Saturday, December 15, 2012

Red Sky Weekly - Predictions for 2013

I’m going to do something a little different this morning.

Last year, I published (in limited distribution, in case I was wrong!) predictions for 2012. This morning I’m publishing that list to the blog, with updates to my 2011 thoughts for 2012, carried forward into 2013, and a few positive trends.

A couple of highlights on the positive side:

  • Companies outside of the critical infrastructures are becoming aware of the dangers of targeted and advanced persistent cyber events.
  • Adoption of information sharing by companies large and small has taken off. This is not just a trend in Red Sky Alliance, but in others as well. We see this as a major deal --low cost, extremely high payoff.
  • More companies are looking to formalized models to build their information security programs and management processes.
  • Securing the Human has become widespread, not just in SANS, but also in practice. More companies are employing routine, randomized testing and education of their end user workforce.
  • Last, “Best in Breed” practices are beginning to emerge. This is a leading indicator of institutionalizing new practices and processes to deal with the new, emerging threat landscape.

Next, my 2011 thoughts.

Last year I outlined several trends. I’ve updated them for this year, and through work with the Red Sky Alliance members during the year, have extrapolated some of this information into predictions for 2013, and thoughts on a few new items:

A couple of key thoughts, and the highest risks on my prediction list for 2013. These were originally authored as 2012 predictions; those that were shown in red in the original list have grown through the year to become mainstream in 2013. For example:

  • Remote access services and their associated legitimate (but stolen) credentials are a mainstream method of gaining access to company networks and intellectual property.
  • Supply chain, including not only the traditional supply chain but also non-direct value add suppliers (e.g., legal, outsourced HR functions, and finance), is a high value target for intelligence on not only ongoing operations, but futures.
  • Traditionally closed systems (physical security systems) are becoming more interconnected to allow remote work, higher order analysis and correlation, and storage. These systems continue to be targeted as PSIM (physical security information management) is integrated with traditional infosec operations. These systems include primarily voice and video.
  • I'd also like to couch one of my positions. My belief is that the healthcare system will see an avalanche of PII related theft in the future. I've not tracked the healthcare system this year as much as I have in the past, but this is one of those secondary value add suppliers that, in my opinion, are in danger of massive losses. Every healthcare CISO I talk with worries about this. I left its movement as neutral, but believe the risk is high. I'd offer the same advice on the legal industry.


2013 will bring new challenges, mostly associated with Cloud, Big Data, and Mobility. This should be no surprise to readers, as companies find massive returns on renting servers, infrastructure, applications, etc., from cloud providers, and BYOD is both a massive opex reduction and makes end users happy at the same time (Win-win! right? WRONG.).

Key takeaways for 2013:

  • Not surprising but the natural progression of things suggests that more companies will realize the devastation of being targeted and not be able to kick intruders off their networks. We call this realization their “Oh Sh*t!” moment... and we believe this feeling will spread like wildfire during 2013.
  • Our inability to deal with the overwhelming needs will result in a knee-jerk reaction for government to over-regulate and demand reporting from respective supply chain companies.
  • I should have placed BYOD concerns in last year’s thoughts, but BYOD at the time was largely an immature concept. The idea that “Mechanics use their own tools, why shouldn’t computer workers?” means companies will realize the ROI associated with allowing the use of personal devices, which will bring an entire new crop of security concerns --all of which will feed the target footprint for those targeted events we just talked about moments ago. BYOD is going to bring infosec pain. Be ready.
  • Last, large repositories are always great targets. As companies move to cloud based systems and big data repositories, we’ll see discrete attacks used against these large data sets in undetectable new TTPs.


To wrap up, every week we publish a simple highlight of the fusion report we published during the week. We could publish dozens (hundreds) of these things if we chose, but we try and choose something important that we believe users need to know about. 

  • This week we published FR12-033, which details a variant of malware leveraged in coordinated APT attacks involving several threat groups. The report revealed new intrusion infrastructure and contained information indicating a nexus with possible ties to a Chinese university. The incident is believed to have targeted a Federally Funded Research and Development Center (remember the discussion about indirect value add supply chain companies?). 
  • In the portal this week, early warning indicators were provided for pending DDOS activity targeting the US Banking community, and
  • We continued the "name and shame" analysis with a completed persona profile of a known operator and malware developer.
Whew. This was a long post. I hope you find it useful.
Until next time,
Have a great week.
Jeff

Saturday, December 08, 2012

Red Sky Weekly- Threat Day, Name and Shame, Beadwindow!

