Saturday, June 09, 2012

Red Sky Alliance weekly wrap-up - Fusion Report 11 published


It’s been a busy week. Fusion Report 10 was published late last week and Fusion Report 11 on Monday night this week. Fusion Report 11 was identified as a high confidence, tightly targeted attack against a tech company that only joined two weeks ago. What timing!
We’ve got a lot of things going on.
  • We’re preparing to host our second quarterly face-to-face ‘Threat Day’. This one will be hosted at the end of the month at a member site outside of Philadelphia. Cocktails the night before will be at the Union League. It’s a great place for happy hour, and we’re looking forward to getting together with our members!
  • We’re working through integration of our Norman MAG2 Analyzer, and beginning the planning for our first big data node.
  • I attended AT&T’s security conference this week. Great group of folks. Absolutely enjoyed the conference! Good to catch up with several folks that I hadn’t seen in a while.
Anyone who knows me knows how much I love metrics! Earlier this week I was asked by a board member in another information sharing environment what our participation looked like. At the time I answered off the cuff, but after looking at our numbers this morning, here’s what I found out:
We kicked off (live) in mid-February of this year. At the time, the portal was an empty shell... No data. Since then we’ve worked hard to sign up new trusted members, get communications moving, author fusion reports, etc. In May we noted a nice uptick in member adoption. Today we host approximately a dozen companies, and if I trust my math, 88% of our participants authored three or more entries in May. It may not sound like a lot, but let me tell you what that equates to since mid-February:
  • Over 250 active threads with over 9000 page views and comments
  • 11 Fusion Reports have been read or commented on 757 times by 43 people
  • Since going live, our malware lab has received 42 submissions, received 1047 crowd-sourced comments from 44 users, and resulted in nine Fusion Reports.
  • 1280 qualified indicators of targeted attacks pushed to the membership, with another several hundred, spanning three years, submitted this week by a non-member.* We published the indicators, all of which are believed to be involved in targeted attacks against this company, but they're currently undergoing correlation and qualification.
* Interestingly enough, we’ve started receiving requests for assistance from non-members: connections to others during incident response, non-members interested in pushing targeted attack information through our members, and requests for speakers. We’re happy to help.
Crowd sourcing analytics works. Collaboration works.
Until next time,
Jeff

Tuesday, May 29, 2012

Fusion Report 10 (FR12-010) published!

I’m happy to announce that we’ve just published our next Red Sky Alliance Fusion Report. I’ve been waiting for this one. I can’t believe we’re at ten pieces of finished technical analysis already.  FR12-010 discusses a remote access Trojan (RAT) used in some of the newer targeted attacks.
While not prompted by a member submission, we felt it necessary to analyze and report. This specific tool has been leveraged by one of the more sophisticated cyber adversaries today. Red Sky analysts provided signatures and artifacts associated with this malware and also included a snapshot of the actor's methodology. The paper details our analysis, and provides our members with two new Snort signatures, and a couple of dozen new indicators of compromise that may be copy/pasted directly into their defense in depth infrastructure.
A couple of key stats (now that we're at report 10!)
  • To date we've published over 1200 indicators of targeted attacks to the membership, analyzed through crowd sourcing in the portal and via Red Sky analysis.
  • 59 member/analysts are now tracking over 220 active discussion threads all relating to targeted attacks and emerging threats.
  • Inside the portal, members have logged over 5000 page views, with the Fusion Reports topping the list. In fact, our last report (detailing the activities of one ISP) was one of our most popular. Two other areas in the portal, "Incident Response Corner" followed closely by "Security Intelligence", were the next runners up.
Bottom line. This is exciting stuff and it's great fun to be an information security pro!  --a story... anyone who knows me will tell you I love to tell them...  I met Vint Cerf a few months back. I told him "Thank you!". Because of him, I've paid off my home, bought the car (a really nice car!), and made my career. Because of him (and the new threats), I'm cruising in on 50, balding, slightly overweight (ok, maybe more than slightly.. ), and finally cool! and you know what? So are all of the other 58 members that I talk to on a daily basis!! 
It's a fun time to be an Infosec pro!

Until next time,
Have a great week!
Jeff

Thursday, May 24, 2012

Red Sky weekly update - pre-Memorial Day weekend

It's Thursday afternoon, and I'm expecting a very hectic day tomorrow so I thought I'd author my weekly blog today before heading into the Memorial Day weekend.

It's been a heck of a week!

Fusion Report 9 set off bells and whistles with a number of folks inside the membership. We've probably got a half dozen new ISPs just like the one we reported on Monday that are now going into the analysis queue.

The portal has been on fire this week... very busy! One of the best things is our newest addition. Yesterday one of the members asked for assistance in contacting an international company. Within an hour of the request we had JPCERT in the portal with an offer to assist. This morning we had one of their incident response analysts involved. You see, this is not just a US problem. It is a global problem. Red Sky wants international participation. It's critical.

Our team is growing!

  • Chris Hall has accepted a position leading Technical Analytics. Many of you know Chris. He and I were together at the DoD Cyber Crime Center... I know what you're thinking. It's bad form to cherry pick your last employer. Well, for the record, I didn't. He'd moved on a year ago. He starts terminal leave in two weeks and will be coming into Red Sky after a short vacation. We're very excited! Chris will lead a team of analysts and will be both technical analysis lead and act as our community manager.
  • We've brought in a new Business Development manager. This guy's a retired Navy Captain from the acquisitions/logistics community, but he's been doing big data integration projects for several years. We've had a number of approaches by vendor/partners who bring incredible capability to the table. We need someone who can drive these relationships to win-win solutions. I'm confident we've found the right guy!
  • We've also brought in a new CIO. He's been handling IT Program Management for a medium sized defense contractor. Our portal is growing and so are the services, feeds, storage requirements, etc. We're happy (I'M happy!) to have someone managing our infrastructure - even if he is still part time with us... for now!
Changing gears -

Every year I put on my Navy short sleeved whites (admittedly, I had to buy a bigger uniform a few years ago) and take my kids to the Memorial Day Parade. I live in a small town in New Hampshire of about 3500 people, of which roughly 10% are Veterans and full members of the American Legion. We love the military up here, and the idea of putting on my old uniform, ribbons, clean hat, shined shoes, and then using Memorial Day as a teaching moment for my young girls is something I look forward to, and do, every year.

Please, in your own way, take a moment and remember our Veterans, active duty military, and their families this weekend. Freedom isn't free.

Until next time,
Have a great Memorial Day weekend!
Jeff

Sunday, May 20, 2012

Weekly update; Fusion Report 12-009 was just posted


It’s been another great week in the Red Sky Alliance!  
This week was the week of the FS-ISAC meeting.  As a result, participation was a little light, but nonetheless, we had some pretty cool stuff happen.
Fusion Report 12-009 was just posted to the portal. It tells the story of an Internet service provider in the US whose only customers are apparently international (ahem) entrepreneurs, including details of one man’s empire of fraud, domains, and a laundry list of malicious activity. The report gives our membership over 400 new domains, malicious emails and subnets that they may now simply ‘block’. This report was interesting because it wasn’t based on an incident responded to by a member, but rather on translations of open source information by one of our analysis teams, which suggested that an international "security professional" was using a rural US-based ISP for their service. The question ‘why?’ led us to some interesting findings from the membership, and in the end, a great read!
On Wednesday, another Founding Member joined the Alliance and our Advisory Board; this one from the Defense Industrial Base. This is a smaller company ($1.5 billion in annual revenue and 300 federal contracts in intelligence, defense, homeland security and the aviation industry) but the company has a GREAT Infosec team that will make an incredible contribution. The cross sector nature of the Alliance is rounding out nicely! Welcome!
Also on Wednesday we analyzed a suspected targeted 0-day. Many of the Alliance members assisted, and the output will be a formal Fusion Report showing how it plays into the bigger scheme of the group using it. I’m very much looking forward to Fusion Report 10!
Until next time,
Have a great week!
Jeff

Saturday, May 12, 2012

Red Sky Weekly Update - 5/12/12

Morning all,

It's been another great week.
  • On Monday we released our eighth Red Sky Fusion Report detailing a long known attacker group using a new process! 17 pages of analytics and three pages of Snort signatures and kill chain formatted indicators.
  • We identified (on a hunch) a new ISP that, after further analysis in the group, turns out to be a bad - really bad - ISP. After posting requests for information to the portal, we had members submit several HUNDRED pages of data supporting our initial hunch.
  • We were interviewed by Gartner this week after showing up in CSOOnline last week. I've known Anton through the Honeynet Project for years (and even before that!), so it was a really good talk.
As of this week, we've closed Founding Memberships in the financial sector. Founding Memberships are still available outside of the Banking/Finance industry, but they're closing fast too. Want one of those framed Plankowner Certificates? Membership rate guarantee? Advisory Board member? Unfiltered access to the portal? Founding members receive all of this with a half price membership for a two year commitment.

It's a warm sunny morning in New Hampshire. Time to fire up the diesel Kubota and spend the morning mowing the lawn and cleaning up the orchard. So, until next time.

Have a great weekend!
Jeff

Monday, May 07, 2012

Published: FR12-008 – “Team Taidoor” with updated TTP


FR12-008 details targeted spear-phishing aimed at a Red Sky member. Red Sky is tracking this group of attackers under the name Team Taidoor. Interestingly enough, Taidoor has been reported in open source for at least a year. FR12-008 includes a compiled list of more than 150 “Team Taidoor” indicators, with referencing in Kill Chain format, and details of what is believed to be a new downloader and possible updated team TTP. Red Sky analysts also crafted Snort signatures to detect on the new downloader as well as the Taidoor variant.

Another interesting characteristic of Team Taidoor is their continued and persistent targeting of specific individuals. If at first you don’t succeed, try, try, again! Symantec reported the targeting of one individual, referred to as “Mr. X” who received over 20 emails originating from Taidoor actors during 2011. Another source reports a Taidoor target as being the recipient of over 175 malicious emails over the course of 2010 and 2011.

Friday, May 04, 2012

Another great week. Fusion Report 7 published, new participants, and great analytics!


This week was a banner week. The week ended poorly for me, though - my car broke down, landing me at a dealer in Greenwich, CT, where I’m now typing my weekly update from a hotel room a mile away from the garage that now houses ‘Daisy’. It’ll be noon at least before I hit the road tomorrow. Luckily, my car is still under warranty. I guess if something bad needed to happen to offset all of the good this week, I’ll take it!
Here’s what we had happen this week:
  • Fusion Report 12-007 was published
  • Analytics are being prepared discussing what started as a hunch, now developing into a full analytic on a service provider hosting malware
  • Three new (GREAT) companies are now involved with Red Sky and our activity has grown amazingly well!
Fusion Report 12-007 was published earlier in the week. This one dealt with yet another group of sour apples. FR12-007 detailed the technical characteristics of the attacks, published three pages of qualified APT indicators in the kill chain format, and offered a bit of analysis on what we believe these sour apples were looking for. One thing I hear over and over is ‘whack a mole is hard’, so we’re now trying to help our Infosec members prioritize their efforts by pointing them (when possible) to targeted areas in their environments. I know when I was a CISO dealing with thousands of different technology areas, I would have greatly appreciated someone pointing me to the area that was being targeted… so we’re doing our best to do that now.
Presentations were made to two great tech companies in North Carolina - both of whom are now participating in Red Sky, and today on my way up 95 I stopped off to see some folks in northern NJ who are also now participating. These companies are going to make incredible additions to the Red Sky community, and one has already made significant contributions to a discussion around my next topic…
Earlier in the week we posted a blog entry on a ‘hunch’ about a service provider which we believe might have been hosting some malicious content. The hunch was based on blog entries showing an overseas user utilizing a small, remote ISP on the other side of the world. I couldn't help but wonder why! After a few rounds of ‘RFIs’ and answers coming back, log snippets from multiple companies and analysis from the membership and Red Sky team, I think we can positively call it out. It was a pretty nice success so early on, but heck, we’ve got a great team of folks participating.
To date, we’ve created over 170 new threads for 1100+ comments/analytics/discussions, with 8000 page views in the environment. We boast nearly 50 (very smart) individuals representing analysts, incident responders, and engineers from nearly a dozen companies.
We’re doing well. Hopefully I’ll be so lucky when I retrieve Daisy tomorrow!
Until next week,
Jeff



Monday, April 30, 2012

You should check us out now!

I didn't post over the weekend as I normally would. Our next fusion report is going to hit sometime this week - a little off our pace of one per week. No problem. We're not pacing our reporting on the calendar; it's based on when we see something that we really think needs to be looked at deeper and would hold value to the members. So look for an announcement for our next report sometime this week.

In the meantime, there are several of you that I'd reached out to earlier in the year when we were kicking off. I explained the benefits of a collaborative analytic operation; talked of massive upside for your companies; the ability to obtain protections before the attacks occur in your industry; low false positive rates on indicators... the list goes on. And do you know what's happened since going live on February 11th of this year? I believe we've proven our point:
  • Our very first fusion report detailed APT activity - from a simple request for malware analysis.
  • Our second and third discussed details of two different groups believed responsible for APT activities targeting two different industry segments. Had the victim received Report three two years earlier, when the other sector was being attacked, they would have been protected. Unfortunately they hadn't. They will next time.
  • Our last fusion report assisted an external non-member group and added a non-technical "Threat Activity Report" to the mix showing not only how the attacks occurred, but potentially what the group was looking for.  Need to show your management what the threat is without all of the technical jargon? This is the report for you. It's two pages long, high level, non-technical, and clearly shows areas this APT group is targeting.
All in all, we've come a LONG way since February 11th. The portal is up and operating nicely. We still have features we'd like to add (and we will), but a bunch of companies are talking, and we're now tracking on about 165 threads, have published seven new reports and farmed, collaborated on, and published over 200 indicators of APT compromise (or early warning indicators if you haven't seen them yet!). We've built out our 'three pillars' of analysis - discrete (malware, pcap, etc.), all-source technical fusion, and non-technical all source intelligence analysis... and the results are amazing.

So my invitation to you. If I talked with you earlier, but you were afraid of jumping into a new company, well, I'd invite you to have a look now while we're still filling Founding level memberships.

If you'd like to re-look Red Sky, contact me at jstutzman@redskyalliance.org today.

Jeff

Sunday, April 22, 2012

Just released - FR12-006

I wanted to see these analysis papers get released by the end of the weekend and by gosh, we made it just under the wire.

Fusion Report 12-006 was just published to the membership. It details targeting of the senior management team of a non-member group. About a week and a half ago we were asked to provide assistance. Our analytic team and members pitched in, offering a triage assessment the next morning. Today, after about ten days we provided a formal analysis of what we thought happened. Best? We were given only a few pieces of information and through the Alliance members (most of whom are currently analysts) and Red Sky analytic teams, we were able to come up with a couple of pages of new indicators, and confirmed that we believed it to be a known group of APT actors.

In addition (an added bonus!) FR12-006 was the starting point for a Threat Analysis Report (TAR12-001 - I'm not crazy about the name) which talks about what we believe may have been targeting objectives had penetrations been successful. It's interesting to hear members talk - they like micro-level indicators, but more importantly they all want to know "what are they looking for?". Infosec teams are growing tired of fighting the fight one IOC at a time. They're now asking "what do I need to protect first... then second... then third." TAR12-001 gives members our thoughts on "What were they looking for?" and will hopefully help them prioritize their efforts and, in time, help maximize their Infosec spend.

So... one more product in our tech fusion analysis line; one new product in our non-tech focused targeting and objectives. I'm loving the analysis. It's Sunday and I spent my day doing link analysis, one indicator at a time.

Last, I was asked the other day by a long time friend if I'd talk to her board of directors. She needs someone that can tell the story and help them understand the business implications of targeted threats. If you're interested in becoming a member, or if you'd like to have someone from Red Sky talk with your senior management team, CEO, or board, drop us a note. I'm preparing an educational piece for my friend as we speak and I'm a huge fan of 'write once use many'!

Until next time,
Jeff

Saturday, April 21, 2012

Red Sky Alliance Weekly update

Another terrific week for the members of the Red Sky Alliance. Lots of activity, hopefully wrapping up sometime this weekend with our next fusion report. This week we added three new Associate Member analysts and a new Founding Member to the Red Sky ranks.
  • Our first Associate Member provides the membership large scale open source translations from multiple languages and fuses the information with technical analysis to create reports that nicely complement the Red Sky technical Fusion Reports. While Red Sky isn't as much interested in attribution as information assurance, understanding how attackers work, think, communicate, etc., is critical to being able to be proactive in protecting member networks, and allows Red Sky analysts and members to more accurately depict real threats to their companies and environments.
  • Through a second Associate dedicating analytic support, Red Sky added the ability to perform data mining through multiple open and premium sources. This new capability resulted in notification and cleanup of over 200 previously unknown compromised computers!
  • Our newest member actually signed on late last week, but jumped in with both feet this week. We'd like to welcome this global 100 financial to the membership!
Red Sky continues to receive queries for membership. We're preparing to wrap up our "Founding" Membership offering in the Financial and Defense Sectors (I believe we have one Founding Member seat available in each).  Founding memberships are still available in other areas of industry including energy, high tech, IT/Networking, Aerospace, Oil/Gas.

If you're interested, please drop me a note

Have a great weekend!
Jeff

Saturday, April 14, 2012

Weekly status: Fusion Report five: "Subian" identified, named by Red Sky

Red Sky analysts posted Fusion Report 12-005 to the portal this week. FR12-005 details analysis of a previously unknown (by AV vendors) variant of Poison Ivy. Red Sky analysts have dubbed this version “Suibian”. The malware and TTPs associated with its use have been completely analyzed and posted to the membership for their inclusion in their own defense in depth. This is a great find!

Beyond that, here's a status for the end of the week:

  • Yesterday we added a new member to the mix. This company is a Global 200 (a $45 billion global financial). Their team is going to bring great value to the rest of the membership.
  • This week we assisted an external information sharing and analysis center in understanding a targeted attack by providing triage reporting and analysis.
  • We held our first Threat Day. I won't rehash the day, as I blogged it previously, but it was a small, very smart group. It was a GREAT day... and happy hour at the Ritz prior to was fun too!
  • We've partnered with a new data source company, giving Red Sky two of the three pillar analytic capabilities that I've wished to integrate. I'm meeting with two companies next week for the third.
I keep getting questions about "What's the difference between Red Sky and an ISAC?" One of them is bullet four. I believe that it's better to have smart people feeding us the right information rather than a feed of a lot of information. Think of Red Sky as a crowd sourced CIRT (without fly-away incident response teams), with both organic analysts and peer reviewed, trusted crowd sourcing inside the membership. Soon I hope to have automated 'tipping and queuing' offering warning services when a company shows up with unexpected peering, turns up in a blog entry somewhere, or data mining shows patterns of impending trouble. It's paying off. This week I was asked to present to DHS and one other analytic/sharing organization to help them with their own information sharing capabilities. I've been doing that a lot lately. I'm glad to help. I hope it does.

More next week.
Cheers!
Jeff

Thursday, April 12, 2012

First Red Sky Threat Day

We just concluded our first Red Sky Threat Day. What an amazing day. We started with the least interesting presentation of the day (mine!) followed by a discussion on gaining "layered attribution" through malware analysis, and wrapped formal presentations with a discussion on automation-assisted open source intelligence collection and analysis.

The group was small (10 I think?) but it was great. A quick "cyber real estate" inventory of companies participating revealed that the four companies represented by attendees manage approximately a million computers in over 140 countries in the world. Through the Alliance, these members get new information to help them protect their respective enterprises, and those enterprises reach almost every corner of the world!

Last, ever wish you could translate a web page to know what was being said (about you) in a foreign language blog? What if you had the capability to read hundreds of blogs in multiple locations with multiple languages and had the capability to turn that information into actionable, fused reporting that could help protect your network?

Our small group witnessed this new capability yesterday... It's coming to the Red Sky Alliance.

Standby. More to follow.
Jeff

Saturday, April 07, 2012

Weekly status: Red Sky Collaboration identifies entire malicious Class C

This week was another great week for the members of the Red Sky Alliance. It's funny. In my meetings with prospective members, they always ask about ROI and what they get for their membership fee. I talk of 'one stopped attack' and the cost of lost data with relative clarity.  I can say with relative surety that after this week, none of the current members are wondering what they get for their membership fee.
  • Red Sky released Fusion Report 12-004 this week. Red Sky analysts reported an entire European Class C as malicious and the addresses used for a shell game. We found it during analysis of a Banking/Finance submission. The report offered full malware analysis and details of the Class C subnet being used in the attacks. The submitter stated the Red Sky analysis was some of the best they'd seen. The analysis was performed using multiple sources, starting with the attack data as the trigger, followed by fusing open source intelligence information with corroboration from a product called ScoutVision. Multiple sources make for higher confidence assessments. The company blocked the Class C and requested permission to share the analysis with the FS-ISAC's Threat Intelligence Center. Since the incident affected only this company we agreed.
  • On April 3rd about 9PM UTC a Fortune 100 defense industry member reported spearphishing with "UPS C2". We know this TTP. While the company responded to the incident, Red Sky members performed analysis of malware, began victim notification/coordination with C2 and exfil machine owners, and coordinated identification of contact points from those companies where we had none. The submitter stated "nobody else offers this kind of service!". Red Sky knows the value of standing up command and control during incident response, but in this case the simple act of offering another set of eyeballs and external coordination went a long way. We called another well known company to tell them they'd had three machines being used in the attack. When the Director of Incident Response answered the phone, I stated my name and that I was with the Red Sky Alliance. She immediately said "I've heard of you. I think this is something we should be involved in."
  • Associate members Kyrus-Tech, Norman ANA, and LookingGlass now have dedicated analysts participating in Red Sky. All proved their value this week, and two have a new customer as a result. Vendors are welcome to join as Associate Members. Associate members pay a fee, participate in analysis, and are peer reviewed by readers just like any other member. Selling inside the portal is never allowed, but if vendors really can do what they say, this is where they get to prove it. These companies are proving it; the Red Sky membership is benefiting from the great analysis; and the vendors are earning new customers. It's a win-win-win.
  • This week Red Sky hired two new student interns and we're expecting a decision from a third by early this week. Two of the interns are Masters Degree students with the third a PhD. One will perform fusion report analysis, but the others are political science and criminal justice students (MS and PhD) who will begin authoring non-technical reports on targeting and trends. They'll be bringing experiences from studying violent criminal gang activities to the cyber realm!
That's it for now. As a reminder, Red Sky is hosting an invitation-only happy hour at the Ritz Carlton (DC/VA area) on Tuesday night and our first quarterly 'Threat Day' on Wednesday. If you'd like an invitation, please drop me a note.

Jeff

Tuesday, April 03, 2012

That's the way collaboration is SUPPOSED to work!

One of our members called "Wildfire!" today, meaning they were submitting information to the portal as they worked an incident. The member submitted log snippets showing exfiltration and C2 destinations as well as inbound sourcing, the malware, and a full copy of an email with the header intact.

Within minutes after the report, Red Sky began victim notification while the company worked the intrusion from the inside. When we needed a contact at an external company one of the other members chimed into the portal with a contact and then made an introduction. Victims responded to offending servers. The C2 and exfil paths were blocked by the member, and all external entities (except one, where we had to leave a VM) knew about the incident and were responding.

When the dust settled, one of the companies has asked for membership information and felt they too should be a member of the alliance. I'll have that meeting next week!

That's the way collaboration is SUPPOSED to work!

Jeff is happy today.

Saturday, March 31, 2012

Saturday night, and I'm VERY happy!

Why? I received a call yesterday from one of our members. We chatted about scale, automation, etc., but then I asked him how he liked our last Fusion Report. I was looking for feedback. There were some farming issues that we'll fix for the next one, but most importantly he told me "My team hates you!" (we're making them work!). When I asked if he was seeing anything from it, he told me "we're dropping all kinds of new stuff at our perimeter."

So why would such a simple sentence make me so happy?
  • The APT set went cross sector into a new target type
  • The guy who gave me the comment analyzes a LOT of indicators from a LOT of sources
  • The company has over 100 independent businesses and probably 150,000 computers. They have a VERY large perimeter
It makes me VERY happy that on our third report a director in a company of this size and stature in the Infosec community says about Red Sky "I'm sold on Red Sky!"

Red Sky contributed directly to identifying a new issue that he was able to push to his team and experience new results!

It makes me VERY happy!

Have a great weekend!
Jeff

Friday, March 30, 2012

Red Sky Alliance: End of week status- Been a great week!

Good morning!

It's been a pretty great week for the Red Sky Alliance and I'm driving back to NH tomorrow, so I thought I'd post a snapshot of the week this morning.
  • Two new members committed (one finance and one LARGE healthcare organization), and a third (Fortune 10) gave us the thumbs up on legal review!
  • We posted Fusion Report 003 showing a longtime APT group that had previously targeted defense industrial base companies now modifying their tactics slightly and going after the government policy shop in a bank. This was HUGE. It validates our model of collaboration in a smart way across industries offering months (in this case years) of early warning. 
  • We've got two new folks working on the backend of Red Sky as analysts, and the malware engine is coming along nicely.
  • One of our Associate members (Kyrus Tech) was involved in the Zeus Botnet takedown! You guys should reach out and talk to these guys. Great skunkworks handling hard problems!
  • We're now tracking on over 60 threads with companies from four industry sectors, and we've just opened discussion boards on HP/Arcsight and RSA/enVision.
It's been a great week!!
Jeff

Wednesday, March 28, 2012

Interesting developments

Two nights ago we posted a product inside the Red Sky portal based on an input from one of our more active members. At the time we thought it might be an early development, not associated with any groups, but authored the analysis anyway. When we were posting, we compared some of the IP space to other sources and found there might actually be a link. Yesterday we confirmed what we were looking at was not only an active APT set, but that they'd been active in the Defense Industrial Base companies for almost three years with little other activity, and now jumped to a completely new sector!

This is Red Sky's first real validation of what we've been talking about! Early warning comes from smart people talking to smart people in other sectors. When smart people share technical information, they tend to share better information than those receiving anonymized data or data in the aggregate.

Don't be a wallflower! It's about people talking to smart people!

Jeff
www.redskyalliance.org

Monday, March 26, 2012

New Red Sky Fusion Report: FR12-003.pdf : AS4808 Malicious Infrastructure and Malware

FR12-003.pdf: "AS4808 Malicious Infrastructure and Malware" was just posted to the Red Sky Alliance portal. This is our third fusion report. It came about from a seemingly innocuous report from a member reporting the incident. Upon further investigation by members, it appeared that the incident was more widespread than previously thought, and took advantage of individualized emails with different source addresses for each. One member reported approximately 700 emails in an environment of approximately 300,000 users.

"On 18 March 2012, a Red Sky member posted malware from a recent spear phishing incident to the Cyber Intelligence and Analysis Center portal. The malware called back to a malicious domain. Analysis of the domain revealed related infrastructure and open source malware samples. A total of three malware samples were analyzed: one provided by the partner, and two obtained from an open source malware dump. All three samples were linked to Autonomous System 4808 which is described in the report. Correlations between the various samples will be provided in the Malware Data section of this report. While no specific attribution was identified (we don't necessarily look for attribution, Red Sky focuses on IA), several of the IP addresses and domains used were tagged as APT address space by one of our sources."

At least two different sectors reported similar cases, but with individualized targeting characteristics.
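The pattern described above (hundreds of near-identical phishing emails, each with its own source address) is something a mail-log review can surface on its own. The script below is an added example, not tooling from the Red Sky portal or the Fusion Report: it groups inbound messages by what the sender keeps constant (subject and attachment hash) and flags groups where nearly every message arrives from a different sender, which is the opposite of how a legitimate bulk mailer behaves. The log lines, column names, addresses and hashes are constructed for the example; the thresholds are assumptions to tune per environment.

```python
"""Flag phishing campaigns that rotate the sender address per message.

Added example (not from the Red Sky post or portal). Constructed mail-log
sample; field names and thresholds are assumptions, not a real product format.
"""
from collections import defaultdict
import csv
import io

# Constructed sample: one spear-phishing wave with a unique sender per mail,
# one legitimate newsletter from a single sender, and two unrelated messages.
SAMPLE_LOG = """\
ts,sender,recipient,subject,attach_sha256
2012-03-16T20:01:02Z,lnguyen@mailhost-a.example,alice@corp.example,Updated Q2 budget,3f2a9c
2012-03-16T20:01:09Z,rparker@mailhost-b.example,bob@corp.example,Updated Q2 budget,3f2a9c
2012-03-16T20:01:15Z,dchen@mailhost-c.example,carol@corp.example,Updated Q2 Budget,3f2a9c
2012-03-16T20:01:22Z,mrossi@mailhost-a.example,dave@corp.example,Updated Q2 budget,3f2a9c
2012-03-16T20:01:30Z,jkim@mailhost-d.example,erin@corp.example,Updated Q2 budget,3f2a9c
2012-03-16T20:01:41Z,asmith@mailhost-e.example,frank@corp.example,Updated Q2 budget,3f2a9c
2012-03-16T20:05:00Z,news@mailer.example,alice@corp.example,Weekly digest,
2012-03-16T20:05:01Z,news@mailer.example,bob@corp.example,Weekly digest,
2012-03-16T20:05:02Z,news@mailer.example,carol@corp.example,Weekly digest,
2012-03-16T20:05:03Z,news@mailer.example,dave@corp.example,Weekly digest,
2012-03-16T20:05:04Z,news@mailer.example,erin@corp.example,Weekly digest,
2012-03-16T20:09:10Z,vendor@supplier.example,frank@corp.example,Invoice 4471,9b1e77
2012-03-16T20:11:45Z,hr@corp.example,erin@corp.example,Benefits reminder,
"""


def parse_log(text):
    """Parse the CSV mail log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_rotating_sender_campaigns(rows, min_messages=5, min_sender_ratio=0.8):
    """Return groups of messages that share subject+attachment but rotate senders.

    A group is reported when it has at least `min_messages` messages and the
    fraction of distinct sender addresses is at least `min_sender_ratio`.
    Subject comparison is case-insensitive so trivial casing changes don't
    split the campaign.
    """
    groups = defaultdict(list)
    for row in rows:
        key = (row["subject"].strip().lower(), row["attach_sha256"].strip().lower())
        groups[key].append(row)

    hits = []
    for (subject, attach), msgs in groups.items():
        if len(msgs) < min_messages:
            continue
        senders = {m["sender"].strip().lower() for m in msgs}
        ratio = len(senders) / len(msgs)
        if ratio < min_sender_ratio:
            continue  # single or few senders: looks like a mailer, not a rotated phish
        hits.append({
            "subject": subject,
            "attach_sha256": attach,
            "messages": len(msgs),
            "unique_senders": len(senders),
            "sender_domains": sorted({s.split("@", 1)[-1] for s in senders}),
            "recipients": sorted({m["recipient"] for m in msgs}),
        })
    return hits


if __name__ == "__main__":
    for hit in find_rotating_sender_campaigns(parse_log(SAMPLE_LOG)):
        print(f"campaign: subject={hit['subject']!r} attach={hit['attach_sha256']} "
              f"msgs={hit['messages']} senders={hit['unique_senders']} "
              f"domains={hit['sender_domains']}")
```

The grouping key is the part an attacker is least likely to vary; if the campaign also rotates subject lines, key on the attachment hash or the URL in the body alone. The recipient list in each hit is what the incident responder needs first, since those are the mailboxes to pull the message from.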


If you're not receiving these reports, please contact us (jstutzman@redskyalliance.org) or sign up for our mailing list at launch.redskyalliance.org.

Collaboration is working!
Jeff

Saturday, March 24, 2012

Status - Red Sky Alliance

Good morning all! It's Saturday morning and I've had an incredible week at the Honeynet Project Annual Workshop. This year's event was held at Facebook out in Menlo Park. Nice. Even during travel, startups don't stop. It's been busy!

So here are this weeks updates to Red Sky Alliance:
  • We've added a new member! We're up to eight now, with more requesting our presentation and demo every week. This is great news!
  • Hacked! This week our external facing website was hit with an iFrame redirect attack. We knew it would happen, and it did. The website was back online quickly, although the original sits on a machine in MD. We posted a one page marker until I get back tomorrow and upload the original. 
  • Success! New malware was posted to the site by one of the members. Within an hour, two others posted analysis. One of them was Norman, using their new G2 Malware Analyzer. In both pieces of analysis, the submitting member was immediately given four new pieces of information which allowed them to block C2, and then do incident response. 
  • Upcoming "Threat Day": Preparing to host a "Threat Day" on April 11th at Defense Group's Vienna facility. No vendors allowed; only members and presenters. This should be a great day. Doing happy hour at the Army Navy Club the night before.
  • Our Norman G2 suite has shipped! We'll be online soon. Einar is hiring 15 new analysts/engineers and they're gearing up to support Red Sky Alliance. This is going to be a great partnership!
We've also posted a 'launch' site. We've only been online since mid-February (if you can believe it!). We've received a number of emails asking for more information, and I'm finding it easy to lose track and make sure everyone gets answered. To make sure I'm not dropping anyone through the cracks, I've added launch.redskyalliance.org to allow folks to sign on if they've got interest. I'm hoping it'll help with my organizational skills!

That's it for now.
Have a great week!
Jeff

Thursday, March 22, 2012

Last day for me...

Thursday morning. Blogging before packing while I prepare for my last half day with the Honeynet Project. I haven't (nor will I) post about some of the goings-on, but I'm here to tell you.. things really have changed since I started as a member in (ahem) '97? '98? Hell. I'm too old to remember I guess.

Regardless, we've gone from WU_FTP hacks to botnets. From 'step away from your keyboard' to botnet profiling, big data, SSH honeypots, Android exploitation/forensics, HPFeeds, and a dozen other topics I've kept in my notes but can't recall at 6:22AM. There were project members from 26 countries represented, and I've made it my mission to have a conversation with every one of them. I believe I've succeeded.

Anyway, this is going to be a short note. It's been terrific seeing everyone again. It's been five years since my last annual workshop (at Lance's house.. when things were much smaller). I hope to hear from you guys again, and see you next year.

Ciao (or should I say Cheers!, Kampi!, Proz!)
Jeff

Monday, March 19, 2012

Honeynet Annual Meeting (the day before)

I arrived about 2PM PST yesterday in San Jose. Even on a 'cold day', northern California is really nice this time of year.

I feel like I'm giving confession.. Forgive me Father, it's been five years since I've attended a Honeynet Annual Meeting. My last was five years ago at Lance's house. I expected to walk into the hotel and see a bunch of aging guys, grey, bald, overweight (all of which happened to ME in the last few years!) but what I found was actually a nice surprise. Yeah, the old crowd was here, but we were WAY outnumbered by the younger crew. In the end I spent probably 30 minutes with Max Kilger -one of my favorite conversationalists. Max is a PhD behavioral psychologist. He and I were the two 'non-geeks' when the project kicked off years ago. We authored a paper called "Know Your Enemy: Statistics" outlining and demonstrating very simple early warning techniques for inbound attacks. Max specialized in behavioral trends. I focused on non-technical intelligence.

Last night we had the opportunity to compare notes five years later. I'm sure we'll have more, but last night was fun. Max is writing models to code data to predict cyber activity in today's world. Wow. I've always taken the 'keep it simple stupid' approach -measuring defects, looking for anomalies. Max on the other hand has a world of data at his fingertips to mine, twist, and see what comes out. Wow.

Anyway, it's 5:41AM. I'm still on EST, so I've been up for a while. It's time to hit the showers and get ready for the day. I'm excited to see what these new young Honeynet thinkers have in store for me!

J

Saturday, March 17, 2012

Did you experience "large scale phishing" last night?

Good morning!

At approximately 8PM (UTC) last night a member of the Red Sky Alliance posted a note and initial snippets of a 'large scale phish'. It turned out the phish affected multiple companies across the membership. Three of them and two analysts from the Red Sky Alliance team came together to quickly diagnose the event as a team.

This phish is still being monitored in the membership and we'll wait to see what happens over the weekend, but we had four participants from three industry sectors looking at 'large scale phishing'. At least two different mails were received, both showing different senders for each of thousands of emails received.

Threat analysts and incident responders in real time communications with threat analysts and incident responders in other companies, in other sectors, comparing notes and quickly diagnosing issues they're seeing on their networks.

Great job to all involved! This is exactly what the Red Sky Alliance is all about!

Jeff

Tuesday, March 13, 2012

Posting our second Fusion Report!

Red Sky just posted our second Fusion Report. The report offers an analysis of a set of APT actors, how they operate, and indicators to both identify, and protect from their current MO. 

What is the Red Sky Alliance? Red Sky Alliance is a real time private cyber neighborhood watch (42 second video) and when needed, an out of band ‘war room’.  Inside the portal members share information about current advanced threats and assist each other with analysis, best practice, and preventing future attacks. On the back end, Red Sky analysts use the information to author Fusion Reports that detail, in a clear and cohesive way, all information known about the subject. The Fusion Report includes an executive summary, detailed analysis, mitigation recommendations, and a list of indicators in an easy to use Kill Chain format. 

It's a small start, but this is our second fusion report in as many weeks. You asked for value beyond simple collaboration..  we're delivering... and we're going to keep delivering.

Jeff 

Thursday, March 08, 2012

Great day! Great week!

This has been a long week for me. I'm back in the DC area talking to just about anyone who will listen about Red Sky Alliance and the need to be able to talk CISO-to-CISO, Analyst-to-Analyst, Incident Responder-to-Incident Responder in a private forum. The phones have been ringing. Beside the sheer amount of interest, we've had a few really good things happen this week:
  • One new company requested membership. The company handles (get this) one million one millions of dollars in transactions every day! This is a great company with a great infosec team. They're going to make a super addition to the growing list of high quality infosec teams now participating.
  • I spent this morning at the Senate. I've been asked to provide inputs to pending cyber (IA) legislation --how (or if) government should have a role, what it might look like (from a real world perspective), and what the biggest issues are in sharing this kind of information. 
  • We kicked off a new discussion in the group this week under the heading "Tips, Tools, and Taxonomy". One of the best guys in the space has a pilot running to aggregate and describe (in incredible detail) how cyber indicators can be shared in a machine to machine format. The best part? It's not about the amount of data, it's about extracting the RIGHT data to allow good decision making. Evidently this gent talked about Red Sky Alliance in another information sharing partnership, and we've started receiving calls from them! 
  • We posted our first analysis (we call it a Red Sky Alliance Fusion Report) based on a member submission. The analysis detailed what happened, how it can be stopped in the future (with a snort signature), and aggregated a simple list of indicators in a format that allows a reader to simply copy and paste them into a sensor. You asked for analysis and we delivered. And we're going to keep delivering! 
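The two things the first Fusion Report delivered, a Snort signature and an indicator list in a copy-and-paste format, are connected: an indicator list that carries the kill-chain phase can be turned into sensor rules mechanically. The script below is an added example and not the Red Sky report format or tooling. It takes a small constructed indicator list (RFC 5737 test addresses and reserved example domains), skips anything that is not a network indicator or that fails validation, and emits one Snort rule per usable indicator; domains are matched as DNS wire-format labels so the rule fires on the lookup rather than on a hostname string that may never appear in cleartext. The phase names follow the Lockheed Martin kill chain, which the 'Kill Chain format' mentioned in these posts is assumed to refer to; the SID range is an assumption.

```python
"""Turn a kill-chain-tagged indicator list into Snort rules.

Added example, not the Red Sky Fusion Report's own format or tooling.
Indicators below are constructed; SID base and rule shape are assumptions.
"""
import ipaddress
import re

# Constructed indicator records. "phase" is the kill-chain phase the report
# would tag the indicator with; only network indicators become rules.
INDICATORS = [
    {"phase": "c2", "type": "domain", "value": "update.svc-check.example"},
    {"phase": "c2", "type": "ip", "value": "203.0.113.45"},
    {"phase": "c2", "type": "ip", "value": "203.0.113.999"},      # malformed, must be skipped
    {"phase": "exploitation", "type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},  # host indicator, not for Snort
]

# One DNS label: letters, digits, hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def dns_wire_content(domain):
    """Encode a domain as a Snort content match on DNS wire-format labels.

    'a.example' -> '|01|a|07|example|00|' : each label is prefixed with its
    length byte (Snort's |hex| syntax) and the name ends with a zero byte.
    Raises ValueError on a label that is not a valid DNS label.
    """
    parts = []
    for label in domain.lower().rstrip(".").split("."):
        if not _LABEL.match(label):
            raise ValueError(f"bad DNS label {label!r} in {domain!r}")
        parts.append(f"|{len(label):02x}|{label}")
    return "".join(parts) + "|00|"


def to_snort(indicators, base_sid=1000001):
    """Return (rules, skipped). Rules get consecutive SIDs from base_sid.

    skipped is a list of (indicator, reason) for records that produced no rule.
    """
    rules, skipped = [], []
    sid = base_sid
    for ind in indicators:
        phase, kind, value = ind["phase"], ind["type"], ind["value"]
        msg = f"RSA {phase.upper()} {kind} {value}"
        try:
            if kind == "ip":
                ip = ipaddress.ip_address(value)  # ValueError if malformed
                rule = (f'alert ip $HOME_NET any -> {ip} any '
                        f'(msg:"{msg}"; sid:{sid}; rev:1;)')
            elif kind == "domain":
                content = dns_wire_content(value)
                rule = (f'alert udp $HOME_NET any -> any 53 '
                        f'(msg:"{msg}"; content:"{content}"; nocase; sid:{sid}; rev:1;)')
            else:
                skipped.append((ind, f"{kind} is not a network indicator"))
                continue
        except ValueError as exc:
            skipped.append((ind, str(exc)))
            continue
        rules.append(rule)
        sid += 1
    return rules, skipped


if __name__ == "__main__":
    rules, skipped = to_snort(INDICATORS)
    print("\n".join(rules))
    for ind, why in skipped:
        print(f"# skipped {ind['type']} {ind['value']}: {why}")
```

Validating before emitting matters more than it looks: a single malformed line in a pasted indicator list will stop Snort from loading the whole rules file, so the skipped list is what you review rather than the sensor's error log.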
It's been a great week --and it's not even over yet!

Jeff

Thursday, February 23, 2012

Red Sky Alliance status report

Good evening all!

This is my second week as a full time employee with the Red Sky Alliance, so I thought I’d offer a status report. So I’ll start from the top:

  • The site went live on February 1st. It looks great. There are still some features that we’re working through - better authentication, encrypted instant messaging, and automated means for collecting information from the site, correlating it, and parsing it into a kill chain format. All three are well underway. 
  • Since going live, we’ve had a group of hand picked expert analysts from several great companies participating in the site, providing feedback, and sharing current indicators about the newest APT activities.
  • On the 10th, as you may know, I wrapped up as the Director of the DoD/DIB Collaborative Information Sharing Environment and became Red Sky’s COO/VP for Collaborative Research and Analysis. On my first day, I flew to Tokyo with the folks from Delta Risk, World Bank, Lockheed Martin, and US-CERT to speak with the JPCERT and several of its members about the importance of sharing attack information.
  • Last, in response to member requests, we’re adding features to the portal, and adding strategic alliances as “Associate Members”.  
    • A malware analysis capability is being added to the backend of the Red Sky portal. I’m happy to announce that we’ve inked a deal with Norman to purchase the Norman G2 Malware Analyzer suite of tools. Norman has also agreed to support the Red Sky Alliance membership with analysis provided by the Director of their Malware analysis shop –an old friend and long time Honeynet member, Einar Oftedal. Once fully online, we’ll be able to process up to 40,000 pieces of malware per day.
    • Kyrus-Tech has been added as an Associate Member in the “Vendors and Consultants” space. Kyrus-Tech created Carbon Black — a slick way of doing desktop forensics remotely. Again, I’ve known Mike Tanji for a long time. He’s a smart guy with a smart team.
    • Delta-Risk has been added as an Associate Member. Delta-Risk performs Anti-APT strategies. Adam Lange came from AFCERT and is a great source of 'APT best practice' information. Adam can be found in the "Vendors and Consultants" space. (NOTE: Associate Members are restricted to non-analytic spaces in the portal, but are available for questions. Please feel free to peer review their information as you would with anyone else in the portal!) 
    • I’m sitting on a panel at Georgetown where we’ll be discussing cyber, public-private partnerships, and APT in the financial services community. 
My calendar is quite busy. It's a good thing. I’m back in NH with membership conversations with two companies by phone and one in-person along the way. I’ll be in and out of Boston and Hartford over the next week or so, responding to membership presentation requests.

Kampi!
Jeff

Friday, February 10, 2012

Turning the page to the next chapter!

I write this with both great anticipation and great sadness. Most, when leaving work, author an email telling everyone how much they've enjoyed working with them, leaving behind one parting message to their teammates as they head out into the sunset. I didn't do that. In fact, for the last month or so, I've prepared my team as best I can, with written turnover guidance and a RACI chart for the next Director. If he/she is new, I want them to at least know the battle rhythm and who to talk to during the course of normal business, and if they find themselves in crisis mode. I think it's a holdover from my Navy days when officers created turnover guides for their successor. I like the practice, and left a binder with the 5Ws for the next guy on my desk.

That said, while I am extremely happy about moving on, I'm also saddened about leaving my current job. You see, for the last three years I've run a group of analysts at one of DoD's hidden jewels -- the DoD Cyber Crime Center (DC3 for short). DC3 is about as large as the lunch staff in one of the larger organizations, but cranks out some of the most amazing digital/multimedia forensic, cyber analysis, cyber training, R&D and outreach work that I've seen. This is by far, one of the best jobs I've ever had, and for all of you geeks, one of the best places to work if you want to bury yourself in data and want to have the flexibility to run with your own ideas. It's an amazing place! My piece was as the Director of the DoD/DIB Collaborative Information Sharing Environment (DCISE --an acronym only DoD could come up with.. say 'dice' for short). DCISE is comprised of the Defense Industrial Base-Computer Emergency Response Team (DIB-CERT), two other deep analysis technical teams,  and an intrusion analysis section in the lab of about 20 malware analysts and forensic examiners. Since 2008, DCISE analyzed and published findings on over 1000 APT-focused incident reports and produced over 21,000 early warning, or indicators of compromise to 36 of the largest defense contractors, a dozen or so of the largest banks and DoE labs.... over 7 million computers are managed by the partnership we served! Wow! I had the opportunity to build this.. my way. What a ride! It's now operating smoothly, and a few months ago, went through the appraisal for CMMI. It's going, stable, funded, and well positioned for the future!

So, what's next for me? I like fixing broken things and building new.

Tomorrow I'm traveling to Japan to talk to the JPCERT about the benefits of sharing cyber information, and about the Red Sky Alliance. The Red Sky Alliance is a closely woven group of trusted incident responders and security pros sharing and comparing notes on intrusions they're seeing.. all in real time in the privacy of their own portal. It's still early, and the portal has some growing to do, but we've got several companies participating today, and have about a dozen more in the pipeline heading toward the membership process. While that gets off the ground, I'll be working part time for a company called Delta-Risk where I'll be authoring anti-APT strategies, working with Infosec teams, and whatever else comes along. Regardless, next week is JPCERT. The following week is a speaking engagement at Georgetown and then, Mad River Glen for some 'Ski it if you can!' time with the kids!

So, by the time this posts later today, I'll no longer be Jeff Stutzman, DCISE Director, DAFC. I'll be Jeff Stutzman, CIO and VP Collaborative Research and Analysis at Red Sky Alliance. I look forward to talking with many of you about joining over the coming days, weeks and months.

Jeff

Wednesday, February 01, 2012

Red Sky Alliance Portal is live!

It took us a couple of months, and there are still a couple of features I'd like to see added, but the Red Sky Alliance collaboration site is finally a reality! The site went live today and has representation from four companies with great infosec teams. What a concept, give great teams a place to let them talk in private, give them tools, and share infosec data from the people who fight the fires every day!

There is an endless supply of news, research by marketing firms, vendor hype and (ahem) expert analysis. I'd rather have a talk with a smart incident responder than a market analyst any day!

Jeff

Saturday, December 31, 2011

Banking/Finance well represented in Red Sky Alliance!

We're preparing to go live with the Red Sky Alliance portal. We've been working hard to invite the right companies to participate --they must participate, contribute, and be interested in building a smart, interactive community to share data on hard problems they face -espionage, fraud, theft.

I'm happy to say that we've received commitments for three large financial institutions to kick off the membership as Founders. I'm most happy that these institutions are known to have great infosec shops who already know each other, and offer the highest possible probability of sharing high quality threat and incident data. Our Founding memberships will be rounded out soon for Banking/Finance, but we still have a couple of openings in other areas.. We currently have membership invitations out to members of the Defense, Energy, and Retail sectors both in the US and abroad. We're not chasing critical infrastructure, and encourage international participation. So if your company is experiencing APT, denials of service, theft of data, or other hard problems, don't go it alone! Join the Red Sky Alliance and get some help!

Interested? Request an invitation.  jstutzman@redskyalliance.org or jmckee@redskyalliance.org

Happy New Year all!
Jeff

Wednesday, December 07, 2011

EXCELLENT report by ENISA

The European Network and Information Security Agency (ENISA) publicly released the following report today:

Proactive detection of network security incidents (report)

This report describes available external sources of information and internal monitoring tools which can be used by CERTs to improve their capabilities to detect network security incidents.

This is one of the best reports I've read in a while. Bravo Zulu (that's Navy for great job!) to the authors!

This report is co-authored by a number of folks that I recognized immediately.. many are FIRST (maybe all?) but one of the best things in the report is how CERTs share information, detailing the pros and cons. In the end however, the document calls out data sharing as the most effective way to proactively stop attacks before they're allowed to occur. Powerful stuff. Easier said than done however. 

Data formats must be light and low in false positives;
Legal constraints are ALWAYS an issue;
Trust between participants is critical... tech feeds without knowing who's on the other end don't work;
The right information must be shared in the right way... protected;
Information sharing organizations are less effective when the memberships don't know each other.


It's a long read, but a must read. 
Great job to the authors.


Jeff

Sunday, December 04, 2011

Survey - Smartphone security

Please take a moment and answer this one question survey for me? I'm interested in understanding public perception of smartphone security.

http://linkd.in/vGeahI

Thanks,
Jeff

Saturday, December 03, 2011

Red Sky Alliance is growing!

The Red Sky Alliance is growing!

  • Three new companies are expected to join us -one more large bank, one small bank, and a nuclear energy plant have all committed and are in various stages of entering the membership.
  • One new executive has been added to the ranks of our advisory board. A more formal announcement will be made later, but our newest board member is an EVP with a Fortune 100 financial institution and currently serves as the head of their Threat and Intelligence organization.
  • Red Sky now has a LinkedIn Group, and with only a few days online, boasts an impressive constituency: nearly half from the Infosec CXO and VP ranks, and the rest a few hand selected consultants (for their ability to add real value to Infosec discussions).
So please, jump in. The Red Sky Alliance is only as good as the membership it serves. You can join the group, follow us on Twitter (@redskyalliance), or check out our website (www.redskyalliance.org).

I look forward to seeing you in the boards!
Jeff

Monday, November 28, 2011

Red Sky® Alliance named Industry Partner of the CISO Executive Network for Private Information Sharing and Collaboration

This is great news! As many of you know I've been doing a bit of consulting to the Red Sky Alliance. The Alliance is a private social networking site where members can talk to each other in a trusted forum (The theme song to "Cheers" is running through my head right now). The site is set up with mature rules for vetting new members, and complete peer review for anyone participating. Enjoy private instant messaging, running forums, even private groups (that don't show up in search results) inside the system that may be used for out of band communications for, well, choose your occasion.. incident response perhaps?

That said, building trust online begins with building trust in person. The CISO Executive Network has done amazing work in bringing CISOs from all kinds of companies into trusted forums in person, and is now recommending the Red Sky Alliance as a venue to extend those relationships online for private collaboration.

Press Release:

11/21/2011 - Red Sky® Alliance named Industry Partner of the CISO Executive Network for Private Information Sharing and Collaboration

Red Sky® Alliance is happy to announce that it has been named an Industry Partner of the CISO Executive Network.

Building trust between companies starts with building trust between people. “CISO Executive Network has done amazing work in developing trusted relationships among information security executives,” said Jim McKee, President, Red Sky® Alliance. These relationships are central to the trust required when sharing highly sensitive threat information in the Red Sky® Alliance private networking environment. “We can’t begin to emphasize how important these personal relationships are when building collaboration among companies,” notes Bill Sieglein, Founder and CEO of CISO Executive Network. “We are pleased to recommend Red Sky® Alliance for private collaboration among our members.”

About CISO Executive Network: The CISO Executive Network is a peer-to-peer organization dedicated to helping information security, IT risk management, privacy, and compliance executives to be more successful. It accomplishes this mission by providing opportunities for those professionals to meet periodically in their local cities to share with one another and hear from industry experts.

======================================

More to follow later on Red Sky Alliance, but for now know, we've got world class analysts in the backend to 'keep the conversation moving', analyze activity (and malware), and help companies strategize on how best to cope with the new threats.

www.redskyalliance.org

Cheers!
JLS

Thursday, November 24, 2011

Blackberry Playbook.. Number 8 turkey? Not in my book!

It's Thanksgiving morning. I'm watching the Macy's parade and had vowed that I wouldn't open my computer. Well, we know how that goes.. it's like crack. And speaking of crack, I just read an article that offered up the ten 'turkeys' of 2011. Most I agree with except one... (this is where I get to the crack part)...

The Blackberry Playbook. My crackberry only better. I'm here to tell you, this is one of my favorite tech toys. When I used to carry my MacBook everywhere I went (I'm a crazy Mac fan.. have been since WAAAYYYY before it was cool), I now leave the MacBook at home and carry the Playbook everywhere I go. Let me tell you why... For $300 I bought a device that mimics my favorite phone -the Blackberry Torch 9810 --the 4G model. Between the two devices -my phone which tethers to the Playbook as a 4G modem and the Playbook with a slightly larger screen, I get 4G speeds on the same plan as my phone (I could have cracked it with free 4G but chose not to). So it falls under the same all you can eat plan I had before, all of the applications of the Blackberry Torch (which I also love --mostly the tactile touch of the keyboard) and now full functionality of a tablet with 4G, an incredible display, and at a great price. Last, as a long time Infosec guy, I got to see the OSD Deputy CIO speak at the ACT/IAC Executive Leadership Conference in Williamsburg last month. Rob stood in front of an audience of about 800 of us at lunch time and told us how and why he believed Blackberry to still be the safest mobile platform. I'm not going to channel Rob or try and recount the quotes, but I've seen the presentation a couple of times now. I'm a believer.

Ok, it's off my chest. I love my Macs, but I also love my Torch/Playbook combo. 4G ( ...yes, I know what the H+ means on my display), all of my blackberry apps, the tactile touch of the keyboard if I get so frustrated on the glass that I absolutely MUST have it, and the ability to manage/edit documents on a slightly smaller more convenient platform than others --all wrapped in a more secure platform (as described by sources I tend to believe) to be more secure than the iPad and Android platforms? I'm a happy guy.

Happy Thanksgiving everyone! I'm going back to the Macy's Parade :)

JLS

Wednesday, November 16, 2011

Infosec and beer! It's a hit!

A bit of a hiccup last night. In my invitation I called out the Westin but gave the link to the Sheraton. The hotels are side by side up in Linthicum Heights. Nonetheless, it was a great turnout and happy hour was terrific. It was really good seeing many of you again! Who knew Delta flight crews were so Infosec savvy?

Anyway, next time we'll pick a non-hotel venue.. I'm thinking maybe Max's Taproom in Fells Point? Any suggestions?

Jeff

Tuesday, November 15, 2011

Happy hour tonight?

Sheraton Linthicum Heights, MD

http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=1495

5:30 ish?

See you there!
Jeff

Friday, November 11, 2011

Three days of CISO summits...

I've spent the last three days in two different information sharing forums, having no less than four industry segments talk about what's happening in APT in their environments. Tuesday and Wed were spent with about 150 of my closest DIB, banking/finance, and communications sector friends, and yesterday with healthcare CISOs at the CISO Executive Network Annual Healthcare Summit.

My sample size is only about 100 companies across the four sectors, and not exactly scientific in my methods, but here's what I found out:

1. Every CISO wants to do the right thing.
2. Most know about APT, but only a few actually have the resources to protect themselves.
3. The hype can be overwhelming. While many know, APT means a lot of things to a lot of people, including now a subset of APT - Anti-Exploitation Threats (AET) --those anti-forensic techniques taken by attackers. I'm not sure they're actually different, but I am sure a new name is being tossed around.
4. CISOs don't know how to talk to their management about APT, and therefore can't articulate the need for resources.

Here's the good stuff:

1. There was an entire presentation yesterday about how CISOs can articulate gaps in defenses using compliance language and graphics. I learned something new, and will probably call the company for a demo!

2. CISOs want to do the right thing!

3. Information sharing works! When CISOs can get in a room, either physical or virtual, without threat of oversight, regulatory pressures, etc., they talk! And when they talk, everyone gets something.

Before I leave.. I've got a few RSVPs for Happy Hour on the 15th. Drop me a note!

JLS

Saturday, November 05, 2011

In search of Infosec talk and beer... two of my favorite things!

It's Saturday morning. I'm having coffee and doing my required reading looking for opportunities to have happy hour next week with a few information security folks in the S. Baltimore area. Thought it might be fun to get a small group going to share insights over a beer and wings.

My first stop was LinkedIn. I have to say, I love LinkedIn. I'm a long time user. Don't really care for Facebook or the others but I like LinkedIn. I thought I might send a note to a few of my contacts who are close enough to not have to go out of their way, but also who might actually have fun sharing information and experiences with others in my network. So I pulled four names from my contacts list. I'm generally pretty good about vetting those with whom I connect, so those names are rock solid. They're all either CISOs or have been CISOs, but all have mad analysis skills, and frankly, are just plain fun to talk to!

Then I thought it might be fun to expand my search to figure out who might be in local groups that might share similar experience. While I'm not really interested in having a full blown morning conference, it might be fun to at least see who's around that might be fun to chat with another time. What'd I find? I found great stuff -I'm a daily reader of Cyber Aurora. Love it. I also found some not so great stuff. I'm not sure I'd like to out groups -they seem to thrive, but there's just SOOO much crap out there. In groups that would seem like no-kidding groups of smart folks, the marketing hype is knee deep! I remember once seeing someone with their arm over their head. I asked what he was doing. He replied he was saving his watch because the crap was rising fast (he used a different word!). It's what I'm seeing in many of the Infosec groups, and much of the noise we're hearing from vendors, a ton of startups, and seemingly in the news. One news guy I used to know (a CNN guy) used to say "If it bleeds it leads!". APT bleeds. One might also add to that... "If it bleeds it leads, and generates revenue!". I believe most vendors (based on personal experience in hearing the pitches) don't have any experience fighting APT. I'll tell you, I heard one L7 content monitoring and filtering (a data protection company) tell thirty CISOs in a conference room that his product (and his product alone) could stop all APT exfiltration. Hmmm.

So here's the deal. I'm looking for a few folks to pull together a local happy hour meet-up. Heck, I'll buy the first round. Here's what I'd ask.. Be a commercial infosec practitioner (I talk to government people all the time!). Have an opinion! I'd love to hear your thoughts on infosec (especially APT), trends you're seeing, products you use..

Join me? I'm looking at Tuesday 11/15 about 5. Location TBD.. I'm open to suggestions.

Jeff

Friday, October 28, 2011

Information Sharing... part 3/3

This is the third part of a three part post. I started with "you don't know what you don't know" moved to "pick one!", and now I'm moving into sharing of information.

I built, and now operate a cyber information sharing organization. While I can give you a 100% guarantee that I've not gotten it 100% right (yet), I know from recent feedback that every one of them enjoys the broadened situational awareness and each and every one has improved their security postures. They share cyber analysis, stories, and data. More than that, the vast majority now run 24/7 security operations centers who look for and act on data coming from the information sharing environment and each other! Sharing information helps the tactician identify and act, it helps the manager allocate resources on the most pressing issues, and it helps senior managers measure themselves against baseline. Best of all? It makes you safer by knowing what the other guys are seeing and allows you to take advantage of strengths/skills in other organizations that you may not be able to fill yourself.

Bottom line? If you're not talking to your peers, you're already two steps behind in this cyber environment.

So where can you go?

Immediate thoughts:
  • SANS Internet Storm Center has been around since Y2K (I was there! I was one of the first watch standers keeping vigil and maintaining comms during the transition). The Storm Center is one of the better places to share information, although data can be time-late. The ISC is a free service offered by SANS.
  • The Information Sharing and Analysis Centers (ISACs) represent nearly every segment of industry and are operated through membership fees. One issue I have with the ISAC structure is the requirement to anonymize all submissions. This results in the loss of ability for an analyst to actually ask questions of the originator.
  • Red Sky Alliance is a newcomer. I've watched from the sidelines and offered a bit of pro bono consulting in the past couple of weeks. I also sold them a trademarked name and domain ;) I like the idea. The thought is real time sharing of information in a private setting with a trusted membership and a small cadre of back-end analysts to keep things moving. Again, Red Sky Alliance will be operated through membership fees. I don't believe the company has the site operational yet, but there is a video and demo site running and I know they've been signing on Founding Members. I'd expect to see them go live sometime in November of this year.
  • The Forum of Incident Response and Security Teams (FIRST) and Government equivalent (GFIRST) have also been around for a long time. I was an early member of FIRST during my days as an analyst at the Navy's Fleet Information Warfare Center in 1996, and again as the head of Cyber Threat Analysis and Intelligence at Northrop Grumman from 2007-2009. FIRST hasn't changed much. They require an up-front inspection of your security operation, issue a PGP key, and let you participate in multiple lists. I'm not convinced FIRST has kept up with the times in terms of information dissemination but they get the word out and do share information.. and they offer a pretty cool technical conference!

In many worlds, the phrase "publish or perish" rings true. Many careers have been made and lost on the publish or perish paradigm. I'd suggest publish or perish is also going to hold true in information security as we move forward and APT threats become more and more ubiquitous. Publish, talk, compare notes with your peers and others. Don't be afraid to go outside of your peer group for information that you may not have been exposed to.

Talk, publish, listen, compare notes, protect your environment.

JLS

Friday, October 21, 2011

Pick a standard and stick to it

Over the course of the last 15 years, I've watched information security grow and mature as a practice. One thing I've come to realize however is that the process end of the infosec business is more important than ever - especially in light of the new APT landscape.

Here's the story of two companies:

Companies A and B are global tech companies.. Four years ago both companies were worth approximately $16B each.

Both companies suffered APT attacks over the course of the last four years.

Company A stuck their head in the sand hoping it'd go away.

Company B developed world class process using ISO for their infosec guidelines. They participated in information sharing with their peers, built a SOC, practiced response. The company created amazing processes, practiced them, measured everything and fine tuned them until they got it right. When the attacks hit, they were prepared. The global organization is now wired for information security.

What happened?

Company A is still alive, but struggling. They lost the lion's share of their stock value!

Company B is landing contracts all over the world, teaching others how to do best practice information security.

Who would you rather be? Not Company A you say? Take the following lessons learned and go do it starting today!

Great information security organizations invest in three things...

  • People
  • Process
  • Technology

People: My tale of two companies is very similar to another as told by Alan Paller of SANS. Alan talks of the "Story of Two Agencies". I've seen it a couple of times. In short, he talks of two teams, both hit by APT actors. One team had solid technology but didn't have operating guidelines, training, analytic curiosity, or direction. The second team had basic technology with a highly trained, very curious team with practiced incident response processes... who do you think fared best? The second team of course! The team stopped the attacks with minimum damage, shared indicators with their peer community and was able to quickly implement controls to stop future attacks. Team one was completely owned. I hear this story repeated at least weekly, and heard it again today from companies I've been working with for the last couple of years.

Process: Great process leads to great results. It's that simple. Information security teams who know what to do under 90% of the circumstances they will encounter, and have practiced those actions, operate under the premise (a military phrase) of "command by negation". Command by negation means that during conflict commanders can do whatever is needed according to predefined rules/processes and have a pre-specified deep, practiced understanding of how they must execute. Information security teams must also have this same pre-specified deep, practiced understanding of how they must execute, and must not allow variance in process during times of attack. Pick your infosec model. ISO, NIST, ITIL, whatever.. just pick one. Then build your organization using sound process around one of these models. Do it right from the start. Get management buy-in, find your early wins, and don't stop normalizing the way you do business.

Technology: Tools and toys don't cut it. Knowing how to get the most out of your current tools by understanding exactly where they fit in your strategy, and as importantly where your gaps are, is critical. Find places where technology can replace repetitive manual processes (SIEM, manual correlations, lookups, etc.), and leverage your people where they're strongest - analytics, response, operations.

How do you create a mature organization that can survive the fog of war created by persistent threats? By creating an organization who knows what to do every time. Plenty of options exist today... ISO, NIST 800, or ITIL are great places to start. For my day job, I 'matured' my organization by using the Capability Maturity Model Integration Services provider model (CMMI-SVC). Over the course of the last two years we undertook an aggressive process engineering and training agenda. When we started this undertaking, it took my team over 44 days to perform a single triage analysis of an APT event. Today it takes less than five and we're heading quickly to 72 hours with added automation. For me, the recognition that we were a service provider of information security analysis services (we do only APT analysis in a public/private information sharing organization) led me to the belief that process was every bit as important as the technologies used to manipulate data, and that if I didn't have people curious enough to work the process, nothing else matters. My team will fail. I've also watched CISOs in some very large organizations (approx 60 of them) go through similar process engineering exercises. Those who picked a standard (for information security) and implemented solid, repeatable process around those ISO, NIST, ITIL, etc., practices, are FAR more successful at battling APT today than those who don't. Don't be fooled into thinking you can survive without it. You can't. APT actors practice solid command and control and process. You must as well.

More next time!
JS

Sunday, October 16, 2011

On Information Sharing... Most companies don't know they've been had!

I saw an interesting piece of text from Mandiant the other day. It was prepared for testimony (I'm presuming to Congress) discussing APT. It went something like this...

“More than 90 percent of the breaches Mandiant responds to are first detected by the government, not the victim companies.” (Kevin Mandia, CEO of cyber security firm Mandiant Corp., in prepared testimony).

Dozens (probably more) of examples prove this statement. Search the news. Generally companies fall into two main categories when they find out.. denial, or they fight. Denial rarely works, and fighting it results in rapid escalation. Regardless, your business is in danger.

So what's a company to do? Start thinking strategically. Come up with a plan for mitigating current badness already in the environment, WHILE maintaining business operations, AND planning for future strategies for minimizing or mitigating future attacks, AND ensuring you'll be able to operate in your new-found understanding that your networks are now untrusted.

This is where we start thinking about steps two and three in my previous post...

2. Build solid process (for operation and incident response). Pick a model and stick to it.
3. At this point you MUST start talking to your peers, and others. You wouldn't try and sell a product without knowing what your competitors (peers) are selling (what sells, and what doesn't). Why would you try and implement strategy without knowing how well your chosen processes will work (what works and what doesn't, before you spend any money!)?

For now, start looking around... there are lots of public sources of information.. SANS, NCFTA, FIRST, and a newcomer, RedSkyAlliance.org. From a government assistance perspective, DHS/US-CERT.

Be prepared. It's not a question of 'if', or 'when'. It's 'what are you going to do when someone tells you there's a problem?'

More next time.
JS

Friday, October 14, 2011

On Information Sharing...

Going to tell you.. I'm a long time straight stick IT guy, gone Intel/Information Warfare then Information Security (for the last 15 years or so?), and I've not had so much fun, nor realized the value of Information Sharing until my last three years running an information security sharing organization wrapped around a CERT and Analysis shop. I'm not going to take a lot of time to tell you what that is. You can check out my bio and look at the web page; rather I'd like to take a moment and tell you about the value proposition I've come to realize over the course of my tenure.

Not a day goes by without a new story in the news depicting company losses from (ahem) Advanced Persistent Threats (APT) - a term coined by a guy named Greg Rattray several years ago during his active duty career. At the time, the term APT seemed pretty spot-on. Since however, those APT threats have become far more ubiquitous, and now I'm more convinced they should be called Omnivorous Persistent Threats - OPT. Malware, computers beaconing, and bandwidth consumed is becoming more common than not, and most importantly, the vast majority of companies don't even know they've been successfully attacked!

I'm here to tell you, the most valuable information security lesson I've ever learned has been learned in the last five years - INFORMATION SECURITY PRACTITIONERS MUST STOP LISTENING TO VENDORS AND START TALKING TO EACH OTHER. Vendors want to sell you stuff. Your peers are working hard to stop the same attacks you are. More importantly, the threats change as your ability to protect yourself changes. Even the most sophisticated shops lack the 100% capability to foil every attack.

I'm preparing to speak at a conference for healthcare CIOs. I'm going to give them three words of wisdom:

1. Most companies attacked by APT don't know it until someone else tells them they've been owned.
2. Pick a standard infosec model, implement solid processes, do it well, and don't shoot at protecting everything. Protect that information most important to your organization and build solid controls around the rest.
3. Talk to your peer companies. They're getting hit with the same things you are. Lone wolves starve in the cold. The packs survive.

More next time. I've got to update the block list in my UTM.

JS