Saturday, November 26, 2016

Who else knows?

We did a victim notification on the eve of Thanksgiving --about 8:30 PM EST, with a US-based online accounting firm. The firm boasts hundreds of clients on their website, although after looking at their data, I actually know how many clients they have. There are some good ones;  every one was listed in the financials shown in unencrypted emails that were harvested and sent from their systems, and although I didn't tell their customers that their outsourced, online accounting firm had suffered a data breach of nearly 80G of their accounting data, customer lists, and payroll information, at some point soon they're going to find out.

So after a call to their customer support line (my call was actually forwarded to a human), and two emails to the CEO, he called me on Thanksgiving morning.  I explained what'd happened.

So as we speak, on the weekend, two days after Thanksgiving, we're preparing a formal report for the accounting firm, detailing the simple actions that offered the penetration into this small scale systemic breach, with the names of those who'd been exploited and harvested.

Wait.. did I say simple actions? Yes. This breach, like many others, could have been prevented by two things... knowing that the activity was ongoing (this is called cyber threat intelligence), and by taking the appropriate actions to prevent it.  The malware (a key logger) that was used is widely recognized by many of the AV vendors out there today, but it was dropped onto the machine of a senior account representative  --a sales guy!

I scrubbed the name of the machine from the screenshot on the right, but the "Installed Anti-Virus:" and "Installed Firewall:" lines were both blank when we found it. This SaaS company didn't have even the most basic protection mechanisms on their sales guy's computer, and for that, they had a bad Thankgiving.

I realize that there's an amazing amount of data coming in, and it's really hard to recognize which to act on now, which to wait on, and which to simply pass on. This is not an uncommon scenario. A couple of weeks ago I spent some time with a group of CISOs --all of whom experience --and don't know what to do about, the sheer volume of information.  As incident response companies, big data companies, and open source lists offer more and more information, the CISO in the smaller companies (small meaning 1 - 10,000 employees) are drowning in data and literally have no idea what's important;

And while I always talk about intelligence and information sharing, many still don't understand what it actually is, or means.  That night I offered a view into information sharing, and what it is --early warning, prioritization, proactive response, all supported by a group who's only job it is, is to monitor threat profiles of the companies in the information sharing environment, and report when they see something bad happening.

In this case, the company was not a Red Sky member.  As with many interesting nuggets, we found his data while pulling threads related to something else we were working on.  He asked where the data came from, and then the dreaded question... "Who else knows?"  In our case, the "Who else knows?" is simple. We tell the members of Red Sky Alliance. Some of them use this service and we want them to know that one of their vendors has a problem.  They may be able to help.


You're going to see a few changes in messaging moving forward.  Red Sky Alliance and Wapack Labs had been, from the start, two different companies. As of the end of the year, they're becoming one and will operate as Wapack Labs.  The Red Sky portal will become the focal point and delivery for Wapack Labs intelligence, and when a company enters the environment, they'll be met with a team of Wapack Labs analysts ready to assist.  As a Red Sky member, you'll have access to our malware repository, our CRITS (currently in beta testing and loading data after the build), full access to our threat intelligence, the indicator database (Threat Recon) and the raw intelligence search API. Red Sky Alliance will be a cyber intelligence concierge; an analytic hub and information sharing environment. We provide the sources and tools, you bring the questions and the know-how. Don't know how? Our analysts are standing by and ready to help.  You'll see the changes taking shape as we move into the new year,  and already, we've had five new organizations jump in.

On that, I'm off.
Until next time. Have a great weekend!