Saturday, April 27, 2013

New Fusion Report; Intel Analysis; Go West Young Man!

One of our members posted data that led to the discovery of a previously unobserved command and control (C2) infrastructure. What struck me was a call I received from (this very smart and strikingly handsome ;) member late Thursday afternoon... right after we published our Fusion Report. Evidently he'd turned in his pcap samples to Red Sky, the FBI, and a third analytic group. Red Sky did a full workup on the data, crowdsourced pieces as needed, and published (to the group) a Fusion Report with a full analysis and a list of Kill Chain formatted indicators. As of Thursday night, neither of the other groups had responded.

On the membership side of the operation, we sent out membership packages to a bunch of potential members and welcomed our latest newcomer into the Alliance.
  • Two Federal Civilian Agencies are evaluating membership --both currently in legal review, one DoD organization invoiced, and one more DoD organization finalizing paper. Just this week, a third Federal Civilian Agency contacted us for membership information, telling us they can't get good unclassified information elsewhere. We've heard this before. So we're hoping that within the next month, Beadwindow will see an infusion of new federal government analysts.
  • On the Red Sky side of the house, we sent three new members to the Advisory Board to offer thumbs up/down before we go any further with them (all of our members are vetted through our Advisory Board before being offered membership). One was a referral from an old friend; another was a referral from a current member. We love referrals!
  • One new member was invited into the portal this week. The first guy from this credit card company's information security team needed high quality intel --stuff they're not able to get anywhere else. I'm sure they'll find it in Red Sky. In fact, we had one of our best analytic weeks going with two reports published this week. 
This week's reporting:
  • Fusion Report 13-011 published: A Red Sky member submitted details from an incoming spear phish. In the posting he included the email header and attachment. He's a smart guy. The attachment exploited a vulnerability from last year, but the payload initiated and connected to a previously unobserved C2 infrastructure.
  • As well, we published Intel Analysis Report 13-007, which drew comparisons between three RAT families and profiled one of the authors.
BT BT

On top of the crazy pace this week, Jim announced at our weekly staff meeting that he's sold "World Headquarters" in St. Louis and is moving to Colorado! Our president (and his World Headquarters) HAS to be closer to high quality fly fishing and great skiing. I'm keeping my fingers crossed hoping for my own wing! More importantly, this means we've now got representation in Denver, Colorado Springs and, after next week, Steamboat. I had a great trip out to AFCEA a few months ago and can't wait to host our first booz'n and brainstorm'n at elevation in the Rockies!

RE the Lab? We're in full swing looking for business. Our first major gig was a RAID rebuild/restore... An IT consultant sent us a set of drives from a RAID array that they'd tried several times to fix. Their customer's entire business was located on these disks, including a database full of customer information. We were able to identify, carve and rebuild almost all of the data, sending the results back to the consultant yesterday. While it's not sexy APT work, data restoration projects seem to be coming to us, and heck, the work's good and the money is green, so we'll take it. We're expecting a 12TB project this week. So for now, if you're looking to take the strain off of your already over-worked forensic shop, we'll happily take some of it off your plate. If your incident responders/forensic guys are swamped with HR, internal legal, restorals, send some of it our way. Those guys are busy enough with APT. We'll happily take some of the routine cases for you!

OK folks, until next time.
Have a great week!
Jeff

Friday, April 19, 2013

Red Sky is observing a week of silence...

Having been a runner (50 pounds and 10+ years ago), I can't imagine the feelings going through the runners on the field at such massive devastation --the lack of completion, the sheer shock and horror of being in the mind of a long distance run, having dreams shattered as quickly as it happened, and the families of those killed and 100+ injured.

Red Sky Alliance and Wapack Labs are observing a week of silence in support of our neighbors in Boston, and all of those affected by this horrific event. Our hearts and prayers go out to those killed or injured at the finish line of the Boston Marathon, and to their family and friends.

Friday, April 12, 2013

A few things to consider before you buy the next hot commodity.

With Jeff on the road making his way up the east coast in yet another wet and soggy commute, I’ve been handed the digital pen for this week’s blog.  

This week, I was having a beer with a couple of colleagues and the discussion turned to the “commoditization” of security.  We all know that security is one of the hottest market spaces on the planet.  Security firms are selling firewalls and IDS/IPS boxes at a breakneck pace to keep up with the growing security threats and to be fair, the demands for these solutions are growing as well.  But what happens when the supply outweighs the demand?  You look for new things to commoditize!


In my opinion, there is more demand for knowledge and expertise than there is for the next firewall.   In fact, I predict that by the end of 2013, the emerging hot commodity in security will be security related communities where people collaborate and share information in a trusted and secure environment.


