Friday, September 07, 2012

Red Sky Weekly - New Fusion Report details shift in TTP

I posted earlier this week, so this one will be a little shorter. It’s September, and time to get back to work! Red Sky works hard to create forward movement every single week, and this week was a good one.

  • Fusion Report 23 (and Beadwindow Fusion Report 001) were posted to the portals earlier this week. The analysis was tipped from open source, but detailed a major TTP change in a prolific group, noted within about 24 hours after the shift, away from a TTP the actors had used for at least the last 18-24 months. This is as good as (better than!) 0-day research, as it showed a shift in TTPs and the new malware that goes with it. The report, because it was tipped from open sources, was made available to both the private Red Sky portal and our Private/Public portal, Beadwindow.
  • Beadwindow is doing well. We’re in our first official week of operation and have a number of State/Local and Critical Infrastructure participants, as well as two of the original founding Red Sky members who’ve opted to participate directly with government users in the new, more open portal. We’re holding orientation for the new group today, and expect to see conversations starting next week. In fact, we’ve already got one participant authoring a search/retrieval application to interface with their city’s big data project. Very exciting!
  • Threat Day! We’ve just finalized plans for next Threat Day, to be held at a member location in DC. We’ll be sending members invitations and calls for papers today. Our last went really well. I’m looking forward to this one too. Plan on cocktails at the Army Navy Club for the night before! For members reading this, please RSVP in the portal. I’ve posted details there.

From a growth perspective, I can tell we’re maturing. We had to add a ticketing system to our backend today. It didn’t take long before we realized that not having process around workflow -- as many bootstrapped startups realize quickly -- creates problems in customer service. Even one is too many, and we had one today. Those who know me know I’m a process guy. I’m going to start walking through those checklists as we speak! We’re going to need it more as time goes on. We have three new companies receiving Red Sky membership packages this afternoon!

Interested in joining Red Sky? While Founding memberships are basically filled, Founding member rates are being honored through 12/31.

Interested in joining Beadwindow? We have a government and academic rate structure to accommodate you too, and Beadwindow is off to a great start!


Drop us a note now at jmckee@redskyalliance.org or jstutzman@redskyalliance.org.

Until next week!
Have a great weekend!
Jeff
Wednesday, September 05, 2012

Wow! Beadwindow is going like gangbusters!

I realize this is an out-of-cycle posting, but I'm really happy today. We went live with Beadwindow on Monday, and in two days:
  • We've created accounts for thirteen state and local users, three members of an ISAC SOC, two of our Red Sky Founding Members (a Global Bank and a Tech Company!), and our Red Sky analysts.
  • Our first Fusion Report was posted to the Beadwindow portal. The report offers infrastructure analysis and a major TTP shift for a prolific group of APT actors.
  • Conversations have started, and are moving nicely!
I'm psyched! Opening a portal to allow government participation looks, at least at these early (infantile) stages, like a really great P2 (private-public) interaction opportunity with as few restrictions as possible (we have only three very simple rules!).

Saturday, September 01, 2012

Red Sky | Beadwindow - New Fusion Report

This was an INCREDIBLE week for Red Sky. Here’s why:
  • We brought Beadwindow® online this week and will begin orientation sessions and account provisioning for government users from several cities, two states, and an ISAC.
  • Our new Director of IT starts Monday: I would like to introduce Rick Gamache.
  • We had our first 0-day reported in the portal by a member, and issued analysis and a threat alert within only a couple of hours.
  • Fusion Report 22 published Monday night.
The details:

