Saturday, October 20, 2012

Red Sky Weekly - From the users perspective...

This week we released Fusion Report 27. FR12-027 contains analysis on the Citadel banking trojan, including details on how the malware encrypts communications and behaves differently in a virtual environment. While this activity was not targeted in nature, the malware appeared to be widespread and affected users in both our Red Sky and Beadwindow communities. This prompted me to think: what does a typical user think about simple intrusions like this one?

To that end, I took the opportunity this week to have great conversations with users whose machines had been victimized during various events. I wanted to bring this back to a “human” perspective and write this week’s blog about how users react when their computer starts to act funny. These are great observations. Infosec folks should pay attention. This is important. Here are a couple of observations and thoughts:

Users are becoming numb

This user, deep in work, checked his email, never suspecting that simply previewing email might launch a host-side attack, allowing the attacker access. The problem started with the Bluetooth being turned on on his computer without his taking any action. The user simply closed the laptop, assuming the operating system was acting up. Small issues, when noted on computers running multiple applications, don’t mean much. One issue, when seemingly cleared up on reboot, is far less trouble than contacting the helpdesk.

Agents on enterprise computers do funny things

When your computer slows down for no apparent reason, a typical user chalks it up to bad bandwidth, or all of the agents running on a computer. Antivirus slows performance, as do other agents running. Many applications fire up the webcam momentarily to gain situational awareness for later use, and contact lists are routinely updated, exported and interact with social networking sites --all creating small ‘glitches’ that are normal, but make real ‘gotchas’ seem normal too. Users can’t tell the difference.

Spearphishing and waterhole tactics are invisible

Does the human have the advantage when identifying spearphished emails before they infect their computer? I’d argue not. What about waterhole attacks, where frequently visited websites are poisoned in hopes users would stop by and become infected without knowing? Absolutely, users are at a disadvantage. Users must take responsibility for their actions, but many, many of these attacks are designed to get past the user or infect their computer when they visit their favorite web page.

It’s easier to reboot or work through it

What’s more important, worrying about the obscure chance that someone is in your computer, or meeting the deadline? We work all hours day and night, and the inconvenience of something happening (for reasons known or unknown) simply means a little extra work or inconvenience. The dedicated user works through it, waiting to see if it worsens. If so, they might contact the helpdesk or Infosec, but heck, we’ve got an Infosec team and they’re watching anyway, so if there’s really something wrong, Infosec will call... right?

Bottom line: Users are learning to live with risk. Agents running on machines, the constant threat of bad email, and simple enterprise issues that arise daily are all causing users to work through the pain.

Users don’t know how to prioritize those risks that might really be stealing information, or how to recognize the symptoms. How do we reach them? I’m interested in your feedback and thoughts.

Thoughts?
Jeff

Saturday, October 13, 2012

Suspected Palestinian malware? Why a Red Sky Associate Membership?

We sent folks to training in Vegas this week, one to Marine Corps drill weekend, another heading for a week off in Steamboat, and me holding down the fort. So, no published Fusion Reports this week. We did however have some interesting threads and analysis via the portal. We analyzed our first suspected Palestinian malware specimen which consisted of an open source RAT. While the malware was not unique, we did derive tailored mitigations to protect against future attacks from this tool. Additionally, an Associate member used their resources to help identify a substantial amount of related infrastructure which was reported out to the members.

This is a great example of why Red Sky welcomes certain vendors to the table. We call them Associate Members, and we believe that they, if they can do what they say they can do, should be rewarded. When vendors bring great analytics to the table, like we mentioned above, and the membership sees the value in their offerings, they get rewarded --through peer reviews, networking in a great community, and exposure. We don’t allow active selling, nor do we tolerate ambulance chasing, but we do believe that vendors were probably operational security folks at one point too, but now they’re entrepreneurs in the infosec space. Just like turning to management, we lose a little bit of our operational skill and situational awareness every day we’re not pounding a keyboard and scouring PCAP for the nuggets. Smart folks who chose the entrepreneurial path lose their edge as well. So in Red Sky, vendors get the benefit of being analytic members of the community. They pay a fee for membership, must pass the advisory board, and then play by the rules. In exchange they get to participate in a forum where some of the best minds in some of the best infosec teams are looking at some of the hardest problems. They participate like any other analyst, get peer reviewed like any other analyst, and are rewarded by showing off their wares. There is no better way to show what your products/services can do than to actually do it... and there’s no better way to buy than to see what it can do first.