You’re already seeing many of the big players and security vendors hanging communities off the solutions they are already providing – “Buy our Incident Response service and you have access to our community.” This demand for communities is nothing new for us at Red Sky. We’ve been supplying this demand for well over a year and a half now.


What drives this demand? It’s pretty simple. The large companies have the incident response teams to deal with APT but don’t have enough actionable information to act upon, and the small companies are lost somewhere between buying solutions, outsourcing functions, and an uneasy feeling that they are not seeing everything they should – that sinking feeling they’re missing something. Sadly, they are.


Like any hot commodity, your inboxes will be inundated with offers to join such a community. The costs can range from free, as a value add to an existing product, to many hundreds of thousands of dollars. To help navigate your inbox, I wanted to share with you what I believe are some of the important things to consider when choosing which community you partner with:

  1. Do I trust this community? – You have to have TRUST with whom you are sharing your most sensitive vulnerability data. Do you know the identities of the other contributors? If you don’t have trust that your information will remain private, you won’t use the community or get the most out of your investment.
  2. Can I count on this community when I need them most? – In time of crisis, when your Incident Response Team is fully engaged, can you lean on someone for help? Do you have a lifeline that will help you or find the resources that can?
  3. Is the information vetted? – Make sure the information you’re receiving from the community is vetted. If the information you’re receiving is invalid or inaccurate, you’re going to waste a lot of time going back fixing things you shouldn’t have to.
  4. Is the community moderated? – Or is it a free for all? Moderation is important. An un-moderated community is a time killer. No one wants to sift through pages of chatter to get to actionable information.
  5. Is there any context to the information I’m receiving? – Is the information you’re consuming in a context you understand? No one wants to take action and not understand why the action being taken is important.
  6. Cost? – You get what you pay for. If you opt for a no-cost community, you may not get quality information, or you may get too much data. If you opt for the most expensive, you may see high turnover of membership or little return on investment.


These are just a few. There are several other things you should consider, but this is a good starting point.  We at Red Sky have a clear vision of how a security community should work and we’re continually improving on our strong foundation, growing our competencies, to sustain our leadership position before the big companies unleash their armies of salespeople!


Red Sky has built a highly trusted, cost effective, and content rich sharing environment to help solve the APT problem by putting together some of the most advanced Incident Response Teams in the world. If you’re looking for such a community and you’re asking yourself the question of how Red Sky can help you, please email me at rgamache@redskyalliance.org

Saturday, April 06, 2013

Red Sky Weekly: “woshihaoren” (我是好人)

I LMAO'd last night when one of the members told me this story, so I had to pass it along. I'm going to clean up his language a bit. I'm crusty, and he's crusty, and the story was conveyed over a beer and cigar at a local watering hole. I know some of the color might be lost, but here goes anyway...
This guy (I'll call him Jack) is the CISO of a company that does about a billion per year in sales, and although I won't tell you what the company makes, I'll say they're high tech.

Jack has a problem. APT actors basically live in their network. Heck, they come to work nightly when Jack isn't there, stick around for an eight hour shift, and log in and out as they need to capture new information. It's bad. Jack is good.. very good.. but has a small team and although they work very hard to keep actors out, sometimes it just doesn't work out that way.
So one day, Jack gets pissed. He knows the actors use a tool to capture passwords from machines and when they do, they have free rein to do what they want. Worse yet, they capture credentials all the way back to the last reboot. So Jack --a really pissed Jack-- knows someone is going to read his (what should be private) password. So Jack changes his password, leaving a message for his attacker. You won't be able to translate this in Google, and for those of you who know me, I don't usually pull these punches, but in writing, on a blog, I'm doing my best.
The CISO's taunting new password:

Limp [insert sailor slang for 'Male Sexual Organ'] [insert ‘Racial Slur’]

The password, after the next ‘shift’ (24 hours later) was changed to:

“woshihaoren” (我是好人) --Spaced out Wo Shi Hao Ren means "I am a good person."

So this tells me two things. First, yes, someone is living in the networks and not afraid to interact directly with this (incredibly technical) CISO and his team, and second, OPSEC isn't always a concern --especially when they know they've got you and have free range of movement in your networks.

This isn't the first time I've heard about attackers living in a network, and I'm sure it won't be the last. This guy has been sharing some of the best intel on attackers that I’ve ever seen. While it’s true he’s got a real mess, it’s also true that he knows how to capture data, record actions, and repel when he does find them. Unfortunately he can’t be cloned (yet), and can’t work 24/7, but without a doubt, Jack is one of the best and he isn’t afraid to show others what he’s got going on, or help them with their own problems.
This is what Red Sky is about --neighbors helping neighbors.

