Saturday, August 30, 2014

Red Sky Weekly: At the Intersection of Financial Warfare and Cyber

Financial Warfare? Carried out in cyberspace?
http://www.newsweek.com/2014/05/02/art-financial-warfare-how-west-pushing-putins-buttons-248424.html

For months, we've been following the Russia | Ukraine conflict from the perspective of cyber as a means to an end. We've tracked and reported, both in this blog and in more detail for our members and customers, the exploits of Cyber Berkut, Green Dragon, and suspected Russian involvement in the Ukrainian Presidential election (shortly after the US Congress passed legislation to back a US$1 billion loan guarantee, and US$50 million to help guarantee a fair election). And a few days ago, after much hand wringing, heated discussion, and finally, normalizing a would-be intelligence assessment, we published a piece that suggested that large investors and holders of long-term debt in the region are at higher risk than others for cyber attack. And we didn't talk about it, but the reality is, those who've participated in sanctions should expect retaliation --and probably via cyber.

On that, I remembered a Bloomberg piece from July. The piece described a tool in the diplomacy toolkit that our leaders have been using for some time. Bloomberg describes it as Financial War. In May, Newsweek published a similar piece entitled "How the west is pushing Putin's buttons".

"The U.S. antiterror arsenal includes Predator drones, Tomahawk missiles and men in gray suits who target rogue regimes' finances." (http://online.wsj.com/news/articles/SB10001424127887324665604579080260261350776)

So why is a cyber guy talking about Financial War, quoting Bloomberg and the Wall Street Journal? Because financial warfare, delivered via cyber is quickly becoming the diplomatic weapon of choice. What happens when bankers uphold sanctions by blocking wire transfers and suffer retribution as a result? When the owners of the banks that are blocked from receiving money grouse to their childhood friend, and when that friend is Vladimir Putin, and when even today, they practice judo together --when all of this occurs, it should come as no surprise that the bankers that our administration used as a weapon are retaliated against.

I'm keeping it short today, but want to leave you with a couple of think points...

When bankers (or others) are retaliated against, who will protect them? What kind of regulatory action will occur when bankers stick their neck out in support of diplomacy? Will bankers be punished for being hacked? And will (should) the government offset losses to investors if/when they occur as a result? 

BT BT
  • Red Sky turned THREE this week! It's amazing, and it went by in a flash, but three years ago, Red Sky Alliance Corporation was born.
  • We've begun populating reporting in the Beadwindow portal in Threat Connect.
  • ...And the analysis engine has been in overtime. The portal is busy --it has been all summer, and going into Labor Day weekend, for some reason, we've started getting calls for new memberships.
I'm keeping it short. It's the one sunny day we're expected to have this weekend, so I'm going to take advantage of it. I hope you do too.

Have a great Labor Day weekend!
Jeff




Tuesday, August 26, 2014

Wapack Labs Blog: Wapack Labs Technical Analysis: VSkimmer and Black...

Wapack Labs Blog: Wapack Labs Technical Analysis: VSkimmer and Black...: Originally published on January 30, 2014, this analysis product was offered privately during the height of the Target breach. Over the weeke...

Saturday, August 23, 2014

Red Sky Weekly: Shocking!

Author: Cuban political cartoonist Antonio Prohías
German intelligence spies on Americans and Turks?

Chinese Hackers targeting information on MH370?

Malware targeting ex-Soviet states has Russian hallmarks?

Say it ain't so!

For months we've read stories about the NSA. I thought I'd take a moment and talk about the second oldest profession in the world: spying. Every country has organizations dedicated to this craft. And with 196 plus or minus countries in the world (depending on who's counting), you'd be hard pressed to find a country with just one intelligence organization. Most have several. Add in another 10,000 marketing/intelligence shops owned by companies, the fact that the Society of Competitive Intelligence Professionals boasts chapters all over the world, and a quick Google for Competitive Intelligence that yields over 10 million hits. Ever read an analyst report when you're thinking about buying stock? When you're using it to make decisions about what to buy, that's intelligence...

There is no escaping this fact. Intelligence is everywhere. And cyber is one easy place to get it.

In 1999, I gave a talk at SANS on this very topic. At the time, I was both an intelligence officer and a SCIP member. I talked of the movement of spying toward cyberspace, offering examples of paid intelligence collectors, working in the private sector, grabbing precious information from other companies via computers. I spent some time actually teaching my audience how this is done, and for all of the work I'd done preparing the presentation, my reviews came back with comments like "Stutzman is selling snake oil", "The sky is not falling!" and "What planet is this guy from?" I'll never forget it. I was not invited back.

Since then, I've given that same talk, unedited, in pieces or in its entirety, as if it were still 1999, dozens of times --Navy War College's Strategic Studies Group (where Navy Captains go when they're about to put on a star), during classes at Norwich, Worcester Polytechnic Institute and Harvard, and more times than I can count to new analysts. It was a simpler time, but nonetheless, that talk from 1999 holds true today, and was dead on then. I remember it well. I liken good intelligence to information presented by securities researchers when their bosses are playing the market. The reports offer recommendations at the top of the page; they offer some kind of a mechanism to score the researcher, and then lay. (I'll save this for another blog entitled.. what does good intelligence actually look like?). It's beautiful!

What does intelligence look like in cyberspace? How does one go about collecting it? My talk included that too... and at the time, the USSR was breaking up and those spies, needing jobs, migrated largely to countries in Europe... including Germany. Many worked for the banking community, attempting to help protect investments. Think they're the only ones? Many of my former co-workers and peers also now work for corporate America. And what do you think they (we) do? Intelligence, research and analysis. Pick a country and I'll tell you a non-military story of how someone is spying on someone else for money. We expect it from the government. It's the second oldest profession in the book.

So, hold on to your hats folks. Cyber increases the speed by which access can be gained to specific information. It offers access to vastly larger caches of data as storage devices become smaller and the amount of data they can hold becomes bigger. And computers can be targeted like no human ever could... silent, fast, accurate. And it is very much taken advantage of.

Does it come as a surprise that German intelligence folks are spying on the US and Turkey? No. Pick a country.. they're spying on someone; either for military or economic gain.... and your computer is the easiest place to get information from.

I love my job!

If you'd be interested in seeing the presentation, drop me a note. We'll set something up.

BT BT

It's been a great week.

Announcing Beadwindow on Threat Connect!

I'm happy to announce that we've partnered with Threat Connect to make our Beadwindow portal (our open portal) available on Threat Connect. The site is set up and we're moving content over as we speak. Interested in membership?  Rick is the Beadwindow Community Director and can get you set up. Contact Rick.

In the Red Sky private portal:
  • The Red Sky portal has been really busy. Normally over the summer it takes a dip, but not this year. We added a couple of new members, including one this week.
  • We continue to watch and blog lessons from the cyber activities undertaken during the Ukraine/Russia conflict; we posted updated GEOPOL reporting.
  • And this week we loaded up caches of tools known to be used by a couple of prolific groups. It's not all been analyzed, but there's plenty of talent in the portal to assist.
In Wapack Labs:

Threat Recon adoption continues to grow. 

https://pypi.python.org/pypi/threatrecon
Yesterday, Seth Bromberger, one of our friends and an expert in the industrial controls security community, posted a Threat Recon Python module to python.org and GitHub. In the last 24 hours, there have been 478 downloads!

We've put up our internal Maltego server. The transforms work wonderfully (thanks Bart!).

We're not a CRITs shop, but there are scripts written and posted on GitHub for CRITs integration.

And standby folks, Splunk is coming!

Enough for now. Until next week, have a great weekend!
Jeff






Friday, August 22, 2014

New API module for Wapack's ThreatRecon!

Thanks to Seth Bromberger for writing a Python module for our cyber threat intelligence system ThreatRecon. You can download the module here: https://pypi.python.org/pypi/threatrecon

Thanks Seth!

Saturday, August 16, 2014

Red Sky Weekly: The unsexy truth about cyber insurance.

I know cyber risk insurance isn't one of life's most sexy topics, but it is one worthy of discussion. I was reading an article by Craig Carpenter titled "Lack of Incident Response Holding Back Cyber insurance Market" this afternoon (the article can be found here: http://tinyurl.com/pn2yjs8). Craig made some very good points in his "Three Simple Steps" that will help both the insured and the insurance companies in working together towards a common ground. These steps include: detection and swift response, full-fledged incident resolution teams, and working with clients to develop best practices starting with "Mean Time to Response (MTR)." Each step should be considered by any organization, if not already in place, and they are really part of good overall cyber hygiene. With these steps in place, organizations are already mitigating much of the cyber risk and insuring themselves against costly cyber incidents.

What if insurance companies planning to write cyber risk insurance took the time to assess the "Cyber Health" of the potentially insured before writing policies? When I shopped for life insurance when my children were young, I answered pages of health history questions about myself and my family. Then there were the urine and blood tests and the blood pressure cuff. The insurance company was really interested in my current health condition(s) prior to estimating how healthy I would be in the future. Why are insurance companies not requesting a cyber "health" assessment prior to insuring companies, not just from a cyber risk standpoint but from an all-inclusive business risk perspective?

Network data can be analyzed through a number of tools; ThreatRecon (www.threatrecon.co) comes to mind. Tools that can quickly assess the malicious activity found on the potentially insured network can go a long way in helping actuaries assess the potential for financial loss in the event of a network breach. Indicators from a client's network data can be run against indicators known to be questionable or even dangerous. Wouldn't an underwriter be interested in knowing if a potential insured was already p0wned before writing any coverage? Tools such as ThreatRecon could also allow a business owner or third party analyst to review their data before calling their insurance agent for a bid. If you have a verified "sound" cyber health check, shouldn't you get a better price on your new policy? Knowing the context behind threats that may already be hitting your servers would be even better; why not raise the level of prevention before you experience a breach?

The question will arise: who will pay for the cyber assessment? Of course the insurance company will not want to absorb the expense, but it could be listed on the insurance invoice as a consulting fee. I would hope that a business owner would like an independent assessment of their cyber health, especially since they are shopping for cyber insurance. When taking into account the costs associated with cyber breaches, both financial and reputational, the costs of an assessment are a fraction of post-breach cleanup. A sound plan to assess a business's network, knowing the cyber health of your own company first, and then implementing Craig's Three Simple Steps looks like a winning combination to me.

BT BT

Yesterday, we held our first webinar for ThreatRecon, Wapack Labs' cyber threat intelligence API. The webinar was very well attended by more than thirty of the best analysts in the industry. We couldn't have been more pleased! The feedback from the cyber community remains very positive and the adoption rate for the platform is growing daily. Giving cyber security teams the means to look at hundreds of thousands of high confidence indicators with full context and full attribution fills not only the need for quick answers by the analysts but also the compelling stories required by CISOs when advocating for the need to keep their operations fully funded.


Wapack Labs offers ThreatRecon for free for the first thousand queries. We believe that strongly in our mission and core values of protecting organizations from cyber threats. You can get started by going to the ThreatRecon website at https://www.threatrecon.co. If you didn't have the opportunity to see the webinar, you can watch it here: https://vimeo.com/103543432

Saturday, August 09, 2014

Red Sky Weekly: What can we learn from the soft targets?

When I asked someone what the marketing hook at Black Hat was this year, he simply replied, "Apparently to scare the $#!^ out of everyone!" I couldn't help but laugh, but having been to those events before, it sounds like business as usual, and I doubt it was any less fun this year. :) Back in the lab, the past 72 hours have been incredibly busy chasing down things that should really scare you, if you're not prepared for them!

About mid-week, one of our honeypot email recipients received several spear phish attempts in rapid succession. This particular honeypot is one that gets spear phished in a more-or-less programmatic manner, so when we saw such a quick burst of activity, it caught our attention. All three samples are currently being reversed by the lab's analysts, but of them, two really caught our attention!

The first was a very complex piece of malware that we've yet to identify completely. The IDA graph looks like a flowchart for the launch sequence of the space shuttle! A complex executable with lots of interesting loops and calls and many layers of obfuscation and encryption; this one is going to take a bit to reverse, but it should provide for interesting discussion among the Red Sky analysts! The most interesting attribute of this nasty bug is that it appears to be operating system agnostic, due in part to its unique exploit attributes, with the ability to infect most modern systems. We'll see if that is true. With time being limited, we switched gears and took a look at the second piece of malware we found interesting.

When examining this second piece of malware, we identified the C2 node and ran it through Threat Recon. Immediately, the results came back and we knew we had something very interesting on our hands. Taking the C2 as the pivot in our analysis, with Threat Recon we were able to identify an additional 3 IP addresses and over a hundred new indicators in a matter of minutes, with context that helped identify the nastiness we were seeing. As someone who's been in this game a long time, I think that's pretty damn cool to get results that fast! So what did we find and why is it significant?

If you're in the banking sector, the Win32.Banload Trojan, a.k.a. Ikarus, may conjure up some bad memories. First seen as early as 2008, perhaps earlier, the Banload Trojan is associated with the Win32/Banker Trojan family, Trojans notorious for stealing banking credentials. In all, our original pivot point and Threat Recon helped identify several variants of banking Trojans, including Malgent, Camec, and Orsam!rts, being served up from more than two dozen domains. All that analysis and context is good and should keep analysts busy for a bit, but why is this significant?

Wapack Labs has been following adversaries targeting political dissidents for some time now. By doing this, we've been able to capture malware samples that have never been seen in the wild; this alone is helpful in identifying new variants of malware quickly and pushing that analysis to the membership for mitigation. However, by examining the targets themselves, another story emerges.

It's not surprising that malware used to steal banking credentials, even older variants, is being used to target individuals, particularly those who are outspoken towards governments and high profile political causes. Many of these dissident groups, and those running them, collect millions in donations for the causes they support. Charitable organizations and non-profits may be perceived as "soft targets" with weak defenses, and the disruption of money flowing from these groups could disrupt or even halt the ability of the cause to effect the changes they seek. By striking at the bottom lines of some of these organizations, adversaries may be able to silence their voices and lessen their effectiveness. Besides the disruption of money, compromising the private databases and correspondence of political action groups could be a treasure-trove of information for identifying other targets for future attacks, or be used as criminal or political leverage.

What we've come to realize over the past year or so is that the soft target paradigm is one that security teams should be examining much closer. The low effort and high return on investment is a value proposition too lucrative for adversaries to ignore. For us on the defense, the value proposition is equally high. From our research, targets with inadequate defenses make excellent proving grounds for new malware development without risking leaving breadcrumbs on VirusTotal for the world to examine. Additionally, the wealth of information you capture allows you to develop new tools to systematically process all the pivoted information into actionable information to protect yourself. This is why Threat Recon was such an important tool for us to build and offer to the security community: it saves time and returns quantified and qualified actionable information very quickly. As we continue to collect from these soft targets, Threat Recon and the results it provides will only become that much more valuable.

BT BT

The community of Threat Recon users continues to grow and the feedback remains very positive. This week, we've heard from several early adopters as to how they're using Threat Recon in their enterprises, and we're starting to hear about the creative ways other cyber security teams have developed tools around Threat Recon's API. One example is the integration of the tool into CRITs and another is creating a Java application to do bulk queries. If you're one of those working on your own tools using the API, we would love to hear from you; even if you just have questions, feel free to reach out to us directly!

To that point, this past week the lab has been working on our own application, which we will be publishing on the Threat Recon GitHub, that will include the ability to query indicators in bulk against the API. Pizza Cat, as we call it, is a parsing engine that will be available to those who want to use Threat Recon but may not have the expertise on staff to develop their own tools, or the time. If you're interested in trying it, please drop me an email at rgamache@wapacklabs.com or go to https://www.threatrecon.co

Next week, Jeff should be back to the blog.  With two weeks to clear his mind, I’m sure he’ll have plenty to say.  Thanks for the audience the past two weeks!

Saturday, August 02, 2014

Red Sky Weekly: Would you respond to Zeus differently than ZXshell? Why? Context is king.

Jeff is off on a much deserved break so he’s left me in charge of the blog.

As you may well be aware by now, Wapack Labs, Red Sky Alliance's threat intelligence arm, has released its first iteration of Threat Recon via a web-enabled API. The response this week has been tremendous! With hundreds already signed up and more each day, the feedback we've received from the many people throughout the cyber security community has been both helpful and supportive, and for that we are very grateful.

Here's a real world example of how we're using Threat Recon in our everyday analysis. While preparing a presentation I have to give this week for some folks in the financial sector, I had some questions about the Zeus Game Over botnet. Wapack Labs is very familiar with this campaign and our Near East intelligence people watch the activity closely. Wanting to illustrate the pervasiveness, I opened the API and did a search on a particular set of indicators I know are bad, and in a matter of seconds I had enough context to fill up an hour of presentation time, plus new stuff I hadn't seen before!

What is particularly powerful about the results out of Threat Recon is that they are both technical in nature and context-rich, allowing me to scale the presentation to the level that the attendees are most interested in. But that's not the really cool part! The best part was, I was able to pivot off that information and see how newly contextualized indicators were being added from the wide dragnet of collection techniques we use every day in the lab. Result? A much deeper understanding of Zeus Game Over's activity and the people behind it! Members of Red Sky are going to love the resulting reports from our findings. :)

When we started Red Sky Alliance in 2011, our focus fell squarely on the quality of analysis from the contributing members and not the quantity of threads. In fact, in the Red Sky community, all analysts are peer reviewed as to the accuracy and quality of their analysis, and that continues to this day. This quality-over-quantity approach has proved to be an extremely valuable tool for both our Red Sky members and Wapack Labs customers. Our high-quality, high-confidence indicators give first responders laser-focused information on what threats they're dealing with when the alarms start pinging. At the same time, the rich context of our reports allows CISOs to quickly sum up the crisis as they prepare to brief the C-suite on the things they really need to know.

Over the past three years, we've seen the discussion of intelligence turn into a question of "How much data do you have?" Despite that, we've stayed the course and continued to focus on qualified, highly actionable intelligence.

Through Wapack Labs, we've developed a robust collection effort, but we've never lost sight of our core belief that intelligence must be contextualized and that you can never remove the human element from the process. If you're one of the many who have used Threat Recon already, you'll notice that every query with a result returns context to help you pivot off of it for deeper analysis.

When I'm asked, as I often am, "How many indicators do you have?", my response is generally met with some incredulity because it sounds like a small number compared to other "intelligence" companies publicly claiming to host many millions of indicators. However, when I explain how we collect and process our intelligence, and I mean the full spectrum of cyber intelligence (HUMINT, OSINT, SIGINT, and TECHINT) we conduct on a daily basis, it commands attention.

If, as the old saying goes, "We're looking for a needle in a stack of needles," and I can confidently tell you that one needle is slightly smaller than all the others, I'm pretty sure you'd want to know about it and would find that information useful in your search. This alone is what differentiates Threat Recon from any other analysis tool you've ever used.

The debate about the usefulness of Big Data will be around for a long time and the jury is still out, but here's something to think about. If you're like almost all of the incident responders I talk to, there's very little time in the day and too few resources to sift through false positives. Would you choose four million indicators with little or no context, or half a million high confidence, vetted indicators, many supplied with full attribution, to focus your effort and assets? How you respond to Zeus will most likely be far different than how you respond to ZXshell. Context is king when you have limited resources!

If you're interested in what we have to offer, see for yourself. Threat Recon is available now through our web API and can be found at https://threatrecon.co. Join the many that are already using it to help them in their cyber security efforts.

BT BT


Red Sky Alliance has entered a formal partnership with Threat Connect and is moving Red Sky's public-to-private portal "Beadwindow" to the Threat Connect platform. We're excited to move forward on our plans for making this portal an even better tool for incident responders, analysts, researchers, and CISOs. Beadwindow members include federal, state, and local agencies as well as centers of higher education and the medium to small businesses who can't dedicate a lot of time to cyber security analysis.

Through Beadwindow, you'll have access to a managed community and the participation of some of the best minds, analysts, and security strategists in the business, as well as all reporting we've published in the last three years. If you're interested in becoming a member, email me directly at rgamache@wapacklabs.com.

Saturday, July 26, 2014

Wapack Labs Blog: Wapack Labs announces our new API, Threat Recon™.

Threat Recon API Version 1.0

Threat Recon™ is a new threat intelligence API developed by Wapack Labs and powered by Go.

The Threat Recon™ threat intelligence API leverages Wapack Labs' human analysis, open source information, and machine generated metadata such as Whois records, historical and current DNS information, and tagging, and includes a proprietary confidence algorithm to provide as much context as possible about a single indicator, along with a prioritization by confidence.

Basics and Getting Started

Getting started is easy!
First, sign up to receive your free API key. Read the 'Usage' section for example queries.
Need tools? Test it from the command line, or if you prefer, download example scripts from the Threat Recon™ hosted GitHub repository. The first scripts were provided by us in Python. Shortly into beta and load testing, Justin and Nick at CBTS converted them to Ruby, and our friends Bart O and Brian at HP authored and posted Maltego Transforms! Any programming language that can parse our JSON output will work with the API.

Give us a try!

Get your first 1000 queries for free. Sign-up is easy at threatrecon.co.
Feedback so far has been amazing. If you have any questions, comments, or problems, please let us know at threatrecon@wapacklabs.com.

Saturday, July 19, 2014

Red Sky Weekly: Flight MH-17 shot down over the Ukraine

It is a sad day for all of us when a civilian airliner is shot down. It is not as if a commercial airliner is trying to sneak across borders at 33,000 feet; it is emitting a code that identifies the carrier and the flight number to all air traffic controllers. The first question we all asked was, "Who shot down Flight MH-17?" We wanted immediate proof of who did it.

Let's backtrack to the recent articles about the abuses of the NSA and our intelligence officers who are working abroad collecting information. Without intelligence gathering, who would we turn to for answers? We know that our former friends in Russia will likely not tell us the truth. They are fighting to take over a neighboring country; they will use this as an excuse to blame the Ukrainian government and perhaps justify their actions. Wasn't it nice for all of us watching the evening news last night that we were able to see/hear the radio transmissions of the guilty parties explaining that they had shot down a civilian airliner? This was the same crew that was bragging about shooting down a Ukrainian cargo plane, also with no survivors. Those radio transmissions were recorded too.

How do you suppose our government came by these radio transmissions?  Well, they were collecting intelligence and did not know what may or may not be important.  They did collect these radio transmissions and a lot of other chatter, but these turned out to be the proof that the world needed.  It makes me glad that all of the bad press about the Snowden incident did not cause our country to cease all intelligence gathering.

At Wapack Labs, we collect intelligence on state-sponsored cyber terrorists, hackers, hacker groups and the tools that they use. Not everything we collect has value, but we do our best to collect that information which will help our customers and Red Sky members best protect themselves. By collecting information --hopefully the right information-- we could, and often do, have the pieces of information that could very well protect your business when you really need it.

BT BT

For those of you who follow our blog, we have been talking about our new product, ThreatRecon.  We have one more week of load testing and a number of Red Sky Alliance members and others are hitting it hard and are happy with the results.  The feedback to date has been amazing. 

On the analysis side, earlier this week we published a report detailing what we believe to be the first piece of malware (a banking trojan) embedded on mobile phones at the factory. We broke down the malware and identified the author.

We added to the Ukraine | Russia discussion. Our Eurasia team is watching intently, adding this week to the discussion of Russian involvement in the break-in at NASDAQ several years ago.

Last, the alliance is growing slowly and nicely. We're not as much worried about having hundreds (thousands?) of members as much as we are a small group of really good ones. So this week we did an orientation session with a new member from an Icelandic bank, and will soon be bringing in our first Austrian company. I'm very much looking forward to visiting both locations.. fly rod in hand for one, and skis over my shoulder for the other!

Until next time,
Have a great week!
Jim McKee


Saturday, July 12, 2014

Red Sky Weekly: if you want to check the engine, you've got to look under the hood!

Let me ask a simple question. If you took your car to the mechanic and he never lifts the hood to check the noise you've been hearing, would you trust him when he makes his diagnosis and hands you an estimate? Some mechanics have more oil under their nails than my car has had in its oil pan, but those guys have more time under the hood than nearly anyone I know, or have MIT degrees (the Car Talk guys?!) and can diagnose problems based on sounds made by the owners. But for most, if you want to check the engine, you've got to look under the hood!

Why am I talking about cars and mechanics? Because believe it or not (hell, I can hardly believe it myself!) I'm going to defend NSA... this week marked yet another piece stemming from the Snowden leaks (The Washington Post, republished by the Boston Globe). I'm not going to defend only the NSA, rather the idea that to catch criminals using the internet, we need to monitor the internet! It's a simple concept!

As a security pro, if I want to know what's going on in your computer, I need to be able to look at it. If I think it's been broken into, I need to look at processes running, files on the machine, and for those really pesky APTs, I'm going to need full packet captures on all comms going in and going out of your network. And yes, I may need to read your email! I promise, if I don't need to I won't, but sometimes... well.

I consider myself an inactive, middle-of-the-road Libertarian. I don't participate in Porcupine events. I'm not an anarchist, and I'm not a hemp-wearing hippie, but I do believe that my freedoms are really important. I have no problem with the EPA taking water samples to make sure our watershed hasn't been polluted or poisoned, and while I'm not a fan of NSA reading traffic over the wire, if in fact they really do (I don't really know), I'm as much a fan of having someone reading my email as I am of my annual prostate exam. In either case, there's a necessary evil that must be endured for the sake of long term health.

Need examples?
  • Last year, while watching activities related to folks breaking into computers, we were tipped off to a cache of videos of bad guys teaching other bad guys how to make bombs in their garage... about 30Gb of the stuff. Don't worry. We did the right thing.. but at the same time, we had evidence of bad guys doing bad things on a good tool.. bomb makers teaching others to make bombs and distributing them on the internet. 
  • How many dirt bags are taking liberties with kids and pushing their stuff around the internet? 
  • And I haven't even talked about espionage, credit card theft, banking account takeover, or fraud yet... 
And so you wonder why, when we're worried about terrorism, or millions of credit cards stolen from your favorite department store, or espionage targeting the very intellectual property that you work so hard to build and sell... why do people monitor raw data? To find those A-holes (yes, with a capital A) that keep stealing our stuff.

Yes, there are challenges with troubleshooting blood-borne computer illnesses, and certainly privacy concerns in having to look at the actual data to know when terrorists may be planning attacks over Twitter, but we'll figure that out. And the answer should not be black and white. It's going to land somewhere in the middle. So for now, I don't read the paper when I see yet another Snowden story. It pisses me off.

And yes.. I own FireEye stock. I own Splunk stock. If NSA offered stock I'd buy it in a heartbeat. And I'd buy stock from others like them... UK, French, hell, even Chinese! If they sell stock, I'm in! When we finally do figure this out, I'm going to be ready :)

And for us? We're part of the solution.

This week we had some real successes in both Red Sky and Wapack Labs.

In the lab, we've got 'Threat Recon(tm)' in load testing. We've set up an API that'll really get your attention. If you like Virus Total, you're going to LOVE Threat Recon. As of today (Friday) two Red Sky members are set up and running first tests. We'll be adding more to the testing next week. I'll be announcing its public offering very soon, so hang in there. Only a couple more weeks. Keep an eye out for it..

Our first university is joining Red Sky, as well as our first Icelandic bank. We've been holding steady on Red Sky membership; our community isn't big, but it's really smart. And our first IR team from a university is VERY exciting, and after spending time in Iceland, I can't tell you how happy it makes me that we're bringing in our first Icelandic member! I've got a reason to go back... but next time I'm taking my fly rod!

Adding to that, we've built a bunch of new tools, added some incredible new sourcing.. we've spent a bunch of time doing R&D this year and it's paying off! I've got the best job in the world. I haven't had this much fun in years!

So until next time,
Have a great week!
Jeff




Friday, July 04, 2014

Happy Fourth of July!

I'm going to forgo a blog post this week, and offer a simple message.



Happy Fourth of July!

Until next week...
Jeff

Saturday, June 28, 2014

Red Sky Weekly: Quality over quantity!

I had an Intelligence Officer in the lab in Manchester a couple of weeks ago.. He told me a story. Apparently during his last rotation in-country, one of his big-data feeds didn't give him the granularity needed to accurately choose targets. So he spent most nights doing the analysis himself --deciphering the output, connecting the dots, and picking targets manually.

When I retold the story at the Gartner conference last week, I spoke of the parallels between what the Intel Officer told me, and what I hear from many, many infosec guys.

Let's try it this way. Last week I heard from a guy that he'd been approached by one of the new (newer than us) threat intelligence shops. Apparently they claimed that they had over 28 million indicators, and the numbers are growing daily. So let me ask you... the company has been in business for about a year.

Do you really think they've analyzed 28 million indicators?  

In less than a year in business? 

I'm throwing a yellow card!

We use open source data like many other threat intelligence shops. But we can't verify sources or validate the analysis. Don't get me wrong, there are a few that we do consider high confidence, but... only a few. In those cases, we either know the source well or work with the analysts. In most cases, we consider open source intelligence low confidence and use it only as situational awareness, or to pivot off of high confidence data derived from things we know.

In fact, of the last 700,000 open source indicators we've collected, we cleaned out nearly 550,000 duplicates! Add to that, some of these companies are using it as authoritative. One of the big data vendors we demo'd creates indices. And when we saw the data that they were using on the screen during the demo, we realized that they had the same typos in the indicators that we had! They'd collected it from the same open source that we did! The difference is, we consider it low confidence information and collect it only for situational awareness. This other company calls it high confidence and uses it like a report card.

Threat Intelligence vendors are becoming ubiquitous. You can't swing a dead cat without hitting one, and the Gartner exhibition floor was no different. And sadly, the marketing message is seemingly becoming much louder than the actual message --posters everywhere, every banner, every speaker.. they all know and sell cyber threat intelligence. Sadly, many still don't know the actual value, or what it means. Which is more important: to have 28,000,000 indicators of compromise that have been harvested from virtually deployed honeypots (this is the anti-virus model!)? Or, would you rather have ten solid IPS rules that'll stop and drop outbound remote control channels in companies similar to yours? How many of those 28,000,000 indicators are you willing to roll up into your UTM, firewall, IPS and/or SIEM? Damn. I wouldn't want your job!

The better question isn't "how many indicators do you have?" It should be something like this...


  • "My company manufactures widgets. How do other widget companies protect themselves?"
  • "What IOCs are most effective?"
  • "Who is trying to do this to us, and what do they want?" 
  • ...and finally (my favorite)... "If you have so much data, how much do you already know about my company?"


These are the questions you should be asking of your threat intelligence vendor. Not "how many indicators do you have?" 

Before I go, I'm going to quote another friend... he's currently the CTO at one of the Aerospace companies. He was the head of Incident Response and Forensics when we worked together:

There are three things that every company needs to protect themselves from.. in this order:
  1. Protect yourself from those things targeting your own company first.
  2. Protect yourself from those things targeting your industry second.
  3. Protect yourself from as much else as possible, last. 
So when that next big data company stops in to boast about all of the indicators they've collected on their high speed, low drag collection system, ask them, what the hell am I supposed to do with 28,000,000 indicators? Who's going to stay up all night and boil those down to the top ten golden rules that I can implement tomorrow morning?

We do. You just have to ask. Drop me a note and I'll show you.

BT BT

Gartner was awesome as usual. While I don't always agree with the analysts.. in fact oftentimes I don't, the audience is largely CISOs and the vendors are generally really high quality. This was my fourth year, and it did not disappoint. Except for the sales guy who was miffed that I wouldn't spend my junior analyst's salary to sponsor a booth next year, it was really great seeing some of the new companies, growth of old companies, marriages of great companies, and having so many incredible conversations with CISOs all there trying to look for the same thing --the way forward; an edge on increasing threats; help in dealing with some of the hardest issues CISOs have faced to date. 

On the analytic side, the team is busy or on vacation. It seemed like the right time.. the week before the 4th of July. Even with two guys out this week, we published a couple of reports on the upcoming 'Week of Terror', wrapped some internal R&D, initiated an exciting new partnership (more on that later!), and made a bunch of new friends!

It's 7:40 and the grass is getting taller by the second. Time to fire up the Kubota!

So until next time,
Have a great weekend!
Jeff

Saturday, June 21, 2014

Red Sky Weekly: We're STIX!

I'm happy to announce that we are now providing indicators in the STIX format.
https://stix.mitre.org/
Two weeks ago we pushed our first STIX package to the Red Sky portal. While not perfect, we received some good implementation feedback during our threat day this week. Next step? TAXII. I'm a huge fan of sharing information machine-to-machine, so this is very exciting!

Why'd we do it? Let me tell you a story. I promise, it'll come back to STIX!

About a year ago, we happened upon the entire active directory structure for a very large European company. Like a drunk who drives the back roads throwing their cans out the window into the woods as they drive, some sloppy cyber litterbug dropped a bunch of stuff on a couple of open nodes --that we then picked up as we walked along the road looking for clues. 

The data we'd acquired suggested that the company was compromised --and I mean completely compromised --caught, cleaned, and gutted, and had been so since probably mid-2008. There was a lot of stuff. Some of the information we saw suggested also that this company had sold an application to another ...and when this application was used, it was sending data from the application to computers outside of the company. So we tested the encryption with passwords we knew to be used in previous APT events, and were able to view enough files to know that the company used the application to make big things that float, fly, and sink themselves intentionally. 

Neither of the companies was involved with Red Sky Alliance, but we knew who they were, so we thought we'd be a good neighbor and let them know that we'd found their stuff on the endpoint of a command and control (C2) node. The European CISO was nowhere to be found. We know the company has one; we know they participate in security forums, but nobody would take our call. The second? We visited them in person. I know the CISO. We showed them (quietly) our story, but alas, their team is small. 

That was a year ago. In the last two years we've done victim notifications with private companies, federal agencies, supply chain partners, K-12 school systems, manufacturing/machining companies, security companies, universities, and more. Companies range from global in size to very small, in hundreds of industry segments. Our smallest notification - four people doing a half million dollars per year in business. The funny thing is, the smallest company that we notified hung up the phone with us and called the FBI (not on us!). We referred a local incident response company (a known - a Red Sky Associate Member) to assist with the clean-up, and I believe that as we speak, they're well into their get-well plan. 

So why do I tell this story? A year later? We're moving into the era of full automation. While I'm not necessarily a fan of full automation, I am a fan of stripping any and all barriers to a company's use of protective information. STIX puts data into a format. TAXII moves it from company to company. The next step is moving data from that company repository directly to defensive tools. In every case where we've done victim notification, if we had this automation in place I could have simply shared data to the compromised company. They'd receive our indicator bundle, push the 'easy button', drop it into their defenses, and move along. Of course it's not that easy, but you get the idea. 

We're moving in the right direction!

BT BT

What's happening in Red Sky this week?


  • First, as mentioned, we're now STIX! Members (and Wapack Labs subscription customers) can now get their indicators in .csv or STIX format.
  • We issued warnings this week to about a dozen companies. They're targeted, and we believe they'll be hit in about two weeks. The warning also included an analysis of the tools that will be used, and how to protect against them.
  • We had our quarterly threat day in Tampa this week. We had cocktails and food at the Pebble Creek Country Club, with a day of meetings at a member location on Tuesday. What a great two days!
  • Last, we continue tracking cyber activities between Russia and Ukraine. You just can't make this stuff up. The Christian Science Monitor ran a story on this as well. Since our original post, we've authored several more blog posts inside of Red Sky, and issued three priority analysis reports aimed at offering good situational awareness and defenses to our members who have business interests in the area. 
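A worked illustration of the "Quality over quantity" point about deduplicating open-source indicators and keeping them at low confidence, and of the .csv / STIX delivery mentioned above, added here as an example that is not Red Sky Alliance or Wapack Labs code. It assumes STIX 2.1 JSON (the 2014 packages described in the post were XML-based STIX 1.x), and the source names, confidence values and feed rows are constructed.

```python
"""Added example (not Red Sky Alliance or Wapack Labs code): normalise a
constructed open-source indicator feed, drop duplicates and malformed
entries, tag survivors with source confidence, and emit only the high
confidence subset as a STIX 2.1 JSON bundle (STIX 2.1 is an assumption)."""
import csv
import io
import ipaddress
import uuid
from datetime import datetime, timezone

# Constructed feed: copies that differ only in case, whitespace or defanging,
# plus one typo'd IP (letter O for zero) that no defensive tool could match.
RAW_FEED = """source,type,value
osint-pastebin,ipv4,203.0.113.10
osint-pastebin,ipv4, 203.0.113.10
osint-blog,ipv4,203.0.113.10
osint-blog,domain,Bad-Example.TEST
osint-blog,domain,bad-example[.]test
osint-pastebin,ipv4,203.0.113.1O
member-ir-team,ipv4,198.51.100.7
member-ir-team,domain,c2.example.test
"""

# Constructed confidence per source: only analysts we know and work with rate high.
SOURCE_CONFIDENCE = {"member-ir-team": 85, "osint-blog": 30, "osint-pastebin": 20}
HIGH_CONFIDENCE = 70

def normalise(ioc_type, value):
    """Canonical form so trivially different copies collapse; None if unusable."""
    v = value.strip().lower().replace("[.]", ".")
    if ioc_type == "ipv4":
        try:
            return str(ipaddress.IPv4Address(v))
        except ipaddress.AddressValueError:
            return None
    if ioc_type == "domain":
        return v.rstrip(".") if "." in v and " " not in v else None
    return None

def triage(feed_text):
    """Return (kept indicators, duplicates dropped, malformed dropped)."""
    seen, kept, dups, invalid = {}, [], 0, 0
    for row in csv.DictReader(io.StringIO(feed_text)):
        canon = normalise(row["type"], row["value"])
        if canon is None:
            invalid += 1
            continue
        key = (row["type"], canon)
        conf = SOURCE_CONFIDENCE.get(row["source"], 10)
        if key in seen:  # duplicate: keep the best confidence, drop the row
            dups += 1
            seen[key]["confidence"] = max(seen[key]["confidence"], conf)
            continue
        seen[key] = {"type": row["type"], "value": canon, "confidence": conf}
        kept.append(seen[key])
    return kept, dups, invalid

def to_stix_bundle(indicators, min_confidence=HIGH_CONFIDENCE):
    """STIX 2.1 bundle holding only indicators fit to push into defences."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    objs = []
    for ioc in indicators:
        if ioc["confidence"] < min_confidence:
            continue  # low confidence stays situational awareness only
        sdo = "ipv4-addr" if ioc["type"] == "ipv4" else "domain-name"
        objs.append({"type": "indicator", "spec_version": "2.1",
                     "id": f"indicator--{uuid.uuid4()}", "created": now,
                     "modified": now, "pattern_type": "stix", "valid_from": now,
                     "pattern": f"[{sdo}:value = '{ioc['value']}']",
                     "confidence": ioc["confidence"]})
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}
```

On the constructed feed, eight rows collapse to four usable indicators (three duplicates, one malformed), and only the two member-sourced ones reach the bundle.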
Last but not least - I just heard that the days will start getting shorter after today.
So please, enjoy the solstice! 

Until next week,
Have a great weekend.
Jeff


Saturday, June 14, 2014

Red Sky Weekly: Reflections on a great career...

I spent Thursday morning at the retirement ceremony for an old friend - CWO3 Eric Slater, USMC.

And while it didn't hit me then, in the quiet of that afternoon, when my email finally settled down, smoking a cigar on the back porch, I had the opportunity to reflect on what an amazing career this has been. And the idea that his and mine intersected made it only that much better.

Eric and I worked together at the Office of Naval Intelligence (ONI) in Washington in the late 90s. We've stayed in touch over the years, occasionally over a beer and cigar at a local watering hole, but today, when I think back, it hit me like a ton of bricks. For those who started in this field -this amazing field of information security -like Eric and me (and many others), there's the realization that many of the things we did in the late 90s really shaped many of the things we do today. This was a time of massive experimentation, a lot of failures, a lot of successes, and best of all, a WHOLE lot of FUN!

At the time, we were one of the few places in the DoD allowed to partner with Carnegie Mellon's Software Engineering Institute. Our entire team was signed on as Visiting Scientists (I think the correct term was Resident Affiliate??). Regardless, during this tour we worked with many great folks, but one in particular impacted the world of cyber in the most profound way. We worked with this really cool old guy -Suresh Konda (Dr. Suresh Konda), who was building the prototype of SiLK --or for those of you who don't know SiLK, think Einstein. This small invention was a means of monitoring and analyzing network flow information. For the uninitiated, think 'cell phone bill'; a detailed list of who called who, how long the session lasted, and a few other tidbits of information. Our role in this was the behavioral analysis of roughly 3500 intrusion cases where we systematically coded the motivations, behaviors, and actions taken during an attack. Think LM's Kill Chain, only 15 years ago. If you've heard me say it once, you've heard me say it a thousand times: what's old is new again, and temporal connectivity to map interception and defensive locations is not new. The idea at the time was this -we could temporally connect a bunch of disparate attacks and then code them into SiLK, and when an attack occurred that matched one of our profiles, we'd have the ability to know --quickly. And although early versions were mostly manual, those (then) manual processes are now automated and built into almost every network security device. And our first victory, the one that worried us most at the time, was the low and slow attack... one packet daily over the course of several months.. and yes, we tracked several. 
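The flow-profiling idea above, as an added example that is not SiLK, ONI or SEI code: a small analyser over constructed NetFlow-style records that flags the "low and slow" pattern (a packet or two per flow, recurring over many days at a steady cadence) while leaving chatty or one-off relationships alone. The record layout, thresholds and sample traffic are assumptions for illustration.

```python
"""Added example (not SiLK or the team's code): flag 'low and slow' pairs in
constructed flow records: few packets per flow, many distinct days, steady
inter-flow timing. Thresholds and the sample are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def _make_sample():
    """Constructed records: (timestamp, src, dst, dport, packets); doc-range IPs."""
    flows = []
    t0 = datetime(2014, 3, 1, 2, 15)
    # Pair A: one tiny flow every day at about 02:15 for 30 days (the profile of interest)
    for day in range(30):
        flows.append((t0 + timedelta(days=day, minutes=day % 3),
                      "10.0.0.5", "203.0.113.9", 443, 1))
    # Pair B: ordinary browsing: many packets per flow, irregular times
    for i in range(40):
        flows.append((t0 + timedelta(hours=5 * i + (i * 7) % 11),
                      "10.0.0.8", "198.51.100.20", 80, 120 + i))
    # Pair C: few packets, but seen only three times at uneven gaps
    for day in (0, 4, 19):
        flows.append((t0 + timedelta(days=day), "10.0.0.9", "203.0.113.30", 53, 2))
    return flows

SAMPLE_FLOWS = _make_sample()

def find_low_and_slow(flows, min_days=14, max_packets=3, max_jitter=0.25):
    """Return {(src, dst, dport): summary} for pairs matching the profile.

    max_jitter caps the standard deviation of the inter-flow gap as a
    fraction of the mean gap; a scheduled daily check-in has near-zero jitter.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport, packets in flows:
        by_pair[(src, dst, dport)].append((ts, packets))
    hits = {}
    for pair, recs in by_pair.items():
        recs.sort()
        if any(p > max_packets for _, p in recs):
            continue  # chatty relationship, not low-volume
        days = {ts.date() for ts, _ in recs}
        if len(days) < min_days:
            continue  # not persistent enough to profile
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        if avg == 0 or pstdev(gaps) / avg > max_jitter:
            continue  # irregular timing; a scheduled channel is steady
        hits[pair] = {
            "flows": len(recs),
            "distinct_days": len(days),
            "mean_gap_hours": round(avg / 3600, 2),
            "first_seen": recs[0][0].isoformat(timespec="minutes"),
            "last_seen": recs[-1][0].isoformat(timespec="minutes"),
        }
    return hits
```

With the defaults only pair A is reported; loosening min_days alone still excludes pair C because its gaps are too irregular, and only relaxing max_jitter as well lets it through.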

At the same time, many of those behaviors that we coded were used in ways that (then) were cutting edge --but today are considered routine. And the best part? That was only the beginning.

Eric worked with another Marine in Pittsburgh with the early malware guys and analysts. Gil (another teammate) and I worked with Suresh. We took those models and built them into processes used in Intrusion Detection Systems, behavioral analysis tools, and more.

Eric went on to build the Marine Corps schoolhouse that taught many of those techniques, how to recognize them, and then, how to mitigate those risks. So this morning, after a cutting edge career, I was proud to watch him retire. He retired as the Ops Boss at Lima Company. For those of you who know what this is, you know it's pretty cool. For those of you who don't.. well, I'll tell you, it's pretty cool!

BT BT 

While I was off playing Marine, the team was busy. 

In one of the pieces published this week we told a story (actually not just a story, but a great piece of analysis!) about the Tunisia Hacker Team. The story developed because a source gave us a tip and that tip turned into a question and that question turned into a really great story. Today, we know far more than what was previously known in open source reporting because we had data that was begging to be asked questions.

Often, the answers to a problem are there but it requires a bit of effort, a little luck, and a lot of patience to discover them. Behind every hack, breach, and DDoS is a story. So what story is your SIEM going to tell you? Your firewalls, IDS, and systems are full of stories to be told. Maybe the story is one of a really good security team, or maybe one of a team that is in need of assistance. Often, at Wapack Labs, we run into organizations that never asked the questions in the first place!

Fact is, story telling takes time, which is something most security teams don't have the luxury of having. Maybe you know the "what?" or maybe even the "why?" but when it comes to the "who?", things start getting a little fuzzy.  

So here's the deal. I had a great week fly fishing in Tennessee last week. During one of our late night bourbon lubricated conversations, we talked about spend strategies for CISOs worried about risk. We described it differently, but the thought process is the same. Spend money to defend against the threats to your company first. Spend money to defend against threats to your industry second, and spend money on the broad-based cross sector threats next. 

Where does this information come from? Red Sky Alliance members are cross sector. You get everything from industry happenings to broader trends. Wapack Labs gives you focus. Are you a banker? We know a little bit about banking. Manufacturer? We can do that too. Heck, we did a piece on counterfeiting not that long ago. 

The "bringing together the meaning of why we care, and what story the intrusion tells" is something we do well, really well. What does this mean to your business? Every question can be answered with data and every piece of data is waiting to be questioned. 
And if you thought I'd walk off without talking current events...
  • Certainly, the Tunisia Hacking Team is banging the heck out of the Brazilians right now.
  • Cyber Berkut is running a new DDoS tool against Ukrainian targets.
  • I'm dying to see how ISIS is using Cyber in Iraq.
  • What does the WEBC2 indictment confirm about the Chinese operational procedures?  
  • And where is Edward Snowden? I miss that guy! I've gone almost two whole weeks without my Snowden fix. What's he gonna leak next?!
We're watching it all. And having a hell of a lot of fun doing it. Hell, you can't make this stuff up! The truth is SO much better than fiction! I love my job!

And last, but certainly not least, our Threat Day is coming up this week. We're headed to Tampa for happy hour at the Pebble Beach Country Club, followed by a day at a member location talking security. If I don't see you there, maybe I'll see you at Gartner the following week. I'll be the one with the Red Sky shirt!

Want to talk Red Sky Alliance? Wapack Labs? Are you taking over as a new CISO? Think about a baseline assessment. Send us your logs and we'll tell you what we know. It's a great starting point for a new CISO (I promise... you'll get your budget!). Drop me a note. We're here to help.

Until next time,
Have a great week!
Jeff