The story of one CIO’s “oh sh*t” moment.
Earlier this week I received a call from a Chief Security Officer of a company many of us know. It’s not a DIB, nor critical infrastructure, rather a very cool company that does about half a billion per year manufacturing non-computer related hardware.
The CSO told me that the IT director had found the networks had been compromised. Roughly 1000 machines had been found with malware and shares were being killed all over the company. The CSO asked if we (I) could help. Unfortunately my skills as an incident responder are a little long in the tooth, so I introduced him to an old friend who now runs a small, highly skilled company (and a Red Sky Associate Member --Kyrus Tech). Kyrus offered a proposal, at the “Friend of Jeff” price. It was very generous. The CIO, however, even with the great price for such a skilled crew, thought it too high. He wanted to go it alone.
His company had been compromised (discovered) roughly a month ago. Since that time, IT (not a security team) has been chasing the mole, whacking it every time it popped up. His team is tired. The CIO is frustrated because every time he fixed something, another infection popped up. If you’ve worked as an incident responder lately, you know the pain this team feels. We’ve all been there. The CIO holds a heavy personal connection to his networks, having built many of them himself. He continued to believe he could fix this on his own. He can’t. I hate to say, there’s a high probability this CIO will never view his networks as safe again. Kyrus is responding, only after the frustration the CIO felt when he came to work again this morning and found, yet again, another infection.
Here’s the lesson. If you’ve not dealt with these types of infections before, and you find one in your network, don’t go it alone. Red Sky Alliance is here to help. Information sharing in one of our portals offers two great communities to ask questions and get help. We have relationships with several qualified incident responders that can offer personal assistance if needed. This CIO caught it early (hopefully). This CIO was smart. It only took him a month to realize (forcibly or not!), that he needed help. Good for him!
Now for Red Sky. 2013 is off with a bang! Here’s what happened this week:
- Fusion Report 13-002: Analysis in the portal kicked back into gear this week with several new malware samples in the queue, including payloads from recent 0-day attacks. New malware from a known group was also received and employed multiple anti-VM evasion techniques. We were able to quickly triage the sample and provide attribution and behavioral details.
- New Members!
- We’ve delivered our terms and conditions and an invoice to our first potential Federal member. Pending legal review this major cyber center will hopefully be joining Beadwindow very soon.
- Another financial member is joining Red Sky. We presented. They loved what they saw, checked with current members for reference, and this new global Financial Institution is expected to be in the portal very soon.
- We’re growing!
- We’ve hired two new Senior Members of our Technical Staff (SMTS). Both have great backgrounds in cyber intelligence. One, a former CISO from a large enterprise company we all know; the second an experienced intelligence analyst.
- We’re looking for a couple of good Business Development Executives and possibly one Channel Exec. If you’ve been selling security products or services into large enterprise customers or State/Local governments, check us out on UpLadder, or shoot me a resume directly.
Beadwindow was slow going in 2012, but we intend to put a bit more energy into it this year. With our first Federal Cyber Center potentially coming in within the next couple of weeks, and a dedicated SMTS, we’re looking for results there as amazing as we saw last year from the private portal. 2013 is starting off nicely!
Until next time,
Have a great week!
Jeff
I’m very happy to say that it’s the beginning of our second calendar year, and we made it. That’s an accomplishment that many start-ups never see! And not only did we make it, we made it in style. We’d set a revenue goal early in the year for our self-funded company and I’m happy to say, we met the goal. We closed out our Founding Member drive with seventeen companies in total; two more Founders than hoped, with a nice mix of financial institutions, Internet companies, security providers, defense contractors and Oil/Gas. In all, we ended the year with 24 global companies participating, including Associate (Vendor and Consultant) members, and for 2013 our membership pipeline looks great!
On the analysis front, there was no rest for the weary over the holidays thanks to a couple of inconveniently timed 0-days. We kicked off 2013 with a 22-page Fusion Report (FR13-001) that details both the campaign and two separate malware payloads. The report included detailed information on the leveraged protocols along with a working C2 decoder. Multiple indicators and six additional Snort signatures were added to the collection for proactive identification and mitigation of related activity.
It’s busy, and seems to be getting busier.
- We have our annual report in final review with our membership before final publish.
- We’re in conversation with several new associates to provide new and different data types and perspectives to the membership.
- We’re adding new features to the portal --testing the Outlook plug-in in the Beadwindow portal as we speak, and have acquired an app to allow mobile users to operate from smartphones and pads.
