Red Sky weekly wrap-up – 6/29/12

We held our offsite, starting with happy hour at the Union League of Philadelphia and a day of talks in the boardroom of one of our members in Delaware. The portal, as a result was slow. No fusion reports this week.

Regardless, our Threat Day was a fantastic success.

·      Early polling of the members suggest all left happy with the way the day went. I know this group was larger than last time, and this one, unlike the last was members only.

·      We issued our first “Plankowner Certificate” to our first Founding Member. The senior member of each team receives an 18” x 24” professionally framed, matted certificate.

·      We recognized our top 10% peer reviewed analysts. We do this each quarter, and at the end of the year they’ll receive a certificate and a certification good for one year. It goes like this: If a member peer reviews in the top 10% over the previous 12 months of their participation, they’ll be recognized as “Red Sky Certified” (RSc), and can use the designation as a certification behind their name. I like the idea of certification through peer review over the course of a year. 

·       We’ve got a couple of new research items – standardizing means of communicating, tests of linguist capabilities beyond the main threat areas, and the addition of new capabilities to the Red Sky portal.

So, positive trends, building face-to-face trusts, and growing collaborative capabilities.

Have a great weekend!

Jeff

Red Sky Alliance weekly wrap-up. FR12-013 released.

Another busy week for the Red Sky Alliance! FR12-013 released.

I’m almost glad it’s Friday night. I’m exhausted… although I’m having a heck of a lot of fun in my new job!

It's been a fun week. The work never stops. This is a major pace change from my previous life in the government. Work stopped at the end of the day. I slept, and went back at it. Now the lines seem to blur. It's 9:30 and I'm writing a blog and a paper. I was at it at 6:30 this morning, and nearly every waking minute is devoted to ensuring the success of the Red Sky Alliance.

What's been keeping me so busy?

·      Earlier this week we released our latest fusion report (FR12-013), which offered supplemental information on Team Taidor activities, including new malware and a slight shift in TTPs.

·      Following up from the Gartner conference last week, one new member has decided to join the Alliance. The prospective member (they still need thumbs up from our Advisory board) is another large Managed Security Service Provider. This will be two for us, and if you’ve heard me speak about scaling the protective capabilities of Red Sky, you’ve heard me talk about bringing MSSPs into the alliance.

·      We wrapped an important evolution in Red Sky. We’ve completed (with the exception of a few outliers) the integration of our new authentication mechanisms. As we head into the second generation portal, adding new services, this is going to be more and more important. We’re moving forward on a mission, and with a plan!

·      Last, we’re holding our quarterly face-to-faces next week with Happy Hour at the Union League of Philadelphia followed a one-day “Threat Day” in Delaware. We look forward to these sessions with our members, and this will be our first members-only event. So far we’re expecting about 20 people –a really nice size for great conversation!

So, it’s been a great week, and next week looks to be even more fun. I’m looking forward to seeing everyone in Philadelphia (drinks on me!) and the following day in Delaware.

Have a great weekend!
Jeff

Red Sky Weekly Wrap-up

I’m just back from nearly four full days at the Gartner Risk and Security Summit held at the National Harbor in MD. This is one of my favorite conferences. There’s SO much activity. If you don’t like the presentation you’re in, go next door. Chances are you’ll like that one! Besides coming home with the ‘conference crud’, this was a great week.

Gartner was terrific for me, and for Red Sky. For me personally it meant reconnecting many of the connections lost during my last couple of years working for the government. It’s easy to do, and I (inadvertently) let them go.  For Red Sky however, it was a very different story.  On my second day I sat in on an earlier session by Dan Blum. Dan was talking about information sharing. Much of his talk was really on ‘security intelligence’, or in my lexicon, aggregation of loads of data, but maybe not actionable knowledge.  I was just about ready to bail when he brought up the next slide and said he’d heard about a new group called the ‘Red Sky Alliance’ and it sounded promising.

I raised my hand and told him that I was the COO. There were several questions, and after the meeting I presented and demo’d to him and three others at a huddle table in the hotel.  I ran the presentation over my blackberry, but the slowness of my connection didn’t seem to bother them at all. They got it; and best of all, I think they loved it. Long story short? Seven new companies will be mailed our membership package this week. I fully expect all seven will come into the portal (I’ve already received confirmation from one!).

Why? The model produces actionable results.

·       This week we issued our newest Fusion Report. It is number 12. FR12-012 talks about another domain in the dynamic DNS category, but calls out more unique indicators of how to track, and mitigate the activity. This fusion report seems to have created a bit of a following inside the portal, as several companies’ contributing analysts have commented on how well done the reporting is, and have offered other pieces of information that might be added (we’re all about crowd-sourcing!).

