Saturday, September 29, 2012

Red Sky Weekly - Which CISO would you rather be?

If you were breached...

Would you rather be in the press, or silently (but completely) p0wned and gutted?

In the last two weeks I’ve told stories of breaches into a billion dollar company and a large research library. You’ve learned that attackers can, and do, come back regularly for data updates or things they’ve missed. Neither of these attacks has shown up in the press, but the effects are devastating.

Which CISO would you rather be?

Telvent is a company that manufactures remote administration and monitoring tools for the energy sector --remote administration for SCADA computers. Telvent this week showed up in Brian Krebs’s blog, where Brian describes an APT event targeting Telvent. Press references to the “APT attack” suffered by Telvent are largely non-existent, other than secondary reporting of Brian’s work (this completely amazes me!). To ensure continued secure operations, Telvent had to author new procedures for their customers to use to connect. According to Krebs, their products are used by every Fortune 100 energy producer, for remote administration of their SCADA systems. The system believed breached tied older controllers to new systems. I’d bet a dollar that the effects are more widespread. Regardless, how can it be that a cyber event of such potential magnitude, reaching DEEP into a global critical infrastructure, had less coverage in the press than denial of service attacks on banks?

Wanna know why?

  • Denial of service is easy. Any reporter can understand, and therefore easily communicate the pain of a denial of service attack. When consumers can’t get to their banking websites, reporters can easily tell a story of cranky consumers (like my partner) who were denied access.
  • Telling the story of a group with a foreign name, and posting warnings on pastebin is sexy. Reporters like sexy.
  • Journalists write well, and likely have strong education in journalism, but the important cyber stories --those having to do with hard to understand techniques, motivated by espionage, with potentially devastating effects-- are really hard to understand (or even believe) if you’ve not been immersed. The story is hard to write. Journalists largely don’t have technical backgrounds, and most infosec people are not journalists.

Reporting on espionage or cyber attacks is hard...

Telvent manufactures remote administration and controllers for SCADA systems. SCADA --those systems used to turn on and off nearly every motor, pump, generator, or switch in a way which makes the generation and movement of electricity smooth and efficient. Think about it like this: the fuel delivery system in your car could be thought of as a SCADA system. When you push down on the gas pedal, the car’s onboard computer controls the mix of fuel and air that gets delivered to the engine. Another part of the computer tells the spark plugs to fire, thereby generating energy that moves the pistons up and down in a cylinder, generating force that’s then transferred throughout the car to the tires. In energy plants, computers control (turn on, turn off, and regulate) devices (generators, switches, pumps, motors, etc.) to ensure the most efficient and correct distribution of power, fuel, water, etc., and to ensure energy output and distribution across the country to consumers who need it.

What strikes me as odd is that the press in general can’t seem to figure out that DDoS renders companies inaccessible for as long as the attacks continue... and then they stop. APT events, botnets, and targeted attacks steal information that will leave a company with a hell of a lot less capability to operate, even long after the attack... but it’s hard to report. Only the most tech savvy of the bunch (like Brian) understand the devastation that occurs (silently) during an APT event.

As an aside, Red Sky analysts, based on indicators taken from Krebs’s blog, believe the symptoms match a TTP shift in a fairly prolific and highly skilled group. A significant shift in this group’s TTPs occurred approximately two months ago, and the information in Krebs’s blog matches directly with the resultant change in the group’s infrastructure. We issued the information as Fusion Report 16. I suspect Red Sky isn’t the only organization to warn their members, but many CISOs haven’t been enlightened to the very positive effects of information sharing yet.

BREAK BREAK

As always, here’s the happenings in Red Sky this week:

We had a small, but great Threat Day. We’d expected to do it in NYC, but never got the coordination done with the member, so we did a short notice event in Washington DC. The presentations were outstanding (slides are posted in the portal).

  • Jay Healey came in from the Atlantic Council and spoke on Cyber Conflict history and futures, including parallels in what we say ‘then’ versus now.
  • Our Red Sky Tech Analysis Lead did a great talk on the different facets of a highly skilled APT actor set.
  • We received a brief from one of the members who specializes in looking at bad guys in other countries. It was a non-tech brief, but talked about the who and why, with pictures.
  • Last, but absolutely not least, we talked with another member about his discovery of an old tool being used for new tricks. Windows Credential Editor is being used extensively by attackers in his network to dump Windows credentials (through Windows 7) from unencrypted running memory... all of them back to the last reboot. Apparently there are no fixes in sight. Yikes.

That’s it for now.
Have a great weekend!
Jeff

Tuesday, September 25, 2012

Red Sky | Beadwindow - Hoot and Holler!


