Friday, August 17, 2012

Red Sky weekly update - Six months in operation and a new Fusion Report!

This week, we released FR12-020, which detailed a Poison Ivy variant provided by one of our members. Analysis of delivery indicators and TTPs linked the incident to known first-stage infrastructure, which is exclusively intended for the delivery of Poison Ivy (PI) payloads. The report provided new insight into the social engineering tactics employed by the actors, and also revealed correlations among the leveraged URLs and domains. This resulted in the development of 6 new signatures to aid in the detection of related activity. Moreover, indicators provided in FR12-020 allowed for the identification of a compromised site belonging to a major software provider for corporate applications.

As of today, our six-month operational anniversary, it’s been a heck of a ride.
  • We’re now at 19 companies in the environment – including four vendors who provide analytic assistance to the members – and have three others going through legal review of our terms and conditions
  •  We’ve authored 20 fusion reports detailing analysis on submissions from the membership 
  • As of today we’ve racked our automated malware analysis suite, and will make that available for the membership as soon as we finalize our configuration changes
  • We bootstrapped (self funded) Red Sky, so as not to be beholden to external pressures from institutional funders, and I’m happy to say, we’re cash flow positive, having hit breakeven within our first four months! 
  • We now have a solid analytic capability backing the membership. Our members have done a heck of a job helping each other. Crowdsourced analytics from the membership, distilled into actionable, usable indicators and knowledge by the Red Sky staff and analytic vendor partners, are working wonderfully! As a side note, a woman from Network World interviewed me today. She was surprised when I told her we allowed vendors as analytic members. I believe we have to partner with vendors, not exclude them. How else will vendors know what emerging threats look like and how to shape their futures? We have to tell them. They play by the rules (no ambulance chasing, just good analytic support to the membership). So far, so good!
  • Our intern program and participation in Wounded Warrior is hitting on all cylinders, and we’ve brought in a long-time educator to ensure our curricula are done right. We’re hoping to establish a pipeline of qualified analysts to our membership starting in December, when our first intern graduates from his Masters program in criminology and cyber. Starting in the fall, we’re hoping to have new faces in the program from Wounded Warriors and will begin training them, preparing them for positions in our members’ workforces
  • And best of all? We’re receiving referrals from our members for new members. That's the best compliment ever. Thank you!
  
So for now, I’m making this a short blog. I’m driving from Baltimore to Atlanta for GFIRST. I hope to see many of you there! Ask me for a demo!
Have a great weekend!
Jeff

Friday, August 10, 2012

Red Sky weekly - Two new Fusion Reports!

I apologize for the length of this blog, but it’s been two weeks since my last post (sounds like I’m at confession!), and wow has it been a great two weeks. 

  • Two new fusion reports have been posted to the portal – one offering a campaign profile – and a combined 250+ new indicators and several new snort signatures
  • We’ve become part of the Wounded Warrior program
  • Our Tech Analysis Lead attended an FS-ISAC sponsored ICS program 
  • Membership continues to grow

We released Fusion Report 18 last week, which details a previously unobserved malicious downloader. The malware is suspected to be of Russian origin and employs multiple layers of protection to include encryption, compression and suspected custom packing code. Despite the better OPSEC practiced on the part of the Russian actors, we were still successful in deriving multiple related indicators.

The skillset inside the membership was apparent last week. Multiple encoded binaries were posted to the portal and another member analyst was able to recognize the obfuscation scheme and provided a decoding script which enabled the malware to be analyzed. Just another benefit of crowd-sourced malware analysis!

As a result of this work, our team reached out to over 40 government contractors who we believe (with high confidence) to have been affected by the targeting of a specific aerospace program.

FR12-019 was released today. Fusion Report 19 details a set of attacks from a known group of operators. This represents the second report detailing an intrusion campaign and is a reflection of the quality of data provided by our members. Campaign analytics are crucial in adversary profiling and are one of our main goals going forward. The report provided analysis on the adversary's targeting, malware evolution, and included three new snort signatures and over 80 new indicators of APT activities (APT defined as espionage by real bad guys).

