Saturday, January 26, 2013

Extortion of a 16 billion dollar company...


I tell this story often. It’s a story of a company -- a $16 billion company, who in 2006 bet the farm on some specific technology. The company wanted to use the High Definition (HD) codec to replace a massive network of movie distribution. If it worked, the company would make billions.

You may recall, at the time, some of us owned HD players, others Blu-Ray. In this case, the HD company came under attack by folks backing Blu-Ray. Patent pending technologies stored in the “HD Company” (we’ll call them HDCo) were harvested systematically from their servers all over the world. HDCo executives were targeted individually --physically, cyber, psychologically. Their email accounts were taken over. They were forced to use throw-away cell phones. One exec even reported multiple occasions of harassment in the parking lot of her grocery store! This is what some of us know as ‘asynchronous warfare’. In the corporate world, it’s considered corporate espionage. I’d call it extortion.

The bullying, harassment, and theft went on for roughly two years. The company couldn’t survive. In the end (Feb last year), this company rebranded. They’d lost nearly all of their stock value, dropping from a whopping $16 billion global diversified company in 2006 to a $160 million company in 2012!

Why do I tell this story?

What’s old is definitely not new again... While many things are, cyber isn’t.

Fifteen years ago when I started my career in information security, I’d watch the FIRST list. We had roughly thirty of us sharing real time information through PGP encrypted emails. The information we shared among us was amazing. When I left the Navy, my FIRST membership went with it.

In 2005 I rejoined, remembering the successes I enjoyed in 1997. This time, there were hundreds of folks participating. The landscape had shifted. Moore’s law applies not only to CPU speed, it also applies to growth of the network. In that short period, FIRST grew from roughly 30 to over 300 --highly indicative of the number of victim computers, and the requisite number of incident responders needed to handle the massive, exponential growth of cyber victimization. Nearly ten times more people needed information, and were smart enough to seek it out.

What many didn’t know at the time was that not only had the number of compromised machines grown, requiring more incident responders, but the very nature of those attacks was shifting under our feet. In 2006 when I was first exposed to APT, it wasn’t like my early days in the Navy when one attacker broke into one computer. In 2006, one attacker might compromise hundreds of computers over the course of only a few days. Today, thousands would be compromised using simple exploits with complex chaining of events. Attackers (even today) will use just enough tech and know-how to get what they want. When a defender ups the game, attackers do too.

  • Have you ever heard of a company who has to change the credentials on their domain controllers on a weekly basis? One CISO tells me that if he could change the credentials every 10 minutes, it still wouldn’t keep them out!
  • What would you do if you knew every week, every one of your servers running IIS was going to have their credentials harvested, and there’s not a damn thing you can do about it? (Read back in my blog. I described the Windows Credential Editor problem earlier.)
  • Have you ever changed a rule in your Intrusion Prevention Systems only to find it changed back twenty minutes later?
  • What would you do, if on a weekly basis, 3% of all of your company’s computers were found compromised, with nearly all sending data home? In the companies I work with, 3% means at least 3000 computers --every single week.
  • How would you feel, as CISO, if you were informed by the FBI today that you’ve been compromised, and when you did the analysis, found you’ve been completely owned --man in the mailbox, full exfiltration, and attacker control over any box in your network for years?

I talk with CISOs nearly every day. I’m amazed that even today, with the massive advances in attacker TTPs (Tactics, Techniques and Procedures) in the last few years, a CISO can look me square in the eye and believe with every fiber of their being that twenty year old information security practices --going it alone, simple firewalls, relying solely on antivirus-- are going to save their companies from the complex chaining of these simple events --just enough to breach their companies. I talked to one recently who had no idea what a watering hole attack was. He was floored when I told him that his corporate webserver may well have been compromised, serving up poison water to every employee who visits.

BT BT

This week was fantastic for the Red Sky and Beadwindow Alliances.