Last week was a very productive and rewarding week for Beadwindow.  Along with reaching out to community members, we held our first “Hoot and Holler”, a bi-weekly gathering of community members to share their intelligence and what they're experiencing on their networks and systems.  It was a very well received event for those who attended and a wealth of information for Beadwindow.

Having worked in the government sector for most of my career, I am very familiar with the constraints unique at local and state government levels.  While working for a large state agency, we were often short staffed, making it difficult to respond to problems that were deemed “critical”.  With the importance of network security being punctuated by the events of 9/11, state agencies across the board scrambled around looking for not only qualified security people, but also money to acquire the necessary tools.  I spent a lot of time sitting across the desks from executives describing nebulous concepts like intrusion detection when the first reaction was often, “I have a firewall, and I need a what?”  It was particularly difficult dealing with a lifetime bureaucrat with a sharp pencil and “no need for fancy email!” 

Recognizing those challenges early on, state and local leadership in the IT sector came together and pooled resources.  Department of Labor reached out to Health Services who reached out to Public Safety and so on.  This collaborative effort was planting the seeds of interagency cooperation that saved time, money, and helped spread the wealth of knowledge across the enterprise.  Today, these concepts are commonplace and the sharing of resources is ubiquitous.

For this new business model to work, leadership had to fill the “trust gap”, the space between agencies that were all fighting for the same pot of resources.  Leadership had to be challenged that working together not only saved money but increased access to resources normally unaffordable or unattainable. This is the concept on which Beadwindow is founded.

The conversations had at the Hoot and Holler illustrate a need for governments to reach out to others to complement the tools and expertise already in place.  With budget cuts and freezes in hiring, the left to right curve of available resources to cope with TTPs arcs sharply downward while the threats arc sharply upward.   Today, the onslaught of threats far exceeds the capabilities of many governments, requiring agencies to look beyond their traditional cooperative boundaries and reach out to new relationships for information and resources. Beadwindow is designed to close the gaps and facilitate those conversations.

If you’re a Beadwindow member, I encourage you to reach out to the Beadwindow community partners for help.  I heard several examples of where sharing information with the rest of community could help free resources in one place so they could be targeted elsewhere. 

By sharing with the community what you’re seeing on your networks, you are sharing intelligence that benefits all members.  It really is the “pay it forward” model.  You get out of it what you put into it.  You share the information in the portal and in return it sparks conversation. In return, the likelihood of you gaining information that is important to you that you’ve not seen before increases significantly.

To find out about how Red Sky can help your organization, please reach out to me at rgamache@redskyalliance.org. In the meantime, please learn more about Red Sky at www.redskyalliance.org or http://henrybasset.blogspot.com

Have a great week and remember – If fighting is sure to result in victory, then you must fight!

Rick Gamache – Red Sky Alliance CIO – rgamache@redskyalliance.org – 207-449-8090

Saturday, September 22, 2012

Red Sky Weekly - Research Libraries... Rich targets?

Imagine this: You go to the research library after receiving an assignment to prepare a brief for 9:00 Tuesday morning. You’ve been tasked with preparing thoughts regarding the acquisition of a new company and its technology, and you’re waist deep in due diligence by 2:00 Saturday morning --with no end in sight until that Tuesday morning presentation. You'll be pulling all-nighters through the weekend. You’ve got financials spread out all over the table, legal documents describing issues associated with purchasing companies in this part of the world, reference material and patent searches to confirm value of the intellectual property and you’re exchanging email with researchers elsewhere, as you and your virtual team pull together the deck and details you’ll be presenting in just a few days.

Now imagine this... those library computers, electronic searches, public internet access, probably wireless access that you connect to with your personal laptop, store all of those communications and queries somewhere --if not only in simple memory or cache. Every time you enter a query, search for a reference, send an email, receive an email or prepare work product on that library network or one of their public computers, you give a would-be competitive adversary a clear view into your specific research, sources, intellectual property review, etc. If that library hasn’t done the necessary work to ensure the privacy of their visitors, and doesn’t have ways of maintaining security, you might be giving away more research than you're getting. I would argue that librarians are not security people, and probably don’t know the value of the electronic treasure trove that exists in these otherwise quiet, relatively uneventful places of business.