We held our third Red Sky Alliance Threat Day in San Antonio this week, and it was an absolute success! We had a decent turnout with several member companies in attendance. The day started out with a joint presentation on a well known threat group and included a "name and shame" on several of the actors themselves.

  • Analysts, working together on site, were able to identify not only (high confidence) identities of many of the people believed associated with this group, but also alias email addresses, buddy lists, blog sites, forums they participate in, and screenshots of their computers with (believed) exfiltrated files on the desktop. In addition to personas, analysts were able to view what they believed was targeted information, including technologies ranging from military to electric automobile technologies and the financials of over a dozen companies. A formal “Name and Shame” fusion report resulting from the onsite “Analyze-a-Thon” will be published to our community in the near future.
  • This presentation by Red Sky analysts and one of our members was followed up with a post-exploitation analysis of another group by a second member analyst.
  • The day was wrapped up with a lessons learned discussion, on building out a network forensics capability.

On the Beadwindow Private | Public side of the house, we’ve met with two of the six major Federal Cyber Centers, delivering presentations on how they might benefit from participating in the Beadwindow portal. My hope is that we’ll see some new participants soon. I’m very much looking forward to that day. While we hear every day that members of the government have a hard time talking to private industry information security practitioners, Beadwindow offers a great way to allow this sharing, and allows corporate members the ability to protect their anonymity if they choose.

As we head into the end of the year the portal this week was business as usual.

  • Our analysts are currently crowdsourcing a new malware variant and TTP involved in a recent uptick of APT activity.
  • Two new ‘diversified industry’ participants have joined and are participating. While it may seem hard to think about how you, as a new member, might benefit from participating in the Alliance, one new member immediately started posting to an area we call “Wildfire”. The new member needed help. Wildfire is reserved for out of band communications during incident response, and to request assistance from the community. The “Forming, Storming, Norming and Performing” process we go through with new members is quickly becoming routine. The group is gelling nicely and we’re finding tremendous benefit in the amazing group of companies now in the Alliance.

So, if you’re thinking about jumping in, now’s the time. Government and Academic users can take advantage of lower membership rates for membership in the Beadwindow portal. Commercial users can take advantage of founding level membership pricing for only another couple of weeks. Current pricing ends on 12/31. Don’t wait.

Have a great week!
Jeff

Saturday, December 01, 2012

Red Sky Weekly - 12/1/12

We’re winding down 2012 but the pace hasn’t seemed to change even one bit. Attackers are busy, defenders are busy. This week Red Sky has people onsite doing analysis, and others building infrastructure to reduce friction points to collaboration, and even with all of that going on, we continue to add new members.

Here’s what’s happening:

  • Fusion Report 32 published: This week we released Fusion Report 32. FR12-032 details a newly leveraged backdoor and its associated infrastructure. We provided analysis of the malware's capabilities and protocol with 8 new signatures for identifying its communications.
  • Analyze-a-thon: Our lead analyst is onsite with a member this week developing an attributional profile of one of the most prolific APT groups out there today. In three days onsite, combing through mountains of forensic data, the team, working together has made significant progress in what they’re calling the “name and shame” report. The result of this analysis will be provided to the Red Sky community in our upcoming threat day next week.
  • Threat Day: Our next (our third) Threat Day is scheduled for this week in San Antonio, TX, again at a member location (I hear they have an indoor slide!). Presenters are lined up to talk through the day, and we’re expecting to video the day and post the presentations to the portal.

Short and sweet. Sometimes that’s best.

Until next time, have a great week!
Jeff

Saturday, November 24, 2012

Red Sky Weekly - Anatomy of an Attack

Thanksgiving and Black Friday mark the start of the holiday season --bringing not only scrums for $97 televisions at Walmart, but also exponential increases in online activity. During the next several weeks, lasting until roughly the second week in January, more retail dollars will flow than at any other time of the year. What does this mean to you? Willie Sutton once said, when asked why he robbed banks, “That’s where the money is”. Why will hackers be out in force? Now is when the money flows.

What do these attacks look like? This week, a report detailing an incident at a state government victim was posted (leaked?) to the Internet. While there is no evidence (that I can see) of APT activity (bad guys paid by a government to steal information), this is clearly a targeted event carried out with purpose over the course of several weeks using multiple accesses ranging from backdoors to legitimate (but stolen) credentialed accounts. The organization owning the victim network moves a lot of money, and is responsible for protecting privacy information for millions of people.

