Red Sky Weekly - Fusion Report 17 released

This week we released Fusion Report 17. FR12-017 details an adversary who is active in Defense Industrial Base industry sector. The report provides an in depth analysis on the actor's known TTPs and their flagship malware to include tailored SNORT signatures and over 140 host and network-based indicators. Also, due to related indicators provided by a member, Red Sky analysts identified high-probability targeting of as many as 22 other non-member companies.

For those Red Sky Alliance members not in the Defense Space, one member's detection just became your prevention. This group has been active for quite some time, We strongly suggest you implement protections from this report immediately.

The addition of FR12-017 was only the beginning of the week. It’s been a bit of a wild ride. I’ve been in Vegas for Blackhat, meeting current members, demo’ing potential members, sitting in talks, supporting associate members (technology partners), and of course, attending a few parties!

Highlights from the week:

• Published Fusion Report 17

• I spent the brunt of the week at Blackhat while Chris held down the portal –which appeared to be pretty busy! We finalized membership with a couple of new companies, and a few current members enrolled more of their Infosec team members. Chris has been busy this week. He's working the next Fusion Report, training two analysts, and it appears slogging through a new, unusual piece of malware.

• Blackhat was cool. I did a demo in shorts and a polo sitting on a bench outside of the executive briefings on Tuesday night. During the talk, a current member was walking by and stopped to rave about how much he liked being in the Alliance. Needless to say, we have a new company joining as a direct result of the reviews offered. Thanks Don!

• I spent a ton of time with our Associate members. Associate members are vendors who perform analysis in the backend of the Red Sky Portal. LookingGlass and Norman both did a heck of a job. I tried where I could to offer my testimonials to folks coming to their booths, as both provide analytics, and both have strong peer reviews. I hope it helped! 

• LookingGlass threw a party on Thursday night at a club in the bottom of Aria. Love you guys man, but I’ve got to say, meeting Randy Couture was probably the highlight of my day. Randy is supporting wounded warriors through his own organization, the Xtreme Couture GI Foundation. LookingGlass sold T-Shirts all day and during the party to support Randy's Foundation. At the end of the night presented them with a check for $10,000. It was a heck of a night.  Well done guys. Bravo Zulu!

• Last, I’m on my Delta flight from Vegas to Detroit for a layover before heading into Boston. Sitting next to a VP from Qualys. We struck up a great conversation about things we’re both doing (I’m liking the new web application firewall!). When we talked Red Sky, I gave him a quick look at the portal and walked him through the story of an ‘overseas’ hacker using the ISP in the US, and then the ensuing fusion report (having WiFi on the airplane is really sweet!). We’re now LinkedIn, he’s sending me a couple of referrals, and maybe we’ll see Qualys joining the Alliance sometime soon. Who knows! We’ll see!

 

We’re at 19 companies in the portal today with four more working their way through the membership process. We don’t require cleared facilities, government inspections, or secret spy handshakes. We only require that you pass muster when we ask our Advisory board if you should be admitted, participate, and follow the information handling rules. It’s that simple. Vendors are also welcome as analytic/defender participants. Some really good stuff comes from having vendors in the community. How else will they know what holes they have to fill in their products? Also, having vendors in the portal is a great (GREAT!) way to find out if they can do what they say they can do! They get peer reviewed just like everyone else. So far, so good!

Still not sure about joining? Not a problem. Call us when you’re ready. Quoting Tom Bodett (Motel 6) “We’ll leave the light on for ya!”

I’m heading on vacation starting today. I’m turning off my electronics for the next week.  If you need help, please don’t hesitate to reach out to Jim. He’s standing by to take your call!

Have a great weekend!
Jeff

Red Sky weekly - FR12-016 details second non-public trojan

Red Sky Analysts released Fusion Report 16 this week. FR12-016 detailed a newly observed web-based Remote Access Tool (RAT) which was used in the same campaign as Trojan.Eclipse (named Eclipse by Red Sky analysts) from FR12-015. FR12-016 offered a custom C2 decoding script, Snort signatures, and a number of new indicators that may be used to detect and proactively mitigate the intrusion attempt.

