Saturday, March 23, 2013

Announcing Wapack Labs!

I sat on a panel this week in Manhattan with a group of bankers, all very good at what they do. At the end of the panel, we were asked for one closing remark. I always offer the same bit: "We're learning to fight submarines." The intent is to say (and you've read this before in my blog) that during WWI we lost a ton of ships to German U-boats, but by WWII we had not only gotten better at detecting them, we had our own and fought back! The Air Force and Army guys could probably come up with their own analogy, but in my way of thinking, APT is just the new threat. We (the royal we) will learn to cope better as we move up the learning curve.

During my drive back from NYC to New England, however, I came up with a new analogy... 

Think about this:

Imagine yourself going to your office on Monday morning. Probably (I hope) you work in a nice building with lots of windows and new furniture. Comfortable, right?

What if that building was owned and controlled by your closest (and most aggressive) competitor? 

Cameras in the building are set to capture screens and documents. Every time you do work, someone (a competitor) is looking over your shoulder, feverishly scribbling notes. The onlooker videotapes keystrokes, credentials, financials, work habits, documents, customer lists, etc. Now imagine that you've got only a small team of security guys, unable to keep them out. They stand at the main entrance and do their best to block the competitors from entering. They stand in front of each desk and in every hallway, but alas, the intruders look like everyone else: nice haircuts, good suits, shined shoes. Heck, their credentials work! Security can't always spot them. They just keep finding ways into the building. You get the picture, right?

How would you feel? Would you do anything differently? You'd probably be upset, guarded, feel like you've lost a bit of privacy, maybe afraid for your company's future?

What would you think if I told you this is exactly what happens when you are victimized during a targeted attack? If the attack is successful, most unprepared companies quickly lose control over their networks. That receptionist in the front office really thought those kittens were cute. She must have watched that video a hundred times when nobody was looking. She'd received it from someone else in the company via email. It must be OK, right? Immediately following her first click, a bug launches. Keystroke loggers are used to capture credentials. Remote access trojans (RATs) are installed and start phoning home. Once the attacker gets the call, he begins to capture documents and other work product. Various 'credential rich' sources are harvested for employee directories, and interesting employees are monitored routinely. Systems that are critical to the operation are rendered useless because of all of the bandwidth being used by the attacker. You've got only a small team of security guys (if any), and often they can't keep the intruders out. Security monitors the main entrance, the pipes leading to every computer, and every individual computer, but alas, the intruders look like everyone else. Heck, their credentials work! Security can't always spot them. They just keep finding ways into the networks.

Getting the picture? This is probably the most accurate analogy that I've come up with to describe what's happening in computing today, and it's not just big companies. It's not just in the US. Every company I talk to today has 'virus' problems. Most believe that their firewall will keep the networks safe. Even some of the biggest companies are blind to current happenings, but this is a global problem and it's getting worse. Every company in the supply chain of a larger one is a target and, I'd say with high confidence, compromised and doesn't know it.

Who's at risk?

Are you a law firm, financial institution, OEM manufacturer (especially transportation: auto, air), chemical (pharma, oil & gas) company, or IT?
  • Have you ever noticed your network connection slowing and didn't know why?
  • Has your IT team found malware or viruses that have no, or very few, results in VirusTotal or other online research sites?
  • Have your nighttime computer routines failed or timed out? (This may be an indicator of nighttime activity on your networks.)
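The last two indicators above come down to one question: is something on your network checking in with the outside world when nobody is at work? As an added example (not from the original post, and not Red Sky's or Wapack Labs' own tooling), here is a small Python script that makes that check over connection records: it keeps connections that fall in an off-hours window, groups them by source, destination and port, and flags groups that connect many times at near-regular intervals, which is what a RAT "phoning home" looks like in flow data. The records, the 22:00 to 06:00 window and the thresholds are constructed assumptions; a nightly backup (one big transfer) and an admin's irregular SSH sessions are included to show what does not get flagged.

```python
"""Added example (not from the original post): flag off-hours beaconing.

Walks a list of connection records, keeps those in an off-hours window,
groups them by (source, destination, port) and flags groups that connect
repeatedly at near-regular intervals.  All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow records: (timestamp, src_ip, dst_ip, dst_port, bytes_out)
SAMPLE_FLOWS = [
    # A workstation checking in with the same host every ~5 minutes at 02:xx
    ("2013-03-19 02:00:05", "10.1.4.22", "203.0.113.9", 443, 1820),
    ("2013-03-19 02:05:07", "10.1.4.22", "203.0.113.9", 443, 1790),
    ("2013-03-19 02:10:04", "10.1.4.22", "203.0.113.9", 443, 1805),
    ("2013-03-19 02:15:06", "10.1.4.22", "203.0.113.9", 443, 1811),
    ("2013-03-19 02:20:05", "10.1.4.22", "203.0.113.9", 443, 1798),
    ("2013-03-19 02:25:08", "10.1.4.22", "203.0.113.9", 443, 1822),
    # Nightly backup: off-hours, but a single large connection, not a beacon
    ("2013-03-19 01:30:00", "10.1.4.50", "10.1.9.5", 445, 734003200),
    # An admin's SSH sessions at irregular times: off-hours, but not periodic
    ("2013-03-19 03:01:00", "10.1.4.77", "10.1.9.8", 22, 9000),
    ("2013-03-19 03:02:10", "10.1.4.77", "10.1.9.8", 22, 12000),
    ("2013-03-19 03:17:45", "10.1.4.77", "10.1.9.8", 22, 8700),
    ("2013-03-19 03:18:00", "10.1.4.77", "10.1.9.8", 22, 9100),
    ("2013-03-19 03:44:30", "10.1.4.77", "10.1.9.8", 22, 15000),
    # Daytime browsing: outside the window, ignored
    ("2013-03-19 10:12:44", "10.1.4.22", "198.51.100.20", 80, 52000),
    ("2013-03-19 10:13:02", "10.1.4.22", "198.51.100.20", 80, 48000),
    ("2013-03-19 10:13:31", "10.1.4.22", "198.51.100.20", 80, 51000),
    ("2013-03-19 10:14:09", "10.1.4.22", "198.51.100.20", 80, 47500),
    ("2013-03-19 10:15:55", "10.1.4.22", "198.51.100.20", 80, 49000),
    ("2013-03-19 10:16:10", "10.1.4.22", "198.51.100.20", 80, 50500),
]


def parse_ts(s):
    """Parse the 'YYYY-MM-DD HH:MM:SS' timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def in_off_hours(ts, start_hour=22, end_hour=6):
    """True if ts falls in the window; the window may wrap past midnight (22:00-06:00)."""
    h = ts.hour
    if start_hour <= end_hour:
        return start_hour <= h < end_hour
    return h >= start_hour or h < end_hour


def find_offhours_beacons(flows, start_hour=22, end_hour=6, min_connections=5, max_cv=0.2):
    """Return (src, dst, port, count, mean_interval_seconds) for periodic off-hours talkers.

    A group is flagged when it has at least min_connections off-hours
    connections and the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections is at most max_cv, i.e. the timing is
    regular.  The thresholds are assumed values, not tuned against real data.
    """
    groups = defaultdict(list)
    for ts_str, src, dst, port, _bytes in flows:
        ts = parse_ts(ts_str)
        if in_off_hours(ts, start_hour, end_hour):
            groups[(src, dst, port)].append(ts)

    findings = []
    for key, times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append((*key, len(times), round(avg)))
    return findings


if __name__ == "__main__":
    for src, dst, port, n, interval in find_offhours_beacons(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port}  {n} off-hours connections, ~{interval}s apart")
```

Run against the sample records, only the 10.1.4.22 to 203.0.113.9:443 group is reported (six connections about 301 seconds apart); the backup is a single connection and the SSH gaps are far too irregular. A low coefficient of variation is a cheap periodicity test, not a verdict: real implants add jitter and sleep through weekends, so loosen max_cv, look at byte counts (a backup moves far more data than a check-in) and check the destination before acting on a single rule.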
So what to do about it? Where do you find out what to do about it?

Join Red Sky Alliance today. If you're a private company, and need to know more about what's happening on your networks, or want to compare notes on technical analysis and intelligence with other really smart people in real time, Red Sky Alliance is for you.

Are you a smaller company? Federal civilian government agency? State? Local? Join Red Sky's Beadwindow Portal. Beadwindow offers the same level of service as Red Sky, but with a slightly different view on who may participate, at a lower price point, and best of all? Everything is UNCLASSIFIED! There's no need to find a SIPRNET (or worse) to download information from NTOC. Your folks don't need security clearances to access our Beadwindow Portal. And when you call, ask about Sequester pricing! Beadwindow costs WAAAYYY less than a week of White House tours!

Just need help analyzing data? Need forensic services? Don't want to build your own team? Or maybe you just need someone to take some of the more routine forensic work off the shoulders of your already taxed Infosec guys? Check out Wapack Labs! Wapack Labs is our newest addition to the Red Sky lineup. Wapack Labs is furnished, staffed, and set up. It'll open in the Historic Mills along the river in Manchester, NH on the first of April. Wapack Labs will initially handle non-criminal computer forensics, analysis and R&D projects. In fact, we've even had our first customer! A woman walked in on Thursday while we were setting up our furniture. She'd seen the 'coming soon' sign on our door and she wanted to know if we could recover her baby pictures and videos from a crashed 1 TB external drive... and you know what? When you like to bootstrap (and we do!), mom's money is green, too! It'll pay for the coffee pot and new Wii U (lab guys, apparently, LOVE killing zombies).

Have a great week!
Jeff


Wapack Labs Contact info:

250 Commercial St., Suite 2013
Manchester, NH 03101 
(603) 606-1246  
dkirmes@wapacklabs.com
 
Friday, March 15, 2013

Threat Day Tampa! And thoughts about community…


I love my job! No, I'm not gloating that I've been able to spend time in the warmth of Florida, knowing it's frigid cold back home in Maine! I seriously love my job. I wonder how many people in the InfoSec space can say that. An official count tells me not many!

Every quarter, Red Sky hosts a day-long briefing with our members. "Threat Day" is central to establishing lasting relationships between members. These events also build trust and foster a sense of community.

We heard how an incident response team discovered a targeted attack and took smart, timely action to thwart it, were given a dossier on the cultural and political motivations of state-sponsored APT, and saw new tools that sift through large sets of APT indicators quickly and efficiently.

It was a very successful event and we are already looking forward to the next one!

A side topic of discussion this week was the observation that communities and information sharing environments are starting to pop up quickly. These sharing environments are becoming prevalent because there's a real need to share data, and solution providers have figured out that brand loyalty is as much human connection as it is providing a solution to a problem.

As the large InfoSec companies monetize the information sharing concept, I can't help but think of some of the thoughts Red Sky's lead analyst recently shared with me, which I think are spot on. It is his conclusion that sharing communities fall into two categories: ad hoc or constructed. Each of these community models has its pros and cons, but before submitting your indicators, I ask you to consider the following.

The ad hoc community is the simplest to establish and is the result of necessity rather than choice. It may be loosely regulated and unstructured, and sometimes lacks finished conclusions, but these communities are fast moving, quick to respond, and provide a diversity of ideas, particularly deep technical evidence. If you're looking for a quick infusion of information, this may be the perfect community for you.

The constructed community is one in which participation is purposeful. Generally, membership is by request or invitation only and governed by strong bylaws. However, rigid rules and over-governance can inhibit and even discourage sharing of information. On the upside, constructed communities reduce static: unnecessary and redundant information. When information is shared, it's high fidelity, and you're less likely to take a "wait-and-see" approach.

Red Sky is taking what is best from both community models and bringing them together in a single environment. The strength of our community is equal to the strength of the relationships and trust between members. This is why we emphasize the value of our quarterly meetings! This week's Threat Day in Tampa is a reaffirmation of this belief. We work hard to bring smart people together, give them the tools to do their jobs efficiently, and provide a content-rich environment to share information. Do that, and you can accomplish great things!

In the future, when asked to join a group to share your information, ask yourself which type of community you're being asked to join, what you expect to get in return for your information, and whether you trust those on the receiving end.

If you're interested in our Threat Days or want to join the conversation, email me directly at rgamache@redskyalliance.org

Saturday, March 09, 2013

House is on Fire. Call 911? Do I have a choice?

If you were awakened in the middle of the night by the smell of smoke, would you call 911? Do you have a choice?

I've been talking and working with several organizations lately who, for whatever reason, chose not to call 911. Worse, some (almost all) either don't have smoke detectors or the batteries have died; they don't get tested annually, and they aren't even wired to a place where they'll be heard when they go off in the middle of the night.

So, what happens when there's a fire and the owner is awakened by the smell of smoke? Maybe he'll grab a fire extinguisher or buckets of water. Within a short time, the fire grows. Grab the garden hose! The whole time, as the neighborhood gathers to watch his house burn to the ground, little by little, he forbids the neighbors from calling the fire department.

Get the picture? We're not talking about smoke. We're not talking about fire at all. We're talking about the stubbornness of IT directors and CIOs with emotional connections to the idea that whatever happens in the networks they built, they can fix it. Let's think...

  • The fire smoldering deep in their networks is largely undetectable by their current smoke detectors. Those things were installed years ago, and even though they auto-update, they might detect the old stuff, but can’t detect the new.
  • The team is all fairly new, and while they know tools exist on the network, they have no idea how to use them.
  • "The IT guy has been with us for years. He's never let us down before. We'll cut him some slack.. just a few more months."

Sound familiar?

So here’s the thing. In the last 30 days I’ve talked with at least three companies in this exact situation. One has started submitting information to Red Sky without actually joining. Another has a CSO and an IT director, but the IT guy doesn’t trust the CSO and thinks he can do it on his own. The third isn’t a corporation... but I could write a series of posts on government information security!

So let me pose a couple of thought questions...

Should IT security fall under the CSO when IT has no security organization? What responsibility is held by the CSO when no Infosec organization exists? If not the CSO, then who? In many of the companies I talk to, they have a CSO who's responsible for physical security. The CSO usually has no IT experience but is the only security person in many of these companies. So what is their responsibility? If not the CSO, then who?

At what point do you call for help? Who do you call? FBI? Police? Consultant? When IT spends months playing 'whack-a-mole', when should IT be required to get outside assistance? How much of the budget should be allowed to be spent before IT is required to blow the whistle? When that occurs, who should they call?

Last, what role does the board play? When IT is unable to stop the intrusions, how much time/money should be spent before senior management reports to shareholders?  When a company refuses to ask for help, how much time (money) should be spent before liabilities fall to the board and senior management for not acting sooner? Is there a liability to the board for not notifying shareholders and requiring management to seek assistance?

BREAK BREAK

I haven’t done a Red Sky update in a couple of weeks. We have a lot going on...

  • This week we’re gearing up for our 5th quarterly threat day (in Tampa). We are really looking forward to a first time face-to-face with several members and to further building out the trust relationship which is so important in our space.
  • Two new Fusion Reports were released to our community. The latest introduced a new threat group to our list of tracked adversaries and provided detailed analysis on the leveraged protocol as well as mitigation recommendations. The second report provided additional analysis and attribution on a recent highly-publicized compromise.
  • We've added a new member to Beadwindow. Our newest member is a state-level organization for higher education. We really like working with city, state and local governments!
  • Last, we’ve just taken possession of the space in the Manchester mills. The new company (a Red Sky Alliance company; this one incorporated in NH) is called Wapack Labs, and we’re bootstrapping this one with contract security intelligence work, a bit of R&D, and some research.

I'm looking forward to talking with more of you in the future. We're giving two more threat briefs: I'm heading for Dallas this week, speaking at a McKinsey event in New Jersey, and then headed to New York for another panel discussion with the financial community. We're busy and doing great!

Enough for now.
Have a great week!
Jeff

Friday, March 01, 2013

MAGIC BOXES and the RSA CONFERENCE


What an awesome week for me and for Red Sky at the RSA conference! It was a privilege to be able to speak to some of the smartest people in the business, and equally flattering when they would see my shirt and say, "You're with Red Sky? I've heard of you guys." What an easy way to strike up a conversation, and I'm leaving here with a renewed confidence that we are getting it right when it comes to the challenges we all face with APT and our adversaries.

If you've never been to the RSA conference, the best way to describe it would be a 10,000 square foot shopping mall called the "Expo" shoehorned between overcrowded classrooms. A place where almost everyone dooms their inboxes with eternal spam in exchange for a $20 remote control helicopter, if you're lucky enough to win it! No thanks. A place where the line to have your picture taken with Darth Vader is fifty feet long and the line to have your picture taken with the 49ers cheerleaders is non-existent. And no, I'm not making this up!

And all the while I was walking through the Expo, I kept listening to the vendor sales pitches and I got to thinking: all this technology being sold exists for one reason, to prevent or limit the damage to humans caused by humans. No wonder we can't secure our networks. We're looking in the wrong place! We're taking devices that are programmed to act rationally and asking them to protect us from irrational human behavior. Stop me if you've heard this before: "Hmm... I think I'll disable this anti-virus software because it's making my streaming video slow!"

There is not a single device, yet, that can predict WHY someone will act in the manner they do. And until one is programmed to understand the stresses of losing a job or a client, greed, or the desire to be famous or notorious, the concept of dropping a device in your network and thinking you're protected is a losing proposition. I'm not suggesting we don't need firewalls, IDS, IPS, and DLP systems, but what I am saying is simply this: in all the hype about the next magic box that will save us from ourselves, the real force multiplier in solving this problem is often forgotten. People. Simple, right? Let me give you an example.

At the end of a long day at the conference, I struck up a conversation with the IT manager of a mortgage clearing house with several billion, with a "B", dollars on the balance sheet. After a while, and when he felt comfortable talking, he shared with me that his network had been targeted, breached, and was most likely still leaking information. His purpose for being at the RSA conference was to find a solution, a "magic box", to make his troubles go away. To be fair, not HIS troubles, but his boss's troubles! No wonder we're losing the cyber war; unfortunately, this story is all too common.

Now, I could have sold him on what we do at Red Sky and gone into my elevator pitch, etc., but what he really needed in that moment was the comfort of knowing that he isn't alone, a sympathetic ear to listen to his problem and tell him that there are others in the same place he finds himself. I told him very simply, "Take a deep breath. Break the problem down into small pieces. Put your plan to paper. And act." I handed him my card and told him if he ever had any questions to call. Will he? Maybe; not sure. But he wasn't looking to buy anything and I wasn't selling. He was looking for someone who would listen and who he could trust. Besides, Red Sky doesn't sell new bosses, but we can make them smarter!

When I say people are the only way we're going to solve this problem, this is exactly what I'm talking about. Sometimes you have to look beyond the sale by listening to the problem and offering your advice. That's not to say selling isn't important, but at Red Sky, we believe people come first. You build trust through communication, integrity, and genuine care for others. Do this first and the sales will take care of themselves. How many vendors do this: listen to their customers as humans with real problems that need to be solved? Many say they do, but think for a minute. How do you build trust through the persistent and overwhelming noise on the floor of the RSA Expo? Simple answer: you can't. This is why I can predict with overwhelming confidence that you'll never see a Red Sky booth at a trade show!

Which leads me to a few closing thoughts. 

The leading principle we at Red Sky live by is first and foremost, we are a community. When people ask what Red Sky is all about, I always start by saying, "Red Sky is a community of really smart people with diverse backgrounds, talents, and expertise, helping one another solve the APT problem."

If we all know we can’t solve our problems with a magic box, isn’t it equally true that we cannot solve our problems on our own?  Sure, you can go it alone, but the point is, you don’t have to.  However, if you do and you solve the APT problem?  Well, now that’s a sales pitch I would pay to hear! 

If you're interested in being part of the community, or if you demand photographic proof that the 49ers cheerleaders were being neglected, please feel free to email me directly: rgamache@redskyalliance.org

Friday, February 22, 2013

APT is hard, but not impossible



When Jeff asked me to write this week's blog, I jumped at the opportunity. What an incredibly busy week, not only for Red Sky but for the security world as a whole! As many of us were getting prepared and turning our eyes to San Francisco and the RSA conference, on Tuesday Mandiant shook things up and released their controversial "APT1" report! The conference will be all abuzz! More on Mandiant's report in a bit.


Living in Northern New England, I often talk to organizations, banks, and companies on the small side. Interestingly, one bank CISO described his bank as one such "small" bank with nearly a billion dollars in assets! To be fair, relatively speaking, that is probably a small bank, but who wouldn't want 1% of what is considered "small"?! I digress... As in much of Northern New England, there is a sense of security that comes with living here. The pace is slow and crime is low, and all too often this tranquility results in what I call "cyber complacency" or the "I'm too small to own" syndrome. Unfortunately, cyber criminals are not bound by the same societal values as the communities where their targets reside.


I've had many conversations with good security people and CISOs who do not see themselves as ever being the target of APT because, simply put, and quoting, "We're too small. There are bigger fish to fry before they ever get to us." Oh, really? I can't entirely blame some people for holding this attitude. APT is hard, not only for many of the decision makers to understand, but also extremely hard to defend against when you're outgunned and understaffed.


These conversations generally lead me into a story I often tell about a small defense contractor working on a very niche project for the defense department. When asked what measures they were taking against the APT threat, the response was, "APT is too hard to deal with. Besides, we're too small. No one cares what we're doing." Unfortunately, someone did care, and this small company was gutted of its intellectual property. Result: aside from the hundreds of thousands of dollars' worth of intellectual property lost, the company lost its competitive advantage in the market space, and we, as a nation, may have lost our competitive advantage on the battlefield.


When I tell this story, the climate in the room often changes dramatically from "We're too small to get owned" to "We know we are exposed, but we're spending a ton on security already and we don't even know where to start with APT." Again, APT is hard, but can you afford to ignore it? The adversary knows this, and those who wish to steal from you are not doing it alone. They have teams of people targeting you, which brings me back to Mandiant.


Mandiant's release of the APT1 report has been met with both strong applause and strong criticism. In my opinion, there are merits in the arguments on both sides. Whether you agree with Mandiant's decision or not, the release of the report pushes the APT problem, and "APT1" lurking in the shadowy corners of cyberspace, into the light for everyone to see. Mandiant has thrust the conversation about the APT problem, its tenacity, and its effects light years forward, and I myself can only see the positives in that.


To me, there are two takeaways from the Mandiant report that should make the hair stand up on any CISO as well as anyone in the C-suite. One is something we all know: once you're the target, they're coming in whether you like it or not. They will outspend you in both time and money, and when they do get in, and they will, they're there to stay! The second takeaway is a more subtle one: the adversary is working in teams. Not only teams of highly trained people in the technical trades, but people trained in linguistics, cultural attitudes, human intelligence, and economics. Can you afford a team equal in size and expertise? Probably not.


APT is hard. Red Sky members know this very well. Red Sky is made up of multiple mature incident response teams from some of the largest Fortune 500 companies sharing information, assisting one another, and working together to solve the complex APT problem. Red Sky members form a team of very smart analysts and technical experts from a wide range of industries and disciplines.


As a Red Sky member, these professionals, facing the same threats as you, become part of your team and you become part of theirs. The point is, your adversaries number in the hundreds if not thousands. You can't ignore that, and you're eventually going to have to start somewhere; Mandiant has made that abundantly clear. You can go it alone, but you don't have to. Ask for help and join the conversation!


For all of you traveling to the RSA conference, I wish you very safe travels. If you're like me, you're leaving early to avoid the storm working its way eastward! If you're interested in speaking with me about Red Sky and how our members can help you, please feel free to reach out to me at rgamache@redskyalliance.org.


It’s going to be a great event and I’m looking forward to the presentations and the good people who are working in the trenches every day.


See you in San Francisco!


Rick