Saturday, September 22, 2012

Red Sky Weekly - Research Libraries... Rich targets?

Imagine this: You go to the research library after receiving an assignment to prepare a brief for 9:00 Tuesday morning. You’ve been tasked with preparing thoughts regarding the acquisition of a new company and its technology, and you’re waist deep in due diligence by 2:00 Saturday morning --with no end in sight until that Tuesday morning presentation. You'll be pulling all-nighters through the weekend. You’ve got financials spread out all over the table, legal documents describing issues associated with purchasing companies in this part of the world, reference material and patent searches to confirm value of the intellectual property and you’re exchanging email with researchers elsewhere, as you and your virtual team pull together the deck and details you’ll be presenting in just a few days.

Now imagine this... those library computers, electronic searches, public internet access, and probably the wireless access you connect to with your personal laptop all store those communications and queries somewhere, even if only in memory or cache. Every time you enter a query, search for a reference, send an email, receive an email or prepare work product on that library network or one of their public computers, you give a would-be competitive adversary a clear view into your specific research, sources, intellectual property review, etc. If that library hasn't done the necessary work to ensure the privacy of its visitors, and doesn't have ways of maintaining security, you might be giving away more research than you're getting. I would argue that librarians are not security people, and probably don't know the value of the electronic treasure trove that exists in these otherwise quiet, relatively uneventful places of business.

Why might I think this? Last week I told the story of a billion dollar defense company that maxed out their cyber insurance policy and now gets harvested monthly for updated technologies or those missed during earlier visits. That blog post, within one week, became my most read page since the blog's inception. Interestingly enough however, this isn't the first time I'd heard this story. I heard exactly the same story three or four months ago in a conversation with a consultant that I've known for several years. The consultant led a team of security people who did work in a large research library for about a year. He described the routine harvesting of electronic library queries, emails in/out of the library, etc., as "APT Day". Apparently once every week, on the same day, the library is harvested for all of the previous week's queries, emails to researchers, and work product residing on its own and its public-use computers. Who would have thought!? A LIBRARY!? Attackers, in one fell swoop, learn what is being researched, what forward thinking is happening there, and all of the sources used by the researchers!
We’re all at risk. If data, data about data, or communications about data exist, and someone wants it, there’s a pretty good chance they’re going to get it. Today, malware isn’t necessarily required. There are companies out there who sell VPN services using legitimate (but stolen) credentials. Bad guys are in your network using your remote access user name and password. The only way to know about them and defend your networks, computers and intellectual property is to talk with someone else who’s gone through the pain of defending against it already. You mustn't be shy. Attackers work in well orchestrated teams, choose their targets, operate with precision, and get what they want. They only have to find one way in. You have to defend every way in. This is Sun Tzu upside down, so forget that lesson of 'best to have a defensive position' and start asking questions of others -before it's too late.


BREAK BREAK

Red Sky had another terrific week. Here goes:

  • Fusion Report 25 released: FR12-025 discusses the PlugX malware leveraged in the recent IE 0 day attacks. The report included an in-depth analysis of the malware's functionality and capabilities. We also identified likely targets for the 0 day activity and provided information on related infrastructure that has a high likelihood of being leveraged in the near future. The cue for the analysis came from a private company member who wishes to participate in both portals. As a result, the report was published to both the Red Sky private portal and the Beadwindow private/public portal, where our current state/local members can also access it.

  • Beadwindow “Hoot ‘n Holler” call: We held our first Hoot ‘n Holler conference call with our Beadwindow members. The call included members from the Red Sky team, one state government and the CSO from a major metropolitan city. During the call, we assisted the government users with understanding the new TTPs from this week's Fusion Report, explained what they actually meant, and talked about how to protect from them.

  • New Members: This week we signed one new member and a second was invoiced and is now in legal review. The first is a high tech/defense company, with about a billion dollars in annual revenue. The company has already started contributing to the portal and will be attending our Threat Day next week. The second is going through legal review as we speak, and when they come into the portal, they’ll bring the management lessons and visibility of their three million computer environment. The company is diversified with majority holdings in global retail, technology, real estate and energy. We’re very happy to have both companies join us in the Alliance!