  • 0-day Threat Alert: On Tuesday evening, following a tip and sample from one of the Red Sky® members, we released a threat alert to the Red Sky® community. The alert provided attribution and relevant data concerning a zero-day vulnerability being exploited in targeted attacks. As is typical in the portal, the alert was followed up by additional analysis and reporting from Red Sky® analysts and the membership.
  • We released Fusion Report 22 this week. FR12-022 provided a detailed analysis of malware and infrastructure belonging to a new actor. TTPs associated with the actor are consistent with other tracked APT activity originating from China. Red Sky members were given one new Snort signature and 76 new indicators to search for (or proactively block) in their networks.
  • Beadwindow®! Using the same model as Red Sky Alliance, we opened a second portal under the name “Beadwindow®” this week. Beadwindow® is a separate portal offering the same level of commitment, process, operating rules, and hopefully (we’re sure it will!) results, to members from state, local, tribal and federal government, education organizations, and also to others who may not wish (or may not qualify) to join the private Red Sky Alliance portal. A news release was posted on Monday morning this week, and as of tonight has been picked up by over 1100 digital feeds around the world. Our announcement had a strong response, with membership requests coming in from government organizations, a major electricity producer and a national law enforcement organization. Beadwindow® is a “private-public cyber partnership” and has approximately a half dozen early adopters from major cities and states, and analysts from Red Sky and an ISAC SOC starting on day one -- covering critical infrastructures all over the country!

When I worked as a CISO, just about every time I asked someone for money, the first question I was asked was "What are others doing about this?" The idea was that our CIO would spend just enough to keep up with the Joneses, and maybe a little more if we could correctly articulate the need/requirement.

Do you want to know what your peers are doing?

Ask them. It is far more cost effective to learn from other Red Sky Alliance members in either the Red Sky or Beadwindow portals than it is to go it alone. Learn to fend off cyber attackers smartly by asking your peers how they did it and employing their lessons learned. If you don’t talk because your lawyers are worried about antitrust, don’t worry about it. You’ll probably be out of business soon anyway when you realize your G&A has broken through its four-point restraints and is heading through the roof. You must talk, and often, about how you’re protecting yourselves. Companies don’t give up proprietary information in the Red Sky portal. They exchange analysis, indicators and ideas of how to deal with different scenarios that are, on a daily basis, bombarding members’ networks with sticky, thieving malware, operated by trained professionals with real collection requirements.

Last, I laughed out loud at a comment by Alan Paller this week. I love reading his commentary at the beginning of the weekly SANS email updates. It went like this...

Alan was referring to a piece in the news about a new rule being proposed by DoD, NASA and GSA (links footnoted below). His comments:
[Editor's Note (Paller): With the growing consensus that there is a minimum standard of due care in cybersecurity controls, and the fact that this proposed rule completely fails to meet that standard, and that the greatest losses of national security information were from the contractors' computers, (Wait, here it comes. I LOVE the next part!) whoever is managing the authors of this half-rule should assign them to some less important responsibilities and get people who understand the threat and the controls to write the rule. 

Rules are expensive to create (millions), take seemingly forever to vet through everyone who may have a stake, and there's no guarantee that even after all of the consultants, legal review, Washington process, publish for comment, public comment (you get the picture) that anything is going to move forward. Add to that the fact that many of the rules are authored by consultants who rarely have actual information security experience (they may be great writers, but have little or no operational infosec experience). There's just nothing simple in DC, is there?

It's too bad.

Until next week,
Have a great Labor Day weekend all!
Jeff

[1] http://www.nextgov.com/cio-briefing/2012/08/white-house-plans-regulate-contractor-computer-security/57668/?oref=ng-HPtopstory
[2] http://www.bizjournals.com/washington/blog/fedbiz_daily/2012/08/feds-propose-rule-to-hold-contractors.html
[3] https://www.federalregister.gov/articles/2012/08/24/2012-20881/federal-acquisition-regulation-basic-safeguarding-of-contractor-information-systems#h-4

Friday, August 24, 2012

Red Sky - New Fusion Report; Announcing Gov focused portal

What a week! I just returned from GFIRST. Highlights include:
  • Red Sky Alliance opens “Beadwindow®” for Federal, State, Local, Tribal cyber research and analysis
  • Fusion Report 12-021 released
  • Kudos to US-CERT

Building on the success of the private Red Sky® Alliance cyber intelligence and analysis center, Red Sky Alliance is happy to announce the opening of a second, separate portal called the “Beadwindow® Center”. Beadwindow® is intended for use by Federal, State, Local and Tribal Infosec teams. Inside the portal, members share information about current advanced threats and assist each other with analysis, best practices, and preventing future attacks. Government users may also interact with corporate users through anonymization processes linking the two portals. On the back end, Red Sky analysts distill the conversations to author Fusion Reports that detail, in a clear and cohesive way, all information known about the subject. The Fusion Report includes an executive summary, detailed analysis, mitigation recommendations, and a list of indicators in an easy-to-use Kill Chain format.

