Saturday, October 19, 2013

Security is a team sport!

We went through an exercise this week proving just this. 

It seems that in nearly every meeting I’ve had in the past several weeks, someone asks a question about what Red Sky Alliance knows about Insiders. It’s true, we focus on corporate espionage and APT events, but clearly insiders, at least one class of insiders, fall easily into the ‘determined adversary’ category… and for that, we’re on it!

So what constitutes an insider?  I have an old friend who’s studied this for years.  Dawn Capelli left Carnegie Mellon (maybe a year ago?) where she built and spearheaded the insider threat group at SEI. She’s the expert, and she’ll tell you that insiders come in many shapes and sizes.

So which category are we talking about?  I’m not talking about Snowden. In fact I’m growing tired of reading about him in TechDirt (the “all Snowden all day” RSS feed!), but more about others, who we know to be wearing the white hats by day, turning gradually darker as the evening draws close, and finally pure, pitch black after hours.
 
We realized that for the last several months we’ve been authoring not only the fusion reports that I talk briefly about in my weekly blogs, but in May we began writing ‘priority intelligence reports’. For those of you in the IC, think Intelligence Information Reports, based on both priority and standing requirements. For all others, PIRs talk of ‘wolves closest to the sled’.  Anyway, in going through the last few months, we’ve come to realize that many of the individuals that we’ve identified through our research are both smart guys by day, and by night, cyber thugs stealing IP, coaching newbies, testing their 0-days and pushing their way through the corporate walls.  Heck, maybe they do it by day too.  Not sure, but here’s what I do know…  we presented to one company this week where we showed them a picture of a really smart guy by day, but a really bad guy by night. He advertises the fact that he works for their company as a security consultant, in an IT Security consulting role. We know him from his involvement in other things…  He, in my mind, is an insider threat. 

He’s one case. We have a few others. And what’s interesting to me is that there are some interesting correlations that seem to be appearing:

  • Many of these guys are doing double duty
  • There is targeting employed as part of the group(s) that they belong to
  • And by watching employment by some of these Jekyll and Hydes we can get a pretty good idea of not only who many of these folks are, but who they work for.  And if we’re right, we know why some of these guys are getting very specific jobs. 


How does this work in the real world?  We played out an example just this week. Someone we know (from our research) was hired by a company in the US. This is a great company, and they hired a smart guy, but at the same time, some may consider some of his off-hours associations questionable.  Those associations often times make for great intel sources, but at the same time they could also significantly increase the risk that this guy could also be a really efficient insider, placed in this company to deepen information known about this company’s customer base or security posture.  It’s not unheard of.  Dawn had probably documented hundreds of these cases before leaving SEI. In our case, our early assessment wasn’t perfect, but by the end of the day after sharing notes and talking with members, we had a pretty good idea where we had gaps.  We’ll continue tracking, asking our members for information, keeping the conversations moving… and over time, the assessments will become clearer.

Security IS indeed a team sport.

We’ve been getting really good at talking together about information security threats, but should insiders be another topic? 

BT BT

The guys have been busy this week. The portal never stops moving. It’s great! Here are a couple of the highlights:

  • Fusion Report 27: Red Sky analysts issued our 27th fusion report of the year. FR13-027 presented findings about a previously unknown malware variant observed in the wild. The report provided analysis on the infrastructure and presented technical analysis of two of what we’re calling “Backdoor.Baby” variants.
  • Intel Report 18: This week we updated our analysis of “Flower Lady” with our 18th intel report of the year. IAR13-018 builds upon work in two recent Fusion Reports analyzing infrastructures and malware attributes --connecting the dots from attacks as far back as 2011.



It's been a busy week. 
I'm going fishing.
Have a great weekend!
Jeff

Saturday, October 12, 2013

Red Sky Weekly: Know before you buy!

Interestingly enough, nearly every large enterprise CISO that we at the Red Sky Alliance talk to tells us that they spend (at a minimum) hundreds of thousands of dollars on subscription security intelligence reports.  Every medium sized enterprise CISO (or if they don’t have one, their director of IT or CIO) tells us they harvest open source information for their security intelligence.  The small guys? Rarely do they use security intelligence at all.

And so what’s the problem with this model?

Not all data is created equally.

A lot of data doesn’t necessarily mean you have good data.  In fact, nearly all of the data needs to be qualified before use. An old friend, (Dr.) Vince Berk, is the founder and CEO of a very cool company called FlowTraq. It's funny. When we talk, Vince says often “There is a fundamental difference between data and information. Information is the specific pieces of data that allow you to make actionable decisions. This means that two different people might find different bits of information in the same pile of data. As people's objectives and missions differ, they will need different pieces of data, "the right data", that is information for them.”

You need to ask, how will the data affect your current system when installed?  Will it block key suppliers? Often times, even the most popular services are used for bad.  Google’s domain name service (DNS), 8.8.8.8:53 for example, is often times called out as a command and control channel for malicious code installed in your network by the phisher du jour.  Google isn’t bad, but good tools are often times used for purposes other than intended. And will you base your defense spending on unqualified data? How do you know what to buy to protect yourself when your analysis is potentially based on low confidence information?

Let’s turn the model upside down for a moment shall we?

I’m taking this metaphor from Ed Amoroso, the CISO at AT&T. He’s a smart guy, and the metaphor hit me like, well, a sandbag to the head.. so in fairness, he talks about using sandbags to stop the water that’s rising from the swelling riverbed as a metaphor for dropping boxes and boxes in front of a network for protection.. they both leak under the rising river!
(Image source: USA Today)


So let’s think about this for a moment.. before you spend another dime on a sandbag that won’t protect you from that swelling riverbank, let’s take a smart look at what you should buy, what you should collect, and the data you must have, to help understand what’s going on in your network.

Here’s a start.

Monitoring (not protecting just yet) your network is a three-step process plus one more if needed (it will be):

1. Identify as many command and control nodes as you can get your hands on.
2. Install them in a good, perimeter based network flow monitoring and analysis suite.
3. Place inexpensive monitoring inside your network for a period of time (say, 30-60 days?) to help identify root cause, patient zero, and areas of weakness.
4. Be ready to pull egregious internal offending computers off the wire for analysis.  You will find a few.


Dr. Berk says the key to success in the info security space is finding the information in all the data. “This requires both an understanding of what you are protecting - what your mission is - as well as an understanding of the evolving threat to that mission. Only when we understand the nature of the threats, can we make decisions on what data is "information", and what data is just data.”

Here’s how it works. If you’re going to take this on yourself:


  • Obtain command and control (C2 for short) address information from any number of sources. Collective Intelligence Framework is a good starting place, but it won’t necessarily give you targeted adversary information. Red Sky Alliance focuses on advanced and other ‘determined adversary threats’ and can give you information on many of the botnets. Open sources will yield the same information, but with far more false positives. Best to pay for a good list and buy in.

  • Install FlowTraq at your perimeter. FlowTraq comes in both an inexpensive cloud-based option, and a slightly more expensive onsite form, but FlowTraq comes with a simple, easy to use interface for monitoring communications to/from your network. Use it to alert when users on your network are communicating (knowingly or unknowingly) with bad IP addresses or domains.

  • Install a simple client based monitoring solution on every computer on your network. When a network flow is identified communicating with bad actors, use the client based monitoring system to identify patient zero, and quickly follow the crumb trail across the enterprise looking for indications of other compromised machines.

If (when) you find badness, the live forensic system (the client based monitoring system) can be used to perform initial triage, but you still might want to pull the box(es) for analysis to figure out how bad it really is.  You should be prepared for this. It will happen.
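To make the first two steps concrete (qualify the C2 list so a resolver like 8.8.8.8 from a noisy feed doesn't page you, then match perimeter flows against it and pick out patient zero and the hosts to pull), here is an added example in Python. It is not Red Sky, Wapack Labs or FlowTraq code; the indicator feed, the comma-separated flow record layout and the 10.0.0.0/8 internal range are all constructed for illustration.

```python
"""Added example: match perimeter flow records against a qualified C2 list.

Not code from Red Sky, Wapack Labs or FlowTraq. The indicator feed, flow
record layout and addresses below are constructed for illustration only.
"""
from collections import namedtuple
from datetime import datetime
import ipaddress

Flow = namedtuple("Flow", "ts src dst dport nbytes")

# Constructed raw feed. Open-source lists often "call out" 8.8.8.8 because
# malware resolves names through it; it is carried here as low confidence so
# the qualification step drops it instead of flooding the analyst with alerts.
RAW_C2_FEED = [
    {"value": "203.0.113.45", "confidence": "high", "note": "constructed: bot C2"},
    {"value": "198.51.100.7", "confidence": "high", "note": "constructed: dropper host"},
    {"value": "8.8.8.8", "confidence": "low", "note": "Google DNS, resolver only"},
]

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed flow export: timestamp,src,dst,dst_port,bytes (one flow per line)
SAMPLE_FLOWS = [
    "2013-10-07T09:12:03,10.1.4.22,8.8.8.8,53,212",
    "2013-10-07T09:15:40,10.1.4.22,203.0.113.45,443,1480",
    "2013-10-07T11:02:11,10.2.7.9,203.0.113.45,443,960",
    "2013-10-07T12:30:00,10.1.4.22,198.51.100.7,80,51200",
    "2013-10-07T12:45:19,10.3.1.5,93.184.216.34,443,3300",
    "2013-10-08T08:01:00,10.2.7.9,8.8.8.8,53,190",
]


def qualify_indicators(feed, min_confidence="high"):
    """Turn a raw feed into the set of C2 values worth alerting on."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return {i["value"] for i in feed if rank[i["confidence"]] >= rank[min_confidence]}


def parse_flow(line):
    ts, src, dst, dport, nbytes = line.strip().split(",")
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes))


def find_c2_flows(lines, c2):
    """Flows where an internal host talks to a qualified C2 address, oldest first."""
    hits = [f for f in map(parse_flow, lines)
            if ipaddress.ip_address(f.src) in INTERNAL_NET and f.dst in c2]
    return sorted(hits, key=lambda f: f.ts)


def patient_zero(hits):
    """Earliest internal host seen talking to C2: where host triage starts."""
    return hits[0].src if hits else None


def hosts_to_pull(hits):
    """Every internal host with C2 contact, in order of first contact."""
    return list(dict.fromkeys(f.src for f in hits))


if __name__ == "__main__":
    c2 = qualify_indicators(RAW_C2_FEED)
    hits = find_c2_flows(SAMPLE_FLOWS, c2)
    for f in hits:
        print(f"{f.ts.isoformat()} {f.src} -> {f.dst}:{f.dport} ({f.nbytes} bytes)")
    print("patient zero:", patient_zero(hits))
    print("hosts to pull:", hosts_to_pull(hits))
```

Lowering the confidence threshold to "low" pulls the two 8.8.8.8 DNS flows back in, which is exactly the false-positive noise the qualification step exists to keep out.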

I know this all sounds hard (and expensive) but it doesn’t have to be.  The solution can also be built, analyzed and monitored by a managed analysis provider.  A 30-60 day project might cost $25/computer per month for the troubleshooting and recommendations for going forward.

In an environment with 1000 computers, a month of monitoring, troubleshooting, prioritizing and strategizing is a fraction of the long term cost of that next sandbag --firewalls, IPSs, Host Based IPSs, enterprise AV project, or whatever you’re going to throw on the pile next. Red Sky’s Manchester, NH based Wapack Labs and its Lebanon, NH based partner FlowTraq will install a solution, monitor your network, and tell you where your current levee is leaking.  Armed with that information, you can purchase the protections you need, not the protections you’re told you need.


Don’t guess. Don’t estimate. Call us.


Know before you buy (your next security sandbag).

Until next time,
Have a great week! Jeff


Saturday, October 05, 2013

Red Sky Weekly: It shouldn’t be so hard!

I just read a piece in my RSS feeds where the head of NSA’s outreach to the corporate community for public/private partnering and information sharing was on the podium at the Chamber of Commerce. The speech was reported by Federal News Radio and posted to the internet, and as I read it, it took me back to two years ago when I left the government. I was the architect and operating director of the operational arm of the DoD public/private partnership run from the DoD Cyber Crime Center. It was called the DoD/Defense Industrial Base Collaborative Information Sharing Environment (say DICE --it's an acronym that could only come from the government!).


There were several reasons for my leaving, but the truth is, on the government side, the politics were a real bear, and I wasn't having much fun. For the government, the motivation became not as much about helping companies protect themselves, but more about budget and control. There were (are) big dollars in the federal budget associated with cyber, and everyone wanted their piece --NSA, DHS, DoD… and so the marketing machines spin up. The food fight begins. Messages become mixed, companies feel forced to work with all of them, and for many reasons, many do --but mostly out of concern for future acquisition and contractual concerns as Federal Acquisition Regulations go through updates to include cyber reporting requirements.


And you know what? The government should be able to work with the public. In fact, the government should work for the public. What does that mean? That means that NSA, and others, should willingly share cyber protective information and intelligence with the public, without the expectation of anything in return. The American cyber landscape needs help. Companies need help. So quit politicking and making speeches about how good it is. Quit asking companies to sign frameworks, and cooperative research and development agreements, and get security clearances.


Just tell us what you think we need to know, and don’t ask for anything in return.


It shouldn’t be that hard. But it is...
To demonstrate my point, I’m going to take this out of the cyber realm for a moment and show you a message that probably everyone, even non-smokers, will understand.



The surgeons general of nearly every country in the world put messaging on packs of cigarettes. Some are more elaborate than others, but the same message appears on all -- “Smoking Cigarettes will kill you”, or in the case of this New Zealand pack of smokes, the message on the front is pretty straightforward, but on the back is a full page ad and a picture of a rotted foot! Why am I talking about the message on a pack of cigarettes? Everyone knows that cigarettes kill right? 

It works because this message is simple, ubiquitous, and because it’s been published for so long, that a very high percentage of the global smoker community knows… they may choose to smoke, but it could (probably will) kill them. 

Now try this one.. I received this warning in an email from the FBI earlier this week. Sorry for the resolution.. It’s the banner that appears at the bottom of reports that get pushed out to tens of thousands of people from the group formerly known as Infragard. It’s funny. Nearly everyone in my office has or has had a security clearance. Two of us were communicators in the military but neither one of us could actually decipher the meaning of this banner --instructions on how/where we could send or use this report. 

So, I’d like to share this reporting with members of the Alliance, but the banner is a ‘Warning’ --”(U) Warning:... It is subject to release restrictions as detailed in the Homeland Security Act of 2002, as amended… “ and “It is to be controlled, stored, handled, transmitted, distributed and disposed of in accordance with DHS and FBI policy for FOUO information…”


So what exactly does the Homeland Security Act of 2002, as amended, say about release of information?

What does the DHS and FBI policy for FOUO information state? 

And what happens if I don’t know and share it with someone who might use it to protect themselves or their company but I inadvertently go sideways on these rules? Am I going to be fined? Go to jail? Will the black helicopters swoop down and take me away? Do I really need to go look this up?

Why is this so hard? 

When I talk about Red Sky Alliance, and why members join us, I tell them this…

Red Sky was funded by a group of companies who wanted to share information between themselves, or wanted to work with the government, but for various reasons were not able, or they just found it really hard. 

Why? In the beginning, most members fell into one or more of these categories:

They all just wanted help… but...


  • Many weren’t invited to work with the intelligence community program (mentioned earlier);
  • Some of the companies were not considered ‘critical infrastructure’ (and therefore couldn’t go, or didn’t want to go, to DHS);
  • Or they were concerned with bringing in law enforcement (typically the FBI),
  • Or they wanted to participate with the DIB folks under DCISE, but the doors, for various reasons, were closed to non-defense contractors,
  • Or perhaps the rules associated with working with government information sharing (see the banner above!) turn off the companies from participating (that banner is only the beginning!)
  • Or trusting the government with internal company data is a massive leap of faith that many will just not take,
  • Or, they loved the services offered by current Red Sky analysts, and wanted to support us in our venture (THANK YOU!!!)


This is why we started Red Sky Alliance. There was an opportunity. It came in the form of fixing many of the issues associated with dealing with the government --heavy rules, DSS visits, CRADAs, costs associated with participating, high false positives rates (or, as one put it "criminally inconsistent" quality) of information received, trust issues, security clearances, etc. Again, a topic for another (very long) blog.

So how did we fix it?


  • Red Sky speaks PGP (and we're working on TLS). The government speaks SIPRNET. The two don’t talk. And with Red Sky, you don’t need any special gear, software, or DSS visits! Wuhoo!
  • Red Sky only has UNCLASSIFIED data. Do you know how hard it is to find good unclassified threat data?  Certainly some of the government data might be cool, but it's nearly always classified, and therefore, unusable. We don’t use government data.. and we’ve written over 100 technical and intelligence reports anyway…  so here’s the dirty little secret.. the best stuff doesn’t always come from them! (shhhh.. we don’t want anyone to know!)
  • With some of the government programs, “you get what’s in the fridge” (yes, someone actually said that!”). With Red Sky Alliance, you get what all of us have in the fridge…. and the membership casts a really, really wide net… 

    When was the last time someone showed you pictures of some of those pesky hackers, what they want, how they operate, and how you might protect your company from them… without making you sign a 75 year non-disclosure agreement, checking your clearance at the front door, after your long flight to Washington, requiring a DNA sample and placing a chip in your head? (just kidding about the chip… although, you might want to break out your tinfoil hat!)


Here’s the bottom line.. 

We do our best to make Red Sky simple, pain free, smart, completely usable, and timely… is it perfect? No, but we try really hard. Here’s how:


  1. Red Sky data is completely unclassified. You can use it however you need to protect your company or your customers as long as you can maintain positive control over the data.
  2. Unlike subscriptions, where most of the data gets tossed, many of our members tell us that they process and use every piece of information that we give them.
  3. You get the ability to ask questions and share notes with companies large and small, who, just like you, only want to protect themselves.. and they are all experts in their field --just like you.
  4. Red Sky will make your team more efficient. Even if you’re a small team and just realizing the problems of APT, targeted corporate espionage, or determined adversary threats, don’t repeat work. Ask the membership. They’ve been through it already. They know the pain. They know what the 24 hour workdays feel like, the uncertainty of it all, the nervousness of job insecurities when briefing the board, and best of all.. how to get through it.



It shouldn’t be so hard.

Don’t feel comfortable jumping into a collaborative just yet? Give us a call. We can help. 

Neuberger talks of NSA's efforts to help companies in three different options: general, targeted and operational efforts. 

Red Sky has, and does, deliver all three today:

General: The social network environment is a great way to share information. It's informative, assistive, and allows those who can use the data to pull from it and protect themselves. Companies share information, lessons learned, forensics and early warning. Our dedicated analysts take that data and turn it into something useful in the form of a Fusion Report and a list of indicators that go with that particular story.

Targeted: For the last six months, Red Sky's Manchester, NH based Wapack Labs has been writing targeted threat intelligence, technical fusion and warning products for folks who are members of the Alliance, but need help dealing with the data. In most cases, our requests have come from members who know they need threat intelligence but don't have the internal capability to do it themselves. Our job? Show them the wolves closest to the sled today, then what to watch for next, and then after that --all specific to the requester, not the general community.

Operational: Many of the Red Sky members are massive managed security service providers --Red Sky data is used in their MSSP operations to protect data. Heck, at least one of our companies protects the government! Second, the Lab in Manchester hosts the backend of monitoring solutions that will allow us to ensure that your current MSSP isn't letting bad stuff through, or for those without an MSSP, the operational arm in Wapack can help you decide exactly what kind of protections you need to put in place.

It's all about money... but not government budgets. It should be about how companies should spend the money they have to protect the products or services they create.  

It shouldn’t be so hard.


It isn't in Red Sky.  I'll be running around the NY to DC corridor over the next two weeks. Give us a call. I'd love to show you how easy it is. 

Until next time,
Have a great week!
Jeff