So for the last several months I've been keeping you up to speed on the progress, growth, and significant happenings in Red Sky Alliance. The other day I was asked during lunch to quantify our membership, our business, and where we are in relation to others entering the information sharing space. I've done this informally before, and here's what I tell people:

We began bringing members into our empty portal in mid-February. Since then the participation has been terrific.  While the numbers are an estimate based on an informal survey of the members, we believe they’re pretty close, and very telling of the community we’re growing:

  • As of today Red Sky Alliance hosts 15 large enterprise, and four associate (analytic) members. Our current membership includes major telecom, several global banks, several high tech internet companies, one global engineering/construction company, and a couple of large enterprise diversified companies engaged in everything from airplane manufacturing to electronics to energy production.
  • We have five companies currently in various stages of the membership process. When these companies complete the process, we estimate that these 20 member companies will control close to 20 million devices in over 140 countries in the world, in dozens of industry segments, including global energy production, retail, real estate, and managed IT and security services. (Yes, we like MSPs. They help us scale protection while at the same time maintaining opsec.)
  • Financial members in Red Sky process the vast majority of credit card transactions in the world today, and manage the lion's share of money moved between stock exchanges and their clearing houses.

On the Beadwindow side, in less than a month, we’ve added a couple of new members, and now include:

  • Three major US cities
  • One state government
  • One global bank
  • One ISAC
  • One global Internet company

So, Red Sky is cooking with gas. The portal activity is picking up again post-summer, and solid activity is coming out of it. Fall is always busy until around Christmas. We’re geared up to handle it.

The Beadwindow portal is also doing well. New members mean new education. State and local governments (my first impression; I'm learning too) seem to have very small information security budgets and little organization around managing across agencies. One CSO told us that his (one) IT Security guy was just moved out from under IT, and that neither the IT folks nor the city government departments will let him look at data to perform his analysis. Whew. That must be exhausting, and a real morale dumper for the guy who's going to be held responsible when something really does hit the fan (and it will!). There's a major learning curve coming for these poor guys! We're on it. We'll do our best to help.

That’s it for now. Have a great weekend!
Jeff

Tuesday, September 18, 2012

Red Sky | Beadwindow - One Week Down, many more to go!

For those of you who are new to Red Sky, you may not be familiar with Henrybasset's "Red Sky Alliance" blog, published each week by Red Sky co-founder Jeff Stutzman. As an extension to that blog, we are publishing a second blog, Beadwindow. This companion blog will communicate the weekly activity of the Beadwindow community. As things grow, so too will the discussions and information. It is our sincerest hope that you find this blog both informative and a reaffirmation that collaboration and information sharing DOES work and IS the model for success in fighting the TTP threat.

Beadwindow? As the new CIO for Red Sky, one of my first tasks was to get the Beadwindow portal up and running and to immediately help our community members collaborate in defining the threats they are seeing on their networks. This is not an easy objective. Having come from the government sector, I know that sharing information is not a natural habit there. Beadwindow, being a private-public cyber partnership, is pushing those longtime cultural behaviors aside and providing both the means and the trust to break through the barriers that have plagued the government sector.

With this in mind, I am very pleased to report that Beadwindow is already providing a valuable space for our early adopters from both significant municipalities and state governments to connect, interact, and build long-standing relationships. I believe that the only way we can protect our critical infrastructure as well as our intellectual property is if we work together. Red Sky provides the space; all we need you to do is maximize its potential.

Before I wrap up this first installment of the Beadwindow blog, I wanted to remind everyone that Beadwindow members have access to Red Sky's Norman Malware Analyzer (MAG2) device. We are already seeing a lot of activity with our MAG2. Keep it coming! The MAG2 device is capable of analyzing up to 40,000 separate pieces of malware a day! The MAG2 is an excellent "first responder's" device and should be an immediate resource in your triage plans. DO NOT let this resource go unused.

