Saturday, November 14, 2015

Attribution counts. Good intelligence counts.

We've had one of the guys on the road for the the last week. He spent some time in the Nordics, and
http://world.edu
during one visit, he was told a story that I'd like to share (we have permission).

About two months ago we received a high priority request from an overseas bank.

They'd come to us with a fast-turnaround request for information on what they were seeing during their ongoing attack. We authored an (attribution) profile with the material we had, and a bit more that we needed to dig for, but by the next morning we were able to give them some pointed gouge. The bank used it to verify the guy, and within a very short window, used the intel to kill the accounts, turn off the attack, chase down the guy, and return the money.

When asked if there was money saved by the bank, the response was ‘a ton of money’ was saved, and the profile was the information they needed to kill the (at the time) live attack.

On our end, this was a small request. We turned-to for a few hours and pulled together what we had, but for the bank, apparently it meant much more. We talked with their security team, legal, and compliance --all grateful.

This is a great story of where good intel was able to help thwart an intrusion, track down a bad guy, and stop the bleed.  We have others. I'm a believer... Attribution counts.

Other analysts don't necessarily share my views on attribution. I'm good with that. Analytic differences almost always lead to better intelligence. In our case, we believe that by knowing the attacker we can track the way they operate, why they do what they do, and how they're likely to act.  We track several dozen intrusion sets and hundreds of thousands of high confidence indicators associated with them. For many of the intrusion sets, we've broken down the groups, individuals, and the tools they like to use. And because of that level of detail in attribution, we can (sometimes, not always) help companies get to the left of the Kill Chain but even when we can't, we almost always have information that can shorten response times.

There's value in good intelligence. There's value in attribution.

BT

We don't sell boxes. We don't sell infrastructure. We sell subscriptions. We live on customer dollars, not investor dollars, and nearly all who've subscribed or joined Red Sky remain with us today. 

So as we begin to wind down 2015, if you're thinking about buying a cyber intelligence service or joining an information sharing group, give us a call! In the mean time, get 1000 Threat Recon queries free per month, or, if you're a ThreatConnect customer, ask for your 30 day free trial.

Until next time,
Have a great weekend!
Jeff