- Interest in Beadwindow is growing. I’ve received a number of inquiries, and given several presentations to government users who now have the ability to communicate with those Red Sky members who choose to talk to them. This is big. Our members complain of the sheer volume of government folks who want to talk to them. Now they can do it in one place.
Look for our Annual Report soon, as well as our first white paper “How great companies deal with APT and Targeted Events”. The paper is a high level road map of the seven common actions that companies do when faced with Targeted and APT events. There’s nothing worse than realizing there’s someone in your network and you can’t get them out. This paper will tell you how others worked through the problem.
2012 was a great year. 2013 looks to be even better!
Once more, and then I’ll stop. Happy New Year!
Have a great week!
Jeff
The term “war zone” elicits images of tanks, gunfire and military personnel. However, as technology evolves, so do the weapons associated with the art of warfare [1]. The battleground has moved online.
Confidentiality of our information has been lost. While this article talks about Flame as a threat, Red Sky Alliance (and others) track hundreds of pieces of malware, all aimed at stealing data. In even the most sophisticated environments data gets stolen daily. On that, the natural progression beyond espionage is use of the stolen data. I was reading Popular Science yesterday (Jan 13 edition). I find it no surprise that the new Chinese unmanned aerial vehicle (CH-4 UAV) looks a lot like the US’s Reaper drone, or that the frontal view of the J-20 looks a hell of a lot like the frontal view of the F-35. While much of the information on size, shape, etc., may be found in the open press, much cannot. That which cannot is acquired via human intelligence (HUMINT) or cyber. Cyber is cheap and (compared to HUMINT) easy and significantly lower risk. Confidentiality of our information has been lost and it’s cost the US billions in stolen research and development, and competitive advantage.
Availability is lost. Distributed Denial of Service (DDoS) attacks have rendered small countries unavailable; banks have been hit repeatedly. Nobody is safe from being taken offline temporarily. DDoS is an easy way to send a ton of packets down range to a specific target, disallowing use of the target until those packet floods stop. While no long-term damage (as far as I know) has been reported showing DDoS taking down a global bank to the point of bankruptcy, availability is lost (at least in short spurts --for now).
So what’s next for cyber? Integrity loss. Beyond exploitation of intellectual property, it seems likely that the longer-term application will be destroying data, or more simply, corrupting data to the point where its use creates a lack of confidence in the operator using it. How will companies protect the integrity of their data? When source code lands on the last server or storage before going into production --on that chip, in the car, or computers heading out for general distribution-- how can we be sure the code that lands on those end-use systems won’t do bad things when plugged in? How do we know today that massive auto-stock trading computers are not being manipulated? What about stock indexes and futures? What must we do to ensure future cyber won’t allow power to be turned on and off at adversarial will, or to ensure that air traffic controllers actually maintain control over air traffic?
How does a company protect itself when espionage and warfare rules apply?
I don’t believe the sky is falling. I’m an old Navy guy. I believe we’re learning to fight submarines. During World War I U-boats ravaged Allied shipping. It wasn’t until much later that we figured out how to detect them, thus saving the lives of untold numbers of sailors. Eventually we learned to detect the German U-boats, build them ourselves, and fight back with great success during WWII. This new cyber era is much the same. We’re facing new threats. The new tools, tactics and procedures are becoming commonplace in our world, and we will (WILL) learn to combat the growth in both numbers and complexity. As these new tactics and threats grow to ubiquity (and public awareness), Cyber will become just another weapon... Just another weapon that we’ll deal with in the future. Until then, many of us will still flounder in trial and error. Others (smart ones) will take the lessons from others and use them successfully to learn to deal with cyber in today’s new environment.
Red Sky Alliance members help each other learn. It’s about sharing information in real time about real events in a world where both Confidentiality and Availability have already been lost, and Integrity remains (currently) up for grabs.
We’ve pre-published our first Annual Report to members of our Advisory Board with the expectation of having it published more broadly very soon. It’s amazing to see some of the kinds of technologies exploited for economic gain, but equally amazing to see that Information Operations are most definitely being used to identify and manipulate those who shape policy, economic futures, and build our new tech... and I’ve probably only just scratched the surface.
Hang onto your hats folks. 2013 is going to be a wild ride!
Until next year!
(Happy New Year!)
Jeff
[1] http://www.foxsanantonio.com/sections/lifestyle/tech/16365/
As expected, activity in the portal has slowed a bit leading up to the holidays, so we have been focusing on adding capabilities to further benefit the membership.