Account provisioning is occurring as we speak. Early adopters of the Beadwindow® Center include six major US cities, two states, a major Information Sharing and Analysis Center SOC, and Red Sky Analysts. Members of Red Sky Alliance will, if they choose, be offered credentials allowing them to interact directly with government users. Interested in an account? Contact Jim McKee.

This week we released Fusion Report 21. FR12-021 provides incident details and analysis concerning malware leveraged by one of the most active threat actor groups. The malware was delivered by way of a redirect to a .gov website that was compromised in order to serve as a malicious host. Indicators also show the targeting and compromise of a major web-based software provider for the financial and healthcare industries. Due to this compromise, actors may have acquired credentials or sensitive information on the provider's customer base, which includes numerous banks and financial institutions.

Kudos to US-CERT. I’m happy to see US-CERT (Tom Millar and Richard Struse) championing the development of TAXII, a structured means for sharing attack data in a uniform way. This is LONG overdue, and I’m happy to see US-CERT taking a strong leadership role, stepping out, and getting this done!

BT BT

During my talk yesterday I stated something I believe (and have heard others say quietly): I don’t think there’s a piece of intellectual property on a computer, attached to a network, anywhere in the world that’s safe from exploitation. Exploitation may mean theft, changing the code (integrity), or denial of use. This is not a local problem, nor a US problem. It’s a global problem. Our networks are crawling with bugs and those who wish to exploit them. The only way forward is to learn how to work within untrusted networks while we devise a long-term strategy for weaning us off the current implementation of the Internet and design a next generation network (Nextranet?) with security built in to take its place. In the meantime, we MUST work together, else lose every piece of intellectual property we’ve ever created to those who choose to steal it rather than build their own.

Red Sky and Beadwindow are intended to do three things:

  1. Help companies fight today’s cyber problem. Just about every bug flicked at our networks is sticky. The problem is becoming ubiquitous.
  2. Partner with vendors in the communities so they know exactly what operational users of their products are seeing. We hope this will create a next generation of better security products.
  3. Last, but certainly not least, feed the labor pool with trained analysts who are taught to analyze emerging threats.

Our community is not a means for investigation, but rather for network defense. We work hard to make sure that conversations remain focused, but unstructured. Members are notified of new inputs as they occur, thereby allowing those who have not been hit to protect themselves before they are. Feedback to date has been tremendous. When asked if State and Locals wanted their own portal using a separate but similar Red Sky environment, I was overrun with requests for accounts. We don’t see ourselves as competing with the ISACs -- we see ourselves as an enhancement to the current model, highly complementary. We work solely in the emerging, targeted and APT space. Our members benefit from knowledge imparted by others. Everyone is peer reviewed to ensure we know who generally has better gouge (technical term for really good stuff!) than others.

I am highly outspoken when discussing data versus intelligence. Aggregated feeds of data, because of the vast amounts available, are no longer actionable. Here’s what I know... right or wrong, it’s what I know and believe: the only way to get good intelligence out of the vast multi-industry international streams of data is to ask the originator of the data what it means. When you can’t verify the source, its credibility as a source, the configuration of the originating machines, the context of the data, or the believed motive (of the human attacker, as derived through analysis), aggregated data without trusted endpoints runs the risk of becoming a garbage-in, garbage-out model, where users should question their confidence in its use.

Bottom line.

Public-private partnerships are hard. Even after so many years, private sector companies rarely share openly and completely with the government -- even in the best partnerships. Red Sky and Beadwindow together will give both sides the opportunity to talk and share cyber information voluntarily; members of one may never choose to talk or expose their data to the other... that’s OK. The option exists. If Red Sky Alliance members find value in data received from the government, they’ll talk about it. If Beadwindow members need information from corporate users, they can ask. Their discussion will be moved to the private Red Sky portal, where members can discuss the questions among themselves and submit an anonymous (or sourced, if they choose) answer back to Beadwindow members. The process is designed to alleviate trust agita. We’re doing our best to connect the smartest people in a place where they can compare notes, share data, offer each other defensive tips from their own lessons learned, work through the hardest problems, and build a lasting bond among companies who have the ability to protect computers in over 140 countries in the world today.

