Jeff is off on a much deserved
break so he’s left me in charge of the blog.
As you may be well aware of by
now, Wapack Labs, Red Sky Alliance’s threat intelligence arm, has released its
first iteration of Threat Recon via a web enabled API. The response this week has been tremendous! With hundreds already signed up and more each
day, the feedback we’ve received among the many people throughout the cyber
security community has been both helpful and supportive and for that we are
very grateful.
Here’s a real world example of
how we’re using Threat Recon in our everyday analysis. While preparing a presentation I have to give
this week for some folks in the financial sector, I had some questions about Zeus
Game Over botnet. Wapack Labs is very
familiar with this campaign and our Near East intelligence people watch the activity
closely. Wanting to illustrate the
pervasiveness, I opened the API and did a search on a particular set of
indicators I know are bad and in a matter of seconds and I had enough context to
fill up and hour of presentation time and new stuff I hadn't seen before!
What is particularly powerful
about the results out of Threat Recon is the context is both technical in
nature and context rich, allowing me to scale the presentation to the level
that the attendees are most interested in.
But that’s not the real cool part!
The best part was, I was able to pivot off that information and see how
newly contextualized indicators were being added from the wide dragnet of collection
techniques we use every day in the lab.
Result? A much deeper understanding
of Zeus Game Over’s activity and the people behind it! Members
of Red Sky are going to love the resulting reports from our findings. :)
When we started Red Sky Alliance
in 2011, our focus fell squarely on quality
of analysis that the contributing members and not the quantity of the
threads. In fact, in the Red Sky
community, all analysts are peer reviewed as to the accuracy and quality of
their analysis and that continues to this day.
This quality-over-quantity approach
has proved to be an extremely valuable tool for both our Red Sky members and
Wapack Labs customers. Our high quality,
high confidence, indicators gives first responders’ laser focused information
on what threats they’re dealing with when the alarms start pinging. At the same time, the rich context of our
reports allows CISO’s to quickly sum up the crisis as they prepare to brief the
C-suite to the things they really need to know.
Over the past three years, we’ve
seen the discussion of intelligence turn into a question of “How much data do
you have?” Despite that, we’ve stayed
the course and continued to focus on qualified, highly actionable intelligence.
Through Wapack Labs, we’ve
develop a robust collection effort, but we’ve never lost sight about our core
belief that intelligence must be
contextualized and you can never
remove the human element from the process. If you’re one of the many who have used
Threat Recon already, you’ll notice that every query with a result, returns
context to help you pivot off for deeper analysis.
When I’m asked, as I often am,
“How many indicators do you have?” My
response is generally met with some incredulity because it sounds like a small
number compared to other “intelligence” companies publicly claiming to host
many millions of indicators; however, when I explain how we collect and process
our intelligence, and I mean the full spectrum of cyber intelligence, HUMINT,
OSINT, SIGINT, and TECHINT we conduct on a daily basis, it commands
attention.
If the old saying goes, “We’re
looking for a needle in a stack of needles” and I can confidently tell you that
one needle is slightly smaller than all the others, I’m pretty assured you’d
want to know about it and find that information useful in your search. This alone, is what differentiates Threat
Recon from any other analysis tool you’ve ever used.
The debate about the usefulness
of Big Data will be around for a long time and the jury is still out but here’s
something to think about. If you’re like
almost most the incident responders I
talk to, there’s very little time in the day and too few resources to sift
through false positives. Would you
choose four million indicators with little or no context or half a million high
confidence, vetted indicators, many supplied with full attribution to focus
your effort and assets? How you respond
to Zeus will most likely be far different than how you respond to ZXshell. Context
is king, when you have limited resources!
If you’re interested in what we
have to offer, see for yourself. Threat
Recon is available now through our web API and can be found at https://threatrecon.co Join the many that are already using it to
help them in their cyber security efforts.
BT BT
Red Sky Alliance has entered a formal
partnership with Threat Connect and is moving Red Sky’s public-to-private
portal “Beadwindow” to the Threat Connect platform. We’re excited to move forward on our plans
on making this portal an ever better tool for incident responders, analysts, researchers,
and CISOs. Beadwindow members include
federal, state, local agencies as well centers of higher education and the
medium to small businesses who can’t dedicate a lot of time to cyber security
analysis.
Through Beadwindow, you’ll have access to a managed community and the participation from some of the best minds, analysts, and security strategists in the business as well as all reporting we’ve published in the last three years. If you’re interested in becoming a member, email to me directly at rgamache@wapacklabs.com .
Through Beadwindow, you’ll have access to a managed community and the participation from some of the best minds, analysts, and security strategists in the business as well as all reporting we’ve published in the last three years. If you’re interested in becoming a member, email to me directly at rgamache@wapacklabs.com .