·      We’re tracking a new piece of code suspected of utilizing an 0-day. If true, it’ll be third we’ve identified.

·      We’ve got a couple of new threads going. One is a new group (at least for me); I don’t recall ever seeing this on in my past lives. Regardless, a member who has been tracking it for a few months, sent it in, and it is now a popular topic.

·      Our Associate Members from Kyrus, LookingGlass, and Norman are cranking up the analytic volume. This week we opened vendors to previously restricted analytic areas of the portal. For the last several weeks, members have been asking them for analysis, and they’ve come through nicely. I’ve talked with the vendors and they agree—no selling in the portal, but I can’t think of a better way to demonstrate capabilities to a high quality companies than actually doing real work for them! On top of that, they’re peer reviewing nicely and getting feedback on their work! Nice!

·      Last? Our blog is about to click past 10,000 hits since March! Wow!

So it’s been another GREAT week in the Red Sky Alliance! I know you’re probably tired of reading that, but the boards are on fire. Analysts are talking. New members (GREAT new members) want to come in. And, we’re being asked to speak to companies and their boards about how great companies operate with the threat of targeted attacks and APT.  We have people in St. Louis, Baltimore/Washington, and New England. We’re happy to schedule time to help.  

Until next time, have a great weekend.

Jeff

Red Sky Alliance weekly wrap-up - Fusion Report 11 published

It’s been a busy week.  Fusion report 10 was published late last week and Fusion Report 11 on Monday night this week. Fusion Report 11 was identified as a high confidence tightly targeted attack against a tech company who only joined just two weeks ago. What timing!

We’ve got a lot of things going on.

·      We’re preparing to host our second quarterly face-to-face ‘Threat Day’. This one will be hosted at the end of the month at a member site outside of Philadelphia. Cocktails the night before will be at the Union League. It’s a great place for happy hour, and we’re looking forward to getting together with our members!

·      We’re working through integration of our Norman MAG2 Analyzer, and beginning the planning for our first big data node.

·      I attended AT&T’s security conference this week. Great group of folks. Absolutely enjoyed the conference! Good to catch up with several folks that I hadn’t seen in a while.

Anyone who knows me knows how much I love metrics! Earlier this week I was asked by a board member in another information sharing environment what our participation looked like. At the time I answered off the cuff, but after looking at our numbers this morning, here’s what I found out:

We kicked off (live) in mid-February of this year. At the time, the portal was an empty shell…. No data. Since then we’ve worked hard to sign up new trusted members, get communications moving, author fusion reports, etc. In May we noted a nice uptick in member adoption. Today we host approximately a dozen companies, and if I trust my math, 88% of our participants authored three or more entries in May. It may not sound like a lot, but let me tell you what that equates to since mid February:

·      Over 250 active threads with over 9000 page views and comments

·      11 Fusion reports have been read or commented on 757 times by 43 people

·      Since going live, our malware lab has received 42 submissions, received 1047 crowd-sourced comments from by 44 users, and resulted in nine Fusion Reports.

·      1280 qualified indicators of targeted attacks pushed to the membership with another several hundred spanning three years, submitted this week by a non-member.* We published the indicators, all of which are believed to be involved in targeted attacks against this company, but they're currently undergoing correlation and qualification.

* Interestingly enough, we’ve started receiving requests for assistance from non-members ---connections to others during incident response, non-members interested in pushing targeted attack information through our members, and requests for speakers. We’re happy to help.

Crowd sourcing analytics works. Collaboration works.

Until next time,

Jeff

Fusion Report 10 (FR12-010) published!

I’m happy to announce that we’ve just published our next Red Sky Alliance Fusion Report. I’ve been waiting for this one. I can’t believe we’re at ten pieces of finished technical analysis already.  FR12-010 discusses a remote access Trojan (RAT) used in some of the newer targeted attacks.

While not prompted by a member submission, we felt it necessary to analyze and report. This specific tool has been leveraged by one of the more sophisticated cyber adversaries today. Red Sky analysts provided signature and artifacts associated with this malware and also included a snapshot of the actor's methodology. The paper details our analysis, and provides our members with two new Snort signatures, and a couple of dozen new indicators of compromise that may be copy/pasted directly into their defense in depth infrastructure.

A couple of key stats (now that we're at report 10!)

• To date we've published over 1200 indicators of targeted attacks to the membership,  analyzed through crowd sourcing in the portal and via Red Sky analysis. 
• 59 member/analysts are now tracking over 220 active discussion threads all relating to targeted attacks and emerging threats.
• Inside the portal, members have logged over 5000 page views with the Fusion Reports topping the list. In fact, our last report (detailing the activities of one ISP) was one of our most popular. Visits to two areas in the portal - "Incident Response Corner" followed closely by "Security Intelligence" were next runners up.