  • Two new companies joined Red Sky last week. Our provisioning guy has taken to drinking (heavily). I know in one day he did 28 new accounts!
  • This month alone (and it’s not over), our accounts receivable are more than all of the revenue we collected last year. It’s not a result of my good looks, or of our sales prowess, it’s a result of members telling others to join... and they are!
  • I’m happy to announce AJ Brown and Bob Hillery have both joined the Red Sky | Beadwindow team as Senior Members of the Technical Staff. I’ll announce the third next week. Bob is a retired Navy Commander, a long time SANS Instructor, and a founder of InGuardians. AJ came out of PC Connections as an IT Account Executive. Bob will be handling our intern program, and has already kicked off one major (provisional) patent pending project that we hope to be using in our portal at some point in the future. AJ is pounding the pavement, charged with new member acquisition from the commercial sector. Both are great guys!
  • Our Annual Report FINALLY went to the printer. I’m hoping to have a stack of them on Rick when he goes to RSA.

What’s old is definitely not what’s new. If you’re a CEO, CIO, or CISO, and you’ve not stayed current, drop us a note. We’re scheduling threat briefs. We’d be happy to schedule an online or in-person threat brief for you and your team. You’ll see first-hand the kind of amazing work that comes from a group such as ours. Live action. Real time cyber intelligence through crowdsourcing, smart, easy to work with people, and good tools.

I’d like to invite you to join Red Sky Alliance. 
Please contact AJ Brown today.

“Red Sky at night, sailors’ delight... ”

Until next time,
Have a great week!
Jeff

Saturday, January 19, 2013

Red Sky Weekly: 0-day, Intel Analysis Report, and new Associate Member...

Cyber Security Intelligence - Live, Real Time, Right now.

I love this. Clear, succinct. It’s what we are. It’s what Red Sky Alliance does all day, every day.

I’m the geek in this operation. My sales skills aren’t everything they could be (not necessarily a bad thing), but we pushed through 2012 successfully. Yesterday I was doing the third interview with a new Business Development Executive that we were looking at for new member recruitment.

As part of the interview, I asked him “In your words, what’s the value?” He replied, without missing a beat --it’s live. Red Sky isn’t a movie that was recorded live but played over and over, it’s live. It’s conversations and actions that members can use now... in real time, talking to others, seeing what’s happening in real time. I could see it in his eyes. The light bulb had gone off and was fueled by the contagion we all feel when we realize just how powerful a community such as our two (Red Sky and Beadwindow) can be...

I think our new membership guy defined our new company slogan...

Cyber Security Intelligence - Live, Real Time, Right now!

BT BT

Intelligence Analysis Report 13-001 (IAR 13-001) released: Over the course of the last couple of months we’ve been working with one of our members in analyzing and authoring an in-depth analysis of one of the most prolific and damaging APT groups out there today. The group claims thousands of jump points into and out of thousands of commercial, defense, and government targets, including, we believe, much of the chemical sector last year, well known IT security companies, and dozens of others, stealing enormous amounts of valuable intellectual property from each as they’ve ravaged their way through cyberspace over the course of the last couple of years. We labeled this report ‘Intelligence Analysis Report 13-001’. It’s a little different than one of our Fusion Reports. The IAR focuses more on the people, how they work, and what they want. The report consisted of over 20 pages of high-level analysis on tools, targeting, infrastructure and identifying information on suspected actors.

Other happenings:

  • 0-day: Red Sky analyzed a recent 0-day. Feedback from one member confirmed that analysis from Red Sky enabled this member to mitigate the activity from this 0-day on his company’s network.

  • New Associate Member: This week we’re joined by a newcomer to the security intelligence space - Exodus Intelligence. Exodus is this cool little company that does 0-day research, selling subscriptions to finished reporting to their subscribers. For those of you who don’t know what an 0-day is, an 0-day (zero day, or oh day) is a newly discovered vulnerability that hasn’t yet been publicly disclosed. The Exodus team is now in Red Sky, and will be interacting directly with our Alliance, providing real time 0-day discovery, discussions and participating in our crowdsourced analytic intelligence engine.

