Saturday, August 02, 2014

Red Sky Weekly: Would you respond to Zeus differently than ZXshell? Why, context is king.

Jeff is off on a much deserved break so he’s left me in charge of the blog.

As you may well be aware by now, Wapack Labs, Red Sky Alliance's threat intelligence arm, has released the first iteration of Threat Recon via a web-enabled API. The response this week has been tremendous! With hundreds already signed up and more each day, the feedback we've received from many people across the cyber security community has been both helpful and supportive, and for that we are very grateful.

Here's a real-world example of how we're using Threat Recon in our everyday analysis. While preparing a presentation I have to give this week for some folks in the financial sector, I had some questions about the Zeus Game Over botnet. Wapack Labs is very familiar with this campaign and our Near East intelligence people watch the activity closely. Wanting to illustrate its pervasiveness, I opened the API and searched on a particular set of indicators I know are bad, and in a matter of seconds I had enough context to fill an hour of presentation time, plus new material I hadn't seen before!

What is particularly powerful about the results from Threat Recon is that they are both technical in nature and context-rich, allowing me to scale the presentation to the level the attendees are most interested in. But that's not the really cool part! The best part was that I was able to pivot off that information and see how newly contextualized indicators were being added from the wide dragnet of collection techniques we use every day in the lab. The result? A much deeper understanding of Zeus Game Over's activity and the people behind it! Members of Red Sky are going to love the resulting reports from our findings. :)

When we started Red Sky Alliance in 2011, our focus fell squarely on the quality of the analysis from contributing members, not the quantity of threads. In fact, in the Red Sky community all analysts are peer reviewed on the accuracy and quality of their analysis, and that continues to this day. This quality-over-quantity approach has proved to be an extremely valuable tool for both our Red Sky members and Wapack Labs customers. Our high-quality, high-confidence indicators give first responders laser-focused information on what threats they're dealing with when the alarms start pinging. At the same time, the rich context of our reports allows CISOs preparing to brief the C-suite to quickly sum up the crisis in terms of the things they really need to know.

Over the past three years, we’ve seen the discussion of intelligence turn into a question of “How much data do you have?”   Despite that, we’ve stayed the course and continued to focus on qualified, highly actionable intelligence.  

Through Wapack Labs, we've developed a robust collection effort, but we've never lost sight of our core belief that intelligence must be contextualized and that you can never remove the human element from the process. If you're one of the many who have used Threat Recon already, you'll notice that every query with a result returns context to help you pivot off for deeper analysis.

When I'm asked, as I often am, "How many indicators do you have?", my response is generally met with some incredulity, because it sounds like a small number compared to other "intelligence" companies publicly claiming to host many millions of indicators. However, when I explain how we collect and process our intelligence, and I mean the full spectrum of cyber intelligence, the HUMINT, OSINT, SIGINT, and TECHINT we conduct on a daily basis, it commands attention.

If, as the old saying goes, "we're looking for a needle in a stack of needles," and I can confidently tell you that one needle is slightly smaller than all the others, I'm pretty sure you'd want to know about it and would find that information useful in your search. This alone is what differentiates Threat Recon from any other analysis tool you've ever used.

The debate about the usefulness of Big Data will be around for a long time and the jury is still out, but here's something to think about. If you're like most of the incident responders I talk to, there's very little time in the day and too few resources to sift through false positives. Would you choose four million indicators with little or no context, or half a million high-confidence, vetted indicators, many supplied with full attribution, to focus your effort and assets? How you respond to Zeus will most likely be far different than how you respond to ZXshell. Context is king when you have limited resources!
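To make the triage argument above concrete, here is a small added example (written for this edit; it is not code from the original post and not Threat Recon's API or data). It scores each alert hit by the confidence and context attached to the matching indicator, routes high-scoring hits to a family-specific response playbook, and parks bare, low-confidence hits in a review queue instead of spending responder time on them. The feed entries, log lines, scoring weights, attribution label and playbook text are all constructed; the IP addresses come from the RFC 5737 documentation ranges.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    """One vetted indicator plus the context an analyst attached to it."""
    value: str
    confidence: int            # 0-100, analyst-assigned confidence
    malware_family: str = ""   # empty string = family unknown
    attribution: str = ""      # empty string = no attribution
    sources: tuple = ()        # collection disciplines behind it (HUMINT, OSINT, ...)


# Constructed feed: three contextualized indicators and one bare, low-confidence IP.
# Addresses are RFC 5737 documentation ranges; the attribution string is a placeholder.
FEED = {
    "198.51.100.23": Indicator("198.51.100.23", 95, "Zeus GameOver",
                               "placeholder-crimeware-crew", ("TECHINT", "HUMINT")),
    "203.0.113.77": Indicator("203.0.113.77", 90, "ZXshell", "", ("OSINT", "TECHINT")),
    "evil-update.example": Indicator("evil-update.example", 80, "Zeus GameOver", "", ("TECHINT",)),
    "192.0.2.5": Indicator("192.0.2.5", 40, "", "", ("OSINT",)),
}

# Constructed, assumed response guidance per family: a banking trojan and a remote-access
# tool seen in targeted intrusions call for different first steps by the responder.
PLAYBOOKS = {
    "Zeus GameOver": "crimeware: isolate host, reset exposed banking credentials, hunt for P2P C2 beacons",
    "ZXshell": "targeted intrusion: preserve volatile evidence, scope lateral movement, escalate to IR lead",
}
DEFAULT_PLAYBOOK = "unknown family: enrich the indicator before spending responder time"

# Constructed firewall/proxy log lines.
SAMPLE_LOG = [
    "2014-08-01T10:02:11Z fw deny src=10.0.0.12 dst=203.0.113.77 dport=443",
    "2014-08-01T10:05:43Z proxy GET http://evil-update.example/cfg.bin client=10.0.0.31",
    "2014-08-01T10:07:02Z fw allow src=10.0.0.12 dst=192.0.2.5 dport=80",
    "2014-08-01T10:09:30Z fw deny src=10.0.0.40 dst=198.51.100.23 dport=8080",
    "2014-08-01T10:11:00Z fw allow src=10.0.0.40 dst=8.8.8.8 dport=53",
]

# Whole-token matching so "192.0.2.5" does not also match "192.0.2.50".
TOKEN = re.compile(r"[A-Za-z0-9.\-]+")


def score(ind: Indicator) -> int:
    """Priority score: confidence, plus bonuses for known family, attribution and
    corroborating collection sources (weights are assumptions for this example)."""
    s = ind.confidence
    if ind.malware_family:
        s += 20
    if ind.attribution:
        s += 10
    s += 5 * len(ind.sources)
    return s


def find_hits(line: str, feed: dict) -> list:
    """Return feed indicators whose value appears as a whole token in the log line."""
    tokens = set(TOKEN.findall(line))
    return [ind for ioc, ind in feed.items() if ioc in tokens]


def triage(log_lines: list, feed: dict, min_score: int = 70) -> dict:
    """Split hits into a 'respond' queue (sorted by score, with a playbook) and a
    'review' queue for context-poor hits that are not worth immediate responder time."""
    respond, review = [], []
    for line in log_lines:
        for ind in find_hits(line, feed):
            s = score(ind)
            match = {
                "ioc": ind.value,
                "family": ind.malware_family or "unknown",
                "score": s,
                "playbook": PLAYBOOKS.get(ind.malware_family, DEFAULT_PLAYBOOK),
                "line": line,
            }
            (respond if s >= min_score else review).append(match)
    respond.sort(key=lambda m: m["score"], reverse=True)
    review.sort(key=lambda m: m["score"], reverse=True)
    return {"respond": respond, "review": review}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, FEED)
    for queue in ("respond", "review"):
        print(queue.upper())
        for m in result[queue]:
            print(f"  {m['score']:>3} {m['ioc']:<22} {m['family']:<14} {m['playbook']}")
```

The two 90-plus confidence hits end up in the respond queue with different playbooks because their family context differs, while the bare IP, which matched just as cleanly, lands in the review queue. That is the whole point of the argument: the match itself tells a responder very little; the context attached to the indicator decides what happens next.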

If you’re interested in what we have to offer, see for yourself.  Threat Recon is available now through our web API and can be found at   Join the many that are already using it to help them in their cyber security efforts.


Red Sky Alliance has entered a formal partnership with Threat Connect and is moving Red Sky's public-to-private portal "Beadwindow" to the Threat Connect platform. We're excited to move forward on our plans to make this portal an even better tool for incident responders, analysts, researchers, and CISOs. Beadwindow members include federal, state, and local agencies as well as centers of higher education and the medium-to-small businesses that can't dedicate a lot of time to cyber security analysis.

Through Beadwindow, you'll have access to a managed community and participation from some of the best minds, analysts, and security strategists in the business, as well as all the reporting we've published in the last three years. If you're interested in becoming a member, email me directly at .