Bottom line. This is exciting stuff and it's great fun to be an information security pro!  --a story... anyone who knows me will tell you I love to tell them...  I met Vint Cerf a few months back. I told him "Thank you!". Because of him, I've paid off my home, bought the car (a really nice car!), and made my career. Because of him (and the new threats), I'm cruising in on 50, balding, slightly overweight (ok, maybe more than slightly.. ), and finally cool! and you know what? So are all of the other 58 members that I talk to on a daily basis!! 

It's a fun time to be an Infosec pro!

Until next time,

Have a great week!

Jeff

 

Red Sky weekly update - pre-Memorial Day weekend

It's Thursday afternoon, and I'm expecting a very hectic day tomorrow so I thought I'd author my weekly blog today before heading into the Memorial Day weekend.

It's been a heck of a week!

Fusion Report 9 set off bells and whistles with a number of folks inside the membership. We've probably got a half dozen new ISPs just like the one we reported on Monday that are now going into the analysis queue.

The portal has been on fire this week... very busy! One of the best things is our newest addition. Yesterday one of the members asked for assistance in contacting an international company. Within an hour of the request we had JPCERT in the portal with an offer to assist. This morning we had one of their incident response analysts involved. You see, this is not just a US problem. It is a global problem. Red Sky wants international participation. It's critical.

Our team is growing!

• Chris Hall has accepted a position leading Technical Analytics. Many of you know Chris. He and I were together at the DoD Cyber Crime Center... I know what you're thinking. It's bad form to cherry pick your last employer. Well, for the record, I didn't. He'd moved on a year ago. He starts terminal leave in two weeks and will be coming into Red Sky after a short vacation. We're very excited! Chris will lead a team of analysts and will be both technical analysis lead and act as our community manager.
• We've brought in a new Business Development manager. This guys' a retired Navy Captain from the acquisitions/logistics community, but he's been doing big data integration projects for several years. We've had a number of approaches by vendor/partners who bring incredible capability to the table. We need someone who can drive these relationships to win-win solutions. I'm confident we've found the right guy!
• We've also brought in a new CIO. He's been handling IT Program Management for a medium sized defense contractor. Our portal is growing and so are the services, feeds, storage requirements, etc. We're happy (I'M happy!) to have someone managing our infrastructure -even if he is still part time with us.. for now!

Changing gears -

Every year I put on my Navy short sleeved whites (admittedly, I had to buy a bigger uniform a few years ago)  and take my kids to the Memorial Day Parade. I live in a small town in New Hampshire of about 3500 people, of which roughly 10% are Veterans and full members of the American Legion. We love the military up here, and the idea of putting on my old uniform, ribbons, clean hat, shined shoes, and then using Memorial Day as a teaching moment for my young girls is something I look forward to, and do, every year.

Please, in your own way, take a moment and remember our Veterans, active duty military, and their families this weekend. Freedom isn't free.

Until next time,
Have a great Memorial Day weekend!
Jeff

Weekly update; Fusion Report 12-009 was just posted

It’s been another great week in the Red Sky Alliance!  

This week was the week of the FS-ISAC meeting.  As a result, participation was a little light, but nonetheless, we had some pretty cool stuff happen.

Fusion Report 12-009 was just posted to the portal. It tells the story of an Internet service provider in the US whose only customers are apparently international (ahem) entrepreneurs, including details of one man’s empire of fraud, domains, and a laundry list of malicious activity. The report gives our membership over 400 new domains, malicious emails and subnets that they may now simply ‘block’. This report was interesting because it wasn’t based on an incident responded to by a member, rather translations of open source information by one of our analysis teams which suggested that an international "security professional" was using a rural US-based ISP for their service. The question ‘why?’ lead us to some interesting findings from the membership, and in the end, a great read!

On Wednesday, another Founding Member joined the Alliance and our Advisory Board; this one from the Defense Industrial Base. This is a smaller company ($1.5 billion in annual revenue and 300 federal contracts in intelligence, defense, homeland security and the aviation industry) but the company has a GREAT Infosec team that will make an incredible contribution. The cross sector nature of the Alliance is rounding out nicely! Welcome!

Also on Wednesday we analyzed a suspected targeted 0-day. Many of the Alliance members assisted, and the output will be a formal Fusion Report showing how it plays into the bigger scheme of the group using it. I’m very much looking forward to Fusion Report 10!

Until next time,
Have a great week!

Jeff

Red Sky Weekly Update - 5/12/12

Morning all,

It's been another great week.