From a non-analytic perspective great things are happening. We’ve been operational for six months in a week. A couple of highlights:

  • Since my last blog post we’ve added four new Fortune 500 companies to the portal. With today’s addition, I believe we’re at 21 with three others working through legal processes to join.
  • We held our first internal meeting last week on standardizing data being passed. We had a great meeting with DHS a few weeks ago, and had been heading down our own path in parallel, but we want to find the right middle ground. Our members are all large companies. Some have written their own taxonomies. We’ve been using a simple kill chain format. It’s a work in progress, but right now, people are talking. That’s important too.
  • This week we received “Preferred Employer” status with the Wounded Warrior program as we continue to build out curriculum for retraining Wounded Warriors and interns coming through Red Sky Alliance en route to new employment. The majority of the Red Sky team is made up of former or current military, representing active duty Navy, Coast Guard, and Army, Marine Corps reserves, and civilian Air Force. We LOVE the Wounded Warrior program and are VERY excited to be given the opportunity to teach returning vets how to do cyber analysis in this most challenging space!
  • Last, but certainly not least, Thank You! to the FS-ISAC who allowed our Tech Lead to attend an ICS program with them in NY this week. Our Tech Lead came back with some great new ideas, an education in industrial controls, and a newfound perspective on other areas of threat.

I could have gone on for at least another page. Red Sky is doing well, and we’re receiving interest from companies on almost a daily basis. One told us today that he’d participated in meetings in DC yesterday with a group of CISOs who all talk about Information Sharing and restrictions placed on some of the others out there who are focused on APT. Red Sky Alliance was built with those lessons learned in mind, and the idea of correcting those restrictions. We want it to be easy to share information smartly and safely, and allow members to be able to use the information published to the maximum extent needed to protect their networks. Another, this morning (yes, I actually received TWO nice pieces of feedback just this morning!), left a position with a large defense company in NJ to take a Threat Intelligence position at a global credit card company. He told me that he wanted to join Red Sky because he’d been hearing so much about the ‘real time intelligence’. He was very excited!

Until next week!
Jeff

Saturday, July 28, 2012

Red Sky Weekly - Fusion Report 17 released


This week we released Fusion Report 17. FR12-017 details an adversary who is active in the Defense Industrial Base industry sector. The report provides an in-depth analysis on the actor's known TTPs and their flagship malware, to include tailored SNORT signatures and over 140 host- and network-based indicators. Also, due to related indicators provided by a member, Red Sky analysts identified high-probability targeting of as many as 22 other non-member companies.
For those Red Sky Alliance members not in the Defense space, one member's detection just became your prevention. This group has been active for quite some time. We strongly suggest you implement protections from this report immediately.
The addition of FR12-017 was only the beginning of the week. It’s been a bit of a wild ride. I’ve been in Vegas for Blackhat, meeting current members, demo’ing for potential members, sitting in talks, supporting associate members (technology partners), and of course, attending a few parties!
Highlights from the week:
  • Published Fusion Report 17
  • I spent the brunt of the week at Blackhat while Chris held down the portal – which appeared to be pretty busy! We finalized membership with a couple of new companies, and a few current members enrolled more of their Infosec team members. Chris has been busy this week. He's working the next Fusion Report, training two analysts, and, it appears, slogging through a new, unusual piece of malware.
  • Blackhat was cool. I did a demo in shorts and a polo sitting on a bench outside of the executive briefings on Tuesday night. During the talk, a current member was walking by and stopped to rave about how much he liked being in the Alliance. Needless to say, we have a new company joining as a direct result of the reviews offered. Thanks Don!
  • I spent a ton of time with our Associate members. Associate members are vendors who perform analysis in the backend of the Red Sky Portal. LookingGlass and Norman both did a heck of a job. I tried where I could to offer my testimonials to folks coming to their booths, as both provide analytics, and both have strong peer reviews. I hope it helped! 
  • LookingGlass threw a party on Thursday night at a club in the bottom of Aria. Love you guys man, but I’ve got to say, meeting Randy Couture was probably the highlight of my day. Randy is supporting wounded warriors through his own organization, the Xtreme Couture GI Foundation. LookingGlass sold T-Shirts all day and during the party to support Randy's Foundation. At the end of the night they presented them with a check for $10,000. It was a heck of a night. Well done guys. Bravo Zulu!
  • Last, I’m on my Delta flight from Vegas to Detroit for a layover before heading into Boston. Sitting next to a VP from Qualys. We struck up a great conversation about things we’re both doing (I’m liking the new web application firewall!). When we talked Red Sky, I gave him a quick look at the portal and walked him through the story of an ‘overseas’ hacker using the ISP in the US, and then the ensuing fusion report (having WiFi on the airplane is really sweet!). We’re now LinkedIn, he’s sending me a couple of referrals, and maybe we’ll see Qualys joining the Alliance sometime soon. Who knows! We’ll see!
 