- We started a DNS monitoring and reporting process. This will give us better situational awareness on malicious domains being reported through the portal.
- We are also beginning integration of automated network simulation into our MAG2 environment for easier identification of adversary protocols.
- Our first comprehensive threat actor profile is forthcoming just in time for Christmas. This will be the culmination of several years of tracking and analysis on arguably the most formidable and highest profile Chinese threat actor groups.
- We're wrapping up our first Annual Report. We'll be pushing it out to our Advisory Board in the next day or two for final review before publish.
- We've begun making appointments for demos of the Beadwindow portal with Federal folks. My dance card for the weeks after the New Year is filling quickly!! Don't be left behind. Drop me a note.
Enough of that for now. I’m going to close with a short, sweet blog. It’s been a great year. I’d like to take a moment and say thank you, and Happy Holidays to all of our members, especially those early Founding Members who had enough faith to write us the first checks and get the Alliance off the ground. Thank you. To our military, and especially our deployed military members and the civilian support and their families, I wish you Happy Holidays, and a safe return home.
I’ve put together something fun to close out the year. I hope you enjoy holiday well wishes from Jim and me. Happy Holidays all!
http://www.jibjab.com/view/23LxYQKITqalEiJLXJgN0A
Until next time.
Merry Christmas (or whatever you celebrate!),
Jeff
I’m going to do something a little different this morning.
Last year, I published (in limited distribution... in case I was wrong!) predictions for 2012. This morning I’m publishing that list to the blog, with updates to my 2011 thoughts for 2012, moving forward into 2013, and a few positive trends.
A couple of highlights on the positive side:
- Companies outside of the critical infrastructures are becoming aware of the dangers of targeted and advanced persistent cyber events.
- Adoption of information sharing by companies large and small has taken off. This is not just a trend in Red Sky Alliance, but in others as well. We see this as a major deal --low cost, extremely high payoff.
- More companies are looking to formalized models to build their information security programs and management processes.
- Securing the Human has become widespread --not just in SANS, but also in practice. More companies are employing routine, randomized testing and education of their end user workforce.
- Last, “Best in Breed” practices are beginning to emerge. This is a leading indicator of institutionalizing new practices and processes to deal with the new, emerging threat landscape.

Next, my 2011 thoughts.
Last year I outlined several trends. I’ve updated them for this year, and through work with the Red Sky Alliance members during the year, have extrapolated some of this information into predictions for 2013, and thoughts on a few new items:
A couple of key thoughts, and the highest of risks on my prediction list for 2013. These were originally authored as 2012 predictions, and those shown in red have grown through the year to become mainstream in 2013. For example:
- Use of remote access and its associated legitimate (but stolen) credentials is a mainstream method of gaining access to company networks and intellectual property.
- Supply chain, including not only traditional supply chain, but also non-direct value add suppliers (i.e.: legal, outsourced HR functions, and finance) are high value targets for intelligence on not only ongoing operations, but futures.
- Traditionally closed systems (physical security systems) are becoming more interconnected to allow remote work, higher order analysis and correlation, and storage. These systems continue to be targeted as PSIM is integrated with traditional infosec operations. These systems include primarily voice and video.
- I'd also like to couch one of my positions. My belief is that the healthcare system will see an avalanche of PII related theft in the future. I've not tracked the healthcare system this year as much as I have in the past, but this is one of those secondary value add suppliers that, in my opinion, are in danger of massive losses. Every healthcare CISO I talk with worries about this. I left movement as neutral, but believe the risk is high. I'd offer the same advice on the legal industry.

2013 will bring new challenges, mostly associated with Cloud, Big Data, and Mobility. This should be no surprise to readers, as companies find massive returns on renting server, infrastructure, applications, etc., from cloud providers, and BYOD is both a massive opex reduction and makes end users happy at the same time (Win-win! right? WRONG.).
Key takeaways for 2013:
- Not surprising but the natural progression of things suggests that more companies will realize the devastation of being targeted and not be able to kick intruders off their networks. We call this realization their “Oh Sh*t!” moment... and we believe this feeling will spread like wildfire during 2013.
- Our inability to deal with the overwhelming needs will result in a knee-jerk reaction for government to over-regulate and demand reporting from respective supply chain companies.
- I should have placed BYOD concerns on last year’s thoughts, but BYOD at the time was largely an immature concept. The idea that “Mechanics use their own tools, why shouldn’t computer workers?” means companies will realize the ROI associated with allowing the use of personal devices, which will bring an entire new crop of security concerns --all of which will feed the target footprint for those targeted events that we just talked about moments ago. BYOD is going to bring infosec pain. Be ready.