• On Monday we released our eighth Red Sky Fusion Report detailing a long known attacker group using of a new process! 17 pages of analytics and three pages of snort signatures and kill chain formatted indicators.
• We identified (on a hunch) a new ISP that after further analysis in the group, turns out to be a bad -really bad ISP. After posting requests for information to the portal, we had members submit several HUNDRED pages of data supporting our initial hunch.
• We were interviewed by Gartner this week after showing up in CSOOnline last week. I've known Anton through the Honeynet Project for years (and even before that!), so it was a really good talk. 

As of this week, we've closed Founding Memberships in the financial sector. Founding Memberships are still available outside of the Banking/Finance industry, but they're closing fast too. Want one of those framed Plankowner Certificates? Membership rate guarantee? Advisory Board member? Unfiltered access to the portal? Founding members receive all of this with a half price membership for a two year commitment.

It's a warm sunny morning in New Hampshire. Time to fire up the diesel Kubota and spend the morning mowing the lawn and cleaning up the orchard. So, until next time.

Have a great weekend!
Jeff

Published: FR12-008 – “Team Taidoor” with updated TTP

FR12-008 details targeted spear-phishing aimed at a Red Sky member. Red Sky is tracking this group of attackers under the name Team Taidoor.  Interestingly enough, Taidoor has been reported in open source for at least a year. FR12-008 includes a compiled list of more than 150 “Team Taidoor” indicators, with referencing in Kill Chain format, and details of what is believed to be a new downloader and possible updated team TTP. Red Sky analysts also crafted SNORT signatures to detect on the new downloader as well as the Taidoor variant.

Another interesting characteristic of Team Taidoor is their continued and persistent targeting of specific individuals. If at first you don’t succeed, try, try, again! Symantec reported the targeting of one individual, referred to as “Mr. X” who received over 20 emails originating from Taidoor actors during 2011. Another source reports a Taidoor target as being the recipient of over 175 malicious emails over the course of 2010 and 2011.

Another great week. Fusion Report 7 published, new participants, and great analytics!

This week was a banner week. While the week ended poorly for me –my car broke down landing me at a dealer in Greenwich, CT where I’m now typing my weekly update from a hotel room a mile away from the garage that now houses ‘Daisy’. It’ll be noon at least before I hit the road tomorrow. Luckily, my car is still under warrantee. I guess if something bad needed to happen to offset all of the good this week, I’ll take it!

Here’s what we had happen this week:

·      Fusion Report 12-007 was published

·      Analytics are being prepared discussing what started as a hunch, now developing into a full analytic on a service provider hosting malware

·      Three new (GREAT) companies are now involved with Red Sky and our activity is grown amazingly well!

Fusion Report was published earlier in the week. This one dealt with yet another group of sour apples. FR12-007 detailed the technical characteristics of the attacks, published three pages of qualified APT indicators in the kill chain format, and offered a bit of analysis on what we believe these sour apples were looking for. One thing I hear over and over is ‘whack a mole is hard’, so we’re now trying to help our Infosec members prioritize their efforts by pointing them (when possible) to targeted areas in their environments. I know when I was a CISO dealing with thousands of different technology areas, I would have greatly appreciated someone pointing me to the area that was being targeted… so we’re doing our best to do that now.

Presentations were made to two great tech companies in North Carolina –both of whom are now participating in Red Sky, and today on my way up 95 I stopped off to see some folks in northern NJ who are also now participating. These companies are going to make incredible additions to the Red Sky community, and one has already made significant contributions to a discussion around my next topic…

Earlier in the week we posted a blog entry on a ‘hunch’ about a service provider whom we believe might have been hosting some malicious content. The hunch was based on blog entries showing an overseas users utilizing a small, remote ISP on the other side of the world. I couldn't help but wonder why! After a few rounds of ‘RFIs’ and answers coming back, log snippets from multiple companies and analysis from the membership and Red Sky team, I think we can positively call it out. It was a pretty nice success so early on, but heck, we’ve got a great team of folks participating.

To date, we’ve created over 170 new threats for 1100+ comments/analytics/discussions, with 8000 page views in the environment. We boast nearly 50 (very smart) individuals representing analysts, incident responders, and engineers from nearly a dozen companies.

We’re doing well. Hopefully I’ll be so lucky when I retrieve Daisy tomorrow!

Until next week,
Jeff

You should check us out now!

I didn't post over the weekend as I normally would. Our next fusion report is going to hit sometime this week --a little off our pace of one per week. No problem. We're not pacing our reporting on the calendar, it's based on when we see something that we really think needs to be looked at deeper and would hold value to the members. So look for an announcement for our next report sometime this week.

