Saturday, November 17, 2012

Red Sky Weekly - 11/17/12

It was another busy week. This Thursday we saw more malware submissions to the portal -- the most we have received in a single day. While many submissions stop at automated analysis, many also undergo human analysis by either Red Sky or members of the Alliance. One of the pieces submitted on Thursday included an unknown variant for which we performed same-day protocol analysis. This resulted in a tailored signature for identifying the encoded communications. 

This week:
  • Fusion Report 31 was released and details a new variant of a previously observed downloader. The report provided analysis on probable targeting requirements for the actors and included four new Snort signatures for detecting the unique user agents generated by the malware. This was a really good example of what we’re trying to do in Red Sky Alliance and in the Beadwindow portal. Hit with malware --we handled it nicely --our MAG device is supposed to be able to process up to 40K pieces per day; we’ve not exercised that yet, but maybe someday. FR-31 was tipped off by malware, but the report offered a number of new indicators and what we believe the actor was actually trying to find in the network. If you knew ‘where’ you needed to protect as well as ‘how’ you could protect it, wouldn’t that be of value? Of course!
  • This week we attended FedCyber. It was great running into folks I'd worked with in the government. Thanks to Bob Gourley for the invite!
  • Red Sky attended SAGE in Portland, ME and Vistage in Boston. Vistage is a CEO group, but SAGE is a security group and resulted in several requests for Red Sky Alliance introductions.

Last, we’re honoring our Founding Member prices through the end of this year. After that, they’re gone. While most will not be brought into the Advisory Board, the price holds through 12/31. We’re accepting full members and associate (vendor) members at 2012 prices. Don’t wait.

Until next week.
Jeff

Saturday, November 10, 2012

Red Sky Weekly - New TTP detected by Beadwindow member!

This week will mark two milestones --our active user adoption is at an all-time high and Fusion Report 30 is about to be released. As with every social network, there are ebbs and flows; however, this week the flow has hit a record rate. We hope the momentum will continue. Saturday will see the release of our 30th fusion report, which will detail a previously unobserved TTP and C2 protocol. To date we have reported on over 10 different threat actors and have built out a solid profile of several of the more active groups.

If you haven’t been able to tell, I’m really excited! I haven’t been this excited about a major success in one of the portals since earlier this year. We’ve had a ton of ‘wins’ but this week one of our government members posted early indicators and pcap of a TTP shift in the Beadwindow portal. That information generated incredibly active discussions in the portal --crowdsourcing. Everyone brought a piece to the table until in the end, the new TTP was validated and shared.

So major activity this week:

  • Beadwindow was on fire with activity surrounding a TTP shift. The information was shared with the private portal, prompting several of them to jump into the conversation on Beadwindow.
  • Red Sky received a submission from a non-member which led to the discovery of more activity utilizing Windows Credential Editor to steal Windows creds (does anyone know when this will be fixed in Windows?)
  • A piece of malware that our folks have struggled with for the last couple of weeks finally broke and gave up the booty --a previously unknown (at least by us) TTP and C2 protocol

Interestingly enough, this stuff really demonstrated what I think is the value of Beadwindow. Our submitter is a state government guy who used our Norman MAG2 malware analysis tool, bounced findings and ideas off of our Red Sky Alliance technical lead and analyzed the targeted cyber events by interacting directly with the mature, APT-hardened information security teams in large private companies --and they’re helping him protect his networks --and he’s given them something to protect theirs. This is exactly how Beadwindow is supposed to work.

Before I forget, if you’ve not been mailed directly, we’re honoring our Founding Member prices through the end of this year. After that, they’re gone. While most will not be brought into the Advisory Board, the price holds through 12/31. We’re accepting full members and associate (vendor) members at 2012 prices. Don’t wait.

Until next week. Hopefully I’ll see some of you at FedCyber!
Jeff

Saturday, November 03, 2012

Epic week in Red Sky!

Despite the storm, it was very busy in the portal this week. Red Sky staff and member analysts participated in crowd-sourcing various targeted malware. We also posted relevant details on two ongoing large-scale Blackhole campaigns which were sourced by our Beadwindow members and are now being corroborated by the private member analysts. Fusion Report 29 will hit the press this weekend and describe a highly targeted incident which leveraged a backdoor that was specifically tailored for the target environment. The malware is not a known variant so the report will include a detailed analysis for future mitigation and correlation.

Beyond that, membership continues to grow! We picked up four new global members this week --a gas and oil company, a large player in the networking community, a new financial institution, and another global internet provider! Data is moving nicely as we round out the last quarter of our first year in operation. 

We’re in planning mode for 2013. Membership projections are looking good. We've got bookings already staged for next year, and we're looking for member feedback on several new features that might include full mobile access, real time encrypted communications, unified messaging, and semi-automated analytics to help reduce some of the manual burden of farming, correlation, and repetitive tasks.

Last, but certainly not least, our intern is preparing to fly the coop. He’s our first, and has ranked out in the top 10% of our peer reviewed analysts since starting with us in March. As a result, he’s currently listed as provisionally “Red Sky Certified” (RSc)*, and will qualify for one year certification in March if he sticks around that long. He graduates in December, and as promised, we’ve referred him into two member companies, and to make sure we align with his long term goals, we introduced him into a third, non-member company. I’ll let you know where he finally lands, but this is very exciting. We’ve narrowed down next year’s crop of interns to four, and will be working them through a filtering process over the next couple of weeks. Interested in learning cyber analytics in the APT space? Drop our Academic Director a note.

Until next week!
Have a great weekend!
Jeff


* Red Sky certified (RSc) is granted provisionally after two quarters of ranking in the top 10% of all peer reviewed analysts in Red Sky. Four consecutive quarters of top 10% peer reviews earns one year of Red Sky Certification. Three years certified makes it permanent.

Thursday, November 01, 2012

Beadwindow is growing!

We kicked off our "Beadwindow" portal a couple of months ago with the idea that we could give government participants a place to quietly share notes with the private sector companies in the Red Sky Alliance.  While participation isn't as strong as we see on the Red Sky private portal, we are seeing growth as a result of a couple of new features:
  • Beadwindow users enjoy access to our Malware Analyzer: Imagine working in an information security shop and not having access to a malware analyzer! One of our top community analysts has probably pushed 150 malware samples through our MAG2, and tells us it saves him a ton of time every day. In an average processing time of less than a minute, he learns very quickly which code, URLs, or documents are bad and, if so, how he can block the C2 before losing any more data. He then takes the analysis from our analyzer and starts looking for other instances of the same code in his network. A 59-second average malware triage time, plus expert assistance from our back-end team if needed. Where else can he go to get that?
  • Cross portal communications: As of today Beadwindow users can now tag a question to be posted to the Red Sky private portal. This is especially useful when comparing notes between the two. We've had a couple of cases, even in this short period of time, where activities in one also targeted folks in the other. The benefits have been incredible. A direct result of this is two new Red Sky private portal users have requested (and were given) accounts on the Beadwindow portal. 
  • Beadwindow users get the same direct access to Red Sky analysts as the private portal -this means full length unclassified Fusion Reports based on actual cases you're talking about in the portal, with easy to use, high confidence actionable indicators that can be cut and pasted directly into your own sensors.
Join the conversation! Federal, State, Local, or tribal, we don't care. Take advantage of the Beadwindow analytic capabilities and embed Beadwindow into your daily routine and incident response processes. We've created special rate plans for government and academic users who would like to participate in Beadwindow. So, if you'd like to 'poll the audience' all you have to do is ask!

Last, looking for training? Are you an analyst with training in another discipline who's just jonesing to get into cyber but can't seem to catch a break? We've got three interns signed up for 2013 and one more possibly on the way, but we're always looking for wounded warriors or other folks who might have crazy m4d research, analytic and writing skills but need to be taught cyber. Red Sky and Beadwindow are now offering a training program for those who are willing to commit and study hard. Once completed, if you do well, we'll introduce you to our membership for your next job. Our first intern is going through the process as we speak. Interested? Drop me a note or contact our Director of Academic Services directly.

Jeff

Saturday, October 27, 2012

In their own words... “Red Sky Rocks!”

Analysis centers, CERTS, DCISE --we all go through periods where activities slow. Summer, holidays.. we all go through it. Summer for us was no different. The portal could have been more active, but started coming back right after Labor Day, and grew steadily through September and October. We’re full-out busy now. While we knew it’d get busy again, it still makes me nervous. I try my best to keep my finger on the pulse of the membership. Are we doing ok? Have members stopped seeing value? Where is everybody? So we asked the question... are we doing ok? We received some really nice responses that I thought I might share:

“Good stuff happening here.  Red Sky Rocks!”

“We’ve decided to make a commitment. We love the analysis and reporting!”

“I’m not much for words. I will say this. Beadwindow makes me a better analyst. Red Sky makes me a faster analyst. Having access to the MAG2 creates a repeatable triage process for our Abuse, Malware, and Threat Intelligence. The MAG2 is my go to tool for exploring malware, suspected phishing attempts, and researching new threats. I suck every bit of intel I can out of the reports provided from the portal and information from the MAG2. Having access to the tools and expertise (Chris H.) provides me a level of comfort that I have only experienced professionally when I was at DHS SOC. As my organization moves forward with our 24/7 capabilities I can only see us asking (begging) for more users to help augment our staff at the State of M....

“Without a doubt the SOM [sic] is safer today (and tomorrow) because of membership and participation in Beadwindow from RedSky.”

In my last job, I’d tell my boss and team that I like to deliver body blows. What’s that mean? In boxing, a knockout punch might be delivered in one out of every fifty blows (or more). Body blows have the same effect (winning) but are easier to deliver, provide a larger target, and have an amazing effect when delivered consistently, time and time again... They just take a little longer. Knockouts require one good punch. Body blows require focus, persistence and patience, and while the first blow might not feel so bad, they wear the opponent down over time until, finally, the opponent succumbs. Red Sky and Beadwindow are delivering body blows.

We focus on doing one thing right, over and over and over, while talking with our members to ensure we’re delivering value --over and over and over. We bring in great companies who have mature infosec teams who’ve developed processes for dealing with the new threats; we encourage conversations during incident response; we offer tools to help with analysis, and then we boil those conversations down into fast-turnaround analysis reports with highly relevant, actionable information that can be cut and pasted out of the report and straight into your defense-in-depth. Others coming in maybe aren’t so mature, but seem to be hungry and ask questions. That’s great too! We WANT you to learn how to defend yourself. And when you don’t know what to do with the information, just ask. All of our members are peer reviewed. It’s about delivering high quality products every time, every day, over and over and over. Body blows.

It’s funny. I’m sitting here typing this as I discuss with my daughter if she’s going to the Halloween dance. The only thing running through my mind right now is “Don’t be a wallflower!” I’d say that to all of you who’ve been standing by the sidelines waiting to see if Red Sky was going to work. While we’re not doing Founding member certificates anymore, we are honoring Founding member pricing through the end of the year. Don’t be a wallflower. Drop us a note. Schedule a demo.

Until next week, have a great weekend... and please, if you’re in the path of Sandy, stay safe!

Jeff

Saturday, October 20, 2012

Red Sky Weekly - From the users’ perspective...

This week we released Fusion Report 27. FR12-027 contains analysis on the Citadel banking trojan, including details on how the malware encrypts communications and behaves differently in a virtual environment. While this activity was not targeted in nature, the malware appeared to be widespread and affected users in both our Red Sky and Beadwindow communities. This got me thinking: what does a typical user think about simple intrusions like this one?

To that, I took the opportunity this week to have great conversations with users whose machines had been victimized during various events. I wanted to bring this back to a “human” perspective, write this week’s blog and talk a bit about how users react when their computer starts to act funny. These are great observations. Infosec folks should pay attention. This is important. Here are a couple of observations and thoughts:

Users are becoming numb

This user, deep in work, checked his email, never suspecting that simply previewing email might launch a host-side attack, allowing the attacker access. The problem started with Bluetooth being turned on on his computer without his taking any action. The user simply closed the laptop, assuming the operating system was acting up. Small issues, when noted on computers running multiple applications, don’t mean much. One issue, when seemingly cleared up on reboot, is far less trouble than contacting the helpdesk.

Agents on enterprise computers do funny things

When your computer slows down for no apparent reason, a typical user chalks it up to bad bandwidth, or all of the agents running on a computer. Antivirus slows performance, as do other agents running. Many applications fire up the webcam momentarily to gain situational awareness for later use, and contact lists are routinely updated, exported and interact with social networking sites --all creating small ‘glitches’ that are normal, but make real ‘gotchas’ seem normal too. Users can’t tell the difference.

Spearphishing and waterhole tactics are invisible

Does the human have the advantage when identifying spearphished emails before they infect their computer? I’d argue not. What about waterhole attacks where frequently visited websites are poisoned in hopes users would stop by and become infected without knowing? Absolutely users are at a disadvantage. Users must take responsibility for their actions, but many, many of these attacks are designed to get past the user or infect their computer when they visit their favorite web page.

It’s easier to reboot or work through it

What’s more important, worrying about the obscure chance that someone is in your computer, or meeting the deadline? We work all hours day and night, and the inconvenience of something happening (for reasons known or unknown), simply mean a little extra work or inconvenience. The dedicated user works through it, waiting to see if it worsens. If so, they might contact the helpdesk or Infosec, but heck, we’ve got an Infosec team and they’re watching anyway, so if there’s really something wrong, Infosec will call.. right?

Bottom line: Users are learning to live with risk. Agents running on machines, the constant threat of bad email, and simple enterprise issues that arise daily are all causing users to work through the pain.

Users don’t know how to prioritize those risks that might really be stealing information, or how to recognize the symptoms. How do we reach them? I’m interested in your feedback and thoughts.

Thoughts?
Jeff

Saturday, October 13, 2012

Suspected Palestinian malware? Why a Red Sky Associate Membership?

We sent folks to training in Vegas this week, one to Marine Corps drill weekend, another heading for a week off in Steamboat, and me holding down the fort. So, no published Fusion Reports this week. We did however have some interesting threads and analysis via the portal. We analyzed our first suspected Palestinian malware specimen which consisted of an open source RAT. While the malware was not unique, we did derive tailored mitigations to protect against future attacks from this tool. Additionally, an Associate member used their resources to help identify a substantial amount of related infrastructure which was reported out to the members.

… This is a great example of why Red Sky welcomes certain vendors to the table. We call them Associate Members, and we believe that they, if they can do what they say they can do, should be rewarded. When vendors bring great analytics to the table, like we mentioned above, and the membership sees the value in their offerings, they get rewarded -through peer reviews, networking in a great community, and exposure. We don’t allow active selling, nor do we tolerate ambulance chasing, but we do believe that vendors were probably operational security folks at one point too, but now they’re entrepreneurs in the infosec space. Just like those of us who turn to management, we lose a little bit of our operational skill and situational awareness every day we’re not pounding a keyboard and scouring PCAP for the nuggets. Smart folks who chose the entrepreneurial path lose their edge as well. So in Red Sky, vendors get the benefit of being analytic members of the community. They pay a fee for membership, must pass the advisory board, and then play by the rules. In exchange they get to participate in a forum where some of the best minds in some of the best infosec teams are looking at some of the hardest problems. They participate like any other analyst, get peer reviewed like any other analyst, and are rewarded by showing off their wares. There is no better way to show what your products/services can do than to actually do it... and there’s no better way to buy than to see what it can do first.

This week we observed our first occurrence of targeted activity which was independently reported from both Beadwindow and Red Sky members. This is to be expected and just goes to show that while we have two separate communities, the threat is sometimes the same. This activity will be detailed in an upcoming report to be released to both communities.

Those of you who know me know I’m a ‘keep it simple stupid’ kinda guy. All the data in the world, even when aggregated smartly, should never be implemented in your network without evaluating it first. So while aggregated security data may look great on paper, it still needs evaluation locally before implementing --locally meaning by your infosec team. How much time does it take to validate indicators in a security aggregation feed? My personal opinion is this... I’d rather ask someone smarter than me if the data was useful to them before I implement. I’d like to know what others found and of any lessons learned. There are two companies I’ve seen who I believe do aggregation well -they come at it from different perspectives. One uses malware as the tripwire for aggregation and the other begins the process with browser-based data. Both offer really good perspectives on hard problems, but there is a lot of malware out there, and there’s a lot of host-based badness out there. Can you implement a steady stream of potentially hundreds of thousands of indicators on your network and in your host-based IPS in near real time? Could you evaluate all of the data coming from them? How much labor would that cost? Me? I’d rather ask someone else how they did it, and then do it my way using their lessons. That’s what Red Sky and now Beadwindow are all about.

Why do I mention this?

I had a call this week with a large enterprise company -pretty typical of the companies that we work with on a daily basis. This company had been an ‘anchor’ in another information sharing environment. The guy I talked to told me he’d dropped his membership in this other group, and asked what Red Sky does differently. It was interesting to me to hear about this one group. The claim (as they all seem to be) is aggregation of the meta-data associated with APT activities. I like to call this “Utopia” (I didn’t come up with this, a friend did), but here’s what I know. I’ve been tracking Utopia for many, many years. So far it doesn’t seem to exist. Me? I’m going to use my phone-a-friend. And yes, this company will continue to be attacked, and continue to receive aggregated open and premium sourced (ahem) security intelligence feeds, and yes, *I believe* we’ll be seeing that ‘anchor’ company joining Red Sky soon.

It’s not always about tech. Sometimes it’s about people.

Have a great weekend!
Jeff

Saturday, October 06, 2012

Red Sky Weekly: What lies behind the DDoS?

Interestingly enough, I’ve got folks now sending me inputs for the portal, but they’re not members. Their management probably doesn’t know that they’re sending me good information, but they (the practitioner level) know they need help and one of the best ways to get help is to ask.

This week I received a call from a large credit card company wanting to know what Red Sky knows about the DDoS attacks. While we don’t much track DDoS, we do track activity going on in the noise. So one thing I can tell you is this.. while the DDoS got the press because of potential geopolitical connections, the real story is what was going on behind the noise. So let’s try this:

  1. Major changes in the way one fairly prolific (economic espionage focused) group does business --and a resulting uptick in their activity during the DDoS activities.
  2. Two others (both non-members) wanted to know what we knew about malware used to steal accounts and money from banks. Evidently there was an uptick there too.
  3. Did anyone else find it interesting that the DDoS attacks seemed to go quiet during a Chinese Golden Week?
  4. This week we released Fusion Report 26 which details a new variant of downloader leveraged by a known threat group. The report also included information on the potential targeting of 13 additional entities ranging from government organizations to defense contractors. We provided a targeted analysis on the inner workings of the new malware and a tailored signature for identification of it on the wire. FR12-026 provided over 60 new indicators and artifacts for proactive defense.

Our answers to those questions resulted in two new membership packages being sent out, and two new applications both now in legal review of our terms and conditions. This is exciting stuff. What’s even more exciting is that at least three CISOs that have moved to new positions are buying Red Sky accounts almost immediately upon arrival at their new jobs. One of them (who just left a defense contractor) told me he’d made it a condition of his employment! How freakin cool is that!?

I’ve got a bunch of consulting work this week, and will be attending DARPA’s Plan X and then the i4 Conference in DC next week, so I’m hitting the road today. I’ll be driving for about nine hours, so if you want information about Red Sky, Beadwindow, or our Research Service, give me a call. It’s a long drive!

Until next week,
Jeff

Saturday, September 29, 2012

Red Sky Weekly - Which CISO would you rather be?

If you were breached...

Would you rather be in the press, or silently (but completely) p0wned and gutted?

In the last two weeks I’ve told stories of breaches into a billion dollar company and a large research library. You’ve learned that attackers can, and do, come back regularly for data updates or things they’ve missed. Neither of these attacks has shown up in the press, but the effects are devastating.

Which CISO would you rather be?

Telvent is a company that manufactures remote administration and monitoring tools for the energy sector --remote administration for SCADA computers. Telvent this week showed up in Brian Krebs’ blog, where Brian describes an APT event targeting Telvent. Press references to the “APT attack” suffered by Telvent are largely non-existent, other than secondary reporting of Brian’s work (this completely amazes me!). To ensure continued secure operations, Telvent had to author new procedures for their customers to use to connect. According to Krebs, their products are used in every Fortune 100 energy producer. Their products are used for remote administration of their SCADA systems. The system believed breached tied older controllers to new systems. I’d bet a dollar that the effects are more widespread. Regardless, how can it be that a cyber event of such potential magnitude, reaching DEEP into a global critical infrastructure, had less coverage in the press than denial of service attacks on banks?

Wanna know why?

  • Denial of service is easy. Any reporter can understand, and therefore easily communicate the pain of a denial of service attack. When consumers can’t get to their banking websites, reporters can easily tell a story of cranky consumers (like my partner) who were denied access.
  • Telling the story of a group with a foreign name, and posting warnings on pastebin, is sexy. Reporters like sexy.
  • Journalists write well, and likely have strong education in journalism, but the important cyber stories -those having to do with hard to understand techniques, motivated by espionage, with potentially devastating effects are really hard to understand (or even believe) if you’ve not been immersed. The story is hard to write. Journalists largely don’t have technical backgrounds, and most infosec people are not journalists.

Reporting on espionage or cyber attacks is hard...

Telvent manufactures remote administration and controllers for SCADA systems. SCADA --those systems used to turn on and off nearly every motor, pump, generator, or switch in a way which makes the generation and movement of electricity smooth and efficient. Think about it like this.. the fuel delivery system in your car could be thought of as a SCADA system. When you push down on the gas pedal, the car’s onboard computer controls the mix of fuel and air that gets delivered to the engine. Another part of the computer tells the spark plugs to fire, thereby generating energy that moves the pistons up and down in a cylinder, generating force that’s then transferred throughout the car to the tires. In energy plants, computers control (turn on, turn off, and regulate) devices (generators, switches, pumps, motors, etc.) to ensure the most efficient and correct distribution of power, fuel, water, etc., and to ensure energy output and distribution across the country to consumers who need it.

What strikes me odd is that the press in general can’t seem to figure out that DDoS renders companies inaccessible for as long as the attacks continue... and then they stop. APT events, botnets, and targeted attacks steal information that will leave a company with a hell of a lot less capability to operate, even long after the attack... but it’s hard to report. Only the most tech savvy of the bunch (like Brian) understand the devastation that occurs (silently) during an APT event.

As an aside, Red Sky analysts, based on indicators taken from Krebs’ blog, believe the symptoms match a TTP shift in a fairly prolific and highly skilled group. A significant shift in this group’s TTPs occurred approximately two months ago, and information in Krebs’ blog matches directly with the resultant change in the group’s infrastructure. We issued the information as Fusion Report 16. I suspect Red Sky isn’t the only organization to warn their members, but many CISOs haven’t been enlightened to the very positive effects of information sharing yet.

BREAK BREAK

As always, here’s the happenings in Red Sky this week:

We had a small, but great Threat Day. We’d expected to do it in NYC, but never got the coordination done with the member, so we did a short notice event in Washington DC. The presentations were outstanding (slides are posted in the portal).

  • Jay Healey came in from the Atlantic Council and spoke on Cyber Conflict history and futures, including parallels in what we say ‘then’ versus now.
  • Our Red Sky Tech Analysis Lead did a great talk on the different facets of a highly skilled APT actor set.
  • We received a brief from one of the members who specializes in looking at bad guys in other countries. It was a non-tech brief, but talked about the who and why, with pictures.
  • Last, but absolutely not least, we talked with another member about his discovery of an old tool being used for new tricks. Windows Credential Editor is being used extensively by attackers in his network to dump Windows credentials (through Windows 7) from unencrypted running memory... all of them back to the last reboot. Apparently there are no fixes in sight. Yikes.
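The Windows Credential Editor activity described in this bullet (and in the November 10 post above) works by reading credentials out of LSASS memory, so a defender can watch for that behaviour rather than for the tool’s file name. The following is an added example, not Red Sky’s or any member’s code: it flags LSASS memory reads by non-allowlisted images in a constructed, Sysmon-style event stream. The key=value line format, field names, allowlist and every sample event are assumptions for illustration.

```python
"""Added example (not from the original post): flag the behaviour of LSASS credential
dumpers such as Windows Credential Editor in a constructed, Sysmon-style event stream.

Assumptions: events are one-per-line key=value records loosely modelled on Sysmon
ProcessCreate (EventID=1) and ProcessAccess (EventID=10) events; the allowlist is a
sample that must be tuned per environment; all sample events are constructed."""
import re
from dataclasses import dataclass

# Standard Windows process access right: reading another process's memory, which is
# what a dumper must do to lsass.exe, requires PROCESS_VM_READ in the granted mask.
PROCESS_VM_READ = 0x0010

# Images that routinely open lsass.exe on a stock host (assumption; tune locally).
ALLOWED_LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# File name named on the page. A name check is only a weak secondary signal, because
# the binary is trivially renamed; the access-mask check is the one that matters.
KNOWN_DUMPER_NAMES = {"wce.exe"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    severity: str
    host: str
    image: str
    reason: str


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def analyze(lines):
    """Return Alerts for LSASS memory reads by non-allowlisted images (high) and for
    known dumper file names (medium). Lines of any other event type are ignored."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "10":
            target = ev.get("TargetImage", "").lower()
            src = ev.get("SourceImage", "")
            mask = int(ev.get("GrantedAccess", "0x0"), 16)
            if (target.endswith("\\lsass.exe")
                    and mask & PROCESS_VM_READ
                    and src.lower() not in ALLOWED_LSASS_READERS):
                alerts.append(Alert("high", ev.get("host", "?"), src,
                                    f"read access 0x{mask:04x} to lsass.exe memory "
                                    f"from a non-allowlisted image"))
        elif ev.get("EventID") == "1":
            image = ev.get("Image", "")
            if image.rsplit("\\", 1)[-1].lower() in KNOWN_DUMPER_NAMES:
                alerts.append(Alert("medium", ev.get("host", "?"), image,
                                    "known credential-dumper file name"))
    return alerts


# Constructed sample stream: a dumper run under its own name, the same process
# reading lsass.exe, a legitimate system process doing the same, a renamed copy of a
# dumper (caught by behaviour, not name), a process that only queries lsass.exe
# without reading its memory, and an unrelated process start.
SAMPLE_EVENTS = [
    r'ts=2012-09-24T14:02:11 host=WS-17 EventID=1 Image=C:\Users\bob\Downloads\wce.exe CommandLine="wce.exe"',
    r'ts=2012-09-24T14:02:12 host=WS-17 EventID=10 SourceImage=C:\Users\bob\Downloads\wce.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1410',
    r'ts=2012-09-24T14:02:15 host=WS-17 EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1410',
    r'ts=2012-09-24T14:03:40 host=WS-22 EventID=10 SourceImage=C:\Temp\svc.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010',
    r'ts=2012-09-24T14:03:41 host=WS-22 EventID=10 SourceImage=C:\Temp\probe.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000',
    r'ts=2012-09-24T14:04:02 host=WS-22 EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe report.txt"',
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.host} {a.image}: {a.reason}")
```

The renamed copy (svc.exe) produces no name-based alert but is still caught by the access-mask check, which is the point: the access right needed to read LSASS memory cannot be renamed away.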

That’s it for now.
Have a great weekend!
Jeff