Saturday, September 20, 2014

Significant threat - VPN over DNS and Are Threat Intelligence organizations really dying off?

    In 2012, Wapack Labs began examining the use of VPN-over-DNS and the risk that insiders and external users could use such applications to circumvent authentication mechanisms, introduce new applications (tools) into the environment, and exfiltrate sensitive information through DNS's always-open port. We've provided reporting of possible VPNs running over DNS to literally several dozen companies. Wapack Labs continues to advise organizations to closely examine their DNS records for VPN-over-DNS entries and to monitor their DNS traffic closely; policies disallowing the use of this application should also be considered. This week, we published a detailed report on the VPN-over-DNS tool.

    Executive Summary 

    VPN-over-DNS is a free Android application available on the Google Play store, and it is also offered as a web-based application. It boasts fully integrated DNS tunneling combined with several mail clients, and while some organizations allow this application, Wapack Labs believes it to be a significant counterintelligence threat both to companies that allow it and to companies that may not be aware of its use.


    VPN-over-DNS was first released to the Google Play store on August 20th of 2012 by a French developer and is advertised as “data exfiltration, for those times when everything else is blocked.” VPN-over-DNS fully qualified domain names (FQDNs) have been observed in passive DNS resolving to a wide array of IP space, including education, government, corporate, military, and even unassigned IP ranges. However, an FQDN resolving to an organization’s IP space is not necessarily an indication that users within that IP space are actively using VPN-over-DNS; it may instead mean that VPN-over-DNS was used there in the past and that the tunnel may still be available for use. Wapack Labs is providing this analysis because of widespread observation in the wild as well as for situational awareness of an application with insider threat potential.

    The analysis, including mitigation strategies is available to Wapack Labs customers, including Red Sky Alliance members. 
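The advice above boils down to actually looking at your own resolver logs. As an added illustration (this is not Wapack Labs code and is not taken from the report), the script below applies a few of the usual DNS tunneling heuristics to a handful of constructed query-log lines: payload-friendly record types (TXT, NULL), long or high-entropy labels, and many distinct subdomains piling up under one registered domain. The log format, the tunnel-example.net zone, the client addresses and the thresholds are all assumptions made for the example; a real deployment would use a public suffix list for the registered-domain split and tune the thresholds against a baseline of your own traffic.

```python
"""Heuristic detector for DNS tunnelling (VPN-over-DNS style traffic).

Added example for this page; not Wapack Labs code and not taken from the
report. Log format, domain names and thresholds are constructed for
illustration and must be tuned against your own resolver's baseline.
"""
import math
import re
from collections import defaultdict

# Constructed resolver log: "<epoch> <client> <qtype> <qname>"
SAMPLE_LOG = """\
1411200001 10.1.1.5 A www.example.com
1411200002 10.1.1.5 A mail.example.com
1411200003 10.1.1.7 TXT 6a7f0c9d2e1b4a3f8c7d6e5f4a3b2c1d.t.tunnel-example.net
1411200004 10.1.1.7 TXT 9b8a7c6d5e4f3a2b1c0d9e8f7a6b5c4d.t.tunnel-example.net
1411200005 10.1.1.7 NULL 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.tunnel-example.net
1411200006 10.1.1.7 TXT aa55aa55aa55aa55aa55aa55aa55aa55.t.tunnel-example.net
1411200007 10.1.1.5 AAAA cdn.example.org
1411200008 10.1.1.9 A update.example.org
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")
PAYLOAD_QTYPES = {"TXT", "NULL", "CNAME"}  # record types that carry arbitrary payload well


def shannon_entropy(s):
    """Bits per character; hex/base32 payload labels sit well above English words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname, levels=2):
    """Naive registered-domain split (assumption: use a public suffix list in production)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-levels:])


def parse(log):
    """Yield (epoch, client, qtype, qname) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            yield int(ts), client, qtype.upper(), qname.lower()


def score_query(qtype, qname):
    """Reasons a single query looks like tunnelling (empty list = looks normal)."""
    reasons = []
    labels = qname.rstrip(".").split(".")
    if qtype in PAYLOAD_QTYPES:
        reasons.append("payload-friendly qtype")
    if len(qname) > 60:
        reasons.append("long qname")
    longest = max(labels, key=len)
    if len(longest) >= 30 and shannon_entropy(longest) > 3.5:
        reasons.append("high-entropy label")
    return reasons


def detect_tunnels(log, min_flagged=2, min_unique_subdomains=3):
    """Aggregate per registered domain; a tunnel is a stream of odd, unique subdomains."""
    per_domain = defaultdict(lambda: {"clients": set(), "names": set(), "flagged": 0, "reasons": set()})
    for _ts, client, qtype, qname in parse(log):
        s = per_domain[registered_domain(qname)]
        s["clients"].add(client)
        s["names"].add(qname)
        reasons = score_query(qtype, qname)
        if reasons:
            s["flagged"] += 1
            s["reasons"].update(reasons)
    suspicious = {}
    for dom, s in per_domain.items():
        if s["flagged"] >= min_flagged and len(s["names"]) >= min_unique_subdomains:
            suspicious[dom] = {"clients": sorted(s["clients"]),
                               "unique_names": len(s["names"]),
                               "reasons": sorted(s["reasons"])}
    return suspicious


if __name__ == "__main__":
    for dom, info in detect_tunnels(SAMPLE_LOG).items():
        print(dom, info)
```

It flags the registered domain rather than the individual query, because a tunnel shows up as a stream of unique, ugly-looking subdomains under one zone; a single odd TXT lookup on its own isn't worth a ticket.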

    BT BT

    Are Threat Intelligence organizations really dying off?

    I heard it three times this week. Threat intelligence shops integrating into the Security Operations Centers are being killed off because managers can't seem to show ROI.

    Here's the dirty little secret... there's a model for this. You should be able to actually track the cost of your intelligence process and make an informed make/buy decision on intelligence offerings as a service (like ours!). I'm sorry, I can't credit the source. I've worked on so many of these, and every one I've worked on looks much the same. I start with a basic CMM maturity model and adapt it. It looks a bit like Figure 1.



    Immature infosec teams are indiscriminate feeders when it comes to intelligence. They devour everything, only to realize that much of what they ate was tin cans, steel-belted radials, and general garbage. The good stuff that they actually needed was somewhere in there, but the bad stuff really tastes bad. During this immature phase, operations drives intelligence. Incident response analysis is mistaken for intelligence, and open sources of information are consumed without regard for quality.

    As the team moves up the maturity model, they start realizing that they want more data and better tools, and they start participating externally with smarter groups... the bird dog is training the bird dog. Now the costs REALLY go up. Learning lessons from their own environment becomes crucial, and analysis of internal data becomes key. The team finds more and more vulnerabilities, frustrating management. This costs money. The team is learning. During this phase, operations still drives intelligence, but the pendulum is beginning to swing the other way. The team starts hunting. They don't yet understand the concept of 'collecting against requirements', but they do have a standing set of information on which they maintain constant vigil...

    And then it gets better. It's when the teams become mature. Collection requirements, EEIs, and scouring the landscape for new threats become the norm. Many teams realize the value of (select) home-grown and open source tools complementing the COTS suite, and depending on the size of the team (I know BRILLIANT small teams that do very well!), they realize the value of intelligence in the SOC. The team becomes an intelligence producer instead of an intelligence consumer. In fact, it's almost magic. This is when intelligence feeds operations.

    Closing in on maturity, the model should start to look like figure 2 (forgive the slide!):
    So how do you know?

    Measure it!... Intel should do a couple of things for you:

    • At the strategic level, intelligence gives executives (and your marketing team!) an idea of what's coming. The more you know, and the better you plot it out, the better you'll be.
    • Intel should help with the tactical... not only "what's going to hurt me tomorrow?" but the higher-priority question "what is going to hurt me today?" Intel should complement your SOC operation. The SOC should know, on a daily basis, what Intel thinks they should be protecting against... What's coming for us? What's coming for our industry? And what is everyone else seeing?
    • And... when you can show drops in reaction times as a result of intel, or perhaps, faster reaction times resulting from very typical intel techniques - tabletop exercises, formalized brainstorming, greybeard sessions, and white/blackhat sessions (note I didn't mention penetration or vulnerability testing??), you know you've arrived.

    When you can show results like this... and your intelligence is fast turn, very actionable, and as right as it can be, you'll have no problems communicating the value of your team to upper management.

    So start here...  if you're an immature team, and need to keep your costs low, join an open source group. Learn as much as you can. Bounce indicators off of Threat Recon (it's free to 1000 queries per month), and start looking for badness in your network. Need help? Call us.

    On another note, I'm going to start posting as Wapack Labs instead of Red Sky Alliance. The portal is strong, but we've talked with a professional marketing guy who suggests we think about branding. Much of what I blog about falls outside of the information sharing construct. When we present, we talk of intelligence services and delivering it in many forms and in many forums --Red Sky Alliance, the FS-ISAC, through a community in Threat Connect (Beadwindow is on Threat Connect), and OEM'd (Threat Recon is available through ThreatQuotient). I'll be messaging from Wapack Labs from here out. Please use my Wapack Labs email account... jstutzman@wapacklabs.com.

    Have a great weekend!
    Jeff


    It's a big day!

    When Harvard was built they waited until students created paths in the grass, to and from class, before they built the sidewalks. We developed the Threat Recon API first to see how it would be used. And today (moments ago), we launched its first web interface for single search queries! We'll build features as users request them.

    Try it out for free for 1000 queries! threatrecon.co

    Please provide feedback and feature requests to threatrecon@wapacklabs.com

    Enjoy! Jeff

Sunday, September 14, 2014

Wapack Labs Blog: Threat Recon web interface is now live!

Wapack Labs Blog: Threat Recon web interface is now live!: It's a big day! When Harvard was built they waited until students created paths in the grass, to and from class, before they built the...

Saturday, September 13, 2014

Red Sky Weekly: American Sanctions Dumps, Threat Day

I'm reading an underground carding forum where the cards (presumably) from the Home Depot breach are being sold. The card dumps are labeled "American Sanctions Dump", and currently, there appear to be 13 dump files.  I've not purchased any cards, nor have we broken any rules, but there's a pretty nice catalog showing what's for sale... and it's pretty amazing.  I apologize for the sizing of the image below but wanted to show readers what these markets actually look like. I've obfuscated the names/addresses of the issuing banks, and the name of the user who actually pulled them, but the rest is all real.

Interestingly enough, the Canadian card (shown in the first row) is selling for $51.48 while most of the US cards sell for significantly less. Not sure why. Canadians have better credit? Even more shocking: the number of credit cards in the dump was dwarfed by the number of DEBIT cards! I'm not sure about you, but my mother always told me "don't use your debit card like a credit card! It's not safe!" ...I'll have to remember to ask my banker friends if this is really so. I'm not normally into tracking carding, there are loads of folks who do, but this was just too rich. The idea that a dump would be named "American Sanctions" so soon after I blogged about bankers being used as unprotected pawns by the Treasury department really got my analytic juices pumping.


Here's the other thing I thought was interesting. We obtained a dump of the credential database used by a (different) forum (we didn't dump it). When we started analyzing it, we realized that the passwords used by the guys stealing cards from folks with bad passwords were actually pretty bad themselves. No password at all was used in nearly half of the accounts in the dump, and qwerty was easily the next most used. It went downhill fast from there. Literally thousands of them used the same password (black, qwerty, 123456, etc.). Not sure why, but that really took me by surprise. This is a fairly well known hacker forum (fairly well known meaning over 10,000 regular users), and the guys grabbing tools had both lousy passwords and bad OPSEC! Why do I care?

Years ago when I first started in the intel business, profiling attacks, victims, attackers, etc., I worked with a couple of really cool guys. My team profiled over 3000 attackers with the idea of understanding not only who these guys were, but how they operated, what their motivations were, and whether, over time, they got better. The nice thing was, many of them were new. When they hacked, we saw it, knew who they were (because of their poor OPSEC) and, through a combination of means, could track their growth (and attacks) throughout the years. And of course it worked. I have a feeling we're seeing the same thing on this hacker forum: young users grabbing tools and practicing terrible OPSEC. They'll get better. And we'll know. And yes, we're posting this stuff to our membership, and indicators to Threat Recon.

BT BT

We had a heck of a great time this week. I've not been to Manhattan for more than a couple of hours at a time in years. Usually I take the train in, attend a meeting or two, and take the last train out. And now, I've spent most of the last two weeks there. Last Tuesday was with the Chertoff Group (thanks Mark for the invite!) before doing cocktails with Red Sky members at the Vander Bar in midtown, and Threat Day on Wednesday at the HQ of a large Manhattan-based bank. What a place... we were on the 26th floor, facing south, right on Times Square. The presentations were incredible --one member talked about building a DNS filtering tool that he uses to analyze all of his DNS requests. Another talked about joining a botnet to analyze activity. Another detailed an APT event that they'd lived through, and yet another profiled an APT actor. Every quarter I get reenergized when I sit through Threat Day. It's not about having 2000 people in Vegas, it's about 30 really smart ones sitting in a room, watching the screen, interacting and sharing notes. And that's what we did. That's what I like about Red Sky.

I'm going to close out this week with this. A Mitre PhD just published a piece entitled "Turning the Tables on Cyber Attackers...." I especially like the section "Mixing Automated Tools with Human Analysis" (as a side note, nine providers set dozens of cookies on my browser when I opened it). That said, Mitre is now espousing the idea that humans must be involved in analysis to turn the tide on cyber attacks. Say it ain't so! Mitre called out Red Sky Alliance about a year ago as one of the better sources for human analysis, crowdsourced in our private portal. And today, the idea that humans need to look at both the forest and the trees is a massive step forward in thinking. What's old is new again. I love it. The paper in its entirety may be viewed on the Mitre site. For now, know this. It's true. Relying on open source or big data always requires further analysis. Someone MUST sort through, evaluate and prioritize findings. That's where we come in.

I especially love this paragraph:

"... Automated tools are incredibly useful, but detecting advanced cyber intruders also depends on skilled and experienced defenders. These defenders are like detectives at the scene of a crime—looking for clues, following leads, making connections, and using intuition as well as hard data to figure out who did what." 

On that, ThreatRecon.co is going well. We'll have a simple web interface up soon. Red Sky is welcoming new members, and Wapack Labs is busy. Need information? Drop us a note. Red Sky for collaboration; Wapack Labs for subscriptions; and Threat Recon (API) for up to a thousand free queries per month.

Until next time,
Have a great week!
Jeff



Saturday, September 06, 2014

Red Sky Weekly: Malware analysis leads to widely used infrastructure, 500+ domains

Normally I lead off with a bit of a story or a lesson, or a gripe. Not this week. This week I'm leading off with a piece of work that we published yesterday --a deep-dive piece of analysis on new malware being leveraged in targeted cyber crime operations.
Working from an open-sourced lead, Wapack Labs identified and analyzed a new piece of malware. We've dubbed the malware family Backdoor.KLGConfig. Two variants were identified. One variant was observed specifically targeting credentials for a popular banking application believed to be used by many financial institutions. Further analysis exposed a wide criminal infrastructure consisting of over 500 domains.
Fusion Report 14-023 (FR14-023) was published. It's ten pages of analysis and over 20 pages of indicators. The indicators are available in Threat Recon API* with a "reference" search for "FR14-023". 
(*The Threat Recon web front end is in the works. If you need scripts for the API, you can find them here. If you prefer, we've got a down and dirty desktop application available that will also front-end Threat Recon. It ain't pretty, but for those who prefer point and click, Pizza Cat is on GitHub as well. It works well, parses darn near everything and then runs the queries through our API. Simple stuff. You can find Pizza Cat here.)
BT BT
Now I'll free-form it a bit. First, I attended the AT&T Security Conference this week. This is a smaller conference in comparison, but one of the reasons I've attended for the last few years is that there's something about the AT&T message. Yes, there's a bit of pitch involved, but how many places can you go to hear a full day of talks from a major carrier... folks analyzing 60PB of data per day. It's a VERY different perspective. Endpoints = mobiles, and cloud is the way of the future. And that's something that interests me immensely. Use cases, virtualization, speed, cost, benefit, and of course, my favorites: security, complexity, and new disruptive ways of doing a whole lot of things. We're looking at endpoints going from millions to billions with the introduction of the Internet of Things, and the only place to hold all that data is, you guessed it, the cloud! So imagine the opportunity (for good or bad) and what that'll mean for IT and security pros. As a starter, it means you better keep up. For me? This is cool stuff! I'm planning on playing in it in the future! I want to learn as much as I can.
Next, the portal continues to be busy, and more-so, we've begun pushing Beadwindow documents into Threat Connect. That's right. If you'd like to buy Beadwindow reporting and access it through Threat Connect, give us a call. For now we'll sign you up the old fashioned way, over the phone with a credit card, but hopefully that'll change soon.
Red Sky is doing well, but we heard loud and clear that members wanted automated means of accessing intel. If you'd like to access feeds of information, we're all for it. So for that, we now push lab-sourced reporting in subscription feeds, or through Threat Recon. If you're one of those users that needs (must have) a web interface, hang in there. It's coming soon and your API key will still work. And just yesterday, we wrapped up prototyping our initial Splunk connector. Our friend Seth Bromberger authored a Python module, and others have contributed connectors to CRITs and a Maltego transform. The Python queries have been converted to Ruby for those who prefer Ruby, and the community, the number of Threat Recon users, and those who wish to integrate/OEM with it grow by the day. In fact, by next blog, I fully expect to announce the integration and availability of a Wapack Labs feed through at least two new OEM partners!
Threat Recon can be found at threatrecon.co.
Until next week, check out Threat Recon. Give us a call if you'd like to talk OEM, and at Red Sky, when you want full content, this is where you go to get it. And quoting Tom Bodett: Come on in. We'll leave the light on for you!
Have a great weekend! Jeff

Saturday, August 30, 2014

Red Sky Weekly: At the Intersection of Financial Warfare and Cyber

Financial Warfare? Carried out in cyberspace?
http://www.newsweek.com/2014/05/02/art-financial-warfare-how-west-pushing-putins-buttons-248424.html

For months, we've been following the Russia | Ukraine conflict from the perspective of cyber as a means to an end. We've tracked and reported, both in this blog, and in more detail for our members and customers, the exploits of Cyber Berkut, Green Dragon, and suspected Russian involvement in the Ukrainian Presidential election (shortly after the US Congress passed legislation to back a US$1 billion loan guarantee, and US$50 million to help guarantee a fair election). And a few days ago, after much hand wringing, heated discussion, and finally, normalizing a would-be intelligence assessment, we published a piece that suggested that large investors and holders of long-term debt in the region are at higher risk than others for cyber attack. And we didn't talk about it, but the reality is,  those who've participated in sanctions should expect retaliation --and probably via cyber.

On that, I remembered a Bloomberg piece from July. The piece described a tool in the diplomacy toolkit that our leaders have been using for some time. Bloomberg describes it as Financial War. In May, Newsweek published a similar piece entitled "How the west is pushing Putin's buttons".

"The U.S. antiterror arsenal includes Predator drones, Tomahawk missiles and men in gray suits who target rogue regimes' finances." (http://online.wsj.com/news/articles/SB10001424127887324665604579080260261350776)

So why is a cyber guy talking about Financial War, quoting Bloomberg and the Wall Street Journal? Because financial warfare, delivered via cyber is quickly becoming the diplomatic weapon of choice. What happens when bankers uphold sanctions by blocking wire transfers and suffer retribution as a result? When the owners of the banks that are blocked from receiving money grouse to their childhood friend, and when that friend is Vladimir Putin, and when even today, they practice judo together --when all of this occurs, it should come as no surprise that the bankers that our administration used as a weapon are retaliated against.

I'm keeping it short today, but want to leave you with a couple of think points...

When bankers (or others) are retaliated against, who will protect them? What kind of regulatory action will occur when bankers stick their neck out in support of diplomacy? Will bankers be punished for being hacked? And will (should) the government offset losses to investors if/when they occur as a result? 

BT BT
  • Red Sky turned THREE this week! It's amazing, and it went by in a flash, but three years ago, Red Sky Alliance Corporation was born. 
  • We've begun populating reporting in the Beadwindow portal in Threat Connect
  • ...And the analysis engine has been in overtime. The portal is busy --it has been all summer, and going into labor day weekend, for some reason, we've started getting calls for new memberships. 
I'm keeping it short. It's the one sunny day we're expected to have this weekend, so I'm going to take advantage of it. I hope you do too.

Have a great Labor Day weekend!
Jeff




Tuesday, August 26, 2014

Wapack Labs Blog: Wapack Labs Technical Analysis: VSkimmer and Black...

Wapack Labs Blog: Wapack Labs Technical Analysis: VSkimmer and Black...: Originally published on January 30, 2014, this analysis product was offered privately during the height of the Target breach. Over the weeke...

Saturday, August 23, 2014

Red Sky Weekly: Shocking!

Author: Cuban political cartoonist Antonio Prohías
German intelligence spies on Americans and Turks?

Chinese Hackers targeting information on MH370?

Malware targeting ex-Soviet states has Russian hallmarks?

Say it ain't so!

For months we've read stories about the NSA. I thought I'd take a moment and talk about the second oldest profession in the world: spying. Every country has organizations dedicated to this craft. And with 196 plus or minus countries in the world (depending on who's counting), you'd be hard pressed to find a country with just one intelligence organization. Most have several. Add in another 10,000 marketing/intelligence shops owned by companies, the fact that the Society of Competitive Intelligence Professionals boasts chapters all over the world, and a quick Google for Competitive Intelligence yields over 10 million hits. Ever read an analyst report when you're thinking about buying stock? When you're using it to make decisions about what to buy, that's intelligence...

There is no escaping this fact. Intelligence is everywhere. And cyber is one easy place to get it.

In 1999, I gave a talk at SANS on this very topic. At the time, I was both an intelligence officer and a SCIP member. I talked of the movement of spying toward cyberspace, offering examples of paid intelligence collectors, working in the private sector, grabbing precious information from other companies via computers. I spent some time actually teaching my audience how this is done, and for all of the work I'd done preparing the presentation, my reviews came back with comments like "Stutzman is selling snake oil", "The sky is not falling!" and "What planet is this guy from?" I'll never forget it. I was not invited back.

Since then, I've given that same talk, unedited, in pieces or in its entirety, as if it were still 1999, dozens of times --Navy War College's Strategic Studies Group (where Navy Captains go when they're about to put on a star), during classes at Norwich, Worcester Polytechnic Institute and Harvard, and more times than I can count to new analysts. It was a simpler time, but nonetheless, that talk from 1999 holds true today, and was dead on then. I remember it well. I liken good intelligence to information presented by securities researchers when their bosses are playing the market. The reports offer recommendations at the top of the page; they offer some kind of mechanism to score the researcher, and then lay. (I'll save this for another blog entitled... what does good intelligence actually look like?). It's beautiful!

What does intelligence look like in cyberspace? How does one go about collecting it? My talk included that too... and at the time, the USSR was breaking up and those spies, needing jobs, migrated largely to countries in Europe... including Germany. Many worked for the banking community, attempting to help protect investments. Think they're the only ones? Many of my former co-workers and peers also now work for corporate America. And what do you think they (we) do? Intelligence, research and analysis. Pick a country and I'll tell you a non-military story of how someone is spying on someone else for money. We expect it from the government. It's the second oldest profession in the book.

So, hold on to your hats folks. Cyber increases the speed with which access can be gained to specific information. It offers access to vastly larger caches of data as storage becomes smaller and the amount of data it can hold becomes bigger. And computers can be targeted like no human ever could... silent, fast, accurate. And it is very much taken advantage of.

Does it come as a surprise that German intelligence folks are spying on the US and Turkey? No. Pick a country.. they're spying on someone; either for military or economic gain.... and your computer is the easiest place to get information from.

I love my job!

If you'd be interested in seeing the presentation, drop me a note. We'll set something up.

BT BT

It's been a great week.

Announcing Beadwindow on Threat Connect!

I'm happy to announce that we've partnered with Threat Connect to make our Beadwindow portal (our open portal) available on Threat Connect. The site is set up and we're moving content over as we speak. Interested in membership?  Rick is the Beadwindow Community Director and can get you set up. Contact Rick.

In the Red Sky private portal:
  • The Red Sky portal has been really busy. Normally over the summer it takes a dip, but not this year. We added a couple of new members, including one this week. 
  • We continue to watch and blog lessons from the cyber activities undertaken during the Ukraine/Russia conflict, and we posted updated GEOPOL reporting. 
  • And this week we loaded up caches of tools known to be used by a couple of prolific groups. Not all of it has been analyzed, but there's plenty of talent in the portal to assist.
In Wapack Labs:

Threat Recon adoption continues to grow. 

https://pypi.python.org/pypi/threatrecon
Yesterday, Seth Bromberger, one of our friends and an expert in the industrial controls security community, posted a Threat Recon python module to python.org and GitHub. In the last 24 hours, there've been 478 downloads!

We've put up our internal Maltego server. The transforms work wonderfully (thanks Bart!).

We're not a CRITs shop, but there are scripts written and posted on GitHub for CRITs integration.

And standby folks, Splunk is coming!

Enough for now. Until next week, have a great weekend!
Jeff






Friday, August 22, 2014

New API module for Wapack's ThreatRecon!

Thanks to Seth Bromberger for writing a Python module for our cyber threat intelligence system ThreatRecon. You can download the module here: https://pypi.python.org/pypi/threatrecon

Thanks Seth!

Saturday, August 16, 2014

Red Sky Weekly: The unsexy truth about cyber insurance.

I know cyber risk insurance isn't one of life’s most sexy topics, but it is one worthy of discussion. I was reading an article by Craig Carpenter titled “Lack of Incident Response Holding Back Cyber insurance Market” this afternoon (the article can be found here: http://tinyurl.com/pn2yjs8). Craig made some very good points in his “Three Simple Steps” that will help both the insured and the insurance companies in working together toward common ground. These steps include: detection and swift response, full-fledged incident resolution teams, and working with clients to develop best practices starting with “Mean Time to Response (MTR).” Each step should be considered by any organization if not already in place; they are really part of good overall cyber hygiene. With these steps in place, organizations are already mitigating much of their cyber risk and insuring themselves against costly cyber incidents.

What if insurance companies planning to write cyber risk insurance took the time to assess the “cyber health” of the potentially insured before writing policies? When I shopped for life insurance when my children were young, I answered pages of health history questions about myself and my family. Then there were the urine and blood tests and the blood pressure cuff. The insurance company was really interested in my current health condition(s) prior to estimating how healthy I would be in the future. Why are insurance companies not requesting a cyber “health” assessment prior to insuring companies, not just from a cyber risk standpoint but from an all-inclusive business risk perspective?

Network data can be analyzed through a number of tools; ThreatRecon comes to mind (www.threatrecon.co). Tools that can quickly assess the malicious activity found on the potentially insured network can go a long way in helping actuaries assess the potential for financial loss in the event of a network breach. Indicators from a client’s network data can be run against indicators known to be questionable or even dangerous. Wouldn't an underwriter be interested in knowing if a potential insured was already p0wned before writing any coverage? Tools such as ThreatRecon could also allow a business owner or third-party analyst to review their data before calling their insurance agent for a bid. If you have a verified “sound” cyber health check, shouldn't you get a better price on your new policy? Knowing the context behind threats that may already be hitting your servers would be even better; why not raise the level of prevention before you experience a breach?
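To make the "run a client's network data against known indicators" idea concrete, here is an added example (not from the original post and not the Threat Recon API) that pulls hosts out of a few constructed proxy-log lines, matches them against a small local indicator list carrying context, and rolls the hits up into the kind of summary an underwriter or business owner could act on. The log format, the bad-example.net and 198.51.100.23 indicators, and the REPORT-000x references are all constructed for illustration; in practice the indicator list would be pulled from your intel feed or API and the verdicts stored somewhere, but the matching logic is the same.

```python
"""Triage a slice of network data against a local indicator list.

Added example; not part of the original post and not Threat Recon's API.
The proxy-log lines and the indicator list are constructed. A real run
would source INDICATORS from a feed or API, but the matching is the same.
"""
import ipaddress
import re
from collections import Counter

# Constructed proxy-style log lines: "<client> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://cdn.example.org/jquery.js 200
10.0.0.12 POST http://update-check.bad-example.net/gate.php 200
10.0.0.15 GET http://198.51.100.23/cfg.bin 200
10.0.0.15 GET http://www.example.com/ 304
10.0.0.17 POST http://update-check.bad-example.net/gate.php 200
"""

# Constructed indicator set with context (hypothetical values and references).
INDICATORS = {
    "update-check.bad-example.net": {"type": "domain", "confidence": 90,
                                     "tag": "banking trojan C2", "ref": "REPORT-0001"},
    "198.51.100.23": {"type": "ip", "confidence": 70,
                      "tag": "malware staging", "ref": "REPORT-0002"},
}

# client, method, scheme, host, optional :port, path, status
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)://([^/\s:]+)(?::\d+)?(\S*)\s+(\d{3})$")


def classify_host(raw_host):
    """Normalize the URL host and say whether it is an IP or a domain name."""
    host = raw_host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host, "ip"
    except ValueError:
        return host, "domain"


def triage(log, indicators, min_confidence=50):
    """Return one hit per log line whose host matches a known indicator."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; count these separately in a real pipeline
        client, _method, _scheme, raw_host, _path, _status = m.groups()
        host, kind = classify_host(raw_host)
        ctx = indicators.get(host)
        # type check guards against a domain indicator accidentally matching an IP string
        if ctx and ctx["type"] == kind and ctx["confidence"] >= min_confidence:
            hits.append({"client": client, "indicator": host, "tag": ctx["tag"],
                         "ref": ctx["ref"], "confidence": ctx["confidence"]})
    return hits


def health_summary(hits):
    """Roll hits up into the numbers an underwriter would ask for."""
    by_client = Counter(h["client"] for h in hits)
    by_ref = Counter(h["ref"] for h in hits)
    return {"hits": len(hits),
            "hosts_affected": len(by_client),
            "refs": dict(by_ref),
            "worst": max((h["confidence"] for h in hits), default=0)}


if __name__ == "__main__":
    found = triage(SAMPLE_PROXY_LOG, INDICATORS)
    for h in found:
        print(h)
    print(health_summary(found))
```

The confidence floor matters: a shared-hosting IP with a 30% confidence tag will light up half a network if you match on it blindly, so the summary reports the worst confidence seen rather than just a count.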

The question will arise, who will pay for the cyber assessment?  Of course the insurance company will not want to absorb the expense, but it could be listed on the insurance invoice as a consulting fee.  I would hope that a business owner would like an independent assessment of their cyber health, especially since they are shopping for cyber insurance.  When taking into account the costs associated with cyber breaches, both financial and reputational, the costs of an assessment are a fraction of post breach cleanup.  A sound plan to assess a business’s network and knowing the cyber health of your own company first, then implementing Craig’s Three Simple Steps looks like a winning combination to me.

BT BT

Yesterday, we held our first webinar for ThreatRecon, Wapack Labs’ cyber threat intelligence API. The webinar was very well attended by more than thirty of some of the best analysts in the industry. We couldn't have been more pleased! The feedback from the cyber community remains very positive and the adoption rate for the platform is growing daily. Giving cyber security teams the means to look at hundreds of thousands of high-confidence indicators with full context and full attribution fills not only the need for quick answers by analysts but also the need for the compelling stories CISOs require when advocating to keep their operations fully funded.


Wapack Labs’ offers ThreatRecon for free for the first thousand queries – we believe that strongly in our mission and core values of protecting organizations from cyber threats.  You can get started by going to the ThreatRecon website at https://www.threatrecon.co  If you didn’t have the opportunity to see the webinar, you can watch it here: https://vimeo.com/103543432   

Saturday, August 09, 2014

Red Sky Weekly: What can we learn from the soft targets?

When I asked someone what the marketing hook at Black Hat was this year, he simply replied, “Apparently to scare the $#!^ out of everyone!” I couldn’t help but laugh, but having been to those events before, that sounds like business as usual, and I doubt it was any less fun this year. :) Back in the lab, the past 72 hours have been incredibly busy chasing down things that should really scare you, if you're not prepared for them!

About mid-week, one of our honeypot email recipients received several spear phish attempts in rapid succession.  This particular honeypot is one that gets spear phished in a more-or-less programmatic manner, so when we saw such a quick burst of activity, it caught our attention.  All three samples are currently being reversed by the lab’s analysts, but two of them really caught our attention!

The first was a very complex piece of malware that we’ve yet to identify completely.  The IDA map looks like a flowchart for the launch sequence of the space shuttle!  A complex executable with lots of interesting loops and calls and many layers of obfuscation and encryption; this one is going to take a bit to reverse, but it should provide for interesting discussion among the Red Sky analysts!  The most interesting attribute of this nasty bug is that it appears to be operating system agnostic, due in part to its unique exploit attributes, with the ability to infect most modern systems.  We’ll see if that is true. With time being limited, we switched gears and took a look at the second piece of malware we found interesting.

When examining this second piece of malware, we identified the C2 node and ran it through Threat Recon.  Immediately, the results came back and we knew we had something very interesting on our hands.   Taking the C2 as the pivot in our analysis, with Threat Recon we were able to identify an additional 3 IP addresses and over a hundred new indicators in a matter of minutes, with context that helped identify the nastiness we were seeing.  As someone who’s been in this game a long time, I think that’s pretty damn cool to get results that fast!  So what did we find and why is it significant?

If you’re in the banking sector, the Win32.Banload Trojan, a.k.a. Ikarus, may conjure up some bad memories. First seen as early as 2008, perhaps earlier, the Banload Trojan is associated with the Win32/Banker Trojan family, Trojans notorious for stealing banking credentials.  In all, our original pivot point and Threat Recon helped identify several variants of banking Trojans, including Malgent, Camec, and Orsam!rts, being served up from more than two dozen domains.  All that analysis and context is good and should keep analysts busy for a bit, but why is this significant?

Wapack Labs has been following adversaries targeting political dissidents for some time now.  By doing this, we’ve been able to capture malware samples that have never been seen in the wild; this alone is helpful in identifying new variants of malware quickly and pushing that analysis to the membership for mitigation. However, by examining the targets themselves, another story emerges.

It’s not surprising that malware used to steal banking credentials, even older variants, is being used to target individuals, particularly those who are outspoken against governments and high profile political causes.   Many of these dissident groups, and those running them, collect millions in donations for the causes they support.   Charitable organizations and non-profits may be perceived as “soft targets” with weak defenses, and the disruption of money flowing from these groups could disrupt or even halt the ability of the cause to effect the changes they seek.  By striking at the bottom lines of some of these organizations, adversaries may be able to silence their voices and lessen their effectiveness.  Besides the disruption of money, compromising the private databases and correspondence of political action groups could be a treasure-trove of information for identifying other targets for future attacks, or could be used as criminal or political leverage.

What we’ve come to realize over the past year or so is that the soft target paradigm is one that security teams should be examining much more closely.  The low effort and high return on investment is a value proposition too lucrative for adversaries to ignore.  For us on the defense, the value proposition is equally high. From our research, targets with inadequate defenses make excellent proving grounds for new malware development without the risk of leaving breadcrumbs on VirusTotal for the world to examine.  Additionally, the wealth of information you capture allows you to develop new tools to systematically process all the pivoted information into actionable information to protect yourself.  This is why Threat Recon was such an important tool for us to build and offer to the security community – it saves time and returns quantified and qualified actionable information very quickly.  As we continue to collect from these soft targets, Threat Recon and the results it provides will only become that much more valuable.

BT BT

The community of Threat Recon users continues to grow and the feedback remains very positive. This week, we’ve heard from several early adopters as to how they’re using Threat Recon in their enterprises, and we’re starting to hear about the creative ways other cyber security teams have developed tools around Threat Recon’s API.  One example is the integration of the tool into CRITS, and another is a Java application for doing bulk queries.   If you’re one of those working on your own tools using the API, we would love to hear from you, and if you have questions, feel free to reach out to us directly!

To that point, this past week the lab has been working on our own application, which we will be publishing on the Threat Recon GitHub and which will include the ability to query indicators in bulk against the API.  Pizza Cat, as we call it, is a parsing engine that will be available to those who want to use Threat Recon but may not have the expertise on staff to develop their own tools, or the time.   If you’re interested in trying it, please drop me an email at rgamache@wapacklabs.com or go to https://www.threatrecon.co

Next week, Jeff should be back to the blog.  With two weeks to clear his mind, I’m sure he’ll have plenty to say.  Thanks for the audience the past two weeks!

Saturday, August 02, 2014

Red Sky Weekly: Would you respond to Zeus differently than ZXshell? Why? Context is king.

Jeff is off on a much deserved break so he’s left me in charge of the blog.

As you may well be aware by now, Wapack Labs, Red Sky Alliance’s threat intelligence arm, has released its first iteration of Threat Recon via a web enabled API.  The response this week has been tremendous!  With hundreds already signed up and more each day, the feedback we’ve received from the many people throughout the cyber security community has been both helpful and supportive, and for that we are very grateful.

Here’s a real world example of how we’re using Threat Recon in our everyday analysis.  While preparing a presentation I have to give this week for some folks in the financial sector, I had some questions about the Zeus Game Over botnet.  Wapack Labs is very familiar with this campaign and our Near East intelligence people watch the activity closely.  Wanting to illustrate its pervasiveness, I opened the API and did a search on a particular set of indicators I know are bad, and in a matter of seconds I had enough context to fill an hour of presentation time, plus new stuff I hadn't seen before!

What is particularly powerful about the results out of Threat Recon is that the context is both technical in nature and rich, allowing me to scale the presentation to the level the attendees are most interested in.  But that’s not the really cool part!  The best part was that I was able to pivot off that information and see how newly contextualized indicators were being added from the wide dragnet of collection techniques we use every day in the lab.  Result?  A much deeper understanding of Zeus Game Over’s activity and the people behind it!   Members of Red Sky are going to love the resulting reports from our findings. :)

When we started Red Sky Alliance in 2011, our focus fell squarely on the quality of analysis contributed by members and not the quantity of threads.  In fact, in the Red Sky community, all analysts are peer reviewed as to the accuracy and quality of their analysis, and that continues to this day.  This quality-over-quantity approach has proved to be an extremely valuable tool for both our Red Sky members and Wapack Labs customers.  Our high quality, high confidence indicators give first responders laser-focused information on what threats they’re dealing with when the alarms start pinging.  At the same time, the rich context of our reports allows CISOs to quickly sum up the crisis as they prepare to brief the C-suite on the things they really need to know.

Over the past three years, we’ve seen the discussion of intelligence turn into a question of “How much data do you have?”   Despite that, we’ve stayed the course and continued to focus on qualified, highly actionable intelligence.  

Through Wapack Labs, we’ve developed a robust collection effort, but we’ve never lost sight of our core belief that intelligence must be contextualized and that you can never remove the human element from the process.  If you’re one of the many who have used Threat Recon already, you’ll notice that every query with a result returns context to help you pivot off for deeper analysis.

When I’m asked, as I often am, “How many indicators do you have?”, my response is generally met with some incredulity because it sounds like a small number compared to other “intelligence” companies publicly claiming to host many millions of indicators; however, when I explain how we collect and process our intelligence, and I mean the full spectrum of cyber intelligence, HUMINT, OSINT, SIGINT, and TECHINT, that we conduct on a daily basis, it commands attention.

If, as the old saying goes, “We’re looking for a needle in a stack of needles,” and I can confidently tell you that one needle is slightly smaller than all the others, I’m pretty sure you’d want to know about it and would find that information useful in your search.  This alone is what differentiates Threat Recon from any other analysis tool you’ve ever used.

The debate about the usefulness of Big Data will be around for a long time and the jury is still out, but here’s something to think about.  If you’re like most of the incident responders I talk to, there’s very little time in the day and too few resources to sift through false positives.  Would you choose four million indicators with little or no context, or half a million high confidence, vetted indicators, many supplied with full attribution, to focus your effort and assets?  How you respond to Zeus will most likely be far different than how you respond to ZXshell.   Context is king when you have limited resources!

If you’re interested in what we have to offer, see for yourself.  Threat Recon is available now through our web API and can be found at https://threatrecon.co.   Join the many who are already using it to help them in their cyber security efforts.

BT BT


Red Sky Alliance has entered a formal partnership with Threat Connect and is moving Red Sky’s public-to-private portal “Beadwindow” to the Threat Connect platform.   We’re excited to move forward on our plans to make this portal an even better tool for incident responders, analysts, researchers, and CISOs.  Beadwindow members include federal, state, and local agencies as well as centers of higher education and the medium to small businesses that can’t dedicate a lot of time to cyber security analysis.

Through Beadwindow, you’ll have access to a managed community with participation from some of the best minds, analysts, and security strategists in the business, as well as all the reporting we’ve published in the last three years.  If you’re interested in becoming a member, email me directly at rgamache@wapacklabs.com.

Saturday, July 26, 2014

Wapack Labs Blog: Wapack Labs announces our new API, Threat Recon™.

Threat Recon API Version 1.0

Threat Recon™ is a new threat intelligence API developed by Wapack Labs and powered by Go.
 
The Threat Recon™ threat intelligence API leverages Wapack Labs human analysis, open source information, and machine generated metadata such as Whois records, historical and current DNS information, and tagging, and includes a proprietary confidence algorithm to provide as much context as possible about a single indicator, with prioritization by confidence.

Basics and Getting Started

Getting started is easy!
First, sign up to receive your free API key. Read the 'Usage' section for example queries.
Need tools? Test it from the command line, or if you prefer, download example scripts from the Threat Recon™ hosted GitHub repository. The first scripts were provided by us in Python. Shortly into beta and load testing, Justin and Nick at CBTS converted them to Ruby, and our friends Bart O and Brian at HP authored and posted Maltego Transforms!  Any programming language that can parse our JSON output will work with the API.

Give us a try!

Get your first 1000 queries for free. Sign-up is easy at threatrecon.co.
Feedback so far has been amazing. If you have any questions, comments, or problems, please let us know at threatrecon@wapacklabs.com.

Saturday, July 19, 2014

Red Sky Weekly: Flight MH-17 shot down over the Ukraine

It is a sad day for all of us when a civilian airliner is shot down.  It is not as if a commercial airliner is trying to sneak across borders at 33,000 feet emitting a code that identifies the carrier and the flight number to all air traffic controllers.  The first question we all asked was, “Who shot down Flight MH-17?”  We wanted immediate proof of who did it.

Let’s backtrack to the recent articles on the abuses of the NSA and our intelligence officers who are working abroad collecting information.  Without intelligence gathering, who would we turn to for answers?  We know that our former friends in Russia will likely not tell us the truth.  They are fighting to take over a neighboring country; they will use this as an excuse to blame the Ukrainian government and perhaps justify their actions.  Wasn’t it nice for all of us watching the evening news last night that we were able to see/hear the radio transmissions of the guilty parties explaining that they had shot down a civilian airliner?  This was the same crew that was bragging about shooting down a Ukrainian cargo plane, also with no survivors.  These radio transmissions were recorded too.

How do you suppose our government came by these radio transmissions?  Well, they were collecting intelligence and did not know what may or may not be important.  They did collect these radio transmissions and a lot of other chatter, but these turned out to be the proof that the world needed.  It makes me glad that all of the bad press about the Snowden incident did not cause our country to cease all intelligence gathering.

At Wapack Labs, we collect intelligence on state sponsored cyber terrorists, hackers, hacker groups and the tools that they use.  Not everything we collect has value, but we do our best to collect the information that will help our customers and Red Sky members best protect themselves. By collecting information, hopefully the right information, we could, and often do, have the pieces of information that could very well protect your business when you really need it.

BT BT

For those of you who follow our blog, we have been talking about our new product, ThreatRecon.  We have one more week of load testing and a number of Red Sky Alliance members and others are hitting it hard and are happy with the results.  The feedback to date has been amazing. 

On the analysis side, earlier this week we published a report detailing what we believe to be the first piece of malware (a banking trojan) embedded on mobile phones at the factory. We broke down the malware and identified the author.

We added to the Ukraine | Russia discussion. Our Eurasia team is watching intently, adding this week to the discussion of Russian involvement in the break-in at NASDAQ several years ago.

Last, the alliance is growing slowly and nicely. We're not as worried about having hundreds (thousands?) of members as we are about having a small group of really good ones. So this week we did an orientation session with a new member from an Icelandic bank, and will soon be bringing in our first Austrian company. I'm very much looking forward to visiting both locations... fly rod in hand for one, and skis over my shoulder for the other!

Until next time,
Have a great week!
Jim McKee


Saturday, July 12, 2014

Red Sky Weekly: if you want to check the engine, you've got to look under the hood!

Let me ask a simple question. If you took your car to the mechanic and he never lifted the hood to check the noise you've been hearing, would you trust him when he makes his diagnosis and hands you an estimate? Some mechanics have more oil under their nails than my car has had in its oil pan, but those guys have more time under the hood than nearly anyone I know, or have MIT degrees (the Car Talk guys?!) and can diagnose problems based on the sounds made by the owners. But for most, if you want to check the engine, you've got to look under the hood!

Why am I talking about cars and mechanics? Because believe it or not (hell, I can hardly believe it myself!) I'm going to defend NSA... this week marked yet another piece stemming from the Snowden leaks (The Washington Post, republished by the Boston Globe). I'm not going to defend only the NSA, rather the idea that to catch criminals using the internet, we need to monitor the internet! It's a simple concept!

As a security pro, if I want to know what's going on in your computer, I need to be able to look at it. If I think it's been broken into, I need to look at processes running, files on the machine, and for those really pesky APTs, I'm going to need full packet captures on all comms going in and going out of your network. And yes, I may need to read your email! I promise, if I don't need to I won't, but sometimes... well.

I consider myself an inactive, middle of the road Libertarian. I don't participate in Porcupine events. I'm not an anarchist, and I'm not a hemp wearing hippie, but I do believe that my freedoms are really important. I have no problem with the EPA taking water samples to make sure our watershed hasn't been polluted or poisoned, and while I'm not a fan of NSA reading traffic over the wire, if in fact they really do (I don't really know), I'm as much a fan of having someone read my email as I am of my annual prostate exam. In either case, there's a necessary evil that must be endured for the sake of long term health.

Need examples?
  • Last year, while watching activities related to folks breaking into computers, we were tipped off to a cache of videos of bad guys teaching other bad guys how to make bombs in their garage... about 30Gb of the stuff. Don't worry. We did the right thing... but at the same time, we had evidence of bad guys doing bad things on a good tool... bomb makers teaching others to make bombs and distributing the videos on the internet.
  • How many dirt bags are taking liberties with kids and pushing their stuff around the internet? 
  • And I haven't even talked about espionage, credit card theft, banking account takeover, or fraud yet... 
And so you wonder why, when we're worried about terrorism, or millions of credit cards stolen from your favorite department store, or espionage targeting the very intellectual property that you work so hard to build and sell... why do people monitor raw data? To find those A-holes (yes, with a capital A) that keep stealing our stuff.

Yes, there are challenges with troubleshooting blood-borne computer illnesses, and certainly privacy concerns in having to look at the actual data to know when terrorists may be planning attacks over Twitter, but we'll figure that out. And the answer should not be black and white. It's going to land somewhere in the middle. So for now, I don't read the paper when I see yet another Snowden story. It pisses me off.

And yes.. I own Fireeye stock. I own Splunk stock. If NSA offered stock I'd buy it in a heartbeat. And I'd buy stock from others like them... UK, French, hell, even Chinese! If they sell stock, I'm in! When we finally do figure this out, I'm going to be ready :)

And for us? We're part of the solution.

This week we had some real successes in both Red Sky and Wapack Labs.

In the lab, we've got 'Threat Recon(tm)' in load testing. We've set up an API that'll really get your attention. If you like VirusTotal, you're going to LOVE Threat Recon. As of today (Friday) two Red Sky members are set up and running first tests. We'll be adding more to the testing next week. I'll be announcing its public offering very soon, so hang in there. Only a couple more weeks. Keep an eye out for it...

Our first university is joining Red Sky, as well as our first Icelandic bank. We've been holding steady on Red Sky membership; our community isn't big, but it's really smart. Our first IR team from a university is VERY exciting, and after spending time in Iceland, I can't tell you how happy it makes me that we're bringing in our first Icelandic member! I've got a reason to go back... but next time I'm taking my fly rod!

Adding to that, we've built a bunch of new tools and added some incredible new sourcing... we've spent a bunch of time doing R&D this year and it's paying off! I've got the best job in the world. I haven't had this much fun in years!

So until next time,
Have a great week!
Jeff