Why might I think this? Last week I told the story of a billion dollar defense company that maxed out their cyber insurance policy and now gets harvested monthly for updated technologies or those missed during earlier visits. That blog post, within one week, became my most read page since the blog's inception. Interestingly enough however, this isn’t the first time I’d heard this story. I heard exactly the same story three or four months ago in a conversation with a consultant that I’ve known for several years. The consultant led a team of security people who did work in a large research library for about a year. He described the routine harvesting of electronic library queries, emails in/out of the library, etc., as “APT Day”. Apparently once every week, on the same day, the library is harvested for all of the previous week’s queries, emails to researchers, and work product residing on its own and its public-use computers. Who would have thought!?  A LIBRARY!? Attackers, in one fell swoop, learn what is being researched, what forward thinking is happening here, and all of the sources used by the researchers!

We’re all at risk. If data, data about data, or communications about data exist, and someone wants it, there’s a pretty good chance they’re going to get it. Today, malware isn’t necessarily required. There are companies out there who sell VPN services using legitimate (but stolen) credentials. Bad guys are in your network using your remote access user name and password. The only way to know about them and defend your networks, computers and intellectual property is to talk with someone else who’s gone through the pain of defending against it already. You mustn't be shy. Attackers work in well orchestrated teams, choose their targets, operate with precision, and get what they want. They only have to find one way in. You have to defend every way in. This is Sun Tzu upside down, so forget that lesson of 'best to have a defensive position' and start asking questions of others --before it's too late.


BREAK BREAK

Red Sky had another terrific week. Here goes:

  • Fusion Report 25 released: FR12-025 discusses the PlugX malware leveraged in the recent IE 0 day attacks. The report included an in-depth analysis of the malware's functionality and capabilities. We also identified likely targets for the 0 day activity and provided information on related infrastructure that has a high likelihood of being leveraged in the near future. The tip for the analysis came from a private company member who wishes to participate in both portals. As a result, the report was published to both the Red Sky private portal and the Beadwindow private/public portal, where our current state/local members can also access it.

  • Beadwindow “Hoot ‘n Holler” call: We held our first Hoot ‘n Holler conference call with our Beadwindow members. The call included members from the Red Sky team, one state government and the CSO from a major metropolitan city. During the call, we assisted the government users with understanding the new TTPs from this week's Fusion Report, explained what they actually meant, and talked about how to protect from them.

  • New Members: This week we signed one new member and a second was invoiced and is now in legal review. The first is a high tech/defense company, with about a billion dollars in annual revenue. The company has already started contributing to the portal and will be attending our Threat Day next week. The second is going through legal review as we speak, and when they come into the portal, they’ll bring the management lessons and visibility of their three-million-computer environment. The company is diversified with majority holdings in global retail, technology, real estate and energy. We’re very happy to have both companies join us in the Alliance!

So for the last several months I’ve been keeping you up to speed on the progress, growth, and significant happenings in Red Sky Alliance. The other day I was asked during lunch to quantify our membership, our business, and where we are in relation to others entering the information sharing space. I’ve done this informally before, and here’s what I tell people:

We began bringing members into our empty portal in mid-February. Since then the participation has been terrific.  While the numbers are an estimate based on an informal survey of the members, we believe they’re pretty close, and very telling of the community we’re growing:

  • As of today Red Sky Alliance hosts 15 large enterprise members and four associate (analytic) members. Our current membership includes a major telecom, several global banks, several high tech internet companies, one global engineering/construction company, and a couple of large enterprise diversified companies engaged in everything from airplane manufacturing to electronics to energy production.
  • We have five companies currently in various stages of the membership process. When these companies complete the process, we estimate that these 20 member companies will control close to 20 million devices in over 140 countries in the world in dozens of industry segments, including global energy production, retail, real estate, and managed IT and security services. (Yes, we like MSPs. They help us scale protection while at the same time maintaining opsec.)
  • Financial members in Red Sky process the vast majority of credit card transactions in the world today, and manage the lion's share of money moved between stock exchanges and their clearing houses.

On the Beadwindow side, in less than a month, we’ve added a couple of new members, and now include:

  • Three major US cities
  • One state government
  • One global bank
  • One ISAC
  • One global Internet company

So, Red Sky is cooking with gas. The portal activity is picking up again post-summer, and solid activity is coming out of it. Fall is always busy until around Christmas. We’re geared up to handle it.

The Beadwindow portal is also doing well. New members mean new education. State and local governments (my first impression.. I’m learning too) seem to have very small information security budgets and little organization around managing across agencies. One CSO told us that his (one) IT Security guy was just moved out from under IT, and that neither the IT folks nor the city government departments will let him look at data to perform his analysis. Whew. That must be exhausting, and a real morale dumper for the guy who’s going to be held responsible when something really does hit the fan (and it will!). There’s a major learning curve coming for these poor guys! We’re on it. We’ll do our best to help.

