Saturday, April 26, 2014

Red Sky Weekly - Gh0st RAT

"Ghost Rat (or Gh0st RAT) is a Trojan horse "Remote Access Tool" used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth. It is a cyber spying computer program." While I don't normally quote Wikipedia, their description of Gh0st RAT is actually pretty simple, but pretty good. Their summary of GhostNet, the operation that made the tool notorious, is just as good:

The GhostNet system disseminates malware to selected recipients via computer code attached to stolen emails and addresses, thereby expanding the network by allowing more computers to be infected. According to the Infowar Monitor (IWM), "GhostNet" infection causes computers to download a Trojan -"Gh0st Rat" that allows attackers to gain complete, real-time control of the victim computer. The computer can be controlled or inspected by its hackers, and even has the ability to turn on the camera and audio-recording functions of an infected computer that has such capabilities, enabling monitors to see and hear what goes on in a room.

In fact, Gh0st RAT is rarely used alone. It is indeed a remote access and administration tool, but in most cases the RAT is only the foothold: it is used to stage and carry out other activities in the victim computer or network.

This week we published our next Fusion Report, FR14-013, which dealt with another variant of Gh0st RAT. We're not the first to report on Gh0st, nor do I suspect we'll be the last. What we do believe, however, is that the use of Gh0st this time can be attributed to a group known to be dangerous, very active, and targeting very specific types of technologies.

In mid-April 2014, a Red Sky member received two phishing emails originating from the same sender:

  • One email contained a link to an executable file. That executable, upon analysis, was identified as a variant of the Gh0st RAT malware. 
  • The second email contained a download link to malware that was identified as a Microsoft Outlook credential stealer.
Remember when I said Gh0st is oftentimes used in conjunction with other tools? In this case, the attackers were looking for credentials, probably hoping the credentials captured from Outlook would also give them the keys to the network's front door: the user's own logon credentials. Once an attacker is walking in with valid credentials, nothing is "breaking in" any more, and without good behavioral analysis techniques detection becomes really hard, really fast.

One of the things we talk about often is the idea of being able to assist a security team with fast classification of the activities hitting the sensors and the security management consoles. This, with the vast amount of data coming at a typical defender, is also really (REALLY) hard. How exactly does a security team quickly tell the difference between 'commodity', 'systemic' and 'targeted' events? For definition purposes:

  • Commodity issues are those that a simple tweak in existing defenses will take care of: a new virus, a misconfiguration, etc.
  • Systemic issues are those that might take down your company, or worse, an industry. Interconnected systems with few controls, or central services to large-scale operations with built-in credentials or trusts, could be considered systemic. Help desk systems where every help desk technician has credentials to every computer; hard-coded accounts in databases that connect to each other. These issues are usually a bit harder to identify, but once identified, controls can be put in place to manage the risk and the threat.
  • Targeted issues are a little different. Where the first two require largely mechanical mitigation processes, targeted attacks require defenders to step into a game of "security chess". The game is on, and it's not going to stop. The attackers are skilled. In fact, one guy posted to a group the warning that the targeted attackers that hit his environment mean business. They want something, and they bring the A-team. You need to be ready.

In this case, this group's use of Gh0st was clearly targeted. How can we assess that?

  • The Gh0st RAT variant that we analyzed had few publicly known variants.
  • It leverages dynamic DNS C2 domains previously identified in discussions within the Red Sky portal.
  • The initial phish 'bait' was clearly crafted to socially engineer the intended victims at the high-tech company that tipped off the community.
  • The products manufactured by this company are technologies known to be coveted by others in the world (believed to be associated with the attackers).
  • Last, this group rarely operates without either financial gain or espionage motivations (probably both).
In the end, our reporting analyzed and detailed the infrastructure associated with the RAT and the malware itself, and to wrap it up, we provided the Red Sky members with mitigation information: a Snort rule, a Yara rule, full directory-structure artifacts that users can search for, and a couple of pages of indicators in Lockheed Martin's kill chain format.
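The Snort and Yara rules from the report are not reproduced on this page, but the Gh0st family's wire framing is publicly documented and is exactly what such rules key on: a five-byte magic (the default is the ASCII string "Gh0st"), a little-endian total frame length, a little-endian uncompressed length, and a zlib-compressed body. Variants usually change only the magic, so a detector that also validates the length fields and the zlib stream keeps catching them. The following Python is an added example written for this page, not code from the Fusion Report or from Wapack Labs; the variant magic "ABCDE", the sample payloads and the 16 MB size bound are constructed assumptions.

```python
import struct
import zlib

# Publicly documented Gh0st RAT wire framing (not taken from the report on this
# page, whose variant may differ). Default magic is the five ASCII bytes "Gh0st";
# variants commonly swap only this field.
#   bytes 0-4   magic
#   bytes 5-8   total frame length, little-endian, header included
#   bytes 9-12  uncompressed payload length, little-endian
#   bytes 13..  zlib-compressed payload
HEADER_LEN = 13
DEFAULT_MAGIC = b"Gh0st"
MAX_PAYLOAD = 16 * 1024 * 1024  # assumption: sanity bound against decompression bombs


def build_frame(payload: bytes, magic: bytes = DEFAULT_MAGIC) -> bytes:
    """Encode a payload the way a Gh0st peer does; used here only to construct test traffic."""
    if len(magic) != 5:
        raise ValueError("magic must be 5 bytes")
    compressed = zlib.compress(payload)
    return magic + struct.pack("<II", HEADER_LEN + len(compressed), len(payload)) + compressed


def inspect_frame(data: bytes):
    """Return (verdict, magic, payload) for one complete frame, or None if it is not Gh0st-shaped.

    verdict is "gh0st" when the default magic is present and "gh0st-variant" when
    the magic differs but the length fields and the zlib body still check out.
    """
    if len(data) < HEADER_LEN:
        return None
    magic = data[:5]
    total, orig_len = struct.unpack("<II", data[5:HEADER_LEN])
    if total != len(data) or orig_len > MAX_PAYLOAD:
        return None
    try:
        # Inflate with a cap so a hostile frame cannot exhaust memory.
        payload = zlib.decompressobj().decompress(data[HEADER_LEN:], MAX_PAYLOAD + 1)
    except zlib.error:
        return None
    if len(payload) != orig_len:  # declared length must match what actually inflated
        return None
    verdict = "gh0st" if magic == DEFAULT_MAGIC else "gh0st-variant"
    return verdict, magic, payload


def split_frames(stream: bytes):
    """Walk a reassembled TCP stream and yield consecutive frames using the length field."""
    offset = 0
    while offset + HEADER_LEN <= len(stream):
        total = struct.unpack_from("<I", stream, offset + 5)[0]
        if total < HEADER_LEN or offset + total > len(stream):
            break
        yield stream[offset:offset + total]
        offset += total


def scan_stream(stream: bytes):
    """Return (verdict, magic) for every Gh0st-shaped frame found in a stream."""
    hits = []
    for frame in split_frames(stream):
        result = inspect_frame(frame)
        if result is not None:
            hits.append((result[0], result[1]))
    return hits


if __name__ == "__main__":
    # Constructed traffic: one default-magic frame, one variant frame, some trailing noise.
    sample = build_frame(b"hello world " * 4) + build_frame(b"abc", magic=b"ABCDE") + b"\x00"
    for verdict, magic in scan_stream(sample):
        print(verdict, magic)
```

A Snort rule that matches only the five literal bytes "Gh0st" at the start of a packet is the commodity version of this check; the structural version above is what survives a variant that renames the magic, at the cost of having to see the whole frame.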

BT BT

In the lab, we began sinkholing operations on a couple of new locations. Within the first day, we collected information suggesting at least four companies had been compromised. The group? The same group associated with the Gh0st RAT mentioned above. In two of the victims identified, the RATs used to steal information from these networks appear to have been placed as early as 2009. Three of the four identified were actively sending and receiving information when we identified them. Industries? One company manufactures airplanes and aerospace technologies. Another is a small engineering firm that manufactures propulsion technologies for rockets and spacecraft. The third, an energy company in Asia. The fourth? Apparently we stumbled onto someone else's research network. Sorry guys! ;)

So, we issued three victim notifications. One company never responded, but I was amazed to see how fast the others did. In both cases, we gave them information they hadn't previously known, and in both cases the CISOs reacted nearly immediately. These guys were on the ball, and grateful for the heads up.

The information sharing construct works. Red Sky Alliance isn't the only group out there, and it looks like at least some companies are getting the message. In fact, a Ponemon study on information sharing (released last week) polled 701 companies. 71% of them believed (at least according to the survey) that participating in threat intelligence forums (like Red Sky Alliance) improves the security posture of their organizations.

It's apparent, and not a secret, that there have to be better ways to share information. Automated means, faster turn-around, simplified exchange protocols and taxonomies, trust (and anti-trust), and competitive concerns all seemingly get in the way, but for those who love this stuff, they REALLY love it. The rest? Well, I'm reminded of my first junior high school dance where the boys stood on one side of the gym and the girls on the other. Only the boldest dared actually dance. At some point in the future, we'll all be on the floor, but don't wait too long. A small company with high value tech doesn't stand a chance on their own.

Drop us a note. You may not want to participate in the Red Sky Portal, but it'll be there if you need it. When you (or your lawyers) finally get up the courage to actually participate and dance, there'll be others in the portal waiting to help, and if you don't have the ability to implement the 'help' yourself, we're happy to make recommendations.

Until next time,
Have a great week!
Jeff




Saturday, April 19, 2014

Red Sky Weekly: What's happening in Wapack Labs?

Heartbleed? Yeah, we're watching too. We try hard to identify and talk about things others don't. There's a ton of messaging on Heartbleed, and I don't want to just repeat what others have already said, so this week I'm going to talk a bit about Wapack Labs. 

As a bit of a primer, Wapack Labs is an independent company located in Manchester, NH. We recognized early that as facilitators of information sharing in the Red Sky portal, our abilities as incident responders, forensic guys, auditors, or whatever background we came from, would quickly rust if we didn't find ways to participate in a material way, and keep those skills sharply honed. So we started Wapack Labs as a forensic shop hoping to use it to support the membership. We created it as a separate company because it didn't fit nicely into the information sharing construct, and manned it with a couple of new folks, in a new lease in Manchester, with its own ecosystem and infrastructure. We realized quickly however that we weren't going to make a living on forensics, so rather than blow off the remainder of the lease, let the people go, and sell all of the gear, we decided to focus the lab on our core competency --intelligence and analysis. We still have a forensic capability, and we have a great guy manning that con, but the core competency of the lab is managing and operating an intelligence cycle and publishing results to various customers --Red Sky Alliance, the FS-ISAC, and dozens of companies. Today, nearly all analysis that goes into Red Sky Alliance from our participation comes from primary sourced data, collected to answer specific questions, using great process... in Wapack Labs.

And while the portal remains busy, the analytics coming out of the lab have just been amazing lately, so I thought I'd share some of it, getting back to our roots of summarizing weekly happenings in our analytics, and not just Jeff sharing stories, ideology and lessons.

At the macro cyber-geopolitical perspective, we've got a couple of folks dedicated to tracking significant happenings in the world today:

  • Ukraine and Russia: There's a serious lack of press on this topic, but we know there's no shortage of cyber activity. The cyber conflict currently lies between the two countries, but we monitor for escalation, spill-over that might affect our members/customers, and for lessons learned about future protections against government sponsored cyber activities targeting individuals or companies. Guys in the lab are keeping a close eye on developments. One of our analysts is a native Russian speaker and we use him to translate and provide running commentary. This week, the team, based on his work, drafted a timely and relevant profile on a suspected intelligence group operating within Ukraine, including their use of cyber tactics. The report offers details and analysis that have yet to be captured in Western media. We believe that we will see more activity from these guys as Russia escalates its operations in Eastern Ukraine... and we will continue to monitor and report to our Red Sky Alliance members and Wapack Labs customers.
  • Country studies: The guys are working through our second country study. The idea is to assist organizations in planning their security, based on their geographic diversity, customer base, technical resources, network environment, and infrastructure conditions. Our first study was Iceland. It's a great little spot in the north Atlantic with a TON of power, great bandwidth, and dirt cheap datacenter space. We wrapped that up about two months ago. Our second will be announced in May, but as with Iceland, this is a research project that considers the factors that affect cyber, decision making, threats and risks, from a number of sources: intelligence, geographic, political, and cyber.

At the micro level, we continue to be busy. Work keeps coming.
  • New botnet: This week we pushed out a "part one of two" technical report. Part one provides details on several new IRC botnets seen targeting the financial sector. Part two will be published next week, offering an inspection and details of the related infrastructure.
  • Targeting Korean Banking: Our second report this week detailed a family of popular Chinese malware that was re-purposed for targeting Korean banks and the banking infrastructure. Fortunately, the mitigations that we developed and published, not only protect against this variant, but all variants of the parent malware family. 

BT BT

If you're detecting a slightly different tone in my messaging this week, it's because there is in fact a slightly different tone in my messaging. I've been making the rounds, talking with Red Sky members, asking them what they like, don't like, and how we might do better. 

The overwhelming answer is this: "We love what you do! But we don't always like having to get it from a portal!" So on that, even only about a third of the way through the interviews, it appears that the deep techies who use the portal regularly love the portal. But that leaves about 58% of our user base who need alternative delivery mechanisms. So ask, and you will receive!

Our messaging has shifted a bit from "Come be part of our information sharing environment!" to "We (Wapack Labs) author intelligence and analysis.. and we can deliver it how you need it." Want to share information, compare notes? We have that! The Red Sky Alliance portal isn't going anywhere, and assuming qualification and Advisor approval, subscribers to services through Wapack Labs will receive access to one of the portals. Only want access to an automated system to query indicators? We have that too. Subscription service? The lab can tailor your subscription to just about any requirements, and output just about any format you want: STIX/TAXII, Snort signatures, SIM packages.. whatever.

We author great intelligence and analysis.. and we'll deliver it in any format you need. 

I promised to keep it short. 
Until next time, have a great weekend!
Jeff


Saturday, April 12, 2014

Red Sky Weekly: What will the cyber of my grandchildren look like?

We started a project last summer where we track the growth of government-sponsored offensive operations around the world. It's a work in progress. When we started, our first cut at our "GEOPOL Matrix" reported six countries with officially sponsored offensive cyber organizations. Our last cut? 22. As of the beginning of February, 22 countries sport the triad of surveillance, defense and offensive cyber capabilities. So, I suggest... if the growth chart of cyber as a means of influence were a hockey stick, I'd say we're starting to hit the curve. Cyber complexity is going to grow exponentially, and with it a proportional number of places it can be exploited.

In 1999, I spoke on cyber espionage at a SANS conference. I'll never forget it. In one of the reviews someone said I was selling FUD (fear, uncertainty, and doubt). Another called my presentation snake oil. How did I know that cyber would become the principal location for future intelligence operations? Because I was, at the time, farming open source data on a daily basis looking for clues to subjects I'd been tasked with researching... nothing covert. Everything was in the open, but even back then I was amazed at the huge amount of data that companies and countries were putting on the internet, and what a massive advantage that gave me. The seeds were being planted in that garden, with such amazing dark soil, plenty of water, and the patch where EVERYBODY planted their best stuff. Now, 15 years later, cyber is probably the most exploited patch of dark land, worked so well that the corn is waist high and looking good.

Also now 15 years later, on nearly a daily basis, someone loses a million credit cards, and intellectual property is lost. And the credit cards? Who cares, right? The banks make it right. And the intellectual property? Well, this stuff doesn't make it into the news as often as millions of credit cards lost, and when it does, you'd think we'd be shocked, but frankly, it's the new normal. And Heartbleed? It's bad.. really bad.. but who cares. It's just another thing.

So what about 15 years from now? Beyond the idea of data loss and beyond the espionage.. both will always be there; they have been forever, in and out of cyber space. 15 years from now, many governments (and companies) will have their own cyber programs: warfare, attack, surveillance and defense. Think about it. In every case, when a country prepares for conflict, there's a timeline that's followed. And even today, kinetic options include dropping bombs on communications nodes, power generation, and other targets critical to operations. So is a power plant an arm of the military? What about the telecom provider that runs the cell or satellite services? Of course not. But those stockholder-owned private companies ARE military targets during conflict. And do you think the stockholders aren't going to demand that the companies fight back? My bet is they will. Disintermediation is real. Militaries can and do attack civilian targets. And I don't think it's going to be just militaries.. In the future, cyber is going to make it so very easy that others will jump into the fight.. civilian on civilian, military on civilian, and civilian on military. Heck, we see it today. There are plenty of examples of government-sponsored cyber, and on the non-government side? The SEA, Anonymous, and others form up behind causes, taking patriotism and hacktivism into the realm of cyber action.

If cyber could be used to effect change in behavior of an adversary (change in behavior is always the goal), and it could be accomplished without using kinetic options (dropping bombs, shooting at people, etc.), and the risk of human loss is minimized on both the attacker and defender side --if one could take power, food, water, transportation, command and control/communications, or whatever someone chooses to take down, simply by hacking a computer and turning it off --even if only for an hour or two... would it work? You bet.  

It's going to become really easy to do. How many times have you been asked to answer a 'security question'.. "What is your mother's maiden name?" "What was your first car?" "What is your favorite movie?" Add to that, your car, the airplane you fly, the train you take to work, heck, your refrigerator and toaster all have things that communicate with the internet. The amount of intelligence that is stored by companies asking these questions, intelligence that can be collected based only on personal questions, added to the devices and data in your everyday life, geolocation services of GPS turned on in nearly every device, and the ability to target very specific people or things to effect change? Wow. The bits of information out there, even today, will enable massive opportunities for cyber exploitation, and very personalized cyber exploitation.

And now it appears countries are turning off their Internet gateways when the Internet is threatened. The risk of an espionage attack, or DDoS, or the likelihood of loss of integrity has overshadowed open communications across borders, and the ability to hear directly from journalists, citizens, the persecuted and the attackers during crisis is being slowly turned off. Isn't this where we came from? Let's not go back. 

What will the cyber of my grandchildren look like? 

I don't have an answer. 

BT BT

In the last few weeks I've been making the rounds, talking with Red Sky members face-to-face. We've grown a lot in the last two years, and in many cases, in areas we never thought we would. I'm looking for feedback from our customers as we head into the normalization phase of moving from a bootstrapped, cash-flow company to a small enterprise. We didn't take venture money when we started this two years ago. We built this ourselves with the idea that we could work with our membership and shape the offering to them.. and I believe we have.

We're reshaping our message, and looking at how we currently deliver analysis. Some love the portal. In fact, many log in first thing in the morning and stay on all day. Others check it once a month or so. Some get a digest. Our bottom line? Wapack Labs looks for things to provide our members. We're looking for ways to innovate. And for our members who love the Red Sky portal, we'll continue to push information into it, participate in conversations, and rub antennas with the techies. For those members who need information delivered in other ways, and in other forms? We want to know that too. 

So I'm looking forward to seeing you all as I make the rounds. And I'm hoping to see many of you at our Threat Day in Tampa in June. 


For non members.. we're going to host an offsite following the Threat Day. Come meet the team! Have a cocktail on us. I'll post the time and place as we get closer.

Ok. It's a sunny day, and I've got work to get done.
Until next time,
Have a great weekend!
Jeff





Saturday, April 05, 2014

Red Sky Weekly - Can YOUR box serve whoopie pies?

My history, and cynicism are good indications that I'm long in the tooth in the space, although I've never been able to grow that grey beard. You can apply the codger moniker with high confidence based on the analytic rigor of multiple primary sourced blog entries by me over the years. Yes, I look at cyber in a very specific way and I've been around long enough to consider myself seasoned and experienced.

I had beers and cigars last night at the Cancun Cantina with three old friends. One of the guys was a Marine E6 when we met. I was a new LTjg. He's preparing to retire as a Warrant Officer now. Another was the head of Incident Response when we worked together, now, Chief Technology Officer. The last is the CISO for a local defense contractor.

Our talk sounded like sea stories. In the late 90s my Marine friend and I (and others) earned our stripes analyzing Moonlight Maze, Solar Sunrise, the downing of the EP3 in Hainan Island and just about any cyber event (they weren't called cyber at the time), or events with cyber consequences. Our team authored first models for behavioral analysis, spending countless hours with Suresh Konda coding thousands of compiled computer intrusions, to be used in the early days of SiLK models.

I was reintroduced to this world in 2006 as Titan Rain was winding down, and another set of intrusions (perhaps just renamed?) was ramping up, known by a name I believe to be still classified, so I'll refer you to a link. Before any new attribution names were assigned to the new activities, my incident response buddy and I sat on opposite sides of the table. Me, the intel guy, wanted to leave systems up to learn the lessons. His job was to get them back online. We joked about lots of beer, midnight Guitar Hero in our Mass.-based lab, and many, many near fistfights with wide open screaming mouths, and a LOT of spit flying over the table as we discussed ways forward.

The last, the CISO, has been doing this from the start, but we only met a couple of years ago. He's seen it all, developed all of his own tools, and takes pride in changing log-in credentials to offensive messages because he knows the attackers will read them.

It was a fun night. Working 166 of the 168 hours available during the week at the time burns you out fast, but looking back on it now, it doesn't seem so bad. The shared experience of having been on the cutting edge of this new era of cyber, while not good for computers, was a real learning experience for us. All three of us --and many others, had real impact on the way these events are handled today, and the lessons that will be passed to those who've not yet experienced their oh sh*t moment... that moment when you realize someone is in your network; you've never seen it before, and you have absolutely no idea what to do about it.

For us, I wish we knew then what we know now. In uniform, who we asked for help was easy. Unfortunately we were the experts! Roughly 10 years ago we joined FIRST, and looked for active places to share lessons learned and ask for help, but FIRST members hadn't been seeing the kinds of activities we were working, so out of sheer exhaustion, three companies signed NDAs and started sharing APT information. I believe they're up to about 60 or so now.. I've not kept up.

Today, there's no end to the number of places that'll sell you Indicators of Compromise (IOCs). You can read about much of the happenings in open source Google groups, an endless supply of links on LinkedIn. There is no easy button, but there are seemingly hundreds of vendors that'll sell you a box with a red light that lights up when spies or thieves are being gangster-slapped at the border router automatically by your new magic box, or a green light when that sexy magic box is humming along, bored, because it's not killing connections.

So yes, the codger moniker? The idea that I look at everything in this space with one eye closed, squinting with the other, isn't just because my bifocals require their now annual update. It's because when I hear a vendor tell a customer that their magic 8 ball answers 'yes you can' to the question 'can I buy a box that'll kill every bad connection, allow every good one, and at the same time fill all of the compliance needs, supply the metrics required by management, and when asked, prepare and deliver a perfect whoopie pie in a little glass door that serves as both the ingestion spot for gobbling all of those IOCs and, when needed, the dispensing door for that really awesome chocolatey creamy taste of heaven'... I laugh... out loud.

Yup. I've been doing this a while. I need some intellectual tennis with people new to the space, so Monday morning before heading out of Manchester, I spoke to a class at the University of New Hampshire. The class had kids from all areas - computer information systems/science, liberal arts, business, and included a couple of veterans. I offered a talk, as I often do, on the state of cyber --What is APT? How is it that companies lose credit cards? ..a basic threat brief. I wasn't peppered with questions, but the ones I did get were good:

  • Are we winning the cyberwar? If not, why not?
  • What are my thoughts on Edward Snowden?
  • How do we get involved? What is the path to follow to get into information security?
Great questions all. I did my best to explain the complexity in current networks. Cloud, mobile, virtualization. Insourcing, outsourcing. They got the point. Complexity kills, and in this case complex cyber leads to holes.

I won't go into the others, but then I turned my question cannon on them...

"Should we be able to fire back?" I asked.

Without hesitation, a young woman (sophomore?), who looked like she should still be in high school, answered "YES!" Why? I asked.

"It's fun!" When someone hacks me, it's fun to hack them back!

I can't wait until she's ready for an internship! 

BT BT

I'm running around the country this week doing face-to-faces with Red Sky members. It's two years in, and seems like a good time to get some honest feedback. As far as I can tell.. I've heard many times.. companies love our analysis products, and those who like to work in the portal --typically the deep tech folks, are always in the Red Sky portal, talking, working, sharing. We have power users. Others are less enthusiastic about logging into yet another portal. So as I meet with customers, I'm looking for good feedback on what they like, and what we could do better! 

If you're interested in having a look at what Red Sky Alliance does, or some of the tailored intelligence and analysis coming from Wapack Labs, drop me a note. We're pushing before summer sets in, and happy to set up a time!

So until next time,
Have a great weekend!
Jeff



Saturday, March 29, 2014

Red Sky Weekly - "You don't know what you don't know"

We've been looking at a lot of data lately. Government, commercial, big company and small. Tests, logs, diagnostics, pre-audit, you name it. And in every case, the owners of the network are shocked. Most had no idea that so much activity is going on in their networks. Why? How could they not know? Hundreds of nonsensical domain names being queried over 53/UDP (hint: crimeware, which generates throwaway C2 domains algorithmically) from IP addresses used to allocate the movement of (ahem) a LOT of money, VPN over DNS in nearly every environment we look at, and worse, Windows Credential Editor, a tool that pulls valid credentials (NTLM hashes and, in later versions, cleartext passwords) for every logon session still held in LSASS memory, back to the last reboot.

Without exaggeration, nearly every organization that we look at has hidden services like these running in their environment, and there's almost no way the owners will know unless someone like us tells them about it.
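The two DNS symptoms described above, nonsensical algorithmically generated domain names and "VPN over DNS" (long encoded subdomains carrying a tunnel), can both be surfaced from plain resolver query logs without any vendor box. The following Python is an added example written for this page, not code from Wapack Labs or the original post: the log format, client addresses, domain names and thresholds are all constructed for illustration, and the registrable-domain logic is a two-label simplification that a real deployment would replace with a public suffix list.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query logs (not from the original page). Format,
# by assumption: "<timestamp> <client-ip> <qtype> <qname>", one query per line.
SAMPLE_LOG = """\
2014-03-27T09:00:01 10.0.0.2 A www.example.com
2014-03-27T09:00:02 10.0.0.2 A mail.example.com
2014-03-27T09:00:03 10.0.0.2 A update.example.net
2014-03-27T09:00:04 10.0.0.2 AAAA time.example.org
2014-03-27T09:00:05 10.0.0.5 A xq4k9dzp7m.net
2014-03-27T09:00:05 10.0.0.5 A bv7h2lmwq3.info
2014-03-27T09:00:06 10.0.0.5 A zk8pq2vwy9.biz
2014-03-27T09:00:06 10.0.0.5 A rt5jx3nmh1.com
2014-03-27T09:00:07 10.0.0.7 TXT 4a6f686e20446f6520313233.exfiltest.org
2014-03-27T09:00:07 10.0.0.7 TXT 5365637265742066696c6520.exfiltest.org
2014-03-27T09:00:08 10.0.0.7 TXT 636f6e74656e74732068657265.exfiltest.org
2014-03-27T09:00:08 10.0.0.7 TXT 6d6f726520646174612e2e2e2e.exfiltest.org
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    ts, client, qtype, qname = line.split()
    return ts, client, qtype, qname.lower().rstrip(".")


def registrable(qname: str) -> str:
    # Assumption: last two labels. Real code needs a public suffix list (co.uk etc).
    return ".".join(qname.split(".")[-2:])


def dga_like(label: str, min_len: int = 8, min_entropy: float = 3.0) -> bool:
    """Heuristic for a second-level label that looks machine-generated (thresholds are assumptions)."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def analyze(lines, dga_min=3, tunnel_min=3, tunnel_label_len=20):
    """Return {client: {"dga-like": [domains], "tunnel-like": [domains]}} for clients that trip a rule.

    dga-like:    a client resolving >= dga_min distinct registrable domains whose
                 second-level label looks random (the "nonsensical domain names" case).
    tunnel-like: a client sending >= tunnel_min distinct long first labels under one
                 registrable domain (the "VPN over DNS" case; the labels carry the data).
    """
    sld_hits = defaultdict(set)                           # client -> random-looking registrable domains
    sub_hits = defaultdict(lambda: defaultdict(set))      # client -> registrable -> long first labels
    for line in lines:
        if not line.strip():
            continue
        _, client, _qtype, qname = parse_line(line)
        labels = qname.split(".")
        if len(labels) < 2:
            continue
        reg = registrable(qname)
        if dga_like(labels[-2]):
            sld_hits[client].add(reg)
        if len(labels) > 2 and len(labels[0]) >= tunnel_label_len:
            sub_hits[client][reg].add(labels[0])

    findings = defaultdict(dict)
    for client, regs in sld_hits.items():
        if len(regs) >= dga_min:
            findings[client]["dga-like"] = sorted(regs)
    for client, per_reg in sub_hits.items():
        for reg, subs in sorted(per_reg.items()):
            if len(subs) >= tunnel_min:
                findings[client].setdefault("tunnel-like", []).append(reg)
    return dict(findings)


if __name__ == "__main__":
    for client, flags in analyze(SAMPLE_LOG.splitlines()).items():
        print(client, flags)
```

The point of keying on the client rather than on individual names is the one the post makes: a single odd query is noise, but one host resolving a stream of random second-level domains, or one domain receiving a stream of long unique labels, is a behaviour, and behaviour is what you can act on without already knowing the indicator.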

This is a frequency analysis from a FireEye blog, covering May through September 2012. It's one of my favorite graphics. It represents the problem perfectly. I show this graphic in the first slide of nearly every presentation I do. It showcases nicely why companies might not have any idea of the sheer volume of activity. In fact, I'd argue some of this is simply above the capabilities of many CISOs. (And by the way, NIST 800-53 was good in 2004, but it's not going to help you here...)

Let me explain...

The red and blue lines across the bottom are detects and drops of inbound malicious links and attachments. The orange line is the outbound command and control: the remote-control connection that the human at the other end uses to tell the victim computers what to do. The red and blue lines are knowns; the FireEye box was able to identify and stop these, as it did the orange. But what about the rest? The FireEye blog calls out that there were obviously other things happening in the environment. Malware may have been in the environment before FireEye was installed, or there may be so much happening in the network that one box can't catch it all. Or perhaps the company doesn't have the skills to identify all of the variations of activity that might occur. Maybe the company that bought this box doesn't really know how to use it! Regardless, there's a ton o' stuff happening in this network.

FireEye is a great product, and the idea here isn't to take a swipe at a fellow security company. I like the company. The graphic shows clearly the problems we all face. CISOs don't know what they don't know. And the unknowns are going to kill them. It takes dozens of skillsets to identify the right information to be loaded into our sensors to make the pain stop. And even then, if you've got something they want --computing power (or hiding spots) for botnets, identity stealing malware, products, intellectual property, mergers & acquisition data (yes, law firms scare the hell out of me) or military secrets, the activity isn't going to go away... and the information that you need as the vaccination for your network probably resides elsewhere. 

That's cyber intelligence.

So where do you get it? 

First, you need to know what you need. Cyber Intelligence is comprised of two basic elements:
  • Indicators of Compromise - IOCs (...although "indicators of compromise" seems too late. I think I'd rather have a vaccine!). IOCs are things like domain names, IP addresses, email addresses of senders of malicious email, etc. Depending who you ask, there might be a hundred or so different kinds of IOCs.
  • The context by which you prioritize your work: You need a way to know which of those millions of IOCs you implement in your network first, then after that, and what you need to think about next month (or which ones you tell your MSSP to implement on your behalf). This is really hard. The context by which you prioritize your defenses can mean the difference between a normal Monday - Friday, ten hour workday, or seven-day, 22 hour work day week with a short nap, a Mountain Dew and a bag of Cheetos before starting all over again.
Interestingly enough, over the last two years, analysts on the backend of Red Sky Alliance have sought out, identified, and now collect and analyze sources of information unique to our problem sets. In fact, the primary focus of Wapack Labs is intelligence and analysis. We use the lab to support the FS-ISAC, a bunch of companies, and the Red Sky Alliance. 

Wapack Labs sells intelligence and analysis. 

And we can deliver it in just about any format you need it. 
  • Want intelligence through a collaborative? For those who know the value (it's HUGE btw), we have that in Red Sky Alliance and Beadwindow. Our members get the analysis produced by the lab, and when needed crowdsource the analytics. Sometimes they simply have more to add. It's very cool, and works like you wouldn't believe!
  • Need answers to hard problems?  We do research and author point project reports. In one case, we identified an application sold by one large company to another --and 15G of exfiltrated, encrypted .rar files from what we believe was the trojan'd application. In another, we authored a country study on Iceland -for those considering using Icelandic datacenters as an offshore option.
  • Looking for context for your SIEM? We can help with that too. We're collecting information from about 500 highly targeted honeypots, adding more daily. The information we get is high confidence, nearly no latency, and in many cases 0-day. This stuff is the perfect feeder for gateway anti-virus, DLP, email filtering, and spam solutions. Yes, we can feed your ArcSight --and your brain.
Give me a shout. Let me show you. Red Sky Alliance collaboration, log diagnostics, high confidence targeted threat intelligence and analysis. We have something that can help you too. Want to know more about Wapack Labs? Drop me a note or sign up for our mailing list.

Until next week. I'm off for a run.
Go Bruins!
Jeff

Saturday, March 22, 2014

Red Sky Weekly: Threat Day Recap - March 2014

Anyone in the threat intelligence scene today knows that the best way to get information is to share information. And for that, personal contact, shaking hands, and face-to-face conversation are required to build relationships before you can build them online. And this is how we do it...

We hosted our March Threat Day this week at the Harvard Club of Boston. 

Thank you, everyone, for participating!

We started off on Wednesday evening when we met in the Commonwealth Lounge on the first floor of the Harvard Club. This was a bit different: we combined our second annual Booz'n and Brainstorm'n session with the cocktail party that goes with the night before each Threat Day. 

With wine and bourbon flowing and chicken skewers and ribs piled high, a dozen Red Sky Alliance members mingled with about as many National Security Fellows from the Kennedy School at Harvard University. The National Security Fellows are members of various US Government agencies, such as Department of Defense, who spend a year studying at Harvard, afterward returning to their government roles – often in leadership positions. Conversations with this interesting group ranged from how to secure the nation’s electricity grid, to philosophical inquiries on the nature of identity and the future of personal identity. The evening ended with some of the guys smoking cigars in the parking lot and talking in greater detail.

The next morning, we all assembled on the third floor for a private breakfast and met our sponsors, CBTS and nCrypted Cloud. 

CBTS, also a Red Sky Alliance Associate Member, is a threat management service provider, headed up by the former CISO and incident response Director from GE Aviation –an APT-hardened group. These guys know APT, and have been building out capabilities to help others. nCrypted Cloud is a startup that provides an enterprise grade encryption service that connects to various collaboration environments -- securing information in Dropbox, Google Drive, OneDrive, Box and more.

We kicked off at 9:00, with the day recorded for posting to the portal and, once we overcame small technical difficulties (gremlins!), a conference bridge running. 

After a short introduction from Jeff, Chris Hall from Red Sky kicked us off with an overview of recent threat research: his analysis of the MiniASP Remote Access Trojan. Chris and his team were able to dig deep into that threat after an Alliance member forwarded a clean sample for analysis. As part of his presentation, he showed how the Wapack Labs' WhoisRecon tool was critical in his analysis.

A team of members presented next, describing some of the sophisticated attacks they encounter. One found a website where malware and malware distribution tools are marketed and sold. He shared an online exchange with an apparently Russian hacker, discussing how the hacker got started, how he performs his attacks, how he gets paid (game currencies), and his wish list for information and technology. 

Next up, Nick Hoffman from CBTS. Nick presented a great lesson on building YARA rules, and helped us all to understand best practices for making YARA rules as good as they can be. YARA is a tool aimed at helping malware researchers to identify and classify malware families. With YARA you can create descriptions of malware families based on textual or binary information contained in samples of those families. Nick is funny, high-energy and playful – more playful than you've ever imagined anyone could be about YARA rules. Fun. He amazed us with his analysis of Taidoor. He discovered the five loops that Taidoor often reuses. And nobody is more of a YARA geek than Nick!
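To show what "descriptions of malware families based on textual or binary information" means mechanically, here is an added example that is not YARA itself and not code from Nick's talk, CBTS or Wapack Labs: a small Python matcher that emulates the two string kinds a YARA rule uses (text strings and hex byte patterns with `??` wildcards) and an "N of them" condition. The rule, its byte patterns and the three samples are constructed for illustration and are not Taidoor's real loops; the point is to show why a rule built from several reused code fragments, rather than one common string such as a user agent, still fires on a recompiled variant and stays quiet on a benign file.

```python
"""YARA-style rule matching, emulated in Python (added example).

Not YARA and not CBTS/Wapack Labs code. The rule, the opcode fragments and
the samples below are constructed; they do not describe any real family.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    strings: dict      # identifier -> ("text", str) or ("hex", "8B 45 ?? 33")
    min_matches: int   # the "N of them" in the condition


def _hex_to_regex(hex_pattern: str) -> bytes:
    """Translate 'DE AD ?? EF' into a regex over bytes; '??' matches any byte."""
    parts = []
    for tok in hex_pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return b"".join(parts)


def compile_strings(rule: Rule):
    """Compile each rule string into a bytes regex; DOTALL so '??' covers 0x0A."""
    compiled = {}
    for ident, (kind, pattern) in rule.strings.items():
        if kind == "text":
            compiled[ident] = re.compile(re.escape(pattern.encode()))
        elif kind == "hex":
            compiled[ident] = re.compile(_hex_to_regex(pattern), re.DOTALL)
        else:
            raise ValueError(f"unknown string kind {kind!r}")
    return compiled


def scan(rule: Rule, data: bytes):
    """Return (sorted identifiers that matched, whether the condition holds)."""
    matched = sorted(ident for ident, rx in compile_strings(rule).items()
                     if rx.search(data))
    return matched, len(matched) >= rule.min_matches


# Constructed rule: two text strings plus two wildcarded "loop" fragments,
# condition "2 of them". The hex fragments are made-up x86-looking bytes.
FAMILY_RULE = Rule(
    name="constructed_family_example",
    strings={
        "$s1": ("text", "GET /page.php?id="),
        "$s2": ("text", "Mozilla/4.0 (compatible; MSIE 6.0)"),
        "$h1": ("hex", "8B 45 ?? 33 C0 C1 E0 05"),
        "$h2": ("hex", "68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04"),
    },
    min_matches=2,
)

# Constructed samples.
SAMPLE_FAMILY = b"\x00\x8b\x45\xfc\x33\xc0\xc1\xe0\x05GET /page.php?id=\x00"
SAMPLE_BENIGN = b"Mozilla/4.0 (compatible; MSIE 6.0) Windows NT 5.1\x00"
SAMPLE_VARIANT = (b"\x68\x10\x20\x30\x40\xe8\x01\x02\x03\x04\x83\xc4\x04"   # $h2, new immediates
                  + b"\x8b\x45\x08\x33\xc0\xc1\xe0\x05")                   # $h1, new offset

if __name__ == "__main__":
    for label, blob in [("family", SAMPLE_FAMILY), ("benign", SAMPLE_BENIGN),
                        ("variant", SAMPLE_VARIANT)]:
        print(label, scan(FAMILY_RULE, blob))
```

The benign sample carries the same user agent as the family but trips only one string, so the rule stays quiet; the variant shares no text with the first sample at all, yet the two wildcarded fragments still match because only the immediates and stack offset changed. Real YARA adds a great deal on top of this (modifiers, sets, file-size and entry-point conditions), but the rule design lesson is the same.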

Denis Borodin, a senior technology risk analyst, shared some of the techniques he uses to detect and analyze malware. He explained a subtle yet effective phishing campaign with a JAR attachment, and his view of the Java Remote Access Tool jRAT, a particularly pesky and difficult malware sample.

Rick Gamache recently led a Wapack Labs team to author a great report aimed at describing the considerations in deploying outsourced datacenter services in Iceland. During this talk, Rick presented his analysis of Iceland's society and critical infrastructure. He explained the pros and cons of Iceland as host to some of the largest data centers in the world, with massive bandwidth connecting all population centers of the globe. He described the datacenter, bandwidth, power and geopolitical considerations for companies considering Iceland as their offshore datacenter. And he talked about the up-and-coming cyber culture - the land of the ice and snow; from the midnight sun where the hot springs blow; and where hackathons are televised with the same energy and suspense as America's Got Talent, and televised winners are regaled as cyber security rock stars! 

Jeff Stutzman took us home with a discussion on collaborative and retained threat analysis – what's the current state and how is it evolving. Why Red Sky makes sense: our members have the ability to buy, and do buy, any number of feeds and subscription services, but still lack the ability to talk in a trusted, private way about threats. That is what the Alliance provides. Jeff also took us on a journey through the future of the Red Sky portal and ways to make information sharing easier.

The entire day and previous evening were jam packed with relevant and intriguing problems and solutions. I look forward to the next one.

-Steve

Saturday, March 15, 2014

Red Sky Weekly: Rising from the ashes

I just read the Business Week piece on Target. The thing that strikes me is this... most companies still don't understand (information) security. I realize that's a pretty broad statement. Let me explain.

On the physical side of security, my bet is, Target has eyes on every customer that walks through the door. Even if not watching live, every customer and every action is probably recorded. There are probably algorithms that set off alarms when predetermined events take place. My bet is also, should one of those alarms go off, some discreet investigator would hit the floor, following the suspected thief, and probably stop them. If something more serious happened --bombing, armed robbery, kidnapping --the alarms go off and so do the gloves --predetermined, preplanned, rehearsed escalations.

My point is this. Many, many companies have yet to realize that the risk models of physical security apply just as well to information security. Target's organic physical security team is probably staffed on pre-determined models of various threats to big box retail. But the information security side apparently was not; even though the probability of being accessed on any given day is nearing (if it hasn't already hit) a 100% probability of successful compromise. The only question is, how bad is the breach? What were the attacker's motives? Was the hacker a kid stealing a pack of gum by the checkout counter? Or was the hacker set on stealing millions of credit card numbers, pulling off one of the largest heists in the news today on one of the most market-critical days of the year?

I haven't been to Target since before Black Friday. I buy my Fruit of the Looms elsewhere. I'm betting I'm not the only one. Why?

It's confidence.

When RSA was broken into, my (then) boss and I had many discussions on how it might play out. He thought customers would run screaming from RSA. My position was that RSA would probably have a temporary setback, but find a way to recover. Although I have no empirical evidence, my guess is, and seemingly others in my circles believe, RSA today is probably more secure than it was three years ago. And with all other factors being equal (price, competitors, market choices, substitutes for RSA tokens, etc.), the idea is that the business that is RSA is probably stronger today than others in its class because they've lived (and survived) their oh sh*t moment. 

Survival becomes a real competitive differentiator, and Target today has exactly this same opportunity. 

BT BT

We're hosting our next threat day this week. There's a lot going on this week, so we're expecting a smaller crowd than usual, but that's fine. We're hosting the National Security Fellows from the Kennedy School on the 18th with our threat day on Wednesday. We will, as always, run a conference bridge and record the sessions. It's going to be small, but this should be a good one. 

In Red Sky Alliance this week we posted products on the Nuclear exploit kit, a new phishing campaign and, at a member's request, one of our interns' first fusion reports: First sighted in early June 2013, H-Worm is an obfuscated VBScript employed in both mass malware and targeted attacks on the energy, government, telecommunications, and manufacturing industries. The source code is widely available on Arabic hacking forums. The report describes the attack details and provides information on the H-Worm malware family. 

In Wapack Labs, we've had some pretty amazing results with Allagash. Allagash gives us the ability to query via a web interface, or to load samples taken from requester networks -netflow data, various logs, registry key exports, system inventories, etc.- and diagnose happenings in a network, very quickly. Our largest sample to date was nearly 4Tb and took us a little longer, but we're beefing up hardware as we speak to be able to handle these larger diagnostic requests. Interested in Allagash? Sign on to our Constant Contact list. We'll keep you informed. Interested in a diagnostic run? Drop us a note. 

It's been a long two weeks on the road, so I'm going to keep this short. 

For those of you traveling to Boston this week, we look forward to seeing you!

Until next week,
Have a great weekend!
Jeff