You too should join the conversation. We can’t win without honest discussion. We’re all standing around with our pants down (or dresses up Margie!), and you know what? We all have the same parts! Amazing! Let’s help each other.

Join the conversation.

Until next week,
Jeff

Friday, August 17, 2012

Red Sky weekly update - Six months in operation and a new Fusion Report!

This week, we released FR12-020, which detailed a Poison Ivy variant provided by one of our members. Analysis of delivery indicators and TTPs linked the incident to known first-stage infrastructure, which is exclusively intended for the delivery of Poison Ivy (PI) payloads. The report provided new insight into the social engineering tactics employed by the actors, and also revealed correlations among the leveraged URLs and domains. This resulted in the development of 6 new signatures to aid in the detection of related activity. Moreover, indicators provided in FR12-020 allowed for the identification of a compromised site belonging to a major software provider for corporate applications.

As of today, our six-month operational anniversary, it’s been a heck of a ride.
  • We’re now at 19 companies in the environment -- including four vendors who provide analytic assistance to the members -- and have three others going through legal review of our terms and conditions.
  • We’ve authored 20 fusion reports detailing analysis on submissions from the membership.
  • As of today we’ve racked our automated malware analysis suite, and will make that available to the membership as soon as we finalize our configuration changes.
  • We bootstrapped (self funded) Red Sky, so as not to be beholden to external pressures from institutional funders, and I’m happy to say we’re cash flow positive, having hit breakeven within our first four months!
  • We now have a solid analytic capability backing the membership. Our members have done a heck of a job helping each other. Crowdsourced analytics from the membership, distilled into actionable, usable indicators and knowledge by the Red Sky staff and analytic vendor partners, is working wonderfully! As a side note, a woman from Network World interviewed me today. She was surprised when I told her we allowed vendors as analytic members. I believe we have to partner with vendors, not exclude them. How else will vendors know what emerging threats look like and how to shape their futures? We have to tell them. They play by the rules (no ambulance chasing, just good analytic support to the membership). So far, so good!
  • Our intern program and participation in Wounded Warrior is hitting on all cylinders, and we’ve brought in a long-time educator to ensure our curricula are done right. We’re hoping to establish a pipeline of qualified analysts to our membership starting in December, when our first intern graduates from his Masters program in criminology and cyber. Starting in the fall, we’re hoping to have new faces in the program from Wounded Warriors and will begin training them, preparing them for positions in our members’ workforces.
  • And best of all? We’re receiving referrals from our members for new members. That's the best compliment ever. Thank you!

So for now, I’m making this a short blog. I’m driving from Baltimore to Atlanta for GFIRST. I hope to see many of you there! Ask me for a demo!
Have a great weekend!
Jeff

Friday, August 10, 2012

Red Sky weekly - Two new Fusion Reports!

I apologize for the length of this blog, but it’s been two weeks since my last post (sounds like I’m at confession!), and wow, has it been a great two weeks.

  • Two new fusion reports have been posted to the portal, one offering a campaign profile, and a combined 250+ new indicators and several new Snort signatures
  • We’ve become part of the Wounded Warrior program
  • Our Tech Analysis Lead attended an FS-ISAC sponsored ICS program
  • Membership continues to grow

We released Fusion Report 18 last week, which details a previously unobserved malicious downloader. The malware is suspected to be of Russian origin and employs multiple layers of protection to include encryption, compression and suspected custom packing code. Despite the better OPSEC practiced on the part of the Russian actors, we were still successful in deriving multiple related indicators.

The skillset inside the membership was apparent last week. Multiple encoded binaries were posted to the portal and another member analyst was able to recognize the obfuscation scheme and provided a decoding script which enabled the malware to be analyzed. Just another benefit of crowd-sourced malware analysis!

As a result of this work, our team reached out to over 40 government contractors who we believe (with high confidence) to have been affected by the targeting of a specific aerospace program.

