Saturday, October 05, 2013

Red Sky Weekly: It shouldn’t be so hard!

I just read a piece in my RSS feeds where the head of NSA’s outreach to the corporate community for public/private partnering and information sharing was on the podium at the Chamber of Commerce. The speech was reported by Federal News Radio and posted to the internet, and as I read it, it took me back to two years ago when I left the government. I was the architect and operating director of the operational arm of the DoD public/private partnership run from the DoD Cyber Crime Center. It was called the DoD/Defense Industrial Base Collaborative Information Sharing Environment (say DICE --it's an acronym that could only come from the government!).


There were several reasons for my leaving, but the truth is, on the government side, the politics were a real bear, and I wasn't having much fun. For the government, the motivation became not as much about helping companies protect themselves, but more about budget and control. There were (are) big dollars in the federal budget associated with cyber, and everyone wanted their piece --NSA, DHS, DoD… and so the marketing machines spin up. The food fight begins. Messages become mixed, companies feel forced to work with all of them, and for many reasons, many do --but mostly out of concern for future acquisition and contractual concerns as Federal Acquisition Regulations go through updates to include cyber reporting requirements.


And you know what? The government should be able to work with the public. In fact, the government should work for the public. What does that mean? That means that NSA, and others, should willingly share cyber protective information and intelligence with the public, without the expectation of anything in return. The American cyber landscape needs help. Companies need help. So quit politicking and making speeches about how good it is. Quit asking companies to sign frameworks, and cooperative research and development agreements, and get security clearances.


Just tell us what you think we need to know, and don’t ask for anything in return.


It shouldn’t be that hard. But it is...
To demonstrate my point, I’m going to take this out of the cyber realm for a moment and show you a message that probably everyone, even non-smokers, will understand.



The surgeon generals of nearly every country in the world put messaging on packs of cigarettes. Some are more elaborate than others, but the same message appears on all -- “Smoking cigarettes will kill you”, or in the case of this New Zealand pack of smokes, the message on the front is pretty straightforward, but on the back is a full-page ad and a picture of a rotted foot! Why am I talking about the message on a pack of cigarettes? Everyone knows that cigarettes kill, right?

It works because this message is simple, ubiquitous, and has been published for so long that a very high percentage of the global smoker community knows: they may choose to smoke, but it could (probably will) kill them.

Now try this one.. I received this warning in an email from the FBI earlier this week. Sorry for the resolution.. It’s the banner that appears at the bottom of reports that get pushed out to tens of thousands of people from the group formerly known as Infragard. It’s funny. Nearly everyone in my office has or has had a security clearance. Two of us were communicators in the military, but neither one of us could actually decipher the meaning of this banner --instructions on how/where we could send or use this report.

So, I’d like to share this reporting with members of the Alliance, but the banner is a ‘Warning’ -- “(U) Warning:... It is subject to release restrictions as detailed in the Homeland Security Act of 2002, as amended…” and “It is to be controlled, stored, handled, transmitted, distributed and disposed of in accordance with DHS and FBI policy for FOUO information…”


So what exactly does the Homeland Security Act of 2002, as amended, say about release of information?

What does the DHS and FBI policy for FOUO information state?

And what happens if I don’t know and share it with someone who might use it to protect themselves or their company but I inadvertently go sideways on these rules? Am I going to be fined? Go to jail? Will the black helicopters swoop down and take me away? Do I really need to go look this up?

Why is this so hard? 

When I talk about Red Sky Alliance, and why members join us, I tell them this…

Red Sky was funded by a group of companies who wanted to share information between themselves, or wanted to work with the government, but for various reasons were not able, or they just found it really hard. 

Why? In the beginning, most members fell into one or more of these categories:

They all just wanted help… but...


  • Many weren’t invited to work with the intelligence community program (mentioned earlier);
  • Some of the companies were not considered ‘critical infrastructure’ (and therefore couldn’t go, or didn’t want to go, to DHS);
  • Or they were concerned with bringing in law enforcement (typically the FBI),
  • Or they wanted to participate with the DIB folks under DCISE, but the doors, for various reasons, were closed to non-defense contractors,
  • Or perhaps the rules associated with working with government information sharing (see the banner above!) turned companies off participating (that banner is only the beginning!),
  • Or trusting the government with internal company data is a massive leap of faith that many will just not take,
  • Or, they loved the services offered by current Red Sky analysts, and wanted to support us in our venture (THANK YOU!!!)


This is why we started Red Sky Alliance. There was an opportunity. It came in the form of fixing many of the issues associated with dealing with the government --heavy rules, DSS visits, CRADAs, costs associated with participating, high false-positive rates (or, as one put it, "criminally inconsistent" quality) of information received, trust issues, security clearances, etc. Again, a topic for another (very long) blog.

So how did we fix it?


  • Red Sky speaks PGP (and we're working on TLS). The government speaks SIPRNET. The two don’t talk. And with Red Sky, you don’t need any special gear, software, or DSS visits! Wuhoo!
  • Red Sky only has UNCLASSIFIED data. Do you know how hard it is to find good unclassified threat data?  Certainly some of the government data might be cool, but it's nearly always classified, and therefore, unusable. We don’t use government data.. and we’ve written over 100 technical and intelligence reports anyway…  so here’s the dirty little secret.. the best stuff doesn’t always come from them! (shhhh.. we don’t want anyone to know!)
  • With some of the government programs, “you get what’s in the fridge” (yes, someone actually said that!). With Red Sky Alliance, you get what all of us have in the fridge…. and the membership casts a really, really wide net…

    When was the last time someone showed you pictures of some of those pesky hackers, what they want, how they operate, and how you might protect your company from them… without making you sign a 75 year non-disclosure agreement, checking your clearance at the front door, after your long flight to Washington, requiring a DNA sample and placing a chip in your head? (just kidding about the chip… although, you might want to break out your tinfoil hat!)


Here’s the bottom line.. 

We do our best to make Red Sky simple, pain free, smart, completely usable, and timely… is it perfect? No, but we try really hard. Here’s how:


  1. Red Sky data is completely unclassified. You can use it however you need to protect your company or your customers as long as you can maintain positive control over the data.
  2. Unlike subscriptions, where most of the data gets tossed, many of our members tell us that they process and use every piece of information that we give them.
  3. You get the ability to ask questions and share notes with companies large and small, who, just like you, only want to protect themselves.. and they are all experts in their field --just like you.
  4. Red Sky will make your team more efficient. Even if you’re a small team and just realizing the problems of APT, targeted corporate espionage, or determined adversary threats, don’t repeat work. Ask the membership. They’ve been through it already. They know the pain. They know what the 24-hour workdays feel like, the uncertainty of it all, the nervousness of job insecurity when briefing the board, and best of all.. how to get through it.



It shouldn’t be so hard.

Don’t feel comfortable jumping into a collaborative just yet? Give us a call. We can help. 

Neuberger describes NSA's efforts to help companies as three different options: general, targeted and operational efforts.

Red Sky has, and does, deliver all three today:

General: The social network environment is a great way to share information. It's informative, assistive, and allows those who can use the data to pull from it and protect themselves. Companies share information, lessons learned, forensics and early warning. Our dedicated analysts take that data and turn it into something useful in the form of a Fusion Report and a list of indicators that go with that particular story.

Targeted: For the last six months, Red Sky's Manchester, NH based Wapack Labs has been writing targeted threat intelligence, technical fusion and warning products for folks who are members of the Alliance, but need help dealing with the data. In most cases, our requests have come from members who know they need threat intelligence but don't have the internal capability to do it themselves. Our job? Show them the wolves closest to the sled today, then what to watch for next, and then after that --all specific to the requester, not the general community.

Operational: Many of the Red Sky members are massive managed security service providers --Red Sky data is used in their MSSP operations to protect data. Heck, at least one of our companies protects the government! Second, the Lab in Manchester hosts the backend of monitoring solutions that will allow us to ensure that your current MSSP isn't letting bad stuff through, or, for those without an MSSP, the operational arm in Wapack can help you decide exactly what kind of protections you need to put in place.

It's all about money... but not government budgets. It should be about how companies spend the money they have to protect the products or services they create.

It shouldn’t be so hard.


It isn't in Red Sky.  I'll be running around the NY to DC corridor over the next two weeks. Give us a call. I'd love to show you how easy it is. 

Until next time,
Have a great week!
Jeff

Saturday, September 28, 2013

Red Sky Weekly: Hackers Schmackers.. blah blah blah - DRONES ARE THE TIP OF THE ICEBERG

A few weeks ago the NASDAQ went down for three hours. The cause? Unknown. Stupid user trick?
Maybe. Might have been a misconfigured router, or it might have been a hacker. What struck me was listening to the news when they talked about what might have caused it, they called people talking about the option of it being a hacker something to the effect of doom-and-gloomers.


And then it hit me.


General Alexander, the dual-hatted commander of the National Security Agency and US Cyber Command, has been shaking hands and kissing babies on Capitol Hill for years. He's a busy guy, hawking his wares, scaring the hell out of congressmen --and all with good reason. I had a boss once who used to say “assume noble intent”, and of course, I do… but the messaging...


Security vendors and CISOs have been grabbing budget through campaigns of ‘fear uncertainty and doubt’ (FUD for short) for years, and not a month went by for several years when CSO Magazine or one of the daily online rags offered advice on the CISO communicating effectively the need for security (and budget) to upper management. We all did it. Me too.. the messaging was terrible but at the time, we scrapped for every dime.


“If it bleeds it leads” is the mantra of our news. And cyber, while it doesn’t (hasn’t yet, as far as I know) cause bleeding (at least in a non-warfare setting), is pretty sexy, and so, on a daily basis, even when reading my non-security-related daily RSS, the news is filled with stories of relentless hackers stealing our stuff. It’s true, but the message is many times steeped in artistic license aimed at keeping eyeballs on pages. Our messaging is terrible.


For some reason Jack Nicholson is in my head screaming “YOU CAN’T HANDLE THE TRUTH!”


Here’s my point. Readers, viewers and listeners are saturated. “Don’t tell us how bad it is, Stutzman.” I’m thinking readers fall into one of a couple of categories.. Some are deep into the problem and deal with it on a daily basis. I think of them as the one percenters. The next group may already know something about the problem. Others? Perhaps they know and just don’t care. Or perhaps they know and have no idea what it means to them. Or, more likely, they know and they care, but don’t have any idea what to do about it.


Let’s try this.. bear with me. It’s gonna get good...




  • A US-made Predator sells for about $4.5 million
  • IISS data shows that the US has at least 678 drones in service, of 18 different types.

Could Burger King survive if McDonalds duplicated the Whopper and sold it for 65 cents when Burger King sells it for $3.00? What if Burger King couldn’t file a cease and desist, but was forced to rely on the government's m4d diplomacy skills to stop the sale of the McWhopper? Yikes.

Maybe our messaging is wrong. I’ll be the first to admit that I’ve used the FUD approach to get budget a few times myself, but on a daily basis? Every piece that hits my inbox? Nope. I won’t do that.

So here’s a slightly different way to message...

  • 678 drones sold by US companies at 4.5 million dollars each
  • Corporations posted over 3 billion dollars in revenues on 678 drones.
  • I’m betting this number equates to 100,000 jobs or more including the supply chain (electronics, avionics, hydraulics, integration, engineering, assembly, etc.).. not including long term maintenance and upgrades.
  • The economic advantage gained by China through Comment Crew and others is enormous. According to the NY Times piece, Chinese manufacturers now sell the knock-off Predators for 1 million dollars each.

http://youtu.be/KXY2jpVdY0E


  • Military advantage created through the use of drones is slipping. They can (will) be mass produced and sold around the world. And oh, by the way, our aviation supply chain is under attack like you wouldn’t believe. I’ve compiled a list of 66 companies (not Red Sky members) that are, in my opinion, hard targets. 27 of them are supply chain companies and 15 are in the aerospace business!

  • Chinese manufacturers are selling knockoffs at 22% of the cost of our own. Do I really have to go back to McDonalds and Burger King?

  • Shareholder value, and the earnings of the financial institutions that bankrolled these efforts, are missing out on their long-term potential because the CEOs in charge of our manufacturing base couldn’t figure out how to stop the bleeding of drone technology. Yikes again. As shareholders, can we ask for their bonuses back?

  • Drones are the tip of the iceberg. Download our 2012 Annual Report for last year’s list. Espionage (corporate and APT) actors are hitting all kinds of targets from Military and Defense to Economic, Lawyers, Finance, Automotive targets, Energy Production, and Manufacturing.

Our messaging is wrong. All wrong.

BT BT

On Wednesday we participated in the Cyber Security Summit in NYC. I think it’s probably the third or fourth named Cyber Security Summit, but short of hosting at the Wye River or out in Aspen, this was an incredible event. I’m not a fan of driving in NYC, especially when Obama is in town, but this was good. I sat a panel on policy with some old friends, and now a couple of new ones, and the booth (our first shot at a booth) was busy all afternoon!

New members? We’re preparing to welcome our second Telecom into Red Sky. We’re really looking forward to working with these guys! This is a busy membership drive. The fall was crazy for us last year too, but this is great. Next week is booking fast, and we’re getting referrals from our current members. We got a note from an old co-worker today who said he’s been asked to set up a threat intelligence shop. He asked one of his major vendors who told him “if you really want threat intelligence, you need to join Red Sky” SWEEEEEEET!!!

Reporting? We authored three reports for members of the alliance --we’ve been writing targeted intelligence reports on a for-fee basis. We came to the realization about two weeks ago that we’d written over 100 reports for our membership. Why not use the processes we’ve developed to write company (or critical information) specific ‘targeted intelligence reports’ for those who need answers to specific questions.  Want to know about threats to specific projects (say, drones?!)? Ask us.

Thinking of joining us? The time is now. I sat with the head of a new threat intelligence shop last week. He’d just returned from an RSA Board meeting where the messaging resonated --EVERY CISO NEEDS THREAT INTELLIGENCE. We’re hearing that too.

Red Sky can help.   Drop us a note and set up a demo.

Have a great week.
Jeff

Saturday, September 21, 2013

Red Sky Weekly: Bruce Willis and Harrison Ford don't lie!

When is fiction based on truth? Would you believe it if you saw it?

Blowing up buildings, killing off the entire air traffic control grid, and stealing gobs and gobs of money. Live Free or Die Hard is the story of a guy (Bruce Willis) who does it all. In Firewall, Harrison Ford uses the database built into his daughter's iPod to move 10 million accounts from the bank where he's the CISO to an offshore account, while his family lives (unknowingly at first) under the threat of being killed.

Too far-fetched for your liking? Alarmist or realist?... you decide...

  • I published the (very true) story of “woshihaoren” (我是好人) in April (Red Sky Weekly: “woshihaoren” (我是好人)). It told the story of a cat and mouse game between a real CISO (I called him Jack) and a group of folks somewhere on the other side of the world. Jack's outgunned and probably will never get these guys out of his networks, but he shuts them down quickly. Heck, he's probably their training ground... (maybe we'll see a new movie? -Training Day III?)
  • I delivered the news to another CISO that an application that his company purchased (for a BOAT LOAD of money) was bought from another company who'd been completely p0wned. The result? The application he purchased was likely owned too... and probably leaking data.
  • In yet another, I informed a CISO last week that he'd had several emails heading for his company, all with malware attached. How would I know? Let's just say I do ok? We received a copy of the malware, and sure enough... it wasn't a birthday card from gramma! The information we gave him was less than 30 minutes old and the malware was undetected in the major virus engines.

When I talk with real life CISOs who've been through the 'oh sh*t' moment, every one says of those who don't know enough to share information that "they've never been through the giant sucking sound" (one CISO's quote.. not mine), or the idea that a virus might not be just a virus.. or the idea that we look at seven different areas connected by time to figure out how a chain of events occurred.

And if you think for one second that these movies aren't based on seeds of truth, I'd tell you this... the cat and mouse game is very real. We've been doing this for two years as Red Sky Alliance and for several more before that... probably back to the roots -- the early days, old school, Solar Sunrise, Moonlight Maze, Titan Rain, APT, and now. As these things move into the mainstream, well... names stop when the new threats become the new normal... welcome to the new normal.

Here's the bottom line... over the last few months we've compiled a list of companies who we believe are being actively targeted. We're not chasing ambulances and we're not the old glass repair guy running around in the parking lot with a hammer. We're a group looking out for each other. The community watch. The 'hoot 'n hollar' network. We want to know when one of our own will be hit. Heck, we told one of our members that they were being targeted. We gave them a dozen domains and IP addresses that were going to be used, and we grabbed the malware, analyzed it, and published the defensive findings before the attacks occurred. We named (by company name) six companies that we thought might be targeted. We published our findings to the membership, but warned the specific member (who handles security for the other six) privately. This stuff works. 

BT BT
  • This week's fusion report detailed a shift in tactics by one group, moving to a new downloader process for a specific remote access trojan. A remote access trojan, RAT, allows hackers to have full control and interactivity with the machine or machines where they have it installed. We've been seeing this in some of the discussion boards outside of Red Sky and took some time this week to send out some good analysis (and mitigations or courses) to our members.
  • We published a report on a bad guy that we've been tracking for several months now. The guy is active but practices really good tradecraft --no social media, not much open source communications --and seemingly never has, yet he's either an urban legend or he's just really careful.. not sure yet, but we know he writes some hellish malware.
  • We took on a bit of a GEOPOL project this week. More to follow as that unfolds, but this is reminiscent of my first project as an Intelligence Officer.. basics count and they need to be taught; so we're teaching a junior analyst. 

We're in our year-end membership push. We had 22 meetings in the last two weeks, putting four new members in front of the Advisory Board. We've also been asked (and have agreed to a test) to write targeted threat intelligence reporting for a couple of members. We'd been doing it for the last six months for one, and thought it might be a good second offering instead of some of the other more piecemeal work we've been doing in the lab. We like threat intelligence and we're really good at it. In fact, we've published over 100 analytic works in the last 18 months, and thought we might explore growth in the area of taking on a few clients to keep our minds nimble. So far, the reception has been terrific. 

I'll be at the Cyber Security Summit with Rick and Chris on Wednesday. Stop by and say hello. The booth will be sparse, but I'll have that target list in my pocket. You should ask me if you're on it! I've got an invitation for you if needed. It'll get you a discount on admission. I've placed it below the blog if you'd like to use it. We'll be in booth 211, and I'm sitting a panel in the early afternoon. The early attendee list looks good, so I'm looking forward to meeting some new people!

See you there!
Jeff

Saturday, September 14, 2013

“How do all the others stand a chance?”

  • “Sharing intelligence in a forum like Red Sky is a force multiplier!”
  • “How do all the others (who don’t participate) stand a chance?”
  • “What do companies do when they can’t (or don’t want to) go to the government for help?”
        • (Quoted from a former member of the Defense Industrial Base who recently made an inquiry about Red Sky Alliance membership --and is joining us now!)


We’ve been putting on the end of year membership drive for the last week. I had 16 appointments scheduled between last week and next --dinners, reconnections, lunches, and visits with potential new members. Three new membership packages have been issued this week. They’ll all be going through legal review on the company side, and likely entering the portal in the next couple of weeks. Next week? I have three every day. I went WAY over my goal of 20 for the two weeks. I work with overachievers who like to please.. and they do it well.. for the Red Sky team, and our members!


On that, I wanted to share with you a bit about happenings this week.


  • We held threat day in the global NOC of one of the telecoms. What a great day! Thank you again to our hosts!
  • We issued a couple of new reports --both pretty cool actually. One detailed new activities associated with one of the groups that’s pretty prolific against just about every industry right now. The other, one of our newer priority intelligence reports is based on a set of priority and standing questions that we ask, and when we find a piece of the puzzle(s), we write them up in a short format product.


We received another query for tailored reporting. We’ve been getting a few of these lately. Apparently there’s a real need for unclassified Threat Intelligence, and the word is spreading that Red Sky has good gouge. So over the course of the year we’ve done some work for a couple of organizations where we take an analyst or two (who work remotely) and become the virtual extension of the company’s Threat Intelligence shop. We’ve got over a hundred technical and intelligence reports in internal publication, and believe we’ve got a pretty good process, and the know-how that goes with it! We like this model --not consulting per se, but we actively hunt for information that might help our reader. They don’t get Red Sky data unless they’re a member, but they still like the work. We do the work under Wapack Labs, and have taken a number of these ‘moped’ work requests.. why moped? One of my guys likes to say that everyone likes to ride them, but nobody wants to be seen with one! We’re kinda the same way… everyone likes the work, but nobody wants to be seen with us (and we like it quiet too!).

Before I forget, I'm looking forward to seeing many of you at the Cyber Security Summit 2013 in NY on the 25th. We've never done a booth before (we're in 211). Getting it done is interesting. I'll be sitting a panel in the afternoon. Stop by and say hello.


OK, this is a short blog (say thank you!). I’m going fly fishing in the western part of the state with an old friend VERY early tomorrow. He’s a CTO with one of my former employers (you won’t guess, there’ve been just toooo many!), but it’s going to be a great day. I’ve got my 9 weight rigged, my PFD checked out, and fresh chemlights in the pocket. So...


Until next time,
Have a great week!
Jeff

Saturday, September 07, 2013

Red Sky Weekly: This is big!

This is the first blog after our two year anniversary of incorporating Red Sky Alliance, and I can’t even believe how far we’ve come! In two years… and at the same time, we’re putting on the “heading into the end of the year membership push”. So sorry, this isn’t a rough cut blog, nor a controversial issue. It’s very simply this: what we’ve done in the last two years. I’d offer this too. We started from nothing… an empty portal. So, here’s where we’re at:


Intelligence and Analysis:


  • We’ve published roughly 100 pieces of detailed, sourced, finished technical analytics (we call them fusion reports --roughly 20 pages of analyst porn and usually a couple of hundred technical indicators presented in Lockheed’s original kill chain format).


  • We’ve published dozens of non-technical intelligence reports showing targeting, intent, and yes, attribution in many cases!


Our membership is active!


  • We’ve got roughly 45 active organizations represented in the two portals, ranging from state/local/federal IT and Information security personnel in our Beadwindow Private | Public portal to 30 or so global enterprise companies in our private Red Sky portal with hundreds of thousands of employees all over the world. In fact, rough estimates suggest this small number of members own, manage, control, or secure over 20 million computers in approximately 140 countries around the world!
  • The portal has grown both in numbers, and in quality of information and activity. Our members contribute on a daily basis more than any other group I’ve been involved with! Checking a moment ago, as of today we have 182 users in our private portal, (including several dev, test and administrative). Of those 182:
    • 81 (slightly less than half) are active participants (we monitor for lurking, but also have many CISOs who just want to read to know what their teams are seeing and doing!)
    • 48 threat analysts or incident responders from these great companies contribute regularly
    • and 23 are regular users who are on here all the time --meaning they log in first thing in the morning and stay on all day (it can be addicting!)


We’ve expanded our services!
  • In April we opened Wapack Labs in Manchester, NH. One might call this our ‘collaboratory’ because of the many great skunkwork ideas that flow in and out of it on a daily basis. Others might call it our ‘wholesale analytic shop’ because we’ve been funded to do analysis on the backend of one of the larger national Computer Emergency Response Teams and a couple of smaller projects for both members and non-members. Others might call it a simple incident response and forensic shop, but that’s a pretty mundane way to describe it given some successes. Here are two of my favs:


    • WhoisRecon: One of our guys, in his quest for additional data to analyze, created a system designed to link and graphically analyze the meta-data associated with bad guys we see registering domains (we call this WhoisRecon and it’s cool as hell!)
    • TIAD: Development of an automated threat intelligence system that links our analytics in the portal to real world data. Today, we have the ability to run nearly 300,000 externally captured pieces of information against all of the data from the two alliance portals and quickly diagnose and qualify them as to what we believe the level of badness is in the intent of the attacker. How cool is that?! In the government we built one of these bad boys and called it GoldRush. Except in the government, the same system cost roughly $10 mil to build. In our collaboratory that is Wapack.. under $200K!
    • R&D: Besides the finished works, we’ve done a bunch of work with Watchguard boxes to see if we can make them do fun things. We’ve had some fun with Splunk and TIAD and a product called Veera. (You’ll be hearing more about this at the Threat Day on Monday.. Oh, wait. I didn’t mention that? We’re having our next Threat Day on Monday at one of the major telecoms, with a tour of the Global NOC. I’m really looking forward to this!)
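The fusion reports described earlier on this page publish their indicators in Lockheed Martin's kill chain format, and TIAD is described as running externally captured observables against that report data and qualifying each one by "level of badness". The page does not describe how either is implemented, so what follows is an added example written here, not Red Sky's or Wapack Labs' code: a small indicator matcher in which each report indicator carries a kill-chain phase, captured observables are normalized and looked up, and an observable's badness is derived from the furthest phase it matches. The phase names are the published Lockheed Martin kill chain; the indicator values, report ids (FR-0001 etc.), phase weights and the three badness levels are all constructed assumptions for the example.

```python
"""Added example: matching captured observables against kill-chain-tagged
indicators and scoring them. Not Red Sky / Wapack Labs code; all indicator
values and report ids below are constructed placeholders, not real IoCs."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Lockheed Martin's kill chain phases, in order of adversary progress.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]
# Assumed weighting: a hit in a later phase counts more than an earlier one.
PHASE_WEIGHT = {phase: i + 1 for i, phase in enumerate(KILL_CHAIN)}


@dataclass(frozen=True)
class Indicator:
    value: str    # observable as published in a report appendix
    itype: str    # "domain", "ip", "sha256" or "email"
    phase: str    # kill-chain phase the report placed it in
    report: str   # hypothetical report id


def normalize(itype: str, value: str) -> str:
    """Canonical form so that letter case or a trailing dot cannot hide a match."""
    v = value.strip()
    if itype in ("domain", "email", "sha256"):
        v = v.lower()
    if itype == "domain":
        v = v.rstrip(".")
    return v


# Constructed indicator set standing in for several reports' appendices.
INDICATORS = [
    Indicator("invoice-sept.example.com", "domain", "delivery", "FR-0002"),
    Indicator("hr-dept@example.org", "email", "delivery", "FR-0003"),
    Indicator("00112233" * 8, "sha256", "installation", "FR-0002"),
    Indicator("update-check.example.net", "domain", "command_and_control", "FR-0001"),
    Indicator("203.0.113.45", "ip", "command_and_control", "FR-0001"),
]


def build_index(indicators: List[Indicator]) -> Dict[Tuple[str, str], List[Indicator]]:
    """Index indicators by (type, normalized value) for O(1) lookups."""
    index: Dict[Tuple[str, str], List[Indicator]] = defaultdict(list)
    for ind in indicators:
        index[(ind.itype, normalize(ind.itype, ind.value))].append(ind)
    return index


def badness(phases: List[str]) -> str:
    """Assumed rule: the furthest matched phase decides the level."""
    if not phases:
        return "none"
    worst = max(KILL_CHAIN.index(p) for p in phases)
    if worst >= KILL_CHAIN.index("command_and_control"):
        return "high"
    if worst >= KILL_CHAIN.index("exploitation"):
        return "medium"
    return "low"


@dataclass
class Assessment:
    itype: str
    value: str
    reports: List[str]
    phases: List[str]
    score: int
    level: str


def assess(observables: List[Tuple[str, str]], indicators=INDICATORS) -> List[Assessment]:
    """Score each (type, raw value) observable against the indicator index."""
    index = build_index(indicators)
    results = []
    for itype, raw in observables:
        hits = index.get((itype, normalize(itype, raw)), [])
        phases = sorted({h.phase for h in hits}, key=KILL_CHAIN.index)
        score = sum(PHASE_WEIGHT[p] for p in phases)
        results.append(Assessment(itype, raw, sorted({h.report for h in hits}),
                                  phases, score, badness(phases)))
    return results


def report_hits(results: List[Assessment]) -> Dict[str, int]:
    """Count how many observables fired on each report (which stories are live)."""
    counts: Dict[str, int] = defaultdict(int)
    for r in results:
        for rep in r.reports:
            counts[rep] += 1
    return dict(counts)


# Constructed sample of externally captured observables (proxy, mail, AV logs).
SAMPLE_OBSERVABLES = [
    ("domain", "Update-Check.example.net."),   # case and trailing dot differ
    ("ip", "203.0.113.45"),
    ("domain", "www.example.com"),
    ("sha256", ("00112233" * 8).upper()),
    ("email", "ceo@example.org"),
]

if __name__ == "__main__":
    results = assess(SAMPLE_OBSERVABLES)
    for r in results:
        print(f"{r.level:6} score={r.score} {r.itype}={r.value} reports={r.reports}")
    print("report hits:", report_hits(results))
```

The normalization step is the part worth copying: the two matches that differ only by case or a trailing dot are exactly the ones a naive string comparison would miss, and a second report sharing the same observable simply adds its id to the match list rather than creating a duplicate alert.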


Last, but certainly not least.. our intern program!


Last year we offered two internship programs. One intern made it through the program. When he graduated, we pushed him into the membership for his first job. Why not? They’d been seeing his work all year. They peer reviewed him in the top 10%. Why wouldn’t one of our members hire him? And you know what? He’s in a great job working as an intel analyst at one of the biggest credit card processors in the world! He’d been offered three jobs from members, and we’ve been told (by the members) that they’ll take as many as we can push out. So this year we have four of them in the pipeline. One just accepted a (paid) position in a local university. One has another year of school, but she’s bilingual (Japanese and English) and a dual major (CS and Journalism --what a great combination! Man, can she write!). Another is a statistician, and the last just wrapped up his program in homeland security.


“Heading for the end of the year membership push”


So here it is.. it takes months to get membership checks from big companies… even when you offer good terms. I’ve got 14 appointments in the next two weeks to talk about potential memberships. It’s getting busy. Send me a note and schedule your demo today before the end of the year rolls around!


Until next time,

Have a great week!
Jeff

Saturday, August 31, 2013

Red Sky Weekly - 0-day and intel

Red Sky Alliance turns two!

Yesterday marked the second anniversary of our incorporation! We're two! We've come a long way. They say the test of a startup comes in making it through the first year, but I'll tell you, even the second is terrifying! That said, it's been a GREAT two years!

I've just returned from Iceland, where I had the opportunity to participate in and speak at the Nordic Security Conference. What a blast! The weather was cool and wet most days, but nonetheless, I was able to get a run in along the beach (Did you know they have a heated beach?? They pump geothermal heat into the beach!) and experience a bit of the local flair. Thank you to our Icelandic hosts! I'm looking forward to seeing some of you come into Red Sky!

BT BT (break break)

I'm starting this week's blog with some good intel. We're heading into post-summer, and as with every year, it seems September brings folks back to life from summer vacations. This year is no different...

  • Fusion Report 20: In late July, Red Sky received information regarding a Microsoft 0-day being exploited in the wild. This Fusion Report detailed the delivery and C2 infrastructure as well as the observed payloads and protection against it. Red Sky classified this activity as UPS for future tracking and correlation.
  • Intelligence Report: Red Sky received information regarding a piece of malware used in targeting (as currently known) only one member of the Red Sky Alliance membership. This appeared to be a highly targeted set of attacks (yes, a set.. more than one) against one company with very specific intent. Our internal analysis team was able to locate who we believe authored the malware used. Our report is going out this weekend after some final edits.
BT BT

Preparing for our next threat day: September 9th will bring our next threat day. This one will be held at one of the big telecoms. We'll be demonstrating new tech to be added to the Red Sky portal, we've got four great presenters, and we'll be wrapping up the day with a tour of this telecom's global NOC. I'm very much looking forward to it!



The next few weeks are big for Red Sky Alliance. As we head into the post-summer months, it seems like we get really busy on both the analytic front and new membership requests. I'll be in the lab in Manchester all of this week, but heading to the DC area next week, taking appointments for Red Sky introductions. I've got several booked up, so if you've been considering talking with us about membership in any of the portals, or a need for services from the lab, please contact us earlier rather than later.

  • Red Sky Alliance's private portal - Business to business only. No government participation. Companies share information about current activities and futures. Our backend analysis team boils down those conversations and feeds them back in Fusion reports --20 pages of solid analyst porn and usually several pages of easy-to-use kill chain formatted indicators.
  • Red Sky Alliance's Beadwindow portal: Beadwindow is a Private | Public environment. We have smaller companies, and state/local/federal IT workers in Beadwindow. Beadwindow members do not get access to the private portal, but do have access to Red Sky's expert analytic team.
  • Wapack Labs: Wapack is the hands-on end of the business. If you need forensic support, malware work, or development work, consider Wapack. In addition, we've been talking with (and working in) healthcare companies, offering HIPAA gap analysis and assessments (we have fully qualified auditors on staff), following up with placement of sensors for protection. We bring data back to the lab (over the wire) where we check sensor findings against current Red Sky indicator data. This does a couple of things --companies who may not otherwise participate in Red Sky get the benefit, and Red Sky members get the benefit of any new TTPs or indicators identified!

I'm keeping this one short, but please, if you're considering scheduling a demo, contact us today. We'd be happy to set it up.

Until next time,
Have a great week!
Jeff