BT BT

When preparing this week’s blog entry, I miscounted, thinking this was six months in operation. In fact it’s five, with our corporate one-year anniversary coming up at the end of August.  Regardless, five or six, the numbers are still pretty exciting.

·      Our Advisory Board is currently looking at one more company for membership. The company is one of the five largest law firms in the country, boasting 1750 attorneys and 27 global offices. We currently have four companies being vetted by our Advisory board, and if all are offered membership, we’ll have 16 top companies in nine of the US’s critical infrastructures. Our ranks have grown 36.5% in the last two months!

·      We're actively tracking on at least eight groups. Two groups were both known in one sector, but not widely known in others. The cross sector participation of Red Sky has produced (as I read it) two cases where a group moves from one industry sector to another.

·      In five months we’ve profiled a bad ISP, analyzed two 0-days, at least three newly discovered pieces of code, named two new TTPs and published over 2000 indicators in Kill Chain format. Over 500 threads are tracking with over 9000 comments and page views generated.

Five months in, results like this are the tip of the iceberg. The conversational format of the social environment can be rough getting used to, but the richness of the information is FAR better than the format we used in report driven portals that I’ve participated in in my past. (Report driven portals are easy to parse but the data is generally light.) Cross sector and international participation has been huge! The ability to contact members in Japan directly, or analyze malware captured on members’ global networks is a luxury I’ve not been accustomed to. I like it.

Bottom line is this. I'm happy it's working. Not without growing pains, but nothing good ever comes without a few bumps/bruises. Five months. It’s working.

See you at Black Hat!

Jeff

Red Sky Alliance Weekly - 7/14/12 - FR12-015 published

Been a heck of a busy week. This is exactly the way we like it. The portal is active, the membership requests are coming in, and the crowd-sourced analysis model in the portal is purring along nicely.

On a side note, in every call or meeting, a CISO tells me how much data they receive. Most when asked list a slew of open source lists, RSS feeds, and almost all have at least one (usually several) of the premium subscription services available. In almost every case, I ask the CISO “How much of that information do you act on?” The answer? Less than 10%! So to be clear, every piece of information must be read, evaluated, and if needed, acted upon. This means lost labor in evaluating the other 90%. How inefficient! And then, what makes something actionable? Is there a standard tripwire that is used in your company to signal a piece of information that’s more important the others you’ve read that day?  I’m scratching my head on this one. If an aggregated feed costs you $100,000 per year and you only act on 10%, shouldn’t you be paying $10,000 for it? Would you pay $100,000 for a car that’s only worth $10,000 to you?

So here is what I hear: CISOs have data. What they really need is knowledge.  They need it delivered in a way that makes it highly relevant/actionable, and preferably prequalified.

Enter Red Sky Alliance. Red Sky focuses on conversations. You know what’s important because other members tell you. Right now, there are sixty-two pairs of eyes reading the wire in their own large enterprises. Those conversations are distilled into data. We add open source information, and expert analytics, and then feed that knowledge back to the entire membership in the form of a Fusion Report. The fusion reports transfer knowledge in a smart, meaningful and actionable way. We want our members to know how we did our analysis -maybe teach them -maybe be taught --we show all of our work. Every source is clearly referenced. And, every report offers signatures and indicators in an easily digestible list that may be copied directly into the appropriate location in your defense in depth.  Our goal? 100% of our information should be actionable, and received in a timely manner. 

Did I mention it was a busy week? Here are some of this week’s highlights:

·      Fusion Report 15 (FR12-015) was released earlier this week. The report details a previously unknown Trojan discovered by one of the members. Red Sky has named this Trojan “Eclipse”. Eclipse operates completely encrypted and we do not believe it will be detected using traditional network/signature based defenses. This report is 12 pages long. It’s ten pages of analysis and lists 79 ways to identify the Trojan in your enterprise.