  • New folks: As mentioned above, we’d posted three positions on UpLadders last week. In the few days the ad was running, we had probably 25 applicants before we turned the ads off. In the end, I’m happy to report, we have extended offers, and all three have accepted. Two of these new folks are linguists and one is deeply technical. Our first two start on 2/4, and the third during the first week in March.

  • Beadwindow: We’re working on contractual language with our first Federal Government Beadwindow member, and we’re hoping to have them in very soon.

A quick admin note: I’m sad to say, Dave Chauvette, our Director of Academic Services, has left Red Sky to pursue activities more in line with his long term interests. Please direct any messaging regarding internships to me.


Oh, and before I forget --an update on my piece from last week. Remember that CIO with his head in the sand? I gave him a threat brief... went to his office, sat side by side with him, and gave him a threat brief to show him what's going on around him. The outcome? He's agreed to use an outsider for incident response and triage analysis. His Carbon Black server should be arriving tomorrow.

If you're interested in having your CIO, CEO, or management team receive our threat brief, please drop us a note. We'd be happy to set something up online, or in person. We've got qualified people in the New England, DC and St. Louis, MO areas and would be happy to arrange a time.

So, another fantastic week in Red Sky Alliance!

Until next time,
Have a great week!
Jeff

Saturday, January 12, 2013

Red Sky Weekly: Penny Wise, Pound Foolish...

The story of one CIO’s “oh sh*t” moment.

Earlier this week I received a call from a Chief Security Officer of a company many of us know. It’s not a DIB, nor critical infrastructure, rather a very cool company that does about half a billion per year manufacturing non-computer related hardware.

The CSO told me that the IT director had found the networks had been compromised. Roughly 1000 machines had been found with malware and shares were being killed all over the company. The CSO asked if we (I) could help. Unfortunately my skills as an incident responder are a little long in the tooth, so I introduced him to an old friend who now runs a small, highly skilled company (and a Red Sky Associate Member --Kyrus Tech). Kyrus offered a proposal, at the “Friend of Jeff” price. It was very generous. The CIO, however, even with the great price for such a skilled crew, thought it too high. He wanted to go it alone.

His company had been compromised (discovered) roughly a month ago. Since that time, IT (not a security team) has been chasing the mole, whacking it every time it popped up. His team is tired. The CIO is frustrated because every time he fixed something, another infection popped up. If you’ve worked as an incident responder lately, you know the pain this team feels. We’ve all been there. The CIO holds a heavy personal connection to his networks, having built many of them himself. He continued to believe he could fix this on his own. He can’t. I hate to say, there’s a high probability this CIO will never view his networks as safe again. Kyrus is responding, only after the frustration the CIO felt when he came to work again this morning and found, yet again, another infection.


Here’s the lesson. If you’ve not dealt with these types of infections before, and you find one in your network, don’t go it alone. Red Sky Alliance is here to help. Information sharing in one of our portals offers two great communities to ask questions and get help. We have relationships with several qualified incident responders that can offer personal assistance if needed. This CIO caught it early (hopefully). This CIO was smart. It only took him a month to realize (forcibly or not!) that he needed help. Good for him!

Now for Red Sky. 2013 is off with a bang! Here’s what happened this week:

  • Fusion Report 13-002: Analysis in the portal kicked back into gear this week with several new malware samples in the queue, including payloads from recent 0-day attacks. New malware from a known group was also received and employed multiple anti-VM evasion techniques. We were able to quickly triage the sample and provide attribution and behavioral details.
  • New Members!
    • We’ve delivered our terms and conditions and an invoice to our first potential Federal member. Pending legal review this major cyber center will hopefully be joining Beadwindow very soon.
    • Another financial member is joining Red Sky. We presented. They loved what they saw, checked with current members for reference, and this new global Financial Institution is expected to be in the portal very soon.
  • We’re growing!
    • We’ve hired two new Senior Members of our Technical Staff (SMTS). Both have great backgrounds in cyber intelligence. One, a former CISO from a large enterprise company we all know; the second an experienced intelligence analyst.
    • We’re looking for a couple of good Business Development Executives and possibly one Channel Exec. If you’ve been selling security products or services into large enterprise customers or State/Local governments, check us out on UpLadder, or shoot me a resume directly.