We are moving forward and growing. For those already aboard, keep the discussions going and the analysis coming. For those of you on the fence about how Red Sky can help your organization, please reach out to me @ rgamache@redskyalliance.org. In the meantime, please learn more about Red Sky @ www.redskyalliance.org or http://henrybasset.blogspot.com

Have a great week and remember – If fighting is sure to result in victory, then you must fight!

Rick Gamache – Red Sky Alliance CIO – rgamache@redskyalliance.org – 207-449-8090

Friday, September 07, 2012

Red Sky Weekly - New Fusion Report details shift in TTP

I posted earlier this week, so this one will be a little shorter. It’s September, and time to get back to work! Red Sky works hard to create forward movement every single week, and this week was a good one.

  • Fusion Report 23 (and Beadwindow Fusion Report 001) were posted to the portals earlier this week. The analysis was tipped from open source, but detailed a major TTP change in a prolific group, noted within about 24 hours after the shift, from a TTP the actors had used for at least the last 18-24 months. This is as good as (better than!) 0-day research, as it showed a shift in TTPs and the new malware that goes with it. The report, because it was tipped from open sources, was made available to both the private Red Sky portal and our Private/Public portal, Beadwindow.
  • Beadwindow is doing well. We’re in our first official week of operation and have a number of State/Local and Critical Infrastructure participants, as well as two of the original founding Red Sky members who’ve opted to participate directly with government users in the new, more open portal. We’re holding orientation for the new group today, and expect to see conversations starting next week. In fact, we’ve already got one participant authoring a search/retrieval application to interface with their city’s big data project. Very exciting!
  • Threat Day! We’ve just finalized plans for next Threat Day, to be held at a member location in DC. We’ll be sending members invitations and calls for papers today. Our last went really well. I’m looking forward to this one too. Plan on cocktails at the Army Navy Club for the night before! For members reading this, please RSVP in the portal. I’ve posted details there.

From a growth perspective, I can tell we're maturing. We had to add a ticketing system to our backend today. It didn't take long before we realized that not having process around workflow, as many bootstrapped startups realize quickly, creates problems in customer service. Even one is too many, and we had one today. Those who know me know I'm a process guy. I'm going to start walking through those checklists as we speak! We're going to need it more as time goes on. We have three new companies receiving Red Sky membership packages this afternoon!

Interested in joining Red Sky? While Founding memberships are basically filled, Founding member rates are being honored through 12/31.

Interested in joining Beadwindow? We have a government and academic rate structure to accommodate you too, and Beadwindow is off to a great start!

Drop us a note now at jmckee@redskyalliance.org or jstutzman@redskyalliance.org.

Until next week!
Have a great weekend!
Jeff
Wednesday, September 05, 2012

Wow! Beadwindow is going like gangbusters!

I realize this is an out of cycle posting, but I'm really happy today. We went live with Beadwindow on Monday, and in two days:

  • We've created accounts for thirteen state and local users, three members of an ISAC SOC, two of our Red Sky Founding Members (a Global Bank and a Tech Company!), and our Red Sky analysts.
  • Our first Fusion Report was posted to the Beadwindow portal. The report offers infrastructure analysis and a major TTP shift for a prolific group of APT actors.
  • Conversations have started, and are moving nicely!

I'm psyched! Opening a portal to allow government participation looks, at least at these early (infantile) stages, like a really great P2 (private-public) interaction opportunity with as few restrictions as possible (we have only three very simple rules!).

Saturday, September 01, 2012

Red Sky | Beadwindow - New Fusion Report

This was an INCREDIBLE week for Red Sky. Here's why:

  • We brought Beadwindow® online this week and will begin orientation sessions and account provisioning for government users from several cities, two states, and an ISAC.
  • Our new Director of IT starts Monday: I would like to introduce Rick Gamache.
  • We had our first 0-day reported in the portal by a member, and issued analysis and a threat alert within only a couple of hours.
  • Fusion Report 22 published Monday night.