BT BT
Now some really cool stuff. We published two reports --a Fusion Report (FR13-009), and our version of an Intelligence Information Report, an Intel Analysis Report (IAR13-004).
FR13-009: This week we released FR13-009, our 9th in-depth fusion report this year. FR13-009 is an analysis of our "APT1". Granted, it's not the Mandiant "APT1", but it's number one on our list. As always, our report included roughly 15 pages of analysis, including detailed analysis of a widely used remote access trojan and its infrastructure. The report included several pages of indicators, and gave members two new YARA rules and a Snort signature to drop into their defenses.

IAR13-004 is an unfinished intel report summarizing yet another VPN service linked to hackers. This paper was provided for situational awareness in an effort to provide Red Sky Alliance with the ability to monitor and warn against future threats and provide data to compare with past intrusion analysis.

Our first Intern graduates to employment! Our first intern is now employed with one of the best companies going. Bruno got hired as a Regional Intelligence Analyst with a global payment processing company in Wilmington, DE. He started on the first of April and so far, so good. I've been told by the CISO of another member company that he'll take as many of our interns as we can give him (they’d made an offer too). In fact, I've got a good Marine coming off active duty that I'm probably going to refer to him soon, but for now, Bruno had some really nice things to say about his experience with Red Sky. Bruno peer reviewed in the top 10% of our membership, rated by folks in a group of mature infosec teams dealing with some of the hardest problems. If you’re a student, want to learn to be an analyst, and think you can contribute and rank out in peer reviews, drop us a note.

That’s it for now!
Have a great week!
Jeff

Friday, March 29, 2013

Red Sky Weekly - 3/29/13


Wapack Labs setup is nearing completion. There’s a bit of painting left to do, but we’re ready to open the doors on Monday. Wapack has already had a couple of folks walk through the doors, including the Data Security Partner for one of the largest law firms in New Hampshire, and a mom who wanted to know if we could restore pictures from a broken disk. We won’t be doing any criminal work yet, but have solid processes and capabilities in host and network based forensic analysis, cellular/mobiles/Pads and malware analysis. I’ll be in Tokyo, but Rick will be in the lab with the team. So if you’re local to the Manchester Historic Mills area, we’re in the Waumbec Mills (250 Commercial St., Suite 2013) right next to the UNH campus.  

SecureWorld Boston: On top of getting payment systems set up, building furniture, and buying trash cans (I think I have swiper's elbow.. and I can't tell you the workouts I've endured just running my Amex through so many times!), I spent two days at SecureWorld Boston. I had probably two dozen people come up and tell me they’d heard of Red Sky Alliance! Our friend Al Koch, from Norman was there with a former coworker of mine from my days at DC3, as were Red Sky's friends from Solutionary. This was my first SecureWorld, but it won’t be my last. I enjoyed reconnecting at a local level. Boston is a blast, and the security community is on fire. I’ll be giving a threat presentation at the next ISC2 Boston Chapter meeting on May 9th, and have begun reconnecting through ISSA and Boston Infragard. It’s funny. I participated in these groups years ago, and now I’m running into many of the same folks that I knew from then. I ran into two old coworkers from my PwC days (they're not kids anymore!), several folks from the local FBI office, and I've got a half dozen new companies that want to talk about joining Red Sky!

STIX! We had the long-overdue opportunity to reconnect with Mitre this week. We’ve been wanting to do a bit more with STIX but hadn’t really had the resources to do it. Mitre has been doing a lot of work in development of STIX, and was gracious enough to offer assistance in “STIX-ifying” Red Sky. This will be a welcome addition, as some of the members have already started heading that way. We’ll remain on Kill Chain, but we promised Richard and Tom at DHS that we’d work to support STIX, so we’ll do our part.

New Members: We sent membership kits out to two new incoming members --one Federal Agency and a new large enterprise mid-west Chemical Sector company. Our second year renewals have started to roll in, and so far so good. No drops!

Analytics: This weekend we will be releasing our 8th fusion report for 2013. FR13-008 will be our second infrastructure focused report and will detail two related subnets that have been linked to a wide range of APT activity; and we've been working hard developing our third Intel Analysis Report to assist one of our members with a bit of tailored reporting. We had a question asked. It was interesting, and pulling the thread led to some interesting observations. I hope the community likes the reporting!

Easter Egg: This is to see who's paying attention! The Easter Bunny has a special treat for you! WhoisRecon is coming soon from Wapack Labs. Want to be an early adopter user? Want to get on the pre-release list? Just send the Easter Bunny a note and ask.


It’s been a great week!
...off to Tokyo!
Jeff

Saturday, March 23, 2013

Announcing Wapack Labs!

I sat on a panel this week in Manhattan --a group of bankers, all very good at what they do. At the end of the panel, we were asked for one closing remark. I always offer the same bit... "We're learning to fight submarines." The intent is to say that (and you've read this before in my blog).. during WWI, we lost a ton of ships to German U-Boats. But by WWII, we not only got better at detecting them, but we had our own and fought back! The Air Force and Army guys could probably come up with their own analogy, but in my way of thinking, APT is just the new threat. We (the royal we) will learn how to better cope as we move up the learning curve.