FR12-019 was released today. Fusion Report 19 details a set of attacks from a known group of operators. This represents the second report detailing an intrusion campaign and is a reflection of the quality of data provided by our members. Campaign analytics are crucial in adversary profiling and are one of our main goals going forward. The report provided analysis on the adversary's targeting and malware evolution, and included three new Snort signatures and over 80 new indicators of APT activities (APT defined as espionage by real bad guys).

From a non-analytic perspective, great things are happening. We’ll have been operational for six months in a week. A couple of highlights:

  • Since my last blog post we’ve added four new Fortune 500 companies to the portal. With today’s addition, I believe we’re at 21, with three others working through legal processes to join.
  • We held our first internal meeting last week on standardizing the data being passed. We had a great meeting with DHS a few weeks ago, and had been heading down our own path in parallel, but we want to find the right middle ground. Our members are all large companies. Some have written their own taxonomies. We’ve been using a simple kill chain format. It’s a work in progress, but right now, people are talking. That’s important too.
  • This week we received “Preferred Employer” status with the Wounded Warrior program as we continue to build out curriculum for retraining Wounded Warriors and interns coming through Red Sky Alliance en route to new employment. The majority of the Red Sky team is made up of former or current military, representing active duty Navy, Coast Guard, and Army, Marine Corps reserves, and civilian Air Force. We LOVE the Wounded Warrior program and are VERY excited to be given the opportunity to teach returning vets how to do cyber analysis in this most challenging space!
  • Last, but certainly not least, Thank You! to the FS-ISAC, who allowed our Tech Lead to attend an ICS program with them in NY this week. Our Tech Lead came back with some great new ideas, an education in industrial controls, and a newfound perspective on other areas of threat.

I could have gone on for at least another page. Red Sky is doing well, and we’re receiving interest from companies on almost a daily basis. One told us today that he’d participated in meetings in DC yesterday with a group of CISOs who all talk about Information Sharing and restrictions placed on some of the others out there who are focused on APT. Red Sky Alliance was built with those lessons learned in mind, and the idea of correcting those restrictions. We want it to be easy to share information smartly and safely, and allow members to be able to use the information published to the maximum extent needed to protect their networks. Another this morning (yes, I actually received TWO nice pieces of feedback just this morning!), left a position with a large defense company in NJ to take a Threat Intelligence position at a global credit card company. He told me that he wanted to join Red Sky because he’d been hearing so much about the ‘real time intelligence’. He was very excited!

Until next week!
Jeff

Saturday, July 28, 2012

Red Sky Weekly - Fusion Report 17 released

This week we released Fusion Report 17. FR12-017 details an adversary who is active in the Defense Industrial Base sector. The report provides an in-depth analysis of the actor's known TTPs and their flagship malware, to include tailored Snort signatures and over 140 host- and network-based indicators. Also, due to related indicators provided by a member, Red Sky analysts identified high-probability targeting of as many as 22 other non-member companies.
For those Red Sky Alliance members not in the Defense space, one member's detection just became your prevention. This group has been active for quite some time. We strongly suggest you implement protections from this report immediately.
The addition of FR12-017 was only the beginning of the week. It’s been a bit of a wild ride. I’ve been in Vegas for Blackhat, meeting current members, demoing for potential members, sitting in talks, supporting associate members (technology partners), and of course, attending a few parties!
Highlights from the week:
  • Published Fusion Report 17
  • I spent the brunt of the week at Blackhat while Chris held down the portal -- which appeared to be pretty busy! We finalized membership with a couple of new companies, and a few current members enrolled more of their Infosec team members. Chris has been busy this week. He's working the next Fusion Report, training two analysts, and, it appears, slogging through a new, unusual piece of malware.
  • Blackhat was cool. I did a demo in shorts and a polo sitting on a bench outside of the executive briefings on Tuesday night. During the talk, a current member was walking by and stopped to rave about how much he liked being in the Alliance. Needless to say, we have a new company joining as a direct result of the reviews offered. Thanks Don!
  • I spent a ton of time with our Associate members. Associate members are vendors who perform analysis in the backend of the Red Sky Portal. LookingGlass and Norman both did a heck of a job. I tried where I could to offer my testimonials to folks coming to their booths, as both provide analytics, and both have strong peer reviews. I hope it helped!
  • LookingGlass threw a party on Thursday night at a club in the bottom of Aria. Love you guys man, but I’ve got to say, meeting Randy Couture was probably the highlight of my day. Randy is supporting wounded warriors through his own organization, the Xtreme Couture GI Foundation. LookingGlass sold T-Shirts all day and during the party to support Randy's Foundation. At the end of the night, LookingGlass presented the foundation with a check for $10,000. It was a heck of a night. Well done guys. Bravo Zulu!
  • Last, I’m on my Delta flight from Vegas to Detroit for a layover before heading into Boston. Sitting next to a VP from Qualys. We struck up a great conversation about things we’re both doing (I’m liking the new web application firewall!). When we talked Red Sky, I gave him a quick look at the portal and walked him through the story of an ‘overseas’ hacker using the ISP in the US, and then the ensuing fusion report (having WiFi on the airplane is really sweet!). We’re now LinkedIn, he’s sending me a couple of referrals, and maybe we’ll see Qualys joining the Alliance sometime soon. Who knows! We’ll see!