In the mean time, there are several of you that I'd reached out to earlier in the year when we were kicking off. I explained the benefits of a collaborative analytic operation; talked of massive upside for your companies; the ability to obtain protections before the attacks occur in your industry; low false positive rates on indicators... the list goes on. And do you know what's happened since going live on February 11th of this year? I believe we've proven our point:

• Our very first fusion report detailed analysis detailed APT activity --from a simple request for malware analysis. 
• Our second and third discussed details of two different groups believed responsible for APT activities targeting two different industry segments. Report three, had it been received by the victim two years earlier when the other sector was being attacked, would have been protected.  Unfortunately they hadn't. They will next time.
• Our last fusion report assisted an external non-member group and added a non-technical "Threat Activity Report" to the mix showing not only how the attacks occurred, but potentially what the group was looking for.  Need to show your management what the threat is without all of the technical jargon? This is the report for you. It's two pages long, high level, non-technical, and clearly shows areas this APT group is targeting.

All in all, we've come a LONG way since February 11th. The portal is up and operating nicely. We still have features we'd like to add (and we will), but a bunch of companies are talking, and we're now tracking on about 165 threads, have published seven new reports and farmed, collaborated on, and published over 200 indicators of APT compromise (or early warning indicators if you haven't seen them yet!). We've built out our 'three pillars' of analysis - discreet (malware, pcap, etc.), all-source technical fusion, and non-technical all source intelligence analysis... and the results are amazing.

So my invitation to you. If I talked with you earlier, but you were afraid of jumping into a new company, well, I'd invite you to have a look now while we're still filling Founding level memberships.

If you'd like to re-look Red Sky, contact me at jstutzman@redskyalliance.org today.

Jeff

Just released - FR12-006

I wanted to see these analysis papers get released by the end of the weekend and by gosh, we made it just under the wire.

Fusion Report 12-006 was just published to the membership. It details targeting of the senior management team of a non-member group. About a week and a half ago we were asked to provide assistance. Our analytic team and members pitched in, offering a triage assessment the next morning. Today, after about ten days we provided a formal analysis of what we thought happened. Best? We were given only a few pieces of information and through the Alliance members (most of whom are currently analysts) and Red Sky analytic teams, we were able to come up with a couple of pages of new indicators, and confirmed that we believed it to be a known group of APT actors.

In addition (an added bonus!) FR12-006 was the starting point for a Threat Analysis Report (TAR12-001 - I'm not crazy about the name) which talks about what we believe may have been targeting objectives had penetrations been successful. It's interesting to hear members talk - they like micro-level indicators, but more importantly they all want to know "what are they looking for?". Infosec teams are growing tired of fighting the fight one IOC at a time. They're now asking "what do I need to protect first.. then second... then third."  TAR12-001gives members our thoughts on "What were they looking for?" and will hopefully help them prioritize their efforts and in time, help maximize their Infosec spend.

So... one more product in our tech fusion analysis line; one new product in our non-tech focused targeting and objectives. I'm loving the analysis. It's Sunday and I spent my day doing link analysis, one indicator at a time.

Last,  I was asked the other day by a long time friend if I'd talk to her board of directors. She needs someone that can tell the story and help them understand the business implications of targeted threats. If you're interested in becoming a member, or if you'd like to have someone from Red Sky talk with your senior management team, CEO, or board, drop us a note. I'm preparing an educational piece for my friend as we speak and I'm a huge fan of 'write once use many'!

Until next time,
Jeff

Red Sky Aliance Weekly update

Another terrific week for the members of the Red Sky Alliance. Lots of activity, hopefully wrapping up sometime this weekend with our next fusion report. This week we added three new Associate Member analysts and a new Founding Member to the Red Sky ranks.

• Our first Associate Member provides the membership large scale open source translations from multiple languages and fuses the information with technical analysis to create reports to nicely compliment the Red Sky technical Fusion Reports. While Red Sky isn't as much interested in attribution as information assurance, understanding how attackers work, think, communicate, etc., is critical to being able to be proactive in protecting member networks, and allows Red Sky analysts and members to more accurately depict real threats to their companies and environments. 

• Through a second Associate dedicating analytic support, Red Sky added the ability to perform data mining through multiple open and premium sources. This new capability resulted in notification and cleanup of over 200 previously unknown compromised computers!

• Our newest member actually signed on late last week, but jumped in with both feed this week. We'd like to welcome this global 100 financial to the membership! 

Red Sky continues to receive queries for membership. We're preparing to wrap up our "Founding" Membership offering in the Financial and Defense Sectors (I believe we have one Founding Member seat available in each).  Founding memberships are still available in other areas of industry including energy, high tech, IT/Networking, Aerospace, Oil/Gas.

If you're interested, please drop me a note. 

Have a great weekend!
Jeff

Weekly status: Fusion Report five: "Subian" identified, named by Red Sky

Red Sky analysts posted Fusion Report 12-005 to the portal this week. FR12-005 details analysis of a previously unknown (by AV vendors) variant of Poison Ivy. Red Sky analysts have dubbed this version “Suibian”. The malware and TTPs associated with its use have been completely analyzed and posted to the membership for their inclusion in their own defense in depth. This is a great find!