During my drive back from NYC to New England, however, I came up with a new analogy... 

Think about this:

Imagine you, going to your office on Monday morning. Probably (I hope), you work in a nice building with lots of windows, new furniture.. comfortable, right?

What if that building was owned and controlled by your closest (and most aggressive) competitor? 

Cameras in the building are set to capture screens and documents. Every time you do work,  someone (a competitor) is looking over your shoulder, feverishly scribbling notes. The onlooker videotapes keystrokes, credentials, financials, work habits, documents, customer lists, etc. Now imagine that you've got only a small team of security guys,  unable to keep them out. They stand at the main entrance and do their best to block the competitors from entering. They stand in front of each desk and in every hallway, but alas, they look like everyone else... nice haircuts, good suit, shined shoes. Heck, their credentials work!... Security can't always spot them. They just keep finding ways into the building... You get the picture, right? 

How would you feel? Would you do anything differently? You'd probably be upset, guarded, feel like you've lost a bit of privacy, maybe afraid for your company's future?

What would you think if I told you this is exactly what happens when you are victimized during a targeted attack. If the attack is successful, most unprepared companies quickly lose control over their networks. That receptionist in the front office really thought those kittens were cute. She must have watched that video a hundred times when nobody was looking. She'd received it from someone else in the company via email. It must be OK, right? Immediately following her first click, a bug launches. Keystroke loggers are used to capture credentials. Remote access trojans (RATs) are installed and start phoning home. Once the attacker gets the call, he begins to capture documents and other work product. Various 'credential rich' sources are harvested for employee directories, and interesting employees are monitored routinely.  Those systems that are critical to the operation are rendered useless because of all of the bandwidth being used by the attacker. You've got only a small team of security guys (if any), often times they can't keep these guys out. Security monitors at the main entrance, the pipes leading to every computer, and every individual computer, but alas, the intruders look like everyone else. Heck, their credentials work!... Security can't always spot them. They just keep finding ways into the networks... 

Getting the picture? This is probably the most accurate analogy that I've come up with to describe what's happening in computing today.. and it's not just big companies. It's not just in the US. Every company I talk to today has 'virus' problems. Most believe that their firewall will keep the networks safe. Even some of the biggest companies are blind to current happenings, but this is a global problem and it's getting worse. Every company in the supply chain of a larger one is a target, and, I'd say with high confidence, compromised and doesn't know it.

Who's at risk?


Are you a law firm, financial institution, OEM manufacturer (especially transportation - auto, air), chemical (pharma, oil & gas) company or IT company?
  • Have you ever noticed your network connection slowing and didn't know why?
  • Has your IT team found malware or viruses that have no, or very few, results in VirusTotal or other online research sites?
  • Have your nighttime computer routines failed or timed out (this may be an indicator of nighttime activity on your networks)?
So what to do about it? Where do you find out what to do about it?

Join Red Sky Alliance today. If you're a private company, and need to know more about what's happening on your networks, or want to compare notes on technical analysis and intelligence with other really smart people in real time, Red Sky Alliance is for you.

Are you a smaller company? Federal civilian government agency? State? Local? Join Red Sky's Beadwindow Portal. Beadwindow offers the same level of service as Red Sky, but with slightly different views on who may participate at a lower price point, and best of all? Everything is UNCLASSIFIED! There's no need to find a SIPRNET (or worse) to download information from NTOC. Your folks don't need security clearances to access our Beadwindow Portal. And when you call, ask about Sequester pricing! Beadwindow costs WAAAYYY less than a week of White House tours!

Just need help analyzing data? Need forensic services? Don't want to build your own team? Or maybe you just need someone to take some of the more routine forensic work off the shoulders of your already taxed Infosec guys.... Check out Wapack Labs! Wapack Labs is our newest addition to the Red Sky lineup. Wapack Labs is furnished, staffed, and set up. It'll open in the Historic Mills along the river in Manchester, NH on the first of April. Wapack Labs will initially handle non-criminal computer forensics, analysis and R&D projects. In fact, we've even had our first customer! A woman walked in on Thursday while we were setting up our furniture. She'd seen the 'coming soon' sign on our door and she wanted to know if we could recover her baby pictures and videos from a crashed 1Tb external drive... and you know what?  When you like to bootstrap (and we do!), mom's money is green, too!  It'll pay for the coffee pot and new Wii U (lab guys apparently, LOVE killing zombies).

Have a great week!
Jeff


Wapack Labs Contact info:

250 Commercial St., Suite 2013
Manchester, NH 03101 
(603) 606-1246  
dkirmes@wapacklabs.com