We’re at 19 companies in the portal today with four more working their way through the membership process. We don’t require cleared facilities, government inspections, or secret spy handshakes. We only require that you pass muster when we ask our Advisory board if you should be admitted, participate, and follow the information handling rules. It’s that simple. Vendors are also welcome as analytic/defender participants. Some really good stuff comes from having vendors in the community. How else will they know what holes they have to fill in their products? Also, having vendors in the portal is a great (GREAT!) way to find out if they can do what they say they can do! They get peer reviewed just like everyone else. So far, so good!
Still not sure about joining? Not a problem. Call us when you’re ready. Quoting Tom Bodett (Motel 6) “We’ll leave the light on for ya!”
I’m heading on vacation starting today. I’m turning off my electronics for the next week. If you need help, please don’t hesitate to reach out to Jim. He’s standing by to take your call!
Have a great weekend!
Jeff

Saturday, July 21, 2012

Red Sky weekly - FR12-016 details second non-public trojan
Red Sky Analysts released Fusion Report 16 this week. FR12-016 detailed a newly observed web-based Remote Access Tool (RAT) which was used in the same campaign as Trojan.Eclipse (named Eclipse by Red Sky analysts) from FR12-015. FR12-016 offered a custom C2 decoding script, Snort signatures, and a number of new indicators that may be used to detect and proactively mitigate the intrusion attempt.
BT BT

When preparing this week’s blog entry, I miscounted, thinking this was six months in operation. In fact it’s five, with our corporate one-year anniversary coming up at the end of August.  Regardless, five or six, the numbers are still pretty exciting.

  • Our Advisory Board is currently looking at one more company for membership. The company is one of the five largest law firms in the country, boasting 1750 attorneys and 27 global offices. We currently have four companies being vetted by our Advisory Board, and if all are offered membership, we’ll have 16 top companies in nine of the US’s critical infrastructures. Our ranks have grown 36.5% in the last two months!
  • We're actively tracking at least eight groups. Two groups were each known in one sector, but not widely known in others. The cross-sector participation of Red Sky has produced (as I read it) two cases where a group moves from one industry sector to another.
  • In five months we’ve profiled a bad ISP, analyzed two 0-days and at least three newly discovered pieces of code, named two new TTPs, and published over 2000 indicators in Kill Chain format. Over 500 threads are tracking, with over 9000 comments and page views generated.
Five months in, results like this are the tip of the iceberg. The conversational format of the social environment can be rough getting used to, but the richness of the information is FAR better than the format we used in the report-driven portals I’ve participated in in my past. (Report-driven portals are easy to parse, but the data is generally light.) Cross-sector and international participation has been huge! The ability to contact members in Japan directly, or analyze malware captured on members’ global networks, is a luxury I’ve not been accustomed to. I like it.
Bottom line is this. I'm happy it's working. Not without growing pains, but nothing good ever comes without a few bumps/bruises. Five months. It’s working.
See you at Black Hat!
Jeff