·      Two new companies have begun Red Sky Alliance membership processes.

o   A large Oil and Gas company received first credentials today, making this our first –and this company is probably one of the best that could have lead the way for that industry.

o   The second is a company who specializes in large airport and municipal projects. Again, a first for us. Our membership now spans almost all of the global “Critical Infrastructures” and includes some of the largest companies in them.

·      We’ve begun testing CIF (Collective Intelligence Framework) as one model for sharing information between members. There are several models for sharing data in the membership. I’ve been invited to DHS to talk about TAXII on Monday, but in Red Sky, we’re pulling the membership together for a virtual meeting looking for the happy mean; to figure out what’s going to work for us. To date, we’ve been using Kill Chain.

·      We had a bit of a stumbling block this week with our new authentication system, but it seems we’ve worked that out. Even with the stumbling block, at last look (this morning) Red Sky members are tracking over 480 different threads. Malware and submissions to our Security Intelligence area are easily topping the list of most participated areas. Our membership is active.

Red Sky Alliance continues to grow. Won’t you join us?

Until next week.
Have a great weekend.
Jeff

Red Sky Alliance Weekly 7/6/12 - Fusion report 14 published

It was a short week, but none the less, busy.

·       This week, actors dubbed “Pearl Net” by Red Sky analysts, registered several new domains that we believe may be leveraged by attackers in the near future. FR12-014 details nearly 200 new indicators of potential compromise, published to the membership in a simple Kill Chain format. Members were urged to implement these indicators immediately as preventative measures.

·      Red Sky Alliance is growing! Two new members committed to joining Red Sky Alliance this week and other requested a membership package. We seem to be bringing in at least one new member per week. When these two committed companies wrap up, we’ll be closing Founding Memberships* in that industry sector.

* Founding Members form our Advisory Board. We limit the number of Advisor to four per industry sector. The benefit of being a Founding Member is half price membership, extra seats, expanded participation in the Annual meeting in March, and an 18” x 24” framed Plankowners Certificate in exchange for early enrollment and participating in our Advisory board.

One of the most exciting things about Red Sky is our Intern program. This week Dave Chauvette joined us as the Director of Academic Services after a long career in STEM Charter Schools (32 years!). Dave’s role is two-fold – being the focal point for bringing schools into the Alliance, and heading up our Internship program. This year we interviewed scores of candidates. Out of those, four were offered spots, and two ended up coming in.  One was hired away immediately (a PhD candidate), and the second (a MS candidate in Criminology/Cyber) authored his first piece of analysis just before his finals - 51 pages and one of our most read papers. The idea is this… there’s a skill gap between new college graduates and required analysis in the emerging threats space. Red Sky brings interns into the program for two semesters. Our first (Bruno) is receiving three credits for his internship. Other colleges are offering up to six, and we’re working hard to complete a syllabus for something more formal to begin working toward training wounded warriors.  The interns are mentored by Red Sky and its members, are asked questions and peer reviewed like any other crowd-sourced analyst. In addition, interns can certify through Red Sky simply by peer reviewing in the top 10% like any other analyst! When they’re ready to graduate and are looking for their first job, we’ll introduce them to the companies who have been peer reviewing them through the course of their internship. How cool is that?!

So it’s been another great week for the Red Sky Alliance.

Have a great weekend!
Jeff

Red Sky weekly wrap-up – 6/29/12

We held our offsite, starting with happy hour at the Union League of Philadelphia and a day of talks in the boardroom of one of our members in Delaware. The portal, as a result was slow. No fusion reports this week.

Regardless, our Threat Day was a fantastic success.

·      Early polling of the members suggest all left happy with the way the day went. I know this group was larger than last time, and this one, unlike the last was members only.