This week we observed our first occurrence of targeted activity which was independently reported from both Beadwindow and Red Sky members. This is to be expected and just goes to show that while we have two separate communities, the threat is sometimes the same. This activity will be detailed in an upcoming report to be released to both communities.

Those of you who know me know I’m a ‘keep it simple stupid’ kinda guy. All the data in the world, even when aggregated smartly, should never be implemented in your network without evaluating it first. So while aggregated security data may look great on paper, it still needs evaluation locally before implementing --locally meaning by your infosec team. How much time does it take to validate indicators in a security aggregation feed? My personal opinion is this... I’d rather ask someone smarter than me if the data was useful to them before I implement. I’d like to know what others found and of any lessons learned. There are two companies I’ve seen who I believe do aggregation well --they come at it from different perspectives. One uses malware as the tripwire for aggregation and the other begins the process with browser-based data. Both offer really good perspectives on hard problems, but there is a lot of malware out there, and there’s a lot of host-based badness out there. Can you implement a steady stream of potentially hundreds of thousands of indicators on your network and in your host-based IPS in near real time? Could you evaluate all of the data coming from them? How much labor would that cost? Me? I’d rather ask someone else how they did it, and then do it my way using their lessons. That’s what Red Sky and now Beadwindow are all about.

Why do I mention this?

I had a call this week with a large enterprise company --pretty typical of the companies that we work with on a daily basis. This company had been an ‘anchor’ in another information sharing environment. The guy I talked to told me he’d dropped his membership in this other group, and asked what Red Sky does differently. It was interesting to me to hear about this one group. The claim (as they all seem to be) is aggregation of the metadata associated with APT activities. I like to call this “Utopia” (I didn’t come up with this, a friend did), but here’s what I know. I’ve been tracking Utopia for many, many years. So far it doesn’t seem to exist. Me? I’m going to use my phone-a-friend. And yes, this company will continue to be attacked, and continue to receive aggregated open and premium sourced (ahem) security intelligence feeds, and yes, *I believe* we’ll be seeing that ‘anchor’ company joining Red Sky soon.

It’s not always about tech. Sometimes it’s about people.

Have a great weekend!
Jeff

Saturday, October 06, 2012

Red Sky Weekly: What lies behind the DDoS?

Interestingly enough, I’ve got folks now sending me inputs for the portal, but they’re not members. Their management probably doesn’t know that they’re sending me good information, but they (the practitioner level) know they need help and one of the best ways to get help is to ask.

This week I received a call from a large credit card company wanting to know what Red Sky knows about the DDoS attacks. While we don’t much track DDoS, we do track activity going on in the noise. So one thing I can tell you is this... while the DDoS got the press because of potential geopolitical connections, the real story is what was going on behind the noise. So let’s try this:

  1. Major changes in the way one fairly prolific (economic espionage focused) group does business --and a resulting uptick in their activity during the DDoS activities.
  2. Two others (both non-members) wanted to know what we knew about malware used to steal accounts and money from banks. Evidently there was an uptick there too.
  3. Did anyone else find it interesting that the DDoS attacks seemed to go quiet during a Chinese Golden Week?
  4. This week we released Fusion Report 26, which details a new variant of downloader leveraged by a known threat group. The report also included information on the potential targeting of 13 additional entities ranging from government organizations to defense contractors. We provided a targeted analysis on the inner workings of the new malware and a tailored signature for identification of it on the wire. FR12-026 provided over 60 new indicators and artifacts for proactive defense.

Our answers to those questions resulted in two new membership packages being sent out, and two new applications both now in legal review of our terms and conditions. This is exciting stuff. What’s even more exciting is that at least three CISOs that have moved to new positions are buying Red Sky accounts almost immediately upon arrival at their new jobs. One of them (who just left a defense contractor) told me he’d made it a condition of his employment! How freakin cool is that!?

I’ve got a bunch of consulting work this week, and will be attending DARPA’s Plan X and then the i4 Conference in DC next week, so I’m hitting the road today. I’ll be driving for about nine hours, so if you want information about Red Sky, Beadwindow, or our Research Service, give me a call. It’s a long drive!

Until next week,
Jeff

Saturday, September 29, 2012

Red Sky Weekly - Which CISO would you rather be?

If you were breached...

Would you rather be in the press, or silently (but completely) p0wned and gutted?

In the last two weeks I’ve told stories of breaches into a billion dollar company and a large research library. You’ve learned that attackers can, and do, come back regularly for data updates or things they’ve missed. Neither of these attacks has shown up in the press, but the effects are devastating.