We’re at 19 companies in the portal today with four more working their way through the membership process. We don’t require cleared facilities, government inspections, or secret spy handshakes. We only require that you pass muster when we ask our Advisory board if you should be admitted, participate, and follow the information handling rules. It’s that simple. Vendors are also welcome as analytic/defender participants. Some really good stuff comes from having vendors in the community. How else will they know what holes they have to fill in their products? Also, having vendors in the portal is a great (GREAT!) way to find out if they can do what they say they can do! They get peer reviewed just like everyone else. So far, so good!
Still not sure about joining? Not a problem. Call us when you’re ready. Quoting Tom Bodett (Motel 6) “We’ll leave the light on for ya!”
I’m heading on vacation starting today. I’m turning off my electronics for the next week.  If you need help, please don’t hesitate to reach out to Jim. He’s standing by to take your call!
Have a great weekend!
Jeff

Saturday, July 21, 2012

Red Sky weekly - FR12-016 details second non-public trojan



Red Sky Analysts released Fusion Report 16 this week. FR12-016 detailed a newly observed web-based Remote Access Tool (RAT) which was used in the same campaign as Trojan.Eclipse (named Eclipse by Red Sky analysts) from FR12-015. FR12-016 offered a custom C2 decoding script, Snort signatures, and a number of new indicators that may be used to detect and proactively mitigate the intrusion attempt.
BT BT

When preparing this week’s blog entry, I miscounted, thinking this was six months in operation. In fact it’s five, with our corporate one-year anniversary coming up at the end of August.  Regardless, five or six, the numbers are still pretty exciting.

·      Our Advisory Board is currently looking at one more company for membership. The company is one of the five largest law firms in the country, boasting 1750 attorneys and 27 global offices. We currently have four companies being vetted by our Advisory board, and if all are offered membership, we’ll have 16 top companies in nine of the US’s critical infrastructures. Our ranks have grown 36.5% in the last two months!
·      We're actively tracking on at least eight groups. Two groups were both known in one sector, but not widely known in others. The cross sector participation of Red Sky has produced (as I read it) two cases where a group moves from one industry sector to another.
·      In five months we’ve profiled a bad ISP, analyzed two 0-days, at least three newly discovered pieces of code, named two new TTPs and published over 2000 indicators in Kill Chain format. Over 500 threads are tracking with over 9000 comments and page views generated.
Five months in, results like this are the tip of the iceberg. The conversational format of the social environment can be rough getting used to, but the richness of the information is FAR better than the format we used in report-driven portals that I’ve participated in in the past. (Report-driven portals are easy to parse but the data is generally light.) Cross sector and international participation has been huge! The ability to contact members in Japan directly, or analyze malware captured on members’ global networks, is a luxury I’ve not been accustomed to. I like it.
Bottom line is this. I'm happy it's working. Not without growing pains, but nothing good ever comes without a few bumps/bruises. Five months. It’s working.
See you at Black Hat!
Jeff

