Saturday, November 30, 2013

Red Sky Weekly: USG, NGO hacked; two new RAT versions

I live in an apple orchard. Last summer, when mowing the lawn, I got stung by a bee... actually, I got stung by lots of bees. Evidently, I got a little too close to the nest with the tractor and set off a swarm. Immediately, I began swatting... but that didn't do me any good with a couple hundred wasps heading my way. So I gunned the tractor and got out of the area as quickly as I could. I still didn't know where the nest was, and knew I was going to need to find it to be able to mow the lawn next time. So after the bees settled down, I walked the orchard to find the nest. That night, employing an old farmer's trick, I built a torch with a kerosene-soaked rag wrapped around the end of a long stake. I drove the stake into the ground while it was still light, and in the middle of the night (when it's good and dark), I lit the rag on fire. The bees, drawn to heat and light, swarmed to the fire while the nest was sprayed with a stream of high-pressure wasp killer, from a distance... no more bees.

Intelligence makes all the difference. What kind of bees do you want to kill? What do they want? How can they be baited? All good information to know.. all good intel -some tactical, some strategic. All must be known to stop the pain now, and keep it from happening again in the future. 

SO, who would you rather be? The guy getting stung? Or the guy lighting the torch? You have to be both. 

One of our members tells his story of 'intelligence driven information security'. He's a smart guy who's been in the intel/security space for a long time. I know him as an analyst, but he's done a lot of things really well for as long as I've known him. He takes a two-step process in consuming intelligence, and I love the cleanness of the process. He's one of the few guys I know that can articulate it well, so I talk about it often. He talks of 'priority intelligence requirements' --those things that he'll look for first thing in the morning.. things that are happening today... wolves closest to the sled. He then looks for things that'll get him tomorrow, next week, and next year --first tactical, then strategic. If he wants to stop the stinging, he knows he'll have to have information (intel, the gouge, whatever you want to call it) that will help him figure out what's coming, not just what's here.

If you follow my blog, you know that Threat Analysis and Intelligence (I call it CTA&I) is something I'm passionate (fanatical?) about, and write about regularly.

When I think about intelligence, especially in the cyber space, it's easy to see how many could confuse actionable information with good intelligence. And we find that many folks we talk to think they understand, but in reality, most do not. And some of those who do oftentimes have no real means of consuming and/or implementing that information. There was a great piece that came out from Gartner a couple of weeks ago. I'm not a Gartner member, but someone forwarded it to me last week. The piece, "How to Select a Security Threat Intelligence Service" (Published: 16 October 2013), takes on the sometimes contentious discussion of what intelligence is and what it isn't, and what should be considered when purchasing threat intelligence. It breaks intel down into two simple bins --Operational, and Strategic.

  • Operational Intel is intel derived through traditional IT tools. Operational Intel should be thought of as short term and tactical. It drives daily operations and will protect from what an old friend likes to call 'wolves closest to the sled'. Intel is delivered in machine readable formats by various subscription services, open source groups, commercial collaboratives (like Red Sky) or information sharing and analysis centers. 
  • Strategic Intel is used to affect longer term, strategic positioning of the organization and its infosec team. 
Operational (Tactical) Intelligence helps you deal with the bees stinging you now. Red Sky members share information about things happening now. Companies are vetted before coming in. Accounts are issued by name. Once in, everyone is peer reviewed. Indicators lists are maintained in comma separated value format for easy consumption. Fusion reports give the story of how they were derived. Members participate in the analysis, assist with everything from false positive derivation to building tools. 

Strategic intelligence helps you deal with those things that might sting you tomorrow, next week, or next year.  Strategic intelligence, comes from Red Sky members participating in geopol discussions, sharing targeting information, objectives of attackers, etc. 

What's happening in Red Sky? This week...
  • Humanitarian NGO hacked: We posted analysis, and notified an international humanitarian organization that they'd been victimized. Wapack Labs (Red Sky's 'hands on' end of the operation) identifies and exploits sources of information not generally available to others. Through this source, we identified leads that led us to this NGO. In coordination with an EU Computer Emergency Response Team, we were able to notify the humanitarian organization of the problem, and help them figure out what to do about it.
  • Two new RAT versions were identified, analyzed, and shared. Again, through the lab, information was received and shared to the Red Sky membership. It was then analyzed by the collaborative with indicators cleaned up, and posted.
  • Compromised US Government Certificates and Accounts: Wapack Labs received information from one of its HUMINT sources, raw, unevaluated information of US Government certificates and account compromises. We're receiving more and more information related to attacks on various governments and NGOs. Some of this stuff really isn't in our lane, so all information is posted to the Beadwindow portal where government users can download the information and act on it as needed. 
So yes.. it's been a good week. 

Why should you join us today? Because for slightly less than half the cost of a good subscription service, you get to access and share information with many of the original authors of much of the data that those subscription services analyze. What kind of information?
  • Incredible tactical information: The portal has been busier than ever. Tactical intelligence is growing and every minute you wait, you're losing valuable protection information.. information that would cost HOURS (if not days, weeks) to derive without help. From the tactical perspective, in both Red Sky and Beadwindow, you can quickly pull down:
    • Information of hacks in industries, how they acted, and how others protected against them.
    • Monitoring and sharing of network activity by others
    • Shared monitoring of open sources such as social media, Google groups, chat rooms and other forums
    • Analysis of artifacts - If you can't do this yourself, ask about Wapack Labs' malware analysis.
  • Strategic Intelligence.. at a very high level...
    • Who are these guys?
    • What do they want?
    • What will make them stop?
    • What exactly are they trying to do when they hack us?
    • How will you know? 
    • How can you prevent the attacks, or stop them in progress?
Come join us. Build your network! I was in a meeting a few weeks ago, when I (once again) heard the most common thing that I hear when talking with potential members or Wapack Labs customers.. "I got a guy". Every company that we work with has hired someone from the intelligence or law enforcement community. They think because they hired 'a guy', they're good. In fact, the 'guy' is almost always adorned with an 'intelligence' title but has dozens of responsibilities that don't include intelligence. Red Sky and Wapack Labs focus on intelligence. We have process. Use our process to complement your team. The networks are huge, and pay off in spades!

Schedule a demo today. Our membership price is going up at the end of the year, and if you join now, you can lock in 2013 prices. We offer flexible payment options, and every minute you wait is another piece of information that won't get used in your network today. Drop us a note to schedule your demo.

Until next time!
Have a great week!
Jeff
 



Saturday, November 23, 2013

Red Sky Weekly - 11/23/13: It's about the swing!

One of the guys told me yesterday that our growth and content creation lines were near straight lines at a 45 degree angle. He'd noticed that since the end of summer, the portal has been on fire. So this morning before jumping into the blog, I wanted to check the numbers out for myself. It's been a while since doing so, and I'm coming up on a threat day where I've got to report out to the membership our current status and what's coming.
Figure 1: Content Creation
Figure 1 is a graphic showing content creation since our kick-off. Our portal was issued to us (empty) in mid-January 2012, modified, tested and deployed in mid-February with content population starting in March. Since then, this thing has been a straight line of activity. 

Our community has grown from two (Jim and me) to 207 total accounts (as of this morning), with roughly 80-100 active every month (Figure 2). This was a total surprise to me. I've been involved in information sharing organizations before (several in fact), and have never seen user participation levels like these. What does that mean to you? It means there are 80-100 active, peer reviewed analysts who can help you with just about any request. Need help with something special? Just ask. Someone will have worked on that too. Need to reduce false positives in your IOCs? Just ask. Setting strategy for next year? Metrics help? Others have been working the same things. Good intel - tech to GEOPOL, cross sector participation, and finished reporting from the discussions. How cool is that!?

Figure 2: User Adoption and Creation
Figure 2 is the graphic showing the numbers of active participants month over month back to the beginning of the year. It's amazing to me to think that even when the week seems slow, month over month the activity stays relatively consistent. By far, besides the containers that hold the fusion reports and IOCs, the most active area in the community is intelligence, followed closely by the Malware Lab. 
  • Security Intelligence is the location in the portal where members talk about what's coming. We've added priority intelligence reporting and geo-political analysis, both based on traditional intelligence cycle processes, both creating a ton of activity. 
  • Malware Lab is always busy. Most of our folks have malware analysis capabilities, and they'll drop results into the Malware Lab. For those who don't, Wapack Labs can help. We can run the code for you and drop the results back into the portal. 
So why did I title this blog "It's about the swing!"??

I keep a Morse code key on my desk. It reminds me of where this all started for me. I was a Coast Guard Radioman (RM3) standing watch at Coast Guard Communications Station Boston (actually, in Marshfield, MA), eventually growing to Telecom Specialist (TC1) before heading off to Navy Officer Candidate School (that's a whole different story!). Back to the code key... when you're operating by Morse code (we ran many of our comms by Morse code -- I'm dating myself!!), after a while you get to know who you're talking to by the 'swing' of their key. It's like recognizing the voice on the other end of the phone. After a while, even though some of us have never met, we get to know each other. The portal is the same way. We're getting to know each other through active participation, peer reviews, and various get-togethers --some involving food and mild liquid lubrication.. it helps with the bonding ;)

The swing has become apparent in the portal. Those who communicate regularly seem to really hit it off analytically. The products that the team pushes out cement the conversations in formal, easy to read, 'this is what it means' and 'this is how you stop it' reporting. Will it always work? Probably not, but it's a great start to working your own environment, knowing what to look for, finding it, and saving yourself a hell of a lot of time and frustration of trying to go it alone. 

We're pushing through to the end of the year. We brought on a new member this year, and are pushing to close out our year and get new folks started before January. If you've been thinking about requesting a demo, give us a call. We've been flat out for the last few months (see Figure 1!). I'm expecting that we'll slow down as we pass Thanksgiving, so this is the time. Drop us a note!

Until next time,
Have a GREAT Thanksgiving!
Jeff



Saturday, November 16, 2013

Red Sky Weekly - 11/16/13: Mind the Gap!

I had dinner at a local steakhouse last night. And as I ran through the menu, I found a new page --a picture of each of the cuts of steak laid out as a simple one-page guide to what each was --marbled, lean, expected taste/texture, etc. Why the new page? Evidently the restaurant (who'd been here for years) had a realization that the majority of their customers didn't understand the differences from one cut to another. As a result, they tended to order the same cut, over and over, without ever trying other possibly more expensive cuts.

Why am I talking about a steak dinner?

Because this week was busy. 0-days, new malware, shifts in TTPs, etc. For whatever reason, this week seemed much busier than others. It brought me back to a day when I operated as the Information Security Officer. The company did about $7 billion per year in sales, had roughly 35,000 employees in a few dozen locations around the world, and with partner and supplier connections, probably expanded the network to about 100,000+ people. We had export controls, consent decrees (court ordered firewalls between potentially competing internal businesses), and a dozen or so regulatory issues, including, like many of you, SOX and increasing government pressures from DSS, and others. My job? I managed information security for this entire environment on two people.. me and one other. We focused mainly on architecture and architecture reviews with almost no time to deal with testing final integrations -but we did do patch management really well. It was largely automated and relied heavily on the desktop teams. It didn't take long to realize we needed help. We were being targeted, and every run of the host-based scanners reported at least several hundred computers that needed to be looked at, troubleshot, investigated and probably rebuilt.

So what's the gap?

It's the space that lies between what actually needs to be done and what actually gets done. It's knowing that you've got 800 machines showing up in that host-based scanner result, and finding out that you've actually got a problem, but having to simply burn and rebuild them without doing the forensics that might help stop it next time (and there WILL be a next time!). It's playing whack-a-mole for months before finally realizing that this just isn't working anymore. It's the complexity of interconnectivity of systems of heterogeneous systems connected to other systems of heterogeneous systems connected during acquisitions past; it's gaps in visibility across the network from the lack of uniform tools; it's not being able to touch every machine during an emergency. It's virtualization and clouds, and having to ask permission to take a box offline or leave it on for monitoring. It's the lack of trained personnel --not people lacking infosec training, but company training on the processes of intelligence handling, incident response, forensics, restoration and continued monitoring and protection.

The gap is knowing what must be done, but not having the ability to actually do it. It's a security intelligence provider offering, as victim notification, a gig of indicators suggesting a large percentage of your company has been p0wned, but not having the instrumentation to even go find it. It's knowing intelligence could have prevented it, but not even knowing where to start.

Don't burn out. Don't chase your tail. Get organized. Get help. Mind the gap.

Red Sky can help mind the gap... the knowledge gap. What have others done when they had 800 machines show up with those same results you're seeing today? What worked, and what didn't? Ask them! With a few keystrokes you can ask the question, get answers, and possibly save yourself yet another overnight in the lab running forensics, banging your head against the wall. Others have been there before you.. and others will come after you. Perhaps you can help them with their gap!

Can't participate in a collaborative? Think Wapack Labs. There are lots of reasons why Red Sky might not fit, but that shouldn't stop you from getting the information you need. The lab handles other kinds of questions. "We've been bought and sold so many times... what's my network look like?" "Who keeps hacking us and what will make them stop?"

How do we help? We've got a great membership. We've got almost two years of ongoing conversations in Red Sky portals and several years of targeted incident response before that. The problem you're having today is probably one that someone else has already had.. so ask them. Need analysis and indicators? Check out the fusion and intel reports. We published two of them this week. Any more would probably be overwhelming, so we work hard to keep it simple and actionable.

On the 11th, we're having our end-of-year threat day. We'll have happy hour on the 10th as an ice-breaker, and a day of presentations and great conversation on the 11th. We'll have a line open for those who can't attend but want to be involved virtually. It's always a great day.

Want to join us? We're pushing hard as we come into the end of the year. Drop us a note. Let's set up a time for a demo!

I'm keeping it short today. Much to do before traveling tomorrow.
So until next time,
Have a great week!
Jeff




Saturday, November 09, 2013

Red Sky Weekly - Life is hard, but it's harder with bad intel!

You'll probably recognize the saying. That’s not really how the saying goes, but it’s pretty much the same point… Let me explain.

I spent some time this week with an old friend from the Defense Industry, who, like many of us, has moved on. His new company, not defense related, joined Red Sky Alliance last week. We had great conversation with him and his new team. We shared war stories of using creative ways to find attackers living in their networks. And as with any good series of incident response war stories, they always turn to harder cases. You know the ones. They’re the ones where you’ll never find (or stop) attackers by using indicators of compromise (IOCs) alone. As an example, we talked about one case where a virtual VPN server was set up inside a network, allowing attackers the ability to simply log in using encrypted comms over the port left open for normal encrypted web traffic (SSL). Once in, the proxy was used as a jump point into other virtualized, attacker-installed servers. Attackers built their own virtual network on top of the company network and used it as their workspace, and the activity entering and leaving the actual network looked just like normal employee activity!

The question I get (nearly on a daily basis!), with regard to intelligence, is ‘how good is it, and how can you tell?’

Let’s try this...

When dealing with targeted infections, every company does three simple things simultaneously:

  1. They must stop current infection(s) (an infection is a set of compromised machines, and might be expressed as a percentage of your network --in large enterprise, it might be 1-2% per infection);
  2. They must stop the current infection(s) while maintaining current operations and allowing the business to continue to operate;
  3. And they must plan for how they’ll maintain operations into the future over now untrusted networks (and you won’t, ever, trust them again).

From our perspective, and the way I push my team and train analysts, it's this.. Intelligence is analyzed data that will be used to present the answer to a specific question relative to strategy… futures. “Intelligence” has been used to describe IOCs (Indicators of Compromise), forensic analysis (from a previously hacked machine or machines), reverse engineering, and many other past tense, or current state activities. But from our perspective, IOCs are required information, and will help you find and stop activity now, but Intelligence tells you what IOCs to use next. Intelligence is about futures.

So without getting into the religious wars over what intelligence is and what it isn’t, let’s get back to the questions.

How good is your intelligence?

How can you tell?

Intelligence has many traits, but in my opinion, you can tell good intelligence by looking at a couple of simple things. In fact, try measuring these:

  • Intelligence should be actionable. Intelligence that you can’t act on isn’t intelligence, it’s analyst porn;  it’s a ‘self licking ice cream cone’; it’s intelligence for the sake of intelligence; it’s research time spent to make the analyst smarter (not a bad thing), possibly offer situational awareness, but doesn’t necessarily create returns on your intelligence spend.
  • Intelligence should be sourced. This doesn’t mean users need to know every source, but the author needs to be able to express both confidence in the source, and quality of reporting. For example: Red Sky considers its finished analysis (fusion reports) high confidence information relating to targeted events. This is because we practice, and expect, peer review on our products. Our products are sourced, allowing readers to check our work, and we practice something an old friend used to pound into me --analytic rigor. Analytic rigor is the act of identifying multiple sources that point at one conclusion (or sometimes not!). When we correlate data, we typically compare Red Sky derived data to multiple sources through our own private collections of CIF data, malware, crowdsourced data and potentially dozens of others. This gives us “layers of analytic confidence”. We can quickly compare high confidence data (fusion report drafts) to open source data (CIF) to primary sourced data (data off the wire from the members). Source quality counts.
  • Intelligence should make your future life easier, not harder. When you drop an intelligence derived IOC into an IPS, does it make bad things stop? What’s the false positive rate? Do you know? Red Sky members receive Snort signatures and YARA rules when possible. In the Snort signatures, we label the rule with the Red Sky report that it came from. That way, you can easily measure the effectiveness of rules published in Red Sky reporting. While every rule may not fire immediately, the idea is that it will in the future. You may not have seen that activity yet. We don’t necessarily get feedback on which rules fired where, but we do get feedback from CISOs who tell us that they use EVERYTHING we give them, and that they’re renewing because we give them information that they don’t get elsewhere… both great compliments!
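Two points in this blog come together in code: the November 30 post says indicator lists are shared in comma-separated format for easy consumption and that fusion reports say where each indicator came from, and the bullet above says rules are labeled with the report they came from so their effectiveness (and false positive rate) can be measured. The script below is an added example written for this page, not Red Sky or Wapack Labs tooling. The CSV, the proxy log lines, the report ids (FR13-XXX, FR13-YYY) and the peer-reviewed false-positive list are all constructed; the CSV column names are an assumption about what such a list might carry.

```python
import csv
import io
from collections import defaultdict

# Constructed indicator list in the comma-separated style the post describes.
# Report ids and indicators are made up for this example, not Red Sky reporting.
INDICATOR_CSV = """indicator,type,report,confidence
update-check.example.net,domain,FR13-XXX,high
203.0.113.45,ipv4,FR13-XXX,high
cdn.example.org,domain,FR13-YYY,medium
"""

# Constructed proxy log lines: timestamp, source host, destination:port, bytes out.
PROXY_LOG = """2013-11-25T08:01:02 ws-acct-0142 update-check.example.net:443 18234
2013-11-25T08:01:09 ws-acct-0142 203.0.113.45:443 9981201
2013-11-25T08:02:15 ws-eng-0031 cdn.example.org:443 4120
2013-11-25T08:03:44 ws-eng-0031 www.example.com:443 7710
2013-11-25T08:05:01 ws-fin-0007 cdn.example.org:443 3901
"""

# Indicators whose hits a peer review later judged benign (constructed).
REVIEWED_FALSE_POSITIVES = {"cdn.example.org"}


def load_indicators(text):
    """Parse the CSV into indicator -> row so each log line costs one lookup."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["indicator"].strip().lower(): r for r in rows}


def parse_proxy_line(line):
    """Split one constructed proxy line into its fields; drop the port."""
    ts, host, dest, nbytes = line.split()
    dest_host = dest.rsplit(":", 1)[0].lower()
    return {"ts": ts, "host": host, "dest": dest_host, "bytes": int(nbytes)}


def match_logs(indicators, log_text):
    """Return one hit per log line whose destination is a listed indicator,
    carrying the report id and confidence the indicator was published with."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        ind = indicators.get(rec["dest"])
        if ind:
            hits.append({**rec, "indicator": ind["indicator"],
                         "report": ind["report"], "confidence": ind["confidence"]})
    return hits


def effectiveness_by_report(hits, false_positives):
    """Per report: how often its indicators fired and what share was judged benign."""
    stats = defaultdict(lambda: {"fires": 0, "false_positives": 0})
    for h in hits:
        s = stats[h["report"]]
        s["fires"] += 1
        if h["indicator"] in false_positives:
            s["false_positives"] += 1
    for s in stats.values():
        s["fp_rate"] = s["false_positives"] / s["fires"]
    return dict(stats)


if __name__ == "__main__":
    inds = load_indicators(INDICATOR_CSV)
    hits = match_logs(inds, PROXY_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["host"]} -> {h["dest"]} [{h["report"]}/{h["confidence"]}]')
    for report, s in effectiveness_by_report(hits, REVIEWED_FALSE_POSITIVES).items():
        print(f'{report}: {s["fires"]} fires, fp_rate={s["fp_rate"]:.2f}')
```

Because every hit keeps the report id it came from, the false-positive rate rolls up per report rather than per indicator, which is the feedback the bullet says a member could measure once the peer review has sorted benign hits from real ones.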

So let's go back to our original example.

The FBI shows up on your doorstep one day and tells you that your network is phoning home to .  When you look at the traffic (assuming you have the ability to do so), you find a machine pumping data through port 443 from a machine on your internal network, using an internal non-addressable IP address. It’ll look pretty much normal --maybe one that matches your DHCP addressing but the machine name doesn’t necessarily match your naming convention.  Whadya gonna do? You’ll want IOCs, but you’ll also want intel. IOCs will give you the machine name, internal IP and other information to help with the immediate infection, and without them you’d probably spend days (weeks?) scouring your network for others that might be talking to this first virtual machine… and when you identify those comms, they’ll become encrypted, or move! This is where good intel will help you with what’s coming next….
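The scenario above gives two things to look for that no IOC feed supplies: a machine whose address fits the DHCP pool but whose name doesn't fit the naming convention, and that machine pushing a lot of data out over 443. The script below is an added example for this page, not code from the post or from Red Sky. The naming convention, the DHCP lease table, the flow summaries and the byte threshold are all constructed; the regex is an assumed convention (site code, role, four digits) standing in for whatever a real shop uses.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed naming convention (constructed): site-role-NNNN, e.g. bos-ws-0142.
HOSTNAME_RE = re.compile(r"^(bos|nyc|lon)-(ws|srv|lt)-\d{4}$")
DHCP_POOL = ipaddress.ip_network("10.20.0.0/16")  # constructed pool

# Constructed DHCP lease table: ip -> hostname the client reported.
DHCP_LEASES = {
    "10.20.4.17": "bos-ws-0142",
    "10.20.4.18": "bos-lt-0203",
    "10.20.9.250": "ubuntu-vm",      # does not follow the convention
    "10.20.9.251": "nyc-srv-0011",
}

# Constructed flow summaries: (src_ip, dst_ip, dst_port, bytes_out).
FLOWS = [
    ("10.20.4.17", "198.51.100.10", 443, 120_000),
    ("10.20.4.18", "198.51.100.11", 443, 2_400_000),
    ("10.20.9.250", "198.51.100.12", 443, 3_900_000_000),
    ("10.20.9.250", "198.51.100.12", 443, 1_200_000_000),
    ("10.20.9.251", "198.51.100.13", 443, 80_000),
]


def egress_443_by_host(flows):
    """Sum bytes out over port 443 per internal source address."""
    totals = defaultdict(int)
    for src, _dst, port, nbytes in flows:
        if port == 443:
            totals[src] += nbytes
    return totals


def name_matches_convention(hostname):
    """True when the hostname fits the assumed site-role-NNNN pattern."""
    return bool(HOSTNAME_RE.match(hostname))


def find_suspects(leases, flows, byte_threshold):
    """Score DHCP hosts: an off-convention name and heavy 443 egress each add a
    reason; hosts with the most reasons (then the most bytes) sort first."""
    totals = egress_443_by_host(flows)
    suspects = []
    for ip, name in leases.items():
        if ipaddress.ip_address(ip) not in DHCP_POOL:
            continue  # not a DHCP client; out of scope for this check
        reasons = []
        if not name_matches_convention(name):
            reasons.append("hostname off convention")
        if totals.get(ip, 0) > byte_threshold:
            reasons.append(f"{totals[ip]} bytes out over 443")
        if reasons:
            suspects.append({"ip": ip, "hostname": name,
                             "bytes_443": totals.get(ip, 0), "reasons": reasons})
    suspects.sort(key=lambda s: (len(s["reasons"]), s["bytes_443"]), reverse=True)
    return suspects


if __name__ == "__main__":
    for s in find_suspects(DHCP_LEASES, FLOWS, byte_threshold=1_000_000):
        print(f'{s["ip"]} {s["hostname"]}: {"; ".join(s["reasons"])}')
```

Neither signal alone is conclusive (a legitimately misnamed laptop, a big upload), which is why the two are scored together rather than treated as alerts on their own; the host that trips both is the one worth pulling for the forensics the post describes.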

Assume you’ve pulled IOCs from one of your sources (I hope it’s Red Sky Alliance!). You find the invading virtual environment. In every case the activity will escalate. Once you learn to protect from the immediate activity, the tactics will change. How will you know what’s coming? INTELLIGENCE. And what must that Intelligence be? Actionable, timely and correct. Without it, your future life is about to become really hard. It should make your future life easier, not harder.

That’s how you can tell good intelligence.

ACTIONABLE, TIMELY, AND CORRECT.

BT BT

  • We had two new members join us this week --our first large law firm, and another one of the large cloud providers.
  • We posted another new intelligence analysis report and a priority intelligence report.
  • We’re preparing for our 4th quarter threat day.

It’s been busy. We like it that way!  Christmas is busy for Santa and hackers, and our membership price will increase at the beginning of the year. A December membership will let you lock in your rate for up to three years, so if you’re thinking about joining us, do it now. We’re happy to schedule a demo. Just drop us a note!


Until next time,

Have a great week!

And for you veterans: Happy Veterans Day! Enjoy the weekend. You (we!) deserve it!
Jeff

Saturday, November 02, 2013

Red Sky Weekly - 11/2/13

It's been a LONG (and awesome!) week, but I'm not going to post this week. 
It's 5:11 AM and I'm forgoing my weekly blog and heading to Boston for the parade. Congrats Sox! It was an amazing series! Wuhoo!


Saturday, October 26, 2013

What is Wapack Labs? What does it do for Red Sky (and others)?

I just sent a note to one of the sources we use in identifying information that might be of help to our members. If you've ever sourced folks, you'll know that even at 6:30 in the morning when you might otherwise be having your first coffee, you might still find yourself quelling the "the sky is falling" messaging when every source feels their gouge is more important than anything else in the world today.

Why sources? Because cyber comes in all shapes and sizes.  This blog is a bit different. We've done some amazing work in the lab and I rarely tell anyone about it, so I thought I might today.

As a bit of clarification, Red Sky is about information sharing of good cyber intelligence and network defense. When our guys post information to Red Sky members, it comes from smart guys, but also from things that smart guys have developed in Wapack Labs. The idea in the lab is to both perform second- and third-level dedicated analysis for those who need it, but also, we use it to find new sources of unusual, high value information, collect that information, and turn that information into actionable intelligence to support members of the Alliance. But in doing so, we almost always come across a ton of other really interesting information that we then distill down to answer other questions. We have the ability to do computer forensics, analysis, break down PCAP, and all of the other things needed to be able to help defenders protect their networks --and we do. We work these issues and post findings for members in the Red Sky and Beadwindow portals. But at the same time, when going through these processes, data identified gives us a really great perspective on other problems.

And on that, it should be noted... Information isn't intelligence. Intelligence comes from being able to identify the nuggets in information that might be helpful in aiding decision makers on courses of future actions. This is what Wapack Labs does. Red Sky is where we put that intelligence. Wapack Labs is where we develop and analyze it.

What kind of intelligence are we talking about?  Cyber defense obviously, but also insider threats, competitive intelligence, M&A, and self examination as starters.  With enough smart guys (we're keeping it small), we could easily go into dozens of others, but these are really fun so we'll focus here for now!

So beyond the cyber that we push to the portal, here are a couple of examples of non-cyber focused work that we end up obtaining as part of the process:


  • Insider Threats: Last week we had the ability to tell a global consumer electronics company that they have an insider threat problem. We had done research supporting cyber defense. This work led us to conversations (open source of course) of a specific group. One of the guys does security consulting work in a number of companies, and we had a conversation with one of them last week. This work has led us to start an insider thread in the portal. 

  • Mergers, acquisition, or outsourcing: Would you buy or use a company without doing due diligence? Since earlier this spring, we've answered questions from companies about possible merger and acquisition targets, and this week we're being contracted for the third time to answer questions about a bunch of companies who're being looked at for large scale IT outsourcing by a non-member. The questions usually go something like "We're thinking about using tell us what you know about them."

  • Infrastructure: While not necessarily intelligence focused, the Lab has received a number of requests where companies want to know about themselves! Our last paper went something like this... "We've been through a number of acquisitions and divestitures. What do you guys know about our infrastructure?" We're not into mapping networks, but the answer might be more along the lines of "We found that you still have web servers and a DMZ residing ." -or- "we found a dozen or so of your addresses registered as VPNs with a (ahem) third party." (This isn't a good thing.)  Interestingly enough, there's a TON of open source, free information out there that can be used to find out about a company's infrastructure and if you know how, you don't need to even touch the network to find it and answer questions like this.

So if you've wondered what Wapack Labs does, but were maybe too shy to ask, this is what it does... cyber defense, R&D, analysis, and anything else we find fun, interesting (and of course, revenue generating!). 

BT BT

I'm keeping it short today. It's been a heck of a week! 

So until next week. 
Have a great weekend.
Jeff



Saturday, October 19, 2013

Security is a team sport!

We went through an exercise this week proving just this. 

It seems that in nearly every meeting I’ve had in the past several weeks, someone asks a question about what Red Sky Alliance knows about Insiders. It’s true, we focus on corporate espionage and APT events, but clearly insiders --at least one class of insiders-- fall easily into the ‘determined adversary’ category… and for that, we’re on it!

So what constitutes an insider? I have an old friend who’s studied this for years. Dawn Cappelli left Carnegie Mellon (maybe a year ago?) where she built and spearheaded the insider threat group at SEI. She’s the expert, and she’ll tell you that insiders come in many shapes and sizes.

So which category are we talking about? I’m not talking about Snowden. In fact I’m growing tired of reading about him in TechDirt (the “all Snowden all day” RSS feed!), but more about others, whom we know to be wearing the white hats by day, turning gradually darker as the evening draws close, and finally pure, pitch black after hours.
 
We realized that for the last several months we’ve been authoring not only the fusion reports that I talk briefly about in my weekly blogs, but in May we began writing ‘priority intelligence reports’. For those of you in the IC, think Intelligence Information Reports, based on both priority and standing requirements. For all others, PIRs talk of ‘wolves closest to the sled’. Anyway, in going through the last few months, we’ve come to realize that many of the individuals that we’ve identified through our research are both smart guys by day, and by night, cyber thugs stealing IP, coaching newbies, testing their 0-days and pushing their way through the corporate walls. Heck, maybe they do it by day too. Not sure, but here’s what I do know… we presented to one company this week where we showed them a picture of a really smart guy by day, but a really bad guy by night. He advertises the fact that he works, as a security consultant for their company, in an IT Security consulting role. We know him from his involvement in other things… He, in my mind, is an insider threat. 

He’s one case. We have a few others. And what’s interesting to me is that there are some interesting correlations that seem to be appearing:

  • Many of these guys are doing double duty
  • There is targeting employed as part of the group(s) that they belong to
  • And by watching the employment of some of these Jekyll and Hydes we can get a pretty good idea of not only who many of these folks are, but who they work for.  And if we’re right, we know why some of these guys are getting very specific jobs.


How does this work in the real world?  We played out an example just this week. Someone we know (from our research) was hired by a company in the US. This is a great company, and they hired a smart guy, but at the same time, some may consider some of his off-hours associations questionable.  Those associations often make for great intel sources, but at the same time they could also significantly increase the risk that this guy is a really efficient insider, placed in this company to deepen what is known about the company’s customer base or security posture.  It’s not unheard of.  Dawn had probably documented hundreds of these cases before leaving SEI. In our case, our early assessment wasn’t perfect, but by the end of the day, after sharing notes and talking with members, we had a pretty good idea where we had gaps.  We’ll continue tracking, asking our members for information, keeping the conversations moving… and over time, the assessments will become clearer.

Security IS indeed a team sport.

We’ve been getting really good at talking together about information security threats, but should insiders be another topic?

BT BT

The guys have been busy this week. The portal never stops moving. It’s great! Here are a couple of the highlights:

  • Fusion Report 27: Red Sky analysts issued our 27th fusion report of the year. FR13-027 presented findings about a previously unknown malware variant observed in the wild. The report provided analysis on the infrastructure and presented technical analysis of two of what we’re calling “Backdoor.Baby” variants.
  • Intel Report 18: This week we updated our analysis of “Flower Lady” with our 18th intel report of the year. IAR13-018 builds upon work in two recent Fusion Reports analyzing infrastructures and malware attributes, connecting the dots from attacks as far back as 2011.



It's been a busy week. 
I'm going fishing.
Have a great weekend!
Jeff

Saturday, October 12, 2013

Red Sky Weekly: Know before you buy!

Interestingly enough, nearly every large enterprise CISO that we at the Red Sky Alliance talk to tells us that they spend (at a minimum) hundreds of thousands of dollars on subscription security intelligence reports.  Every medium sized enterprise CISO (or if they don’t have one, their director of IT or CIO) tells us they harvest open source information for their security intelligence.  The small guys? Rarely do they use security intelligence at all.

And so what’s the problem with this model?

Not all data is created equally.

A lot of data doesn’t necessarily mean you have good data.  In fact, nearly all of the data needs to be qualified before use. An old friend, (Dr.) Vince Berk, is the founder and CEO of a very cool company called FlowTraq. It's funny. When we talk, Vince often says “There is a fundamental difference between data and information. Information is the specific pieces of data that allow you to make actionable decisions. This means that two different people might find different bits of information in the same pile of data. As people's objectives and missions differ, they will need different pieces of data, "the right data", that is information for them.”

You need to ask how the data will affect your current system when installed.  Will it block key suppliers? Often, even the most popular services are used for bad.  Google’s domain name service (DNS), 8.8.8.8:53 for example, is often called out as a command and control channel for malicious code installed in your network by the phisher du jour.  Google isn’t bad, but good tools are often used for purposes other than intended. And will you base your defense spending on unqualified data? How do you know what to buy to protect yourself when your analysis is potentially based on low confidence information?

Let’s turn the model upside down for a moment shall we?

I’m taking this metaphor from Ed Amoroso, the CISO at AT&T. He’s a smart guy, and the metaphor hit me like, well, a sandbag to the head... so in fairness, he talks about using sandbags to stop the water rising from the swelling riverbed as a metaphor for dropping boxes and boxes in front of a network for protection... they both leak under the rising river!


So let’s think about this for a moment... before you spend another dime on a sandbag that won’t protect you from that swelling riverbank, let’s take a smart look at what you should buy, what you should collect, and the data you must have to help understand what’s going on in your network.

Here’s a start.

Monitoring (not protecting just yet) your network is a three-step process plus one more if needed (it will be):

1. Identify as many command and control nodes as you can get your hands on.
2. Install them in a good, perimeter based network flow monitoring and analysis suite.
3. Place inexpensive monitoring inside your network for a period of time (say, 30-60 days?) to help identify root cause, patient zero, and areas of weakness.
4. Be ready to pull egregious internal offending computers off the wire for analysis.  You will find a few.


Dr. Berk says the key to success in the info security space is finding the information in all the data. “This requires both an understanding of what you are protecting - what your mission is - as well as an understanding of the evolving threat to that mission. Only when we understand the nature of the threats, can we make decisions on what data is "information", and what data is just data.”

Here’s how it works, if you’re going to take this on yourself:

  • Obtain command and control (C2 for short) address information from any number of sources. Collective Intelligence Framework is a good starting place, but it won’t necessarily give you targeted adversary information. Red Sky Alliance focuses on advanced and other ‘determined adversary threats’ and can give you information on many of the botnets. Open sources will yield the same information, but with far more false positives. Best to pay for a good list and buy in.
  • Install FlowTraq at your perimeter. FlowTraq comes in both an inexpensive cloud-based option and a slightly more expensive onsite form, but either way FlowTraq comes with a simple, easy to use interface for monitoring communications to/from your network. Use it to alert when users on your network are communicating (knowingly or unknowingly) with bad IP addresses or domains.
  • Install a simple client based monitoring solution on every computer on your network. When a network flow is identified communicating with bad actors, use the client based monitoring system to identify patient zero, and quickly follow the crumb trail across the enterprise looking for indications of other compromised machines.

If (when) you find badness, the live forensic system (the client based monitoring system) can be used to perform initial triage, but you still might want to pull the box(es) for analysis to figure out how bad it really is.  You should be prepared for this. It will happen.
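To make the three steps concrete, here is an added example (not FlowTraq, CIF or Red Sky code) that matches constructed NetFlow-style records against a C2 list, picks out patient zero, and lists the internal peers it contacted afterwards; the 8.8.8.8 false-positive problem from above is handled by a per-indicator confidence rather than by dropping the indicator. All addresses, flows and confidence values are constructed for illustration.

```python
"""Match flow records against a C2 list, then find patient zero. Added example,
not FlowTraq, CIF or Red Sky code; every address and flow here is constructed."""
from ipaddress import ip_address, ip_network

# Constructed indicator list (RFC 5737 documentation ranges stand in for C2
# nodes). Shared infrastructure such as Google DNS is kept but tagged low
# confidence so it never becomes an alert on its own.
C2_INDICATORS = {
    "203.0.113.45": "high",
    "198.51.100.7": "high",
    "8.8.8.8": "low",       # widely abused, but blocking it breaks real traffic
}
CONFIDENCE = {"low": 0, "medium": 1, "high": 2}
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed NetFlow-style records: (ISO timestamp, src, dst, dst_port, bytes).
# ISO timestamps compare correctly as plain strings.
FLOWS = [
    ("2013-10-08T09:02:11", "10.1.4.22", "8.8.8.8",      53,   120),
    ("2013-10-08T09:15:40", "10.1.4.22", "203.0.113.45", 443,  5120),
    ("2013-10-08T09:40:12", "10.1.4.22", "10.1.7.9",     445,  900000),
    ("2013-10-08T10:01:03", "10.1.7.9",  "203.0.113.45", 443,  2048),
    ("2013-10-09T08:00:00", "10.2.0.5",  "198.51.100.7", 8080, 300),
    ("2013-10-09T08:05:00", "10.1.7.9",  "8.8.8.8",      53,   100),
]

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)

def match_flows(flows, indicators, min_confidence="high"):
    """Flows where an internal host talks to an indicator at or above min_confidence."""
    hits = []
    for ts, src, dst, port, nbytes in flows:
        for ext in (src, dst):          # C2 may be either side of the flow
            conf = indicators.get(ext)
            if conf is None or CONFIDENCE[conf] < CONFIDENCE[min_confidence]:
                continue
            host = dst if ext == src else src
            if is_internal(host):
                hits.append({"ts": ts, "host": host, "c2": ext, "port": port, "confidence": conf})
    return hits

def patient_zero(hits):
    """Earliest internal host with a C2 hit: the first box to triage or pull."""
    return min(hits, key=lambda h: h["ts"])["host"] if hits else None

def crumb_trail(flows, host, after_ts):
    """Internal peers the host contacted after its first C2 hit: next machines to check."""
    return sorted({dst for ts, src, dst, _, _ in flows
                   if src == host and ts > after_ts and is_internal(dst)})
```

Lowering `min_confidence` to "low" pulls the two DNS flows into the hit list, which is exactly the noise the post warns about; keeping them tagged rather than deleted lets an analyst ask for them when context warrants.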

I know this all sounds hard (and expensive) but it doesn’t have to be.  The solution can also be built, analyzed and monitored by a managed analysis provider.  A 30-60 day project might cost $25/computer per month for the troubleshooting and recommendations for going forward.

In an environment with 1000 computers, a month of monitoring, troubleshooting, prioritizing and strategizing is a fraction of the long term cost of that next sandbag: firewalls, IPSs, host based IPSs, the enterprise AV project, or whatever you’re going to throw on the pile next. Red Sky’s Manchester, NH based Wapack Labs and its Lebanon, NH based partner FlowTraq will install a solution, monitor your network, and tell you where your current levee is leaking.  Armed with that information, you can purchase the protections you need, not the protections you’re told you need.


Don’t guess. Don’t estimate. Call us.


Know before you buy (your next security sandbag).

Until next time,
Have a great week! Jeff