In this case, the victim had been notified by a law enforcement agency that the privacy information (PII) of at least three people had been identified as stolen (this is probably the most common way of finding out about breaches such as this --someone else usually tells the victim). A consultant was called in to identify the extent of losses, figure out if it was ongoing, and create remediation plans.

According to the report, the attack went something like this:

  1. The initial attack vector was confirmed as phishing emails, delivered on August 13, 2012. At least one user clicked, rendering the network compromised and likely, first credentials captured.
  2. Fourteen days later (8/27), the attacker entered the network, logging into a Citrix server (remote access) using credentials obtained (probably) during the initial August 13th breach.
  3. On the 29th, the attacker reentered the network, releasing tools designed to capture other user credentials on six additional servers.
  4. Between September 1st and the 4th, the attacker executed additional tools to capture Windows credentials. Additional tools were used to create ‘backdoor’ capabilities. The attacker used the new-found bounty to perform reconnaissance on other parts of the network.
  5. After roughly a week, the attacker performed additional reconnaissance on the network, until finally...
  6. Over the course of three days in mid-September, the attacker copied database backup files to a staging area, where they were encrypted into 15 encrypted 7-zip files. The files were then moved to another server (presumably their own) before deleting the files from the staging server.

The attack resulted in compromises of at least 44 systems. (One member claims the cost of fixing each server is roughly $10,000. At that price per machine, this incident cost, at a minimum, $440,000, but likely significantly more. This is a very public breach.)

  • One had a ‘backdoor’ loaded; three had database backups or files stolen.
  • One server was used to remove data from the network, but 39 systems were accessed by the attacker during reconnaissance or password captures.
  • Roughly 75 GB of data were compressed into fifteen 8.2 GB 7-zip files and (presumably, although not confirmed) removed from the network (we must assume these files contained information related to revenue generation and capture in the state, although the report does not mention losses of any privacy information).
  • Fourteen of the files contained 23 database backups; one contained roughly 1200 files related to the encrypted version of the data encryption key.

Over the past months, you’ve read about Fusion Reports. The Fusion Report is a compilation of all information known about the attack --taken from one victim or multiple victims in the Red Sky Alliance, or externally when data is available. The Fusion Report is a two-part report:

Part one is authored in prose; intended to show our work and tell the story of the attack(s), much like shown above.

Part two is mitigation. Red Sky analysts author Snort, YARA, etc., signatures when we can. Artifacts --file names with full directory paths, file hash values and other metadata --are included, and “Kill Chain” formatted indicators are presented in a final tabular format. A sample is shown below. The idea is that Alliance members should be able to take information from any of our reports and cut/paste the indicators distilled from reporting into highly actionable form that any member can act on today.

In this case, the kill chain information might look like Table 1 (completely fictitious; please do not attempt to use):

Table 1: Sample Fusion Report indicator list (table not reproduced here)
So here’s the deal. Remember Willie Sutton? There will be more retail transactions in the next few weeks than any other time during the year. Retailers will lose money as a result of cyber shenanigans. In addition to retail losses, the added noise on the networks will create opportunities for others to steal information from non-retailers, and to top it off, kids all over the world are home for the holidays, so the kiddie scripters will be active too (they always are over Christmas vacation!). Wouldn’t it be nice to be getting fusion reports, each containing hundreds of indicators from the Alliance --before you are attacked? The only way you can is to join.

Red Sky = private (corporate members only)

Beadwindow = Private | Public (many of our private corporate members + government members)

Drop us a note. Join us now.


Until next time, have a great week!
Jeff

Monday, November 19, 2012

Academic Services Division

Two items for the blog. First, with Thanksgiving this week I'd like to say thank you to all our members of the armed services both present and past and to all first responders and people who will give their time and effort to keep us safe. Many of us are generally quite comfortable and it unfortunately takes an event like Sandy to make us realize what these people do for us. Red Sky has a commitment to helping our veterans transition to civilian life by working with any of them who would like to work as data analysts. If your organization can do anything to help, I ask that as a way of saying thank you, you consider qualified veterans. Red Sky is developing a relationship with the Wounded Warriors Project but your company should feel free to work with an organization that best suits your needs.

Second, I was reading this week on various sites about the recent Iranian attack on American banks. When the attack was going on I was at a meeting in a bank relating to advanced persistent threats. As I read about the attacks, it seems that it began with hackers getting into the computer network at the University of Michigan's Engineering School (see link below) by using little used ports.