Saturday, July 14, 2012

Red Sky Alliance Weekly - 7/14/12 - FR12-015 published


Been a heck of a busy week. This is exactly the way we like it. The portal is active, the membership requests are coming in, and the crowd-sourced analysis model in the portal is purring along nicely.
On a side note, in every call or meeting, a CISO tells me how much data they receive. Most, when asked, list a slew of open source lists, RSS feeds, and almost all have at least one (usually several) of the premium subscription services available. In almost every case, I ask the CISO “How much of that information do you act on?” The answer? Less than 10%! So to be clear, every piece of information must be read, evaluated, and if needed, acted upon. This means lost labor in evaluating the other 90%. How inefficient! And then, what makes something actionable? Is there a standard tripwire that is used in your company to signal a piece of information that’s more important than the others you’ve read that day? I’m scratching my head on this one. If an aggregated feed costs you $100,000 per year and you only act on 10%, shouldn’t you be paying $10,000 for it? Would you pay $100,000 for a car that’s only worth $10,000 to you?
So here is what I hear: CISOs have data. What they really need is knowledge.  They need it delivered in a way that makes it highly relevant/actionable, and preferably prequalified.
Enter Red Sky Alliance. Red Sky focuses on conversations. You know what’s important because other members tell you. Right now, there are sixty-two pairs of eyes reading the wire in their own large enterprises. Those conversations are distilled into data. We add open source information, and expert analytics, and then feed that knowledge back to the entire membership in the form of a Fusion Report. The fusion reports transfer knowledge in a smart, meaningful and actionable way. We want our members to know how we did our analysis – maybe teach them, maybe be taught – we show all of our work. Every source is clearly referenced. And, every report offers signatures and indicators in an easily digestible list that may be copied directly into the appropriate location in your defense in depth. Our goal? 100% of our information should be actionable, and received in a timely manner.
Did I mention it was a busy week? Here are some of this week’s highlights:
·      Fusion Report 15 (FR12-015) was released earlier this week. The report details a previously unknown Trojan discovered by one of the members. Red Sky has named this Trojan “Eclipse”. Eclipse operates completely encrypted and we do not believe it will be detected using traditional network/signature-based defenses. This report is 12 pages long. It’s ten pages of analysis and lists 79 ways to identify the Trojan in your enterprise.
·      Two new companies have begun Red Sky Alliance membership processes.
o   A large Oil and Gas company received first credentials today, making this our first – and this company is probably one of the best that could have led the way for that industry.
o   The second is a company who specializes in large airport and municipal projects. Again, a first for us. Our membership now spans almost all of the global “Critical Infrastructures” and includes some of the largest companies in them.
·      We’ve begun testing CIF (Collective Intelligence Framework) as one model for sharing information between members. There are several models for sharing data in the membership. I’ve been invited to DHS to talk about TAXII on Monday, but in Red Sky, we’re pulling the membership together for a virtual meeting looking for the happy mean; to figure out what’s going to work for us. To date, we’ve been using Kill Chain.
·      We had a bit of a stumbling block this week with our new authentication system, but it seems we’ve worked that out. Even with the stumbling block, at last look (this morning) Red Sky members are tracking over 480 different threads. Malware and submissions to our Security Intelligence area are easily topping the list of most participated areas. Our membership is active.
Red Sky Alliance continues to grow. Won’t you join us?
Until next week.
Have a great weekend.
Jeff

Friday, July 06, 2012

Red Sky Alliance Weekly 7/6/12 - Fusion report 14 published


It was a short week, but none the less, busy.