Beadwindow was slow going in 2012, but we intend to put a bit more energy into it this year. With our first Federal Cyber Center potentially coming in in the next couple of weeks, and a dedicated SMTS, we’re looking for results there as amazing as we saw last year from the private portal. 2013 is starting off nicely!

Until next time,
Have a great week!
Jeff

Saturday, January 05, 2013

Red Sky Weekly - Kicking off 2013!

I’m very happy to say that it’s the beginning of our second calendar year, and we made it. That’s an accomplishment that many start-ups never see! And not only did we make it, we made it in style. We’d set a revenue goal early in the year for our self-funded company and I’m happy to say, we met the goal. We closed out our Founding Member drive with seventeen companies in total; two more Founders than hoped, with a nice mix of financial institutions, Internet companies, security providers, defense contractors and Oil/Gas. In all, we ended the year with 24 global companies participating, including Associate (Vendor and Consultant) members, and for 2013 our membership pipeline looks great!

On the analysis front, there was no rest for the weary over the holidays thanks to a couple of inconveniently timed 0-days. We kicked off 2013 with a 22 page Fusion Report (FR13-001) that details both the campaign and two separate malware payloads. The report included detailed information on the leveraged protocols along with a working C2 decoder. Multiple indicators and six additional Snort signatures were added to the collection for proactive identification and mitigation of related activity.

It’s busy, and seems to be getting busier.

  • We have our annual report in final review with our membership before final publish.
  • We’re in conversation with several new associates to provide new and different data types and perspectives to the membership.
  • We’re adding new features to the portal --testing the Outlook plug-in in the Beadwindow portal as we speak, and have acquired an app to allow mobile users to operate from smartphones and pads.
  • Interest in Beadwindow is growing. I’ve received a number of inquiries, and given several presentations to government users who now have the ability to communicate with those Red Sky members who choose to talk to them. This is big. Our members complain of the sheer volume of government folks who want to talk to them. Now they can do it in one place.

Look for our Annual Report soon, as well as our first white paper “How great companies deal with APT and Targeted Events”. The paper is a high level road map of the seven common actions that companies take when faced with Targeted and APT events. There’s nothing worse than realizing there’s someone in your network and you can’t get them out. This paper will tell you how others worked through the problem.

2012 was a great year. 2013 looks to be even better!

Once more, and then I’ll stop. Happy New Year!
Have a great week!
Jeff

Saturday, December 29, 2012

Red Sky Weekly - LOST: Confidentiality. Integrity. Availability.

The term “war zone” elicits images of tanks, gunfire and military personnel. However, as technology evolves, so do the weapons associated with the art of warfare[1]. The battleground has moved online.

Confidentiality of our information has been lost. While this article talks about Flame as a threat, Red Sky Alliance (and others) track hundreds of pieces of malware, all aimed at stealing data. In even the most sophisticated environments data gets stolen daily. On that, the natural progression beyond espionage is use of the stolen data. I was reading Popular Science yesterday (Jan 13 edition). I find it no surprise that the new Chinese unmanned aerial vehicle (CH-4 UAV) looks a lot like the US’s Reaper drone, or that the frontal view of the J-20 looks a hell of a lot like the frontal view of the F-35. While much of the information on size, shape, etc., may be found in the open press, much cannot. That which cannot is acquired via human intelligence (HUMINT) or cyber. Cyber is cheap and (compared to HUMINT) easy and significantly lower risk. Confidentiality of our information has been lost and it’s cost the US billions in stolen research and development, and competitive advantage.