The details:

  • 0-day Threat Alert: On Tuesday evening, following a tip and sample from one of the Red Sky® members, we released a threat alert to the Red Sky® community. The alert provided attribution and relevant data concerning a zero-day vulnerability being exploited in targeted attacks. As is typical in the portal, the alert was followed up by additional analysis and reporting from Red Sky® analysts and the membership.
  • We released Fusion Report 22 this week. FR12-022 provided a detailed analysis of malware and infrastructure belonging to a new actor. TTPs associated with the actor are consistent with other tracked APT activity originating from China. Red Sky members were given one new Snort signature and 76 new indicators to search for (or proactively block) in their networks.
  • Beadwindow®! Using the same model as Red Sky Alliance, we opened a second portal under the name "Beadwindow®" this week. Beadwindow® is a separate portal offering the same level of commitment, process, operating rules, and hopefully (we're sure it will!) results, to members from state, local, tribal and federal government, education organizations, and also to others who may not wish (or may not qualify) to join the private Red Sky Alliance portal. A news release was posted on Monday morning this week, and as of tonight, has been picked up by over 1100 digital feeds around the world. Our announcement had a strong response, with membership requests coming in from government organizations, a major electricity producer and a national law enforcement organization. Beadwindow® is a "private-public cyber partnership" and has approximately a half dozen early adopters from major cities and states, and analysts from Red Sky and an ISAC SOC starting on day one, covering critical infrastructures all over the country!

When I worked as a CISO, just about every time I asked someone for money, the first question I was asked was "What are others doing about this?" The idea was that our CIO would spend just enough to keep up with the Joneses, and maybe a little more if we could correctly articulate the need/requirement.

Do you want to know what your peers are doing? 

Ask them. It is far more cost effective to learn from other Red Sky Alliance members in either the Red Sky or Beadwindow portals than it is to go it alone. Learn to fend off cyber attackers smartly by asking your peers how they did it and employing their lessons learned. If you don't talk because your lawyers are worried about antitrust, don't worry about it. You'll probably be out of business soon anyway when you realize your G&A has broken through its four-point restraints and is heading through the roof. You must talk, and often, about how you're protecting yourselves. Companies don't give up proprietary information in the Red Sky portal. They exchange analysis, indicators and ideas of how to deal with different scenarios that are, on a daily basis, bombarding members' networks with sticky, thieving malware, operated by trained professionals with real collection requirements.

Last, I laughed out loud at a comment by Alan Paller this week. I love reading his commentary at the beginning of the weekly SANS email updates. It went like this...

Alan was referring to a piece in the news about a new rule being proposed by DoD, NASA and GSA (links footnoted below). His comments:

[Editor's Note (Paller): With the growing consensus that there is a minimum standard of due care in cybersecurity controls, and the fact that this proposed rule completely fails to meet that standard, and that the greatest losses of national security information were from the contractors' computers, (Wait, here it comes. I LOVE the next part!) whoever is managing the authors of this half-rule should assign them to some less important responsibilities and get people who understand the threat and the controls to write the rule.

Rules are expensive to create (millions), take seemingly forever to vet through everyone who may have a stake, and there's no guarantee that even after all of the consultants, legal review, Washington process, publish for comment, public comment, (you get the picture) that anything is going to move forward. Add to that the fact that many of the rules are authored by consultants who rarely have actual information security experience (they may be great writers, but have little or no operational infosec experience). There's just nothing simple in DC is there?

It's too bad.

