a couple of open nodes --that we then picked up as we walked along the road looking for clues. 

The data we'd acquired suggested that the company was compromised --and I mean completely compromised --caught, cleaned, and gutted, and had been so since probably mid-2008. There was a lot of stuff. Some of the information we saw suggested also that this company had sold an application to another ...and when this application was used, it was sending data from the application to computers outside of the company. So we tested the encryption with passwords we knew to be used in previous APT events, and were able to view enough files to know that the company used the application to make big things that float, fly, and sink themselves intentionally. 

Neither of the companies were involved with Red Sky Alliance, but we knew who they were, so we thought we'd be a good neighbor and let them know that we'd found their stuff on the endpoint of a command and control (C2) node. The European CISO was nowhere to be found. We know the company has one; we know they participate in security forums, but nobody would take our call. The second? We visited them in person. I know the CISO. We showed them (quietly) our story, but alas, their team is small. 

That was a year ago. In the last two years we've done victim notifications with private companies, federal agencies, supply chain partners, K-12 school systems, manufacturing/machining companies, security companies, universities, and more. Companies range from global in size to very small, in hundreds of industry segments. Our smallest notification - four people doing a half million dollars per year in business. The funny thing is, the smallest company that we notified hung up the phone with us and called the FBI (not on us!). We referred a local incident response company (a known - a Red Sky Associate Member) to assist with the clean-up, and I believe that as we speak, they're well into their get-well plan. 

So why do I tell this story? A year later? We're moving into the era of full automation. While I'm not necessarily a fan of full automation, I am a fan of stripping any and all barriers to a company's use of protective information. STIX puts data into format. TAXII moves it from company to company. The next step is moving data from that company repository directly to defensive tools. In every case where we've done victim notification, if we had this automation in place I could have simply shared data to the compromised company. They'd receive our indicator bundle, push the 'easy button', drop it into their defenses, and move along. Of course it's not that easy, but you get the idea. 

We're moving in the right direction!

BT BT

What's happening in Red Sky this week?


  • First, as mentioned, we're now STIX! Members (and Wapack Labs subscription customers) can now get their indicators in .csv or STIX format.
  • We issued a warnings this week to about a dozen companies. They're targeted, and we believe they'll be hit in about two weeks. The warning also included an analysis of the tools that will be used, and how to protect against them.
  • We had our quarterly threat day in Tampa this week. We had cocktails and food at the Pebble Creek Country Club, with a day of meetings at a member location on Tuesday. What a great two days!
  • Last, we continue tracking cyber activities between Russia and Ukraine. You just can't make this stuff up. The Christian Science Monitor ran a story on this as well. Since our original post, we've authored several more blog posts inside of Red Sky, and issued three priority analysis reports aimed at offering good situational awareness and defenses to our members who have business interests in the area. 
Last but not least - I just heard that the days will start getting shorter after today.
So please, enjoy the solstice! 

Until next week,
Have a great weekend.
Jeff