As the Director of Academic Services, I work with colleges and universities as well as non-profit and government agencies in protecting their networks. Getting into the commercial world through a university highlights that all our networks are intertwined more than we sometimes realize. The openness of academia makes it an ideal place to get into other networks.

Red Sky is based on the simple concept that intelligent people working together can achieve more than any one person alone. I invite you to contact me concerning Red Sky's Beadwindow to discuss our common areas of interest and better protect all our networks.

Dave Chauvette

University Of Michigan and Iranian Cyber Attack

http://cognitionemission.wordpress.com/2012/10/15/iran-used-university-of-michigan-network-to-launch-cyber-attack-against-u-s-financial-system/

Saturday, November 17, 2012

Red Sky Weekly - 11/17/12

It was another busy week. This Thursday we saw more malware submissions to the portal -- the most we have received in a single day. While many submissions stop at automated analysis, many also undergo human analysis by either Red Sky or members of the Alliance. One of the pieces submitted on Thursday included an unknown variant for which we performed same-day protocol analysis. This resulted in a tailored signature for identifying the encoded communications. 

This week:
  • Fusion Report 31 was released and details a new variant of a previously observed downloader. The report provided analysis on probable targeting requirements for the actors and included four new Snort signatures for detecting the unique user agents generated by the malware. This was a really good example of what we’re trying to do in Red Sky Alliance and in the Beadwindow portal. Hit with malware --we handled it nicely --our MAG device is supposed to be able to process up to 40K pieces per day; we’ve not exercised that yet but maybe someday. FR-31 was tipped off by malware, but the report offered a number of new indicators and what we believe the actor was actually trying to find in the network. If you knew ‘where’ you needed to protect as well as ‘how’ you could protect it, wouldn’t that be of value? Of course!
  • This week we attended FedCyber. It was great running into folks I'd worked with in the government. Thanks to Bob Gourley for the invite!
  • Red Sky attended SAGE in Portland, ME and Vistage in Boston. Vistage is a CEO group, but SAGE is a security group and resulted in several requests for Red Sky Alliance introductions.

Last, we’re honoring our Founding Member prices through the end of this year. After that, they’re gone. While most will not be brought into the Advisory Board, the price holds through 12/31. We’re accepting full members and associate (vendor) members at 2012 prices. Don’t wait.

Until next week.
Jeff

Saturday, November 10, 2012

Red Sky Weekly - New TTP detected by Beadwindow member!

This week will mark two milestones --our active user-adoption is at an all time high and Fusion Report 30 is about to be released. As with every social network, there are ebbs and flows, however this week the flow has hit a record rate. We hope the momentum will continue. Saturday will see the release of our 30th fusion report which will detail a previously unobserved TTP and C2 protocol. To date we have reported on over 10 different threat actors and have built out a solid profile of several of the more active groups.

If you haven’t been able to tell, I’m really excited! I haven’t been this excited about a major success in one of the portals since earlier this year. We’ve had a ton of ‘wins’ but this week one of our government members posted early indicators and pcap of a TTP shift in the Beadwindow portal. That information generated incredibly active discussions in the portal --crowdsourcing. Everyone brought a piece to the table until in the end, the new TTP was validated and shared.

So major activity this week:

  • Beadwindow was on fire with activity surrounding a TTP shift. The information was shared with the private portal, prompting several of them to jump into the conversation on Beadwindow
  • Red Sky received a submission from a non-member which led to the discovery of more activity utilizing Windows Credential Editor to steal Windows creds (does anyone know when this will be fixed in Windows?)
  • A piece of malware that our folks have struggled with for the last couple of weeks finally broke and gave up the booty --a previously unknown (at least by us) TTP and C2 protocol

Interestingly enough, this stuff really demonstrated what I think is the value of Beadwindow. Our submitter is a state government guy who used our Norman MAG2 malware analysis tool, bounced findings and ideas off of our Red Sky Alliance technical lead and analyzed the targeted cyber events by interacting directly with the mature, APT-hardened information security teams in large private companies --and they’re helping him protect his networks --and he’s given them something to protect theirs. This is exactly how Beadwindow is supposed to work.

Before I forget, if you’ve not been mailed directly, we’re honoring our Founding Member prices through the end of this year. After that, they’re gone. While most will not be brought into the Advisory Board, the price holds through 12/31. We’re accepting full members and associate (vendor) members at 2012 prices. Don’t wait.