Until next week,
Have a great Labor Day weekend all!
Jeff

[1] http://www.nextgov.com/cio-briefing/2012/08/white-house-plans-regulate-contractor-computer-security/57668/?oref=ng-HPtopstory
[2] http://www.bizjournals.com/washington/blog/fedbiz_daily/2012/08/feds-propose-rule-to-hold-contractors.html
[3] https://www.federalregister.gov/articles/2012/08/24/2012-20881/federal-acquisition-regulation-basic-safeguarding-of-contractor-information-systems#h-4

Friday, August 24, 2012

Red Sky - New Fusion Report; Announcing Gov focused portal

What a week! I just returned from GFIRST. Highlights include:

  • Red Sky Alliance opens “Beadwindow®” for Federal, State, Local, Tribal cyber research and analysis
  • Fusion Report 12-021 released
  • Kudos to US-CERT

Building on the success of the private Red Sky® Alliance cyber intelligence and analysis center, Red Sky Alliance is happy to announce the opening of a second, separate portal called the "Beadwindow® Center". Beadwindow® is intended for use by Federal, State, Local and Tribal Infosec teams. Inside the portal, members share information about current advanced threats and assist each other with analysis, best practice, and preventing future attacks. Government users may also interact with corporate users through anonymization processes linking the two portals. On the back end, Red Sky analysts distill the conversations to author Fusion Reports that detail, in a clear and cohesive way, all information known about the subject. The Fusion Report includes an executive summary, detailed analysis, mitigation recommendations, and a list of indicators in an easy to use Kill Chain format.

Account provisioning is occurring as we speak. Early adopters of the Beadwindow® Center include six major US cities, two states, a major Information Sharing and Analysis Center SOC, and Red Sky Analysts. Members of Red Sky Alliance will, if they choose, be offered credentials allowing them to interact directly with government users. Interested in an account? Contact Jim McKee.

This week we released Fusion Report 21. FR12-021 provides incident details and analysis concerning malware leveraged by one of the most active threat actor groups. The malware was delivered by way of a redirect to a .gov website that was compromised in order to serve as a malicious host. Indicators also show the targeting and compromise of a major web based software provider for the financial and healthcare industries. Due to this compromise, actors may have acquired credentials or sensitive information on the provider's customer base, which includes numerous banks and financial institutions.

Kudos to US-CERT. I'm happy to see US-CERT (Tom Millar and Richard Struse) championing the development of TAXII, a structured means for sharing attack data in a uniform way. This is LONG overdue, and I'm happy to see US-CERT taking a strong leadership role, stepping out, and getting this done!

BT BT

During my talk yesterday I stated something that I believe (and I've heard others say quietly): I don't think there's a piece of intellectual property on a computer, attached to a network, anywhere in the world that's safe from exploitation. Exploitation may mean theft, changing the code (integrity), or denial of use. This is not a local problem, nor a US problem. It's a global problem. Our networks are crawling with bugs and those who wish to exploit them. The only way forward is to learn how to work within untrusted networks while we devise a long term strategy for weaning us off the current implementation of the Internet and design a next generation network (Nextranet?) with security built in to take its place. In the meantime, we MUST work together, or else lose every piece of intellectual property we've ever created to those who choose to steal it rather than build their own.

Red Sky and Beadwindow are intended to do three things:

  1. Help companies fight today's cyber problem. Just about every bug flicked at our networks is sticky. The problem is becoming ubiquitous.
  2. We partner with vendors in the communities to make sure they know exactly what members are seeing. We want vendors involved to make sure they know exactly what operational users of their products are seeing. We hope this will create a next generation of better security products.
  3. Last, but certainly not least, we’re feeding the labor pool with trained analysts who are taught to analyze emerging threats.

Our community is not a means for investigation, but rather for network defense. We work hard to make sure that conversations remain focused, but unstructured. Members are notified of new inputs as they occur, thereby allowing those who have not been hit to protect themselves before they are. Feedback to date has been tremendous. When asked if State and Locals wanted their own portal using a separate but similar Red Sky environment, I was overrun with requests for accounts. We don't see ourselves as competing with the ISACs; we see ourselves as an enhancement to the current model, highly complementary. We work solely in the emerging, targeted and APT space. Our members benefit from knowledge imparted by others. Everyone is peer reviewed to ensure we know who generally has better gouge (technical term for really good stuff!) than others.