Availability is lost. Distributed Denial of Service (DDoS) attacks have rendered small countries unavailable; banks have been hit repeatedly. Nobody is safe from being taken offline temporarily. DDoS is an easy way to send a ton of packets down range to a specific target, disallowing use of the target until those packet floods stop. While no long term damage (as far as I know) has been reported showing DDoS taking down a global bank to the point of bankruptcy, availability is lost (at least in short spurts --for now).

So what’s next for cyber? Integrity loss. Beyond exploitation of intellectual property, it seems there would be plans for longer term application: destroying data, or more simply, corrupting data to the point where its use creates a lack of confidence in the operator using it. How will companies protect the integrity of their data? When source code lands on the last server or storage before going into production --on that chip, in the car, or computers heading out for general distribution-- how can we be sure the code that lands on those end-use systems won’t do bad things when plugged in? How do we know today that massive auto-stock trading computers are not being manipulated? What about stock indexes and futures? What must we do to ensure future cyber won’t allow power to be turned on and off at adversarial will, or to ensure that air traffic controllers actually maintain control over air traffic?

How does a company protect itself when espionage and warfare rules apply?

I don’t believe the sky is falling. I’m an old Navy guy. I believe we’re learning to fight submarines. During World War I U-boats ravaged Allied shipping. It wasn’t until much later that we figured out how to detect them, thus saving the lives of untold numbers of sailors. Eventually we learned to detect the German U-boats, build them ourselves, and fight back with great success during WWII. This new cyber era is much the same. We’re facing new threats. The new tools, tactics and procedures are becoming commonplace in our world, and we will (WILL) learn to combat the growth in both numbers and complexity. As these new tactics and threats grow to ubiquity (and public awareness), Cyber will become just another weapon... Just another weapon that we’ll deal with in the future. Until then, many of us will still flounder in trial and error. Others (smart ones) will take the lessons from others and use them successfully to learn to deal with cyber in today’s new environment.

Red Sky Alliance members help each other learn. It’s about sharing information in real time about real events in a world where both Confidentiality and Availability have already been lost, and Integrity remains (currently) up for grabs.

We’ve pre-published our first Annual Report to members of our Advisory Board with the expectation of having it published more broadly very soon. It’s amazing to see some of the kinds of technologies exploited for economic gain, but equally amazing to see that Information Operations are most definitely being used to identify and manipulate those who shape policy, economic futures, and build our new tech... and I’ve probably only just scratched the surface.

Hang onto your hats folks. 2013 is going to be a wild ride!

Until next year!
(Happy New Year!)
Jeff


[1] http://www.foxsanantonio.com/sections/lifestyle/tech/16365/

Saturday, December 22, 2012

Red Sky Weekly - Happy Holidays - something fun

As expected, activity in the portal has slowed a bit leading up to the holidays, so we have been focusing on adding capabilities to further benefit the membership.

  • We started a DNS monitoring and reporting process. This will give us better situational awareness on malicious domains being reported through the portal.
  • We are also beginning integration of automated network simulation into our MAG2 environment for easier identification of adversary protocols.
  • Our first comprehensive threat actor profile is forthcoming just in time for Christmas. This will be the culmination of several years of tracking and analysis on arguably the most formidable and highest profile Chinese threat actor groups.
  • We're wrapping up our first Annual Report. We'll be pushing it out to our Advisory Board in the next day or two for final review before publish.
  • We've begun making appointments for demos of the Beadwindow portal with Federal folks. My dance card for the weeks after the New Year is filling quickly!! Don't be left behind. Drop me a note.

Enough of that for now. I’m going to close with a short, sweet blog. It’s been a great year. I’d like to take a moment and say thank you, and Happy Holidays to all of our members, especially those early Founding Members who had enough faith to write us the first checks and get the Alliance off the ground. Thank you. To our military, and especially our deployed military members and the civilian support and their families, I wish you Happy Holidays, and a safe return home.

I’ve put together something fun to close out the year. I hope you enjoy holiday well wishes from Jim and me. Happy Holidays all!

http://www.jibjab.com/view/23LxYQKITqalEiJLXJgN0A

Until next time.
Merry Christmas (or whatever you celebrate!),
Jeff