Beyond that, here's a status for the end of the week:

• Yesterday we added a new member to the mix. This company is a Global 200 (a $45 billion global financial). Their team is going to bring great value to the rest of the membership.
• This week we assisted an external information sharing and analysis center understand a targeted attack by providing triage reporting and analysis. 
• We held our first Threat Day. I won't rehash the day, as I blogged it previously, but it was a small, very smart group. It was a GREAT day... and happy hour at the Ritz prior to was fun too!
• We've partnered with a new data source company, giving Red Sky two of the three pillar analytic capabilities that I've wished to integrate. I'm meeting with two companies next week for the third.

I keep getting questions about "Whats the difference between Red Sky and an ISAC?" One of them is bullet four. I believe that it's better to have smart people feeding us the right information rather than a feed of a lot of information. Think of Red Sky as a crowd sourced CIRT (without fly-away incident response teams), with both organic analysts and peer reviewed, trusted crowd sourcing inside the membership. Soon I hope to have automated 'tipping and queuing' offering warning services when a company shows up with unexpected peering, turns up in a blog entry somewhere, or data mining shows patterns of impending trouble. It's paying off. This week I was asked to present to DHS and one other analytic/sharing organization to help them with their own information sharing capabilities. I've been doing that a lot lately. I'm glad to help. I hope it does.

More next week.
Cheers!
Jeff

First Red Sky Threat Day

We just concluded our first Red Sky Threat Day. What an amazing day. We started with the least interesting presentation of the day (mine!) followed by a discussion on gaining "layered attribution" through malware analysis, and wrapped formal presentations with a discussion on automation-assisted open source intelligence collection and analysis.

The group was small (10 I think?) but it was great. A quick "cyber real estate" inventory of companies participating revealed that the four companies represented by attendees manage approximately a million computers in over 140 countries in the world. Through the Alliance, these members get new information to help them protect their respective enterprises, and those enterprises reach almost every corner of the world!

Last, ever wish you could translate a web page to know what was being said (about you) in a foreign language blog? What if you had the capability to read hundreds of blogs in multiple locations with multiple languages and had the capability to turn that information into actionable, fused reporting that could help protect your network.

Our small group witnessed this new capability yesterday... It's coming to the Red Sky Alliance.

Standby. More to follow.
Jeff

Weekly status: Red Sky Collaboration identifies entire malicious Class C

This week was another great week for the members of the Red Sky Alliance. It's funny. In my meetings with prospective members, they always ask about ROI and what they get for their membership fee. I talk of 'one stopped attack' and the cost of lost data with relative clarity.  I can say with relative surety that after this week, none of the current members are wondering what they get for their membership fee.

• Red Sky released Fusion Report 12-004 this week. Red Sky analysts reported an entire European Class C as malicious and the addresses used for a shell game. We found it during analysis of a Banking/Finance submission. The report offered full malware analysis and details of the Class C Subnet being used in the attacks. The submitter stated the Red Sky analysis was some of the best they'd seen. The analysis was performed using multiple sources, starting with the attack data as the trigger followed by fusing open source intelligence information with corroboration from a product called ScoutVision. Multiple sources make for higher confidence assessments. The company blocked the Class C and requested permission to share the analysis with the the FS-ISAC's Threat Intelligence Center.  Since the incident affected only this company we agreed.

• On April 3rd about 9PM UTC a Fortune 100 defense industry member reported spearphishing with "UPS C2". We know this TTP. While the company responded to the incident, Red Sky members performed analysis of malware, began victim notification/coordination with C2 and exfil machine owners, and coordinated identification of contact points from those companies where we had none. The submitter stated "nobody else offers this kind of service!". Red Sky knows the value of standing up command and control during incident response, but in this case the simple act of offering another set of eyeballs and external coordination went a long way. We called another well known company to tell them they'd had three machines being used in the attack. When the Director of Incident Response answered the phone, I stated my name and that I was with the Red Sky Alliance. She immediately said "I've heard of you. I think think this is something we should be involved in."

• Associate members Kyrus-Tech, Norman ANA, LookingGlass now have dedicated analysts participating in Red Sky. All proved their value week, and two have a new customer as a result. Vendors are welcome to join as Associate Members. Associate members pay a fee, participate in analysis, and are peer reviewed by readers just like any other member. Selling inside the portal is never allowed but if vendors really can do what they say, this is where they get to prove it. These companies are proving it; the Red Sky membership is benefiting from the great analysis; and the vendors are earning new customers. It's a win-win-win.