Which CISO would you rather be?

Telvent is a company that manufactures remote administration and monitoring tools for the energy sector --remote administration for SCADA computers. Telvent this week showed up in Brian Krebs’ blog, where Brian describes an APT event targeting Telvent. Press references to the “APT attack” suffered by Telvent are largely non-existent, other than secondary reporting of Brian’s work (this completely amazes me!). To ensure continued secure operations, Telvent had to author new procedures for their customers to use to connect. According to Krebs, their products are used in every Fortune 100 energy producer. Their products are used for remote administration of their SCADA systems. The system believed breached tied older controllers to new systems. I’d bet a dollar that the effects are more widespread. Regardless, how can it be that a cyber event of such potential magnitude, reaching DEEP into a global critical infrastructure, had less coverage in the press than denial of service attacks on banks?

Wanna know why?

  • Denial of service is easy. Any reporter can understand, and therefore easily communicate, the pain of a denial of service attack. When consumers can’t get to their banking websites, reporters can easily tell a story of cranky consumers (like my partner) who were denied access.
  • Telling the story of a group with a foreign name, and posting warnings on pastebin, is sexy. Reporters like sexy.
  • Journalists write well, and likely have strong education in journalism, but the important cyber stories --those having to do with hard to understand techniques, motivated by espionage, with potentially devastating effects-- are really hard to understand (or even believe) if you’ve not been immersed. The story is hard to write. Journalists largely don’t have technical backgrounds, and most infosec people are not journalists.

Reporting on espionage or cyber attacks is hard...

Telvent manufactures remote administration and controllers for SCADA systems. SCADA --those systems used to turn on and off nearly every motor, pump, generator, or switch in a way which makes the generation and movement of electricity smooth and efficient. Think about it like this... the fuel delivery system in your car could be thought of as a SCADA system. When you push down on the gas pedal, the car’s onboard computer controls the mix of fuel and air that gets delivered to the engine. Another part of the computer tells the spark plugs to fire, thereby generating energy that moves the pistons up and down in a cylinder, generating force that’s then transferred throughout the car to the tires. In energy plants, computers control (turn on, turn off, and regulate) devices (generators, switches, pumps, motors, etc.) to ensure the most efficient and correct distribution of power, fuel, water, etc., and to ensure energy output and distribution across the country to consumers who need it.

What strikes me odd is that the press in general can’t seem to figure out that DDoS renders companies inaccessible for as long as the attacks continue... and then they stop. APT events, botnets, and targeted attacks steal information that will leave a company with a hell of a lot less capability to operate, even long after the attack... but it’s hard to report. Only the most tech savvy of the bunch (like Brian) understand the devastation that occurs (silently) during an APT event.

As an aside, Red Sky analysts, based on indicators taken from Krebs’ blog, believe the symptoms match with a TTP shift in a fairly prolific and highly skilled group. A significant shift in this group’s TTPs occurred approximately two months ago, and information in Krebs’ blog matches directly with the resultant change in the group’s infrastructure. We issued the information as Fusion Report 16. I suspect Red Sky isn’t the only organization to warn their members, but many CISOs haven’t been enlightened to the very positive effects of information sharing yet.

BREAK BREAK

As always, here’s the happenings in Red Sky this week:

We had a small, but great Threat Day. We’d expected to do it in NYC, but never got the coordination done with the member, so we did a short notice event in Washington DC. The presentations were outstanding (slides are posted in the portal).

  • Jay Healey came in from the Atlantic Council and spoke on Cyber Conflict history and futures, including parallels in what we say ‘then’ versus now.
  • Our Red Sky Tech Analysis Lead did a great talk on the different facets of a highly skilled APT actor set.
  • We received a brief from one of the members who specializes in looking at bad guys in other countries. It was a non-tech brief, but talked about the who and why, with pictures.
  • Last, but absolutely not least, we talked with another member about his discovery of an old tool being used for new tricks. Windows Credential Editor is being used extensively by attackers in his network to dump Windows credentials (through Windows 7) from unencrypted running memory... all of them back to the last reboot. Apparently there are no fixes in sight. Yikes.

That’s it for now.
Have a great weekend!
Jeff

Tuesday, September 25, 2012

Red Sky | Beadwindow - Hoot and Holler!

Last week was a very productive and rewarding week for Beadwindow. Along with reaching out to community members, we held our first “Hoot and Holler”, a bi-weekly gathering of community members to share their intelligence and what they're experiencing on their networks and systems. It was a very well received event for those who attended and a wealth of information for Beadwindow.