- Last, large repositories are always great targets. As companies move to cloud based systems and big data repositories, we’ll see discrete attacks used against these large data sets in undetectable new TTPs.

To wrap up, every week we publish a simple highlight of the fusion report we published during the week. We could publish dozens (hundreds) of these things if we chose, but we try and choose something important that we believe users need to know about.
- This week we published FR12-033, which details a variant of malware leveraged in coordinated APT attacks involving several threat groups. The report revealed new intrusion infrastructure and contained information indicating a nexus with possible ties to a Chinese university. The incident is believed to have targeted a Federally Funded Research and Development Center (remember the discussion about indirect value add supply chain companies?).
- In the portal this week, early warning indicators were provided for pending DDoS activity targeting the US Banking community, and
- We continued the "name and shame" analysis with a completed persona profile of a known operator and malware developer.
Whew. This was a long post. I hope you find it useful.
Until next time,
Have a great week.
Jeff
We held our third Red Sky Alliance Threat Day in San Antonio this week, and it was an absolute success! We had a decent turnout with several member companies in attendance. The day started out with a joint presentation on a well known threat group and included a "name and shame" on several of the actors themselves.
- Analysts, working together on site, were able to identify not only (high confidence) identities of many of the people believed associated with this group, but also alias email addresses, buddy lists, blog sites, forums they participate in, and screenshots of their computers with (believed) exfiltrated files on the desktop. In addition to personas, analysts were able to view what they believed were targeted information including technologies ranging from military to electric automobile technologies and financials of over a dozen companies. A formal “Name and Shame” fusion report resulting from the onsite “Analyze-a-Thon” will be published to our community in the near future.
- This presentation by Red Sky analysts and one of our members was followed up with a post-exploitation analysis of another group by a second member analyst.
- The day was wrapped up with a lessons learned discussion, on building out a network forensics capability.
On the Beadwindow Private | Public side of the house, we’ve met with two of the six major Federal Cyber Centers, delivering presentations on how they might benefit from participating in the Beadwindow portal. My hope is that we’ll see some new participants soon. I’m very much looking forward to that day. While we hear every day that members of the government have a hard time talking to private industry information security practitioners, Beadwindow offers a great way to allow this sharing, and allows corporate members the ability to protect their anonymity if they choose.
As we head into the end of the year the portal this week was business as usual.
- Our analysts are currently crowdsourcing a new malware variant and TTP involved in a recent uptick of APT activity.
- Two new ‘diversified industry’ participants have joined and are participating. While it may seem hard to think about how you, as a new member, might benefit from participating in the Alliance, one new member immediately started posting to an area we call “Wildfire”. The new member needed help. Wildfire is reserved for out-of-band communications during incident response, and to request assistance from the community. The “Forming, Storming, Norming and Performing” process we go through with new members is quickly becoming routine. The group is gelling nicely and we’re finding amazing benefit in the amazing group of companies now in the Alliance.
So, if you’re thinking about jumping in, now’s the time. Government and Academic users can take advantage of lower membership rates for membership in the Beadwindow portal. Commercial users can take advantage of founding level membership pricing for only another couple of weeks. Current pricing ends on 12/31. Don’t wait.
Have a great week!
Jeff
We’re winding down 2012 but the pace hasn’t seemed to change even one bit. Attackers are busy, defenders are busy. This week Red Sky has people onsite doing analysis, and others building infrastructure to reduce friction points to collaboration, and even with all of that going on, we continue to add new members.
Here’s what’s happening:
- Fusion Report 32 published: This week we released Fusion Report 32. FR12-032 details a newly leveraged backdoor and its associated infrastructure. We provided analysis of the malware's capabilities and protocol with 8 new signatures for identifying its communications.
- Analyze-a-thon: Our lead analyst is onsite with a member this week developing an attributional profile of one of the most prolific APT groups out there today. In three days onsite, combing through mountains of forensic data, the team, working together has made significant progress in what they’re calling the “name and shame” report. The result of this analysis will be provided to the Red Sky community in our upcoming threat day next week.
- Threat Day: Our next (our third) Threat Day is scheduled for this week in San Antonio, TX --again at a member location (I hear they have an indoor slide!). Presenters are lined up to talk through the day, and we’re expecting to video the day and post the presentations to the portal.
Short and sweet. Sometimes that’s best.
Until next time, have a great week!
Jeff