• This week Red Sky hired two new student interns and we're expecting a decision from a third by early this week. Two of the interns are Masters Degree students with the third a PhD. One will perform fusion report analysis, but the others are political science and criminal justice students (MS and PhD) who will begin authoring non-technical reports on targeting and trends. They'll be bringing experiences from studying violent criminal gang activities to the cyber realm!

That's it for now. As a reminder, Red Sky is hosting an invitation-only happy hour at the Ritz Carlton (DC/VA area) on Tuesday night and our first quarterly 'Threat Day' on Wednesday. If you'd like an invitation, please drop me a note.

Jeff

That's the way collaboration is SUPPOSED to work!

One of our members called "Wildfire!" today, meaning they were submitting information to the portal as they worked an incident. The member submitted log snippets showing exfiltration and C2 destinations as well as inbound sourcing, the malware, and a full copy of an email with the header intact.

Within minutes after the report, Red Sky began victim notification while the company worked the intrusion from the inside. When we needed a contact at an external company one of the other members chimed into the portal with a contact and then made an introduction. Victims responded to offending servers. The C2 and exfil paths were blocked by the member, and all external entities (except one, where we had to leave a VM) knew about the incident and were responding.

When the dust settled, one of the companies has asked for membership information and felt they too should be a member of the alliance. I'll have that meeting next week!

That's the way collaboration is SUPPOSED to work!

Jeff is happy today.

Saturday night, and I'm VERY happy!

Why? I received a call yesterday from one of our members. We chatted about scale, automation, etc., but then I asked him how he liked our last Fusion Report? I was looking for feedback. There were some farming issues that we'll fix for the next one, but most importantly he told me "My team hates you!" (we're making them work!). When I asked if he was seeing anything from it, he told me "we're dropping all kinds of new stuff at our perimeter"

So why would such a simple sentence make me so happy?

• The APT set went cross sector into a new target type
• The guy who gave me the comment analyzes a LOT of indicators from a LOT of sources
• The company has over 100 independent business and probably 150,000 computers. They have a VERY large perimeter

It makes me VERY happy that on our third report a director in a company of this size and stature in the Infosec community says about Red Sky "I'm sold on Red Sky!"

Red Sky contributed directly to identifying a new issue that he was able to push to his team and experience new results!

It makes me VERY happy!

Have a great weekend!
Jeff

Red Sky Alliance: End of week status- Been a great week!

Good morning!

It's been a pretty great week for the Red Sky Alliance and I'm driving back to NH tomorrow, so I thought I'd post a snapshot of the week this morning.

• Two new members committed (one finance and one LARGE healthcare organization), and a third (Fortune 10) gave us the thumbs up on legal review!
• We posted Fusion Report 003 showing a longtime APT group that had previously targeted defense industrial base companies now modifying their tactics slightly and going after the government policy shop in a bank. This was HUGE. It validates our model of collaboration in a smart way across industries offering months (in this case years) of early warning. 
• We've got two new folks working on the backend of Red Sky as analysts, and the malware engine is coming along nicely.
• One of our Associate members (Kyrus Tech) was involved in the Zeus Botnet takedown! You guys should reach out and talk to these guys. Great skunkworks handling hard problems!
• We're now tracking on over 60 threads with companies from four industry sectors, and we've just opened discussion boards on HP/Arcsight and RSA/enVision.

It's been a great week!!
Jeff

Interesting developments

Two nights ago we posted a product inside the Red Sky portal based on an input from one of our more active members. At the time we thought it might be an early development, not associated with any groups, but authored the analysis anyway. When we were posting, we compared some of the IP space to other sources and found there might actually be a link. Yesterday we confirmed what we were looking at was not only an active APT set, but that they'd been active in the Defense Industrial Base companies for almost three years with little other activity, and now jumped to a completely new sector!

This is Red Sky's first real validation of what we've been talking about! Early warning comes from smart people talking to smart people in other sectors. When smart people share technical information, they tend to share better information than those receiving anonymized data or data in the aggregate.

Don't be a wall flower! It's about people talking to smart people!

Jeff
www.redskyalliance.org

New Red Sky Fusion Report: FR12-003.pdf : AS4808 Malicious Infrastructure and Malware

FR12-003.pdf: "AS4808 Malicious Infrastructure and Malware" was just posted to the Red Sky Alliance portal. This is our third fusion report. It came about from a seemingly innocuous report from a member reporting the incident. Upon further investigation by members, it appeared that the incident was more widespread than previously thought, and took advantage of individualized emails with different source addresses for each. One member reported approximately 700 emails in an environment of approximately 300,000 users.