Having worked in the government sector for most of my career, I am very familiar with the constraints unique to local and state government levels. While working for a large state agency, we were often short staffed, making it difficult to respond to problems that were deemed “critical”. With the importance of network security being punctuated by the events of 9/11, state agencies across the board scrambled around looking for not only qualified security people, but also money to acquire the necessary tools. I spent a lot of time sitting across the desks from executives describing nebulous concepts like intrusion detection when the first reaction was often, “I have a firewall, and I need a what?” It was particularly difficult dealing with a lifetime bureaucrat with a sharp pencil and “no need for fancy email!”

Recognizing those challenges early on, state and local leadership in the IT sector came together and pooled resources. Department of Labor reached out to Health Services, who reached out to Public Safety, and so on. This collaborative effort was planting the seeds of interagency cooperation that saved time and money, and helped spread the wealth of knowledge across the enterprise. Today, these concepts are commonplace and the sharing of resources is ubiquitous.

For this new business model to work, leadership had to fill the “trust gap”, the space between agencies that were all fighting for the same pot of resources. Leadership had to be challenged that working together not only saved money but increased access to resources normally unaffordable or unattainable. This is the concept on which Beadwindow is founded.

The conversations had at the Hoot and Holler illustrate a need for governments to reach out to others to complement the tools and expertise already in place. With budget cuts and freezes in hiring, the left to right curve of available resources to cope with TTPs arcs sharply downward while the threats arc sharply upward. Today, the onslaught of threats far exceeds the capabilities of many governments, requiring agencies to look beyond their traditional cooperative boundaries and reach out to new relationships for information and resources. Beadwindow is designed to close the gaps and facilitate those conversations.

If you’re a Beadwindow member, I encourage you to reach out to the Beadwindow community partners for help. I heard several examples of where sharing information with the rest of the community could help free resources in one place so they could be targeted elsewhere.

By sharing with the community what you’re seeing on your networks, you are sharing intelligence that benefits all members. It really is the “pay it forward” model. You get out of it what you put into it. You share the information in the portal and in return it sparks conversation. In return, the likelihood of you gaining information that is important to you that you’ve not seen before increases significantly.

To find out about how Red Sky can help your organization, please reach out to me at rgamache@redskyalliance.org. In the meantime, please learn more about Red Sky @ www.redskyalliance.org or http://henrybasset.blogspot.com

Have a great week and remember – If fighting is sure to result in victory, then you must fight!

Rick Gamache – Red Sky Alliance CIO – rgamache@redskyalliance.org – 207-449-8090

Saturday, September 22, 2012

Red Sky Weekly - Research Libraries... Rich targets?

Imagine this: You go to the research library after receiving an assignment to prepare a brief for 9:00 Tuesday morning. You’ve been tasked with preparing thoughts regarding the acquisition of a new company and its technology, and you’re waist deep in due diligence by 2:00 Saturday morning --with no end in sight until that Tuesday morning presentation. You'll be pulling all-nighters through the weekend. You’ve got financials spread out all over the table, legal documents describing issues associated with purchasing companies in this part of the world, reference material and patent searches to confirm the value of the intellectual property, and you’re exchanging email with researchers elsewhere, as you and your virtual team pull together the deck and details you’ll be presenting in just a few days.

Now imagine this... those library computers, electronic searches, public internet access, probably wireless access that you connect to with your personal laptop, store all of those communications and queries somewhere --if only in simple memory or cache. Every time you enter a query, search for a reference, send an email, receive an email or prepare work product on that library network or one of their public computers, you give a would-be competitive adversary a clear view into your specific research, sources, intellectual property review, etc. If that library hasn’t done the necessary work to ensure the privacy of their visitors, and doesn’t have ways of maintaining security, you might be giving away more research than you're getting. I would argue that librarians are not security people, and probably don’t know the value of the electronic treasure trove that exists in these otherwise quiet, relatively uneventful places of business.

Why might I think this? Last week I told the story of a billion dollar defense company that maxed out their cyber insurance policy and now gets harvested monthly for updated technologies or those missed during earlier visits. That blog post, within one week, became my most read page since the blog's inception. Interestingly enough however, this isn’t the first time I’d heard this story. I heard exactly the same story three or four months ago in a conversation with a consultant that I’ve known for several years. The consultant led a team of security people who did work in a large research library for about a year. He described the routine harvesting of electronic library queries, emails in/out of the library, etc., as “APT Day”. Apparently once every week, on the same day, the library is harvested for all of the previous week's queries, emails to researchers, and work product residing on its own and its public-use computers. Who would have thought!? A LIBRARY!? Attackers, in one fell swoop, learn what is being researched, what forward thinking is happening here, and all of the sources used by the researchers!