·      This week, actors dubbed “Pearl Net” by Red Sky analysts registered several new domains that we believe may be leveraged by attackers in the near future. FR12-014 details nearly 200 new indicators of potential compromise, published to the membership in a simple Kill Chain format. Members were urged to implement these indicators immediately as preventative measures.
·      Red Sky Alliance is growing! Two new members committed to joining Red Sky Alliance this week and another requested a membership package. We seem to be bringing in at least one new member per week. When these two committed companies wrap up, we’ll be closing Founding Memberships* in that industry sector.
* Founding Members form our Advisory Board. We limit the number of Advisors to four per industry sector. The benefit of being a Founding Member is half price membership, extra seats, expanded participation in the Annual meeting in March, and an 18” x 24” framed Plankowners Certificate in exchange for early enrollment and participating in our Advisory board.
One of the most exciting things about Red Sky is our Intern program. This week Dave Chauvette joined us as the Director of Academic Services after a long career in STEM Charter Schools (32 years!). Dave’s role is two-fold – being the focal point for bringing schools into the Alliance, and heading up our Internship program. This year we interviewed scores of candidates. Out of those, four were offered spots, and two ended up coming in.  One was hired away immediately (a PhD candidate), and the second (a MS candidate in Criminology/Cyber) authored his first piece of analysis just before his finals - 51 pages and one of our most read papers. The idea is this… there’s a skill gap between new college graduates and required analysis in the emerging threats space. Red Sky brings interns into the program for two semesters. Our first (Bruno) is receiving three credits for his internship. Other colleges are offering up to six, and we’re working hard to complete a syllabus for something more formal to begin working toward training wounded warriors.  The interns are mentored by Red Sky and its members, are asked questions and peer reviewed like any other crowd-sourced analyst. In addition, interns can certify through Red Sky simply by peer reviewing in the top 10% like any other analyst! When they’re ready to graduate and are looking for their first job, we’ll introduce them to the companies who have been peer reviewing them through the course of their internship. How cool is that?!
So it’s been another great week for the Red Sky Alliance.
Have a great weekend!
Jeff

Friday, June 29, 2012

Red Sky weekly wrap-up – 6/29/12


We held our offsite, starting with happy hour at the Union League of Philadelphia and a day of talks in the boardroom of one of our members in Delaware. The portal, as a result, was slow. No fusion reports this week.
Regardless, our Threat Day was a fantastic success.
·      Early polling of the members suggests all left happy with the way the day went. I know this group was larger than last time, and this one, unlike the last, was members only.
·      We issued our first “Plankowner Certificate” to our first Founding Member. The senior member of each team receives an 18” x 24” professionally framed, matted certificate.
·      We recognized our top 10% peer reviewed analysts. We do this each quarter, and at the end of the year they’ll receive a certificate and a certification good for one year. It goes like this: If a member peer reviews in the top 10% over the previous 12 months of their participation, they’ll be recognized as “Red Sky Certified” (RSc), and can use the designation as a certification behind their name. I like the idea of certification through peer review over the course of a year. 
·      We’ve got a couple of new research items – standardizing means of communicating, tests of linguistic capabilities beyond the main threat areas, and the addition of new capabilities to the Red Sky portal.
So, positive trends, building face-to-face trusts, and growing collaborative capabilities.
Have a great weekend!
Jeff

Friday, June 22, 2012

Red Sky Alliance weekly wrap-up. FR12-013 released.