That’s it for now. Have a great weekend!
Jeff

Tuesday, September 18, 2012

Red Sky | Beadwindow - One Week Down, many more to go!



For those of you who are new to Red Sky, you may not be familiar with Henrybasset’s “Red Sky Alliance” blog published each week by Red Sky co-founder, Jeff Stutzman.  As an extension to that blog, we are publishing a second blog, Beadwindow.  This companion blog will communicate the weekly activity of the Beadwindow community.  As things grow, so too will the discussions and information.  It is our sincerest hope that you find this blog both informative and a reaffirmation that collaboration and information sharing DOES work and IS the model for success in fighting the TTP threat.

Beadwindow?  As the new CIO for Red Sky, one of my first tasks was to get the Beadwindow portal up and running and to immediately help our community members with collaboration in defining the threats they are seeing on their networks.  This is not an easy objective. Having come from the government sector, I know sharing information is not a natural habit there.  Beadwindow, being a private-public cyber partnership, is pushing those longtime cultural behaviors aside and providing both a means and the trust to break through the barriers that have plagued the government sector.

With this in mind, I am very pleased to report that Beadwindow is already providing a valuable space for our early adopters from both significant municipalities and state governments to connect, interact, and build long-standing relationships.  I believe that the only way we can protect our critical infrastructure as well as our intellectual property is if we work together – Red Sky provides the space, all we need you to do is maximize its potential.

Before I wrap up this first installment of the Beadwindow blog, I wanted to remind everyone that Beadwindow members have access to Red Sky’s Norman Malware Analyzer (MAG2) device.  We are already seeing a lot of activity with our MAG2 – keep it coming!  The MAG2 device is capable of analyzing up to 40,000 separate pieces of malware a day!  The MAG2 is an excellent “first responder’s” device and should be an immediate resource in your triage plans.  DO NOT let this resource go unused.

We are moving forward and growing. For those already aboard, keep the discussions going and the analysis coming. For those of you on the fence about how Red Sky can help your organization, please reach out to me at rgamache@redskyalliance.org. In the meantime, please learn more about Red Sky at www.redskyalliance.org or http://henrybasset.blogspot.com

Have a great week and remember – If fighting is sure to result in victory, then you must fight!

Rick Gamache – Red Sky Alliance CIO – rgamache@redskyalliance.org – 207-449-8090

Friday, September 07, 2012

Red Sky Weekly - New Fusion Report details shift in TTP

I posted earlier this week, so this one will be a little shorter. It’s September, and time to get back to work! Red Sky works hard to create forward movement every single week, and this week was a good one.

  • Fusion Report 23 (and Beadwindow Fusion Report 001) were posted to the portals earlier this week. The analysis was tipped from open source, but detailed a major TTP change in a prolific group, noted within about 24 hours after the shift, from a TTP the actors had used for at least the last 18-24 months. This is as good as (better than!) 0-day research, as it showed a shift in TTPs and the new malware that goes with it. The report, because it was tipped from open sources, was made available to both the private Red Sky portal and our Private/Public portal - Beadwindow.
  • Beadwindow is doing well. We’re in our first official week of operation and have a number of State/Local and Critical Infrastructure participants, as well as two of the original founding Red Sky members who’ve opted to participate directly with government users in the new, more open portal. We’re holding orientation for the new group today, and expect to see conversations starting next week. In fact, we’ve already got one participant authoring a search/retrieval application to interface with their city’s big data project. Very exciting!
  • Threat Day! We’ve just finalized plans for next Threat Day, to be held at a member location in DC. We’ll be sending members invitations and calls for papers today. Our last went really well. I’m looking forward to this one too. Plan on cocktails at the Army Navy Club for the night before! For members reading this, please RSVP in the portal. I’ve posted details there.

From a growth perspective, I can tell we’re maturing. We had to add a ticketing system to our backend today. It didn’t take long before we realized that not having process around workflow --as many bootstrapped startups realize quickly-- creates problems in customer service. Even one is too many, and we had one today. Those who know me know I’m a process guy. I’m going to start walking through those checklists as we speak! We’re going to need it more as time goes on. We have three new companies receiving Red Sky membership packages this afternoon!

Interested in joining Red Sky? While Founding memberships are basically filled, Founding member rates are being honored through 12/31.

Interested in joining Beadwindow? We have a government and academic rate structure to accommodate you too, and Beadwindow is off to a great start!


Drop us a note now at jmckee@redskyalliance.org or jstutzman@redskyalliance.org.

Until next week!
Have a great weekend!
Jeff