·      We issued our first “Plankowner Certificate” to our first Founding Member. The senior member of each team receives an 18” x 24” professionally framed, matted certificate.

·      We recognized our top 10% peer reviewed analysts. We do this each quarter, and at the end of the year they’ll receive a certificate and a certification good for one year. It goes like this: If a member peer reviews in the top 10% over the previous 12 months of their participation, they’ll be recognized as “Red Sky Certified” (RSc), and can use the designation as a certification behind their name. I like the idea of certification through peer review over the course of a year. 

·       We’ve got a couple of new research items – standardizing means of communicating, tests of linguist capabilities beyond the main threat areas, and the addition of new capabilities to the Red Sky portal.

So, positive trends, building face-to-face trusts, and growing collaborative capabilities.

Have a great weekend!

Jeff

Red Sky Alliance weekly wrap-up. FR12-013 released.

Another busy week for the Red Sky Alliance! FR12-013 released.

I’m almost glad it’s Friday night. I’m exhausted… although I’m having a heck of a lot of fun in my new job!

It's been a fun week. The work never stops. This is a major pace change from my previous life in the government. Work stopped at the end of the day. I slept, and went back at it. Now the lines seem to blur. It's 9:30 and I'm writing a blog and a paper. I was at it at 6:30 this morning, and nearly every waking minute is devoted to ensuring the success of the Red Sky Alliance.

What's been keeping me so busy?

·      Earlier this week we released our latest fusion report (FR12-013), which offered supplemental information on Team Taidor activities, including new malware and a slight shift in TTPs.

·      Following up from the Gartner conference last week, one new member has decided to join the Alliance. The prospective member (they still need thumbs up from our Advisory board) is another large Managed Security Service Provider. This will be two for us, and if you’ve heard me speak about scaling the protective capabilities of Red Sky, you’ve heard me talk about bringing MSSPs into the alliance.

·      We wrapped an important evolution in Red Sky. We’ve completed (with the exception of a few outliers) the integration of our new authentication mechanisms. As we head into the second generation portal, adding new services, this is going to be more and more important. We’re moving forward on a mission, and with a plan!

·      Last, we’re holding our quarterly face-to-faces next week with Happy Hour at the Union League of Philadelphia followed a one-day “Threat Day” in Delaware. We look forward to these sessions with our members, and this will be our first members-only event. So far we’re expecting about 20 people –a really nice size for great conversation!

So, it’s been a great week, and next week looks to be even more fun. I’m looking forward to seeing everyone in Philadelphia (drinks on me!) and the following day in Delaware.

Have a great weekend!
Jeff

Red Sky Weekly Wrap-up

I’m just back from nearly four full days at the Gartner Risk and Security Summit held at the National Harbor in MD. This is one of my favorite conferences. There’s SO much activity. If you don’t like the presentation you’re in, go next door. Chances are you’ll like that one! Besides coming home with the ‘conference crud’, this was a great week.

Gartner was terrific for me, and for Red Sky. For me personally it meant reconnecting many of the connections lost during my last couple of years working for the government. It’s easy to do, and I (inadvertently) let them go.  For Red Sky however, it was a very different story.  On my second day I sat in on an earlier session by Dan Blum. Dan was talking about information sharing. Much of his talk was really on ‘security intelligence’, or in my lexicon, aggregation of loads of data, but maybe not actionable knowledge.  I was just about ready to bail when he brought up the next slide and said he’d heard about a new group called the ‘Red Sky Alliance’ and it sounded promising.

I raised my hand and told him that I was the COO. There were several questions, and after the meeting I presented and demo’d to him and three others at a huddle table in the hotel.  I ran the presentation over my blackberry, but the slowness of my connection didn’t seem to bother them at all. They got it; and best of all, I think they loved it. Long story short? Seven new companies will be mailed our membership package this week. I fully expect all seven will come into the portal (I’ve already received confirmation from one!).

Why? The model produces actionable results.