I am highly outspoken when discussing data versus intelligence. Aggregated feeds of data, because of the vast amounts available, are no longer actionable. Here's what I know... right or wrong... it's what I know and believe: the only way to get good intelligence out of the vast multi-industry international streams of data is to ask the originator of the data what it means. When you can't verify the source, its credibility as a source, the configuration of the originating machines, the context of the data or the believed motive (of the human attacker, as derived through analysis), aggregated data without trusted endpoints runs the risk of becoming a garbage in, garbage out model, where users should question their confidence in its use.

Bottom line.

Public private partnerships are hard. Even after so many years, private sector companies rarely share openly and completely with the government, even in the best partnerships. Red Sky and Beadwindow together will give both sides the opportunity to talk and share cyber information, voluntarily. Members of one may never choose to talk or expose their data to the other... that's ok. The option exists. If Red Sky Alliance members find value in data received from the government, they'll talk about it. If Beadwindow members need information from corporate users, they can ask. Their discussion will be moved to the private Red Sky portal, where members can discuss the questions among themselves and submit an anonymous (or sourced, if they choose) answer back to Beadwindow members. The process is designed to alleviate trust agita. We're doing our best to connect the smartest people in a place where they can compare notes, share data, offer each other defensive tips from their own lessons learned, work through the hardest problems, and build a lasting bond among companies who have the ability to protect computers in over 140 countries in the world today.

You too should join the conversation. We can’t win without honest discussion. We’re all standing around with our pants down (or dresses up Margie!), and you know what? We all have the same parts! Amazing! Let’s help each other.

Join the conversation.

Until next week,
Jeff

Friday, August 17, 2012

Red Sky weekly update - Six months in operation and a new Fusion Report!

This week, we released FR12-020, which detailed a Poison Ivy variant provided by one of our members. Analysis of delivery indicators and TTPs linked the incident to known first-stage infrastructure, which is exclusively intended for the delivery of Poison Ivy (PI) payloads. The report provided new insight into the social engineering tactics employed by the actors, and also revealed correlations among the leveraged URLs and domains. This resulted in the development of 6 new signatures to aid in the detection of related activity. Moreover, indicators provided in FR12-020 allowed for the identification of a compromised site belonging to a major software provider for corporate applications.

As of today, our six-month operational anniversary, it's been a heck of a ride.

  • We're now at 19 companies in the environment, including four vendors who provide analytic assistance to the members, and have three others going through legal review of our terms and conditions.
  • We've authored 20 fusion reports detailing analysis on submissions from the membership.
  • As of today we've racked our automated malware analysis suite, and will make that available to the membership as soon as we finalize our configuration changes.
  • We bootstrapped (self funded) Red Sky, so as not to be beholden to external pressures from institutional funders, and I'm happy to say we're cash flow positive, having hit breakeven within our first four months!
  • We now have a solid analytic capability backing the membership. Our members have done a heck of a job helping each other. Crowdsourced analytics from the membership, distilled into actionable, usable indicators and knowledge by the Red Sky staff and analytic vendor partners, is working wonderfully! As a side note, a woman from Network World interviewed me today. She was surprised when I told her we allowed vendors as analytic members. I believe we have to partner with vendors, not exclude them. How else will vendors know what emerging threats look like and how to shape their futures? We have to tell them. They play by the rules (no ambulance chasing, just good analytic support to the membership). So far, so good!
  • Our intern program and participation in Wounded Warrior is hitting on all cylinders, and we've brought in a long time educator to ensure our curriculums are done right. We're hoping to establish a pipeline of qualified analysts to our membership starting in December, when our first intern graduates from his Masters program in criminology and cyber. Starting in the fall, we're hoping to have new faces in the program from Wounded Warriors and will begin training them, preparing them for positions in our members' workforces.
  • And best of all? We're receiving referrals from our members for new members. That's the best compliment ever. Thank you!

So for now, I'm making this a short blog. I'm driving from Baltimore to Atlanta for GFIRST. I hope to see many of you there! Ask me for a demo!
Have a great weekend!
Jeff