"On 18 March 2012, a Red Sky member posted malware from a recent spear phishing incident to the Cyber Intelligence and Analysis Center portal. The malware called backed to malicious domain. Analysis of the domain revealed related infrastructure and open source malware samples. A total of three malware samples were analyzed: one provided by the partner, and two obtained from an open source malware dump. All three samples were linked to Autonomous System 4808 which is described in the report. Correlations between the various samples will be provided in the Malware Data section of this report. While no specific attribution was identified (we don't necessarily look for attribution, Red Sky focuses on IA), several of the IP addresses and domains used were tagged as APT address space by one of our sources."

At least two different sectors reported similar cases, but with individualized targeting characteristics.


If you're not receiving these reports, please contact us (jstutzman@redskyalliance.org) or sign up for our mailing list at launch.redskyalliance.org.

Collaboration is working!
Jeff

Status - Red Sky Alliance

Good morning all! It's Saturday morning and I've had an incredible week at the Honeynet Project Annual Workshop. This years event was held at Facebook out in Menlo Park. Nice. Even during travel, startups don't stop. It's been busy!

So here are this weeks updates to Red Sky Alliance:

• We've added new member! We're up to eight now, we more requesting our presentation and demo every week. This is great news!
• Hacked! This week our external facing website was hit with an iFrame redirect attack. We knew it would happen, and it did. The website was back online quickly, although the original sits on a machine in MD. We posted a one page marker until I get back tomorrow and upload the original. 
• Success! New malware was posted to the site by one of the members. Within an hour, two others posted analysis. One of them was Norman, using their new G2 Malware Analyzer. In both pieces of analysis, the submitting member was immediately given four new pieces of information which allowed them to block C2, and then do incident response. 
• Upcoming "Threat Day": Preparing to host a "Threat Day" on April 11th at Defense Group's Vienna facility. No vendors allowed; only members and presenters. This should be a great day. Doing happy hour at the Army Navy Club the night before.
• Our Norman G2 suite has shipped! We'll be online soon. Einar is hiring 15 new analysts/engineers and they're gearing up to support Red Sky Alliance. This is going to be a great partnership!

We've also posted a 'launch' site. We've only been online since mid-February (if you can believe it!). We've received a number of emails asking for more information, and I'm finding it easy to lose track and make sure everyone gets answered. To make sure I'm not dropping anyone through the cracks, I've added  launch.redskyalliance.org to allow folks to sign on if they've got interest. I'm hoping it'll help with my organizational skills!

That's it for now.
Have a great week!
Jeff

Last day for me...

Thursday morning. Blogging before packing while I prepare for my last half day with the Honeynet Project. I haven't (nor will I) post about some of the ongoings, but I'm here to tell you.. things really have changed since I started as a member in (ahem) '97? '98? Hell. I'm to old to remember I guess.

Regardless, we've gone from WU_FTP hacks to botnets. From 'step away from your keyboard' to botnet profiling, big data, SSH honeypots, Android exploitation/forensics, HPFeeds, and a dozen other topics I've kept in my notes but can't recall at 6:22AM. There were project members from 26 countries represented, and I've made it my mission to have a conversation with every one of them. I believe I've succeeded.

Anyway, this is going to be a short note. It's been terrific seeing everyone again. It's been five years since my last annual workshop (at Lance's house.. when things were much smaller). I hope to hear from you guys again, and see you next year.

Ciao (or should I say Cheers!, Kampi!, Proz!)
Jeff

Honeynet Annual Meeting (the day before)

I arrived about 2PM PST yesterday in San Jose. Even on a 'cold day', northern California is really nice this time of year.

I feel like I'm giving confession.. Forgive me Father,  it's been five years since I've attended a Honeynet Annual Meeting. My last was five years ago at Lance's house. I expected to walk into the hotel and see a bunch of aging guys, grey, bald, overweight (all of which happened to ME in the last few years!) but what I found was actually a nice surprise. Yeah, the old crowd was here, but we were WAY outnumbered by the younger crew. In the end I spent probably 30 minutes with Max Kilger -one of my favorite conversationalists. Max is a PhD behavioral psychologist. He and I were the two 'non-geeks' when the project kicked off years ago. We authored a paper called "Know Your Enemy: Statistics" outlining and demonstrating very simple early warning techniques for inbound attacks. Max specialized in behavioral trends. I focused on non-technical intelligence.

Last night we had the opportunity to compare notes five years later. I'm sure we'll have more, but last night was fun. Max is writing models to code data to predict cyber activity in today's world. Wow. I've always taken the 'keep it simple stupid' approach -measuring defects, looking for anomalies. Max on the other hand has a world of data at his fingertips to mine, twist, and see what comes out. Wow.

Anyway, it's 5:41AM. I'm still on EST, so I've been up for a while. It's time to hit the showers and get ready for the day. I'm excited to see what these new young Honeynet thinkers have in store for me!

J