·       This week we issued our newest Fusion Report. It is number 12. FR12-012 talks about another domain in the dynamic DNS category, but calls out more unique indicators of how to track, and mitigate the activity. This fusion report seems to have created a bit of a following inside the portal, as several companies’ contributing analysts have commented on how well done the reporting is, and have offered other pieces of information that might be added (we’re all about crowd-sourcing!).

·      We’re tracking a new piece of code suspected of utilizing an 0-day. If true, it’ll be third we’ve identified.

·      We’ve got a couple of new threads going. One is a new group (at least for me); I don’t recall ever seeing this on in my past lives. Regardless, a member who has been tracking it for a few months, sent it in, and it is now a popular topic.

·      Our Associate Members from Kyrus, LookingGlass, and Norman are cranking up the analytic volume. This week we opened vendors to previously restricted analytic areas of the portal. For the last several weeks, members have been asking them for analysis, and they’ve come through nicely. I’ve talked with the vendors and they agree—no selling in the portal, but I can’t think of a better way to demonstrate capabilities to a high quality companies than actually doing real work for them! On top of that, they’re peer reviewing nicely and getting feedback on their work! Nice!

·      Last? Our blog is about to click past 10,000 hits since March! Wow!

So it’s been another GREAT week in the Red Sky Alliance! I know you’re probably tired of reading that, but the boards are on fire. Analysts are talking. New members (GREAT new members) want to come in. And, we’re being asked to speak to companies and their boards about how great companies operate with the threat of targeted attacks and APT.  We have people in St. Louis, Baltimore/Washington, and New England. We’re happy to schedule time to help.  

Until next time, have a great weekend.

Jeff

Red Sky Alliance weekly wrap-up - Fusion Report 11 published

It’s been a busy week.  Fusion report 10 was published late last week and Fusion Report 11 on Monday night this week. Fusion Report 11 was identified as a high confidence tightly targeted attack against a tech company who only joined just two weeks ago. What timing!

We’ve got a lot of things going on.

·      We’re preparing to host our second quarterly face-to-face ‘Threat Day’. This one will be hosted at the end of the month at a member site outside of Philadelphia. Cocktails the night before will be at the Union League. It’s a great place for happy hour, and we’re looking forward to getting together with our members!

·      We’re working through integration of our Norman MAG2 Analyzer, and beginning the planning for our first big data node.

·      I attended AT&T’s security conference this week. Great group of folks. Absolutely enjoyed the conference! Good to catch up with several folks that I hadn’t seen in a while.

Anyone who knows me knows how much I love metrics! Earlier this week I was asked by a board member in another information sharing environment what our participation looked like. At the time I answered off the cuff, but after looking at our numbers this morning, here’s what I found out:

We kicked off (live) in mid-February of this year. At the time, the portal was an empty shell…. No data. Since then we’ve worked hard to sign up new trusted members, get communications moving, author fusion reports, etc. In May we noted a nice uptick in member adoption. Today we host approximately a dozen companies, and if I trust my math, 88% of our participants authored three or more entries in May. It may not sound like a lot, but let me tell you what that equates to since mid February:

·      Over 250 active threads with over 9000 page views and comments

·      11 Fusion reports have been read or commented on 757 times by 43 people

·      Since going live, our malware lab has received 42 submissions, received 1047 crowd-sourced comments from by 44 users, and resulted in nine Fusion Reports.

·      1280 qualified indicators of targeted attacks pushed to the membership with another several hundred spanning three years, submitted this week by a non-member.* We published the indicators, all of which are believed to be involved in targeted attacks against this company, but they're currently undergoing correlation and qualification.

* Interestingly enough, we’ve started receiving requests for assistance from non-members ---connections to others during incident response, non-members interested in pushing targeted attack information through our members, and requests for speakers. We’re happy to help.

Crowd sourcing analytics works. Collaboration works.

Until next time,

Jeff