Another busy week for the Red Sky Alliance! FR12-013 released.
I’m almost glad it’s Friday night. I’m exhausted… although I’m having a heck of a lot of fun in my new job!
It's been a fun week. The work never stops. This is a major pace change from my previous life in the government. Work stopped at the end of the day. I slept, and went back at it. Now the lines seem to blur. It's 9:30 and I'm writing a blog and a paper. I was at it at 6:30 this morning, and nearly every waking minute is devoted to ensuring the success of the Red Sky Alliance.
What's been keeping me so busy?
·      Earlier this week we released our latest fusion report (FR12-013), which offered supplemental information on Team Taidor activities, including new malware and a slight shift in TTPs.
·      Following up from the Gartner conference last week, one new member has decided to join the Alliance. The prospective member (they still need thumbs up from our Advisory board) is another large Managed Security Service Provider. This will be two for us, and if you’ve heard me speak about scaling the protective capabilities of Red Sky, you’ve heard me talk about bringing MSSPs into the alliance.
·      We wrapped an important evolution in Red Sky. We’ve completed (with the exception of a few outliers) the integration of our new authentication mechanisms. As we head into the second generation portal, adding new services, this is going to be more and more important. We’re moving forward on a mission, and with a plan!
·      Last, we’re holding our quarterly face-to-faces next week with Happy Hour at the Union League of Philadelphia followed by a one-day “Threat Day” in Delaware. We look forward to these sessions with our members, and this will be our first members-only event. So far we’re expecting about 20 people – a really nice size for great conversation!
So, it’s been a great week, and next week looks to be even more fun. I’m looking forward to seeing everyone in Philadelphia (drinks on me!) and the following day in Delaware.
Have a great weekend!
Jeff

Friday, June 15, 2012

Red Sky Weekly Wrap-up

I’m just back from nearly four full days at the Gartner Risk and Security Summit held at the National Harbor in MD. This is one of my favorite conferences. There’s SO much activity. If you don’t like the presentation you’re in, go next door. Chances are you’ll like that one! Besides coming home with the ‘conference crud’, this was a great week.
Gartner was terrific for me, and for Red Sky. For me personally it meant reconnecting many of the connections lost during my last couple of years working for the government. It’s easy to do, and I (inadvertently) let them go.  For Red Sky however, it was a very different story.  On my second day I sat in on an earlier session by Dan Blum. Dan was talking about information sharing. Much of his talk was really on ‘security intelligence’, or in my lexicon, aggregation of loads of data, but maybe not actionable knowledge.  I was just about ready to bail when he brought up the next slide and said he’d heard about a new group called the ‘Red Sky Alliance’ and it sounded promising.

I raised my hand and told him that I was the COO. There were several questions, and after the meeting I presented and demo’d to him and three others at a huddle table in the hotel.  I ran the presentation over my blackberry, but the slowness of my connection didn’t seem to bother them at all. They got it; and best of all, I think they loved it. Long story short? Seven new companies will be mailed our membership package this week. I fully expect all seven will come into the portal (I’ve already received confirmation from one!).
Why? The model produces actionable results.
·       This week we issued our newest Fusion Report. It is number 12. FR12-012 talks about another domain in the dynamic DNS category, but calls out more unique indicators of how to track, and mitigate the activity. This fusion report seems to have created a bit of a following inside the portal, as several companies’ contributing analysts have commented on how well done the reporting is, and have offered other pieces of information that might be added (we’re all about crowd-sourcing!).
·      We’re tracking a new piece of code suspected of utilizing an 0-day. If true, it’ll be the third we’ve identified.
·      We’ve got a couple of new threads going. One is a new group (at least for me); I don’t recall ever seeing this one in my past lives. Regardless, a member who has been tracking it for a few months sent it in, and it is now a popular topic.
·      Our Associate Members from Kyrus, LookingGlass, and Norman are cranking up the analytic volume. This week we opened vendors to previously restricted analytic areas of the portal. For the last several weeks, members have been asking them for analysis, and they’ve come through nicely. I’ve talked with the vendors and they agree—no selling in the portal, but I can’t think of a better way to demonstrate capabilities to high-quality companies than actually doing real work for them! On top of that, they’re peer reviewing nicely and getting feedback on their work! Nice!
·      Last? Our blog is about to click past 10,000 hits since March! Wow!
So it’s been another GREAT week in the Red Sky Alliance! I know you’re probably tired of reading that, but the boards are on fire. Analysts are talking. New members (GREAT new members) want to come in. And, we’re being asked to speak to companies and their boards about how great companies operate with the threat of targeted attacks and APT.  We have people in St. Louis, Baltimore/Washington, and New England. We’re happy to schedule time to help.  
Until next time, have a great weekend.
Jeff