We’re all at risk. If data, data about data, or communications about data exist, and someone wants it, there’s a pretty good chance they’re going to get it. Today, malware isn’t necessarily required. There are companies out there who sell VPN services using legitimate (but stolen) credentials. Bad guys are in your network using your remote access user name and password. The only way to know about them and defend your networks, computers and intellectual property is to talk with someone else who’s gone through the pain of defending against it already. You mustn't be shy. Attackers work in well orchestrated teams, choose their targets, operate with precision, and get what they want. They only have to find one way in. You have to defend every way in. This is Sun Tzu upside down, so forget that lesson of 'best to have a defensive position' and start asking questions of others --before it's too late.

BREAK BREAK

Red Sky had another terrific week. Here goes:

  • Fusion Report 25 released: FR12-025 discusses the PlugX malware leveraged in the recent IE 0 day attacks. The report included an in-depth analysis of the malware's functionality and capabilities. We also identified likely targets for the 0 day activity and provided information on related infrastructure that has a high likelihood of being leveraged in the near future. The queuing for the analysis came from a private company member who wishes to participate in both portals. As a result, the report was published to both the Red Sky private portal and the Beadwindow private/public portal, where our current state/local members can also access it.

  • Beadwindow “Hoot ‘n Holler” call: We held our first Hoot ‘n Holler conference call with our Beadwindow members. The call included members from the Red Sky team, one state government and the CSO from a major metropolitan city. During the call, we assisted the government users with understanding the new TTPs from this week's Fusion Report, explained what they actually meant, and talked about how to protect from them.

  • New Members: This week we signed one new member and a second was invoiced and is now in legal review. The first is a high tech/defense company, with about a billion dollars in annual revenue. The company has already started contributing to the portal and will be attending our Threat Day next week. The second is going through legal review as we speak, and when they come into the portal, they’ll bring the management lessons and visibility of their three million computer environment. The company is diversified with majority holdings in global retail, technology, real estate and energy. We’re very happy to have both companies join us in the Alliance!

So for the last several months I’ve been keeping you up to speed on the progress, growth, and significant happenings in Red Sky Alliance. The other day I was asked during lunch to quantify our membership, our business, and where we are in relation to others entering the information sharing space. I’ve done this informally before, and here’s what I tell people:

We began bringing members into our empty portal in mid-February. Since then the participation has been terrific. While the numbers are an estimate based on an informal survey of the members, we believe they’re pretty close, and very telling of the community we’re growing:

  • As of today Red Sky Alliance hosts 15 large enterprise, and four associate (analytic) members. Our current membership includes major telecom, several global banks, several high tech internet companies, one global engineering/construction company, and a couple of large enterprise diversified companies engaged in everything from airplane manufacturing to electronics to energy production.
  • We have five companies currently in various stages of the membership process. When these companies complete the process, we estimate that these 20 member companies will control close to 20 million devices in over 140 countries in the world in dozens of industry segments, including global energy production, retail, real estate, and managed IT and security services. (Yes, we like MSPs. They help us scale protection while at the same time maintaining opsec.)
  • Financial members in Red Sky process the vast majority of credit card transactions in the world today, and manage the lion's share of money moved between stock exchanges and their clearing houses.

On the Beadwindow side, in less than a month, we’ve added a couple of new members, and now include:

  • Three major US cities
  • One state government
  • One global bank
  • One ISAC
  • One global Internet company

So, Red Sky is cooking with gas. The portal activity is picking up again post-summer, and solid activity is coming out of it. Fall is always busy until around Christmas. We’re geared up to handle it.

The Beadwindow portal is also doing well. New members mean new education. State and local governments (my first impression... I’m learning too) seem to have very small information security budgets and little organization around managing across agencies. One CSO told us that his (one) IT Security guy was just moved out from under IT, and that neither the IT folks nor the city government departments will let him look at data to perform his analysis. Whew. That must be exhausting, and a real morale dumper for the guy who’s going to be held responsible when something really does hit the fan (and it will!). There’s a major learning curve coming for these poor guys! We’re on it. We’ll do our best to help.

That’s it for now. Have a great weekend!
Jeff