Until next week. Hopefully I’ll see some of you at FedCyber!
Jeff

Saturday, November 03, 2012

Epic week in Red Sky!

Despite the storm, it was very busy in the portal this week. Red Sky staff and member analysts participated in crowd-sourcing various targeted malware. We also posted relevant details on two ongoing large-scale Blackhole campaigns which were sourced by our Beadwindow members and are now being corroborated by the private member analysts. Fusion Report 29 will hit the press this weekend and describe a highly targeted incident which leveraged a backdoor that was specifically tailored for the target environment. The malware is not a known variant so the report will include a detailed analysis for future mitigation and correlation.

Beyond that, membership continues to grow! We picked up four new global members this week --a gas and oil company, a large player in the networking community, a new financial institution, and another global internet provider! Data is moving nicely as we round out the last quarter of our first year in operation. 

We’re in planning mode for 2013. Membership projections are looking good. We've got bookings already staged for next year, and we're looking for member feedback on several new features that might include full mobile access, real time encrypted communications, unified messaging, and semi-automated analytics to help reduce some of the manual burden of farming, correlation, and repetitive tasks.

Last, but certainly not least, our intern is preparing to fly the coop. He’s our first, and has ranked out in the top 10% of our peer reviewed analysts since starting with us in March. As a result, he’s currently listed as provisionally “Red Sky Certified” (RSc)*, and will qualify for one year certification in March if he sticks around that long. He graduates in December, and as promised, we’ve referred him into two member companies, and to make sure we align with his long term goals, we introduced him into a third, non-member company. I’ll let you know where he finally lands, but this is very exciting. We’ve narrowed down next year’s crop of interns to four, and will be working them through a filtering process over the next couple of weeks. Interested in learning cyber analytics in the APT space? Drop our Academic Director a note.

Until next week!
Have a great weekend!
Jeff


* Red Sky certified (RSc) is granted provisionally after two quarters of ranking in the top 10% of all peer reviewed analysts in Red Sky. Four consecutive quarters of top 10% peer reviews earns one year of Red Sky Certification. Three years certified makes it permanent.

Thursday, November 01, 2012

Beadwindow is growing!

We kicked off our "Beadwindow" portal a couple of months ago with the idea that we could give government participants a place to quietly share notes with the private sector companies in the Red Sky Alliance.  While participation isn't as strong as we see on the Red Sky private portal, we are seeing growth as a result of a couple of new features:
  • Beadwindow users enjoy access to our Malware Analyzer: Imagine working in an information security shop and not having access to a malware analyzer! One of our top community analysts has probably pushed 150 malware samples through our MAG2, and tells us it saves him a ton of time every day. With an average processing time of less than a minute, he learns very quickly which code, URLs, or documents are bad, and if so, how he can block the C2 before losing any more data. He then takes the analysis from our analyzer and starts looking for other instances of the same code in his network. A 59-second average malware triage time and expert assistance from our back-end team if needed. Where else can he go to get that?
  • Cross portal communications: As of today Beadwindow users can now tag a question to be posted to the Red Sky private portal. This is especially useful when comparing notes between the two. We've had a couple of cases, even in this short period of time, where activities in one also targeted folks in the other. The benefits have been incredible. A direct result of this is two new Red Sky private portal users have requested (and were given) accounts on the Beadwindow portal. 
  • Beadwindow users get the same direct access to Red Sky analysts as the private portal: this means full length unclassified Fusion Reports based on actual cases you're talking about in the portal, with easy to use, high confidence actionable indicators that can be cut and pasted directly into your own sensors.
Join the conversation! Federal, State, Local, or tribal, we don't care. Take advantage of the Beadwindow analytic capabilities and embed Beadwindow into your daily routine and incident response processes. We've created special rate plans for government and academic users who would like to participate in Beadwindow. So, if you'd like to 'poll the audience' all you have to do is ask!

Last, looking for training?  Are you an analyst with training in another discipline who's just jonesing to get into cyber but can't seem to catch a break?  We've got three interns signed up for 2013 and one more possibly on the way, but we're always looking for wounded warriors or other folks who might have crazy m4d research, analytic and writing skills but need to be taught cyber. Red Sky and Beadwindow are now offering a training program for those who are willing to commit and study hard. Once completed, if you do well, we'll introduce you to our membership for your next job. Our first Intern is going through the process as we speak. Interested? Drop me a note or contact our Director of Academic Services directly.

Jeff