Saturday, June 01, 2013

Parts is parts!

I spoke today with an Infosec guy from one of the global restaurant chains. The chain has restaurants in over half of the countries around the world. It's one of the big ones.

While duly impressed with the alliance, portal, comms, and the fusion reports, he says to me at the end of the demo, "You don't seem to have any other companies like ours in the Alliance." Then I thought... let me take a crack at understanding your concerns as an Infosec guy in a big company...
  1. You probably handle a ton of card transactions and are worried about even small losses caused by card fraud and theft.
  2. You're probably worried about losses of ACH transactions destined for your supply chain.
  3. You're probably worried about online e-commerce transactions (in fact, this company is at the top of the charts when it comes to online ordering!) 
  4. Last, you're probably worried about shipping and logistics, with the right stuff ending at the right place, every time. 
So, do we have other restaurateurs in the alliance? No, but let's think about this for a moment.
  1. Our members process a very high percentage of all credit card transactions in the world (and they understand the threats to payment systems companies!).
  2. They transfer huge numbers of ACH transfers, from and to, nearly every country in the world (as does every company in the alliance today).
  3. Every one of our companies relies on the internet. While perhaps not handling the same volume of online transactions, they all rely heavily on e-commerce. 
  4. And shipping and logistics? Every company that I work with today picks something up somewhere, and puts it down somewhere else.
Regardless of industry, all of our members have these four things in common. Add to that targeted attackers aggressively chasing them, and the competitive pressures of both legitimate competition and economic/corporate cyber espionage. All of the stories are true. These guys are busy. They're all in the same boat, and beyond chasing espionage threats to intellectual property, they ALL chase (big) cyber threats to (big) money movement, supply chain and logistics losses, and the automated movement of something through a supply chain... every single one.

So tell me, do you worry about these issues, Mr. Restaurateur? What about you, Ms. Retailer? Mr. Attorney? I kinda joke... when we're all standing around with our pants down, at least half of us are going to have the same parts. Sizes, shapes and colors may differ, but parts is parts.

BT BT

There's a ton of stuff happening around Red Sky Alliance these days. 

  • This week we released our 49th Fusion report detailing a new malware variant from a known actor. Analysis of the related infrastructure revealed two hosting networks which have been linked to a variety of APT activity. 
  • On the portal side, things are looking up; our user adoption rate peaked last week with the participation level reaching an all-time high! Additionally, we're getting inputs from non-members who are experiencing APT events. Our referral rate is growing too!
  • We authored and published our 10th intel report this week, detailing activities of another group of actors (no, not APT1.. that's been done already).
  • Last, our CIO attended the NIST framework discussions in Pittsburgh all week. He's coming home spent, but says it was a productive week.
And in the Lab? 

Until next time, have a great week!
Jeff


Saturday, May 25, 2013

Holes you could drive a truck through

How many truly great Linux gurus do you know? You know the guys I mean. They build their systems starting from the bottom of the kernel up, rather than stripping extra services out of a distribution. They'd never touch a commercial version of Linux unless forced by enterprise mandates. I'll help... I know a lot of really great Linux guys, but only two I'd trust to build a security device. One lives on a farm, hates cellular telephones, and (I bet a dollar) he's got tinfoil lining in every one of his hats. He introduced me to the second. Another really smart, really nice guy --the kind you don't often let out of the closet. You slide pizza under the door until the box is built, then you escort him to the networking closet or data center where the box will be installed and don't ever let him come in contact with uninitiated coworkers. They just wouldn't understand.

So I'll ask the question in a different way --How many of our Linux based security devices are built by these truly genius engineers? I'm thinking very few.

Why would I raise such a topic? I commented in a white paper about ensuring your security devices have good security. Last week I ate my own dog food. It tasted like sh*t! Red Sky is a small business. We have a large membership, but we're a small business. We have a physical location, but are largely virtual. We rely on others for the security of our systems --cloud providers of applications, hosting companies, managed security service providers, colo facilities, etc. I'd be shocked, however, if others in our 'small business' class of companies have the wherewithal to ensure that their vendors, supply chains, and IT providers have the ability to adequately protect their data. Not to mention attempting to do it themselves. I was especially shocked when I saw this in Forbes this morning:

"According to a recent study cited by the U.S. House Small Business Subcommittee on Health and Technology, nearly 20% of all cyber attacks hit small businesses with 250 or fewer employees. Roughly 60% of small businesses close within six months of a cyber attack." (Source: Forbes)

This is an amazing statistic. It's something we've been talking a lot about in our local Manchester, NH area. Having just opened our lab in April, we've been doing our networking. For the last several years, I've been working in and with large enterprise, global in scope corporations --both as an employee, and as a government Infosec worker, mostly based out of the Baltimore-DC area. But now, participating in the local New England ISC2 meetings and talking with the owners of local businesses instead of the CISOs of large companies, I've come to the realization that our government (at least DoD) really has no idea just how bad it is for small and medium sized companies. I had a conversation with a global CISO who told me that nearly 60% of their critical suppliers were companies with fewer than 25 employees!

To the point... we're a small business. As a small business, we purchased a couple of security devices from two different vendors. One device is designed for large enterprise, one for use in small business. The first device, an analysis machine built for large enterprise, allowed access via cURL (the new generation of wget for old Unix guys like me) through a RESTful API without any credentials, when every other access method requires them. Bad form. We're told it was by design.... bad design. We love the functionality of the machine. Heck, I'd bet it saved us from installing a half rack of other gear in our back end! The machine won't be going back online any time soon... at least not without some serious enclaving.

To that, we purchased the second device --a VERY popular unified threat management (UTM) system made for small and medium sized businesses. During setup, we found it only processes two factor authentication by passing credentials unencrypted! We wanted to use the device as a proxy between other devices and the analysis machine mentioned above. This UTM is one you see at EVERY major security conference. They always have a flashy booth; lots of color; well dressed sales guys and engineers that'd make you believe they have the best machines on earth. I bought three of them to test. They look cool. Can you imagine my surprise when we tried to enclave the first box with the second, only to find this really popular machine will only pass unencrypted credentials via PAP? Wow! This sexy, crazy popular device, meant for the masses, doesn't support anything newer? Really? 

Two devices, both Linux based, both insecure. 
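Whether a device is still handing its authentication backend a PAP password is something you can check on the wire rather than take on faith from the vendor. The following is an added example, not code from this blog or from either vendor: it assumes the UTM authenticates against a RADIUS server (RFC 2865), parses Access-Request packets (constructed sample bytes stand in for a capture), and flags any request that carries a User-Password attribute (PAP) instead of CHAP-Password or EAP-Message.

```python
"""Audit RADIUS Access-Request packets for PAP (User-Password) credentials.

Added example; the RADIUS assumption and all sample packets are constructed here.
"""
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2   # PAP: password is only XOR-obfuscated with MD5(secret|authenticator)
ATTR_CHAP_PASSWORD = 3   # CHAP: challenge/response, password never on the wire
ATTR_CHAP_CHALLENGE = 60
ATTR_EAP_MESSAGE = 79    # EAP: method negotiated inside EAP (e.g. TLS, TTLS)


def parse_radius(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]) or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field inconsistent with packet size")
    authenticator = packet[4:20]
    attrs = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs


def credential_method(attrs):
    """Classify how the request proves the user's password."""
    types = {t for t, _ in attrs}
    if ATTR_EAP_MESSAGE in types:
        return "EAP"
    if ATTR_CHAP_PASSWORD in types:
        return "CHAP"
    if ATTR_USER_PASSWORD in types:
        return "PAP"
    return "none"


def audit(packets):
    """Summarise each Access-Request; PAP is marked weak because the shared secret recovers it."""
    findings = []
    for pkt in packets:
        code, ident, _, attrs = parse_radius(pkt)
        if code != ACCESS_REQUEST:
            continue
        user = next((v.decode("ascii", "replace") for t, v in attrs if t == ATTR_USER_NAME), "?")
        method = credential_method(attrs)
        findings.append({"id": ident, "user": user, "method": method, "weak": method == "PAP"})
    return findings


def build_access_request(ident, attrs):
    """Encode a minimal Access-Request; the 16-byte authenticator is zeroed (constructed data)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body


# Constructed sample "capture": one PAP, one CHAP, one EAP request.
SAMPLE_PACKETS = [
    build_access_request(1, [(ATTR_USER_NAME, b"jack"), (ATTR_USER_PASSWORD, bytes(16))]),
    build_access_request(2, [(ATTR_USER_NAME, b"alice"), (ATTR_CHAP_CHALLENGE, b"\x01" * 16),
                             (ATTR_CHAP_PASSWORD, b"\x01" + b"\x02" * 16)]),
    build_access_request(3, [(ATTR_USER_NAME, b"bob"), (ATTR_EAP_MESSAGE, b"\x02\x01\x00\x05\x01")]),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PACKETS):
        flag = "WEAK (PAP)" if f["weak"] else "ok"
        print(f"id={f['id']} user={f['user']} method={f['method']} {flag}")
```

On a real device, feed the UDP payloads from a capture of the UTM-to-RADIUS traffic into audit(); any "weak" finding confirms the behaviour described above.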

In both cases we've informed the vendors and are working with them. We've protected the first box, and the second, well, we love the functionality and will continue to work with the company to ensure an upgrade is delivered soon.

So how does the SMB company protect itself when the devices they buy are likely inexpensive, Linux based, and are built for ease of deployment?

Red Sky does this in a couple of ways --we like having MSSPs in the Alliance. They provide security to large numbers of small and medium sized (SMB) companies that we probably will never have as alliance members. We also welcome vendors into the Alliance as associate members. Need to know what your customers are facing? Ask them in the portal.

In the meantime, test your security devices. Every one should be pen tested. If you can get through, so can others.

BT BT

It's been a good week. Two new pieces of analysis were posted to the portal. Three new members are currently in front of the Advisory Board this week, representing three different industries. We introduced two new members into the portal, and have our first meeting next week with a global food company. Wow!

Until next week, have a great Memorial Day weekend!
Jeff


Friday, May 17, 2013

Cyber and Pareto's Law of the Vital Few


Have you ever met anyone working cyber security that said they were bored? Me neither. Cyber security is an often thankless and underappreciated grind. Problem is, we only have ourselves to blame, including me. There's a difference between taking action and productivity. 

As humans, our lives cannot scale to meet the demands the threat actors throw at us on a daily basis. Throw in a few meetings with vendors and the folks in the C-Suite, sprinkled with one or two HR matters, and the week dries up pretty fast. More importantly, it doesn't leave much time for doing what we're supposed to be doing: fighting the good fight! 

Italian economist Vilfredo Pareto observed that roughly 80% of the effects come from 20% of the causes. This principle is known as the "80-20 rule" or the "law of the vital few". This law can be observed in many ways; in business, for example, typically 80% of profits come from 20% of your customers. Or in our realm, take the SANS "Top 20 Critical Controls": the top four controls (20%) can mitigate much of the threat. O.K., not perfect, but you get the point. So think a minute: if only 20% of your work produces 80% of your results, are you focusing on the correct 20%? Would the last four controls of the Top 20 give you 80% protection? Probably not!

Each of us works with a unique set of circumstances and constraints. Despite the near-daily reporting of high profile attacks, budget shortfalls, inadequate staffing levels, and mission creep are still ubiquitous in cyber security. It is incumbent upon us, as cyber security experts, to make sure we get 80% of the result out of at least 20% of our investments. The Pareto principle needs to be welded into our decision making process. This is an absolute requirement if you're an SMB!

At the end of each week, take time to review the actions you or your staff took and what the results of those actions were. What could you have done better to make the result more productive? Furthermore, did you take actions that produced low results, or were not "Pareto efficient"? For example, did you spend 20% of your budget hiring a penetration tester when you could have used the money to replace your packet filtering firewall with an application layer firewall? Which decision would give you an 80% return?

For those of us working APT in an incident response capacity, not applying Pareto's principle can be dangerous! Incident response teams need precise, timely and detailed information, like now, not tomorrow. If an incident response team has to sift through mountains of indicators to get at the ones that are actionable, you quickly become Pareto inefficient! 

We often hear that indicator feeds produce about 10%-15% real, actionable indicators, yet it costs an analyst, or analysts, a lot of cycles to examine 100% of the data. So in the best case scenario, you're investing about 85% of your time for a 15% result. That's important to note! 

I'm not suggesting that feeds are not worth it; I'm simply suggesting they're not enough in and of themselves. If you're spending $10,000 for a feed, which is a bargain by any stretch, and you're only getting 15% results, it would tend to make one rethink the value proposition of the feed. Add the human time required for scrutinizing the indicators, and the value drops off precipitously.

This is why, when we at Red Sky are talking to potential members or simply educating people about the APT problem, we stress that threat intelligence has to be timely, contextual, and most importantly, accurate. Every analyst in the Red Sky membership has to show their work. Each puts their findings into context, and those findings are then peer reviewed for accuracy. We do this to ensure that when a new member joins Red Sky, they have an abundance of rich and contextual indicators, Snort signatures, and Yara rules they can apply to their defense strategies on day one. Add in the ability to work alongside and ask questions of some of the most experienced and intelligent incident responders from some of the world's leading organizations fighting APT, and it's clear a membership in Red Sky would be a Pareto efficient decision!

BT BT

This week Red Sky released Fusion report 13-013, which was released on the 13th! No, that wasn't intentional! This report described a new targeted malware variant which leveraged a previously unobserved TTP. Included were several new rules and indicators for proactive mitigation. Fusion report 13-014 should be published by this weekend and will provide analysis of yet another new variant observed in recent watering hole activity.

My last blog, "Time for some good news in Cyber Security", was met with a lot of positive emails. I was very pleased by those who took the time to email me to thank me for being uplifting. And why shouldn't we be? We're all doing really good things tackling a very hard and real problem. Keep up the good work!

I encourage you to share your thoughts with me. If you haven't requested our whitepaper, How Great Companies Fight Targeted Attacks and APT, please shoot me an email or visit our website, www.redskyalliance.org.

Keep fighting the good fight!

Saturday, May 11, 2013

We're learning to fight submarines...

I get one of my daily information fixes via the DC3 Daily Dispatch. Kudos to Jim and his outreach team! While many of these lists contain great reads, I'm certain you, like me, can't read everything. I'll skim the list, find the good stuff, and then skim the article to see if it was worthy of the title. If not, I go back to the next most interesting topic on my list, maybe the one about iOS containing potential malware --ooops, an iOS app contains potential malware. Huge difference! The problem is, I just spent probably 15 seconds evaluating each of those two pieces. So here's the deal. I receive 40 articles from this one list alone. That's 10 minutes of pure evaluation time, assuming I don't stop to read the entire piece. This is just one list, and probably one of the few that I actually take the time to read. 

There are hundreds (thousands?) of these feeds that you could read daily. Do you read them all? Of course not. There are thousands of sources of tech intelligence. Do you read them all? Again, probably not. Do you aggregate them and mine them for nuggets? Some do, but probably not all of you. I know I've been through the process of building a couple of these analytic systems. But you know what? Even if you aggregate that data, can you mine it for only non-false-positive information, prioritize it by analytic confidence, sort it by what's useful to you, for your environment... Even if you could, would you know what to do with every piece of information received, aggregated, prioritized, sorted, and distilled? Many companies will say yes (I'd argue some are lying). Most companies will tell the truth --not a chance. In fact today, for much of the morning, I attended an ISC2 event. I was shocked (although I probably shouldn't have been) when the presenter asked the audience 

"Who in the room can actually implement indicators, even if you have them?"  

No hands went up. Not one.

So what's the answer?

Red Sky Alliance. Someone asked me the other day what the difference was between Red Sky and all of the subscription based services. He was a guy writing a paper for his management, and needed accurate threat intelligence. When he came into Red Sky, on the first day, he asked a question. He posted a spreadsheet with all of the actors he'd been profiling --many defacers, etc., and asked for other information that people may be working on. On that same day, he received a bunch of information about criminal and espionage groups he'd never seen before. Not only that, analysts from at least a dozen companies welcomed him, and pushed him new information regarding some of the actors he'd listed. This was information he'd never seen before. He's a pretty smart dude, but even the smartest, when working alone, end up with a limited set of eyes, and therefore a limited set of data. Red Sky connects people. The result of this connection was crowd-sourced analysis by some of the best companies in dozens of industry segments. Within a day, this guy had more new data than he'd compiled on his own in however long he'd been researching. And he made friends in about a dozen companies with really mature infosec/threat intelligence shops around the world. How cool is that?!

When I think back six or seven years ago, I was probably the first (and loudest) in the room, vowing never to give away information that might implicate the company I was working for at the time. We had tough attorneys and a CISO who made us all sign non-disclosure agreements. Everything about the activities we'd been fighting was kept in strict confidence, and on a need to know basis. Today, some of the biggest companies in the world share information about how they're being attacked, what they find, and how they fight it. In addition to Red Sky, others are sharing in their own circles --DSIE (defense companies have their own group), the Information Sharing and Analysis Centers have become popular again, and the government has no less than a dozen outreach programs to private industry (although they seem to have a rough time sharing between themselves!). Red Sky does things a little differently than the others, but still, information is moving. It's a great sign that things are getting better.

I'll close with this. I'm an old Navy guy, and I use the analogy "We're learning to fight submarines (in cyber space)." We lost a lot of ships to German U-boats during World War I. It resulted in the US Navy creating the 10th Fleet --folks dedicated to creating our anti-submarine warfare. The result? By World War II we not only could detect and kill enemy subs, but we had our own. Know what the Navy calls their cyber guys today? 10th Fleet.

It's getting better.

Until next week,
Have a great week!
Jeff
 

Friday, May 03, 2013

Time for some good news in Cyber Security


Why are there so few "feel good" stories about cyber security? Almost daily, we're warned about a new zero-day exploit or told of another organization that has been compromised by the bad guys. We all have a tendency to wonder if we'll ever get ahead. We will, and we are! There are great things happening in cyber security and it's time we focus on the good news!

To be fair, we're in a profession where we keep the scoreboard hidden from the spectators. Many of us in security live our professional lives behind closed doors, and our day to day activities are cloaked in secrecy. Often the only face time we get with those in the C-suite is when something has gone horribly wrong, but here's food for thought: for every high profile breach there are a thousand other organizations that thwarted one. We are ever closing the gap as more smart people enter the field and we identify and perfect our best practices. I take comfort seeing these numbers grow daily.

Cyber security professionals are doing amazing things and we ARE making incredible advances in protecting our networks from our adversaries. Fact is, we got out of the gates really late and the competition has a wide lead on us, but we're learning every day and we're closing in. We're learning, we're getting smarter, and we're going to catch up!

We have learned a lot about what not to do, but we can, and do, learn a great deal more from those who are doing things right. By focusing on the positive and opening a new dialogue that includes the creativity, intelligence, and resourcefulness of the many brilliant people on our side, we can focus our attention on what defensive measures really work and apply them where they are most effective. 

Red Sky asked organizations to share their good news with us and describe their successes so we could share them with others. The results were very compelling! In our whitepaper, "How Great Companies Fight Targeted Attacks and APT", we documented the responses we received from organizations with very mature incident response teams. There were many different approaches, but what we discovered was that almost all had seven fundamental actions in common. We concluded that if executed well, any organization can be equally effective in protecting itself from the bad guys. If you want to know how you stack up, see how to get a copy of this whitepaper below.

With the full intention of focusing on the positive, we found that organizations were more eager to share their successes than they were to share their failures. Every day, I have the privilege of seeing the positive in action. Whether it be one organization sharing threat intelligence with the Red Sky community or another organization lending assistance to a less experienced incident response team, I can't help but see a tide of good news building in cyber security! 

I challenge you to take the time and focus on the positive things that are happening in cyber security. What actions have you or your organization taken that have had positive results? How can you build upon those successes, and do you share them with others? I bet if you do, you'll find there is an abundance of good news!

If you're interested in our whitepaper, "How Great Companies Fight Targeted Attacks and APT", interested in the positive things we're doing in Red Sky, or simply want to share your good news with our membership, please reach out to me at rgamache@redskyalliance.org.

BT BT

The response to our opening of Wapack Labs in Manchester, New Hampshire has been an extremely positive one! Focusing on digital forensics, Wapack Labs is a fully functional data forensics laboratory specializing in computer, network, and cell phone investigations.

If you have a need for court admissible reporting and digital forensics work for employee misuse, non-compete violations, network intrusion, intellectual property theft, and copyright infringement cases, please reach out to our lab's lead forensics analyst, Derek Kirmes, at dkirmes@wapacklabs.com or read his blog at http://wapacklabs.blogspot.com/. Derek has put together a really good post this week about the problems that may occur when an employee leaves your organization!

Saturday, April 27, 2013

New Fusion Report; Intel Analysis; Go West Young Man!

One of our members posted data that led to the discovery of a previously unobserved command and control (C2) infrastructure. What struck me was a call I received from this (very smart and strikingly handsome ;) member late Thursday afternoon... right after we published our Fusion Report. Evidently he'd turned in his pcap samples to Red Sky, the FBI, and a third analytic group. Red Sky did a full workup on the data, crowdsourced pieces as needed, and published (to the group) a Fusion Report with a full analysis and a list of Kill Chain formatted indicators. As of Thursday night, neither of the other groups had responded. 

On the membership side of the operation, we sent out membership packages to a bunch of potential members and welcomed our latest newcomer into the Alliance.
  • Two Federal Civilian Agencies are evaluating membership --both currently in legal review, one DoD organization invoiced, and one more DoD organization finalizing paperwork. Just this week, a third Federal Civilian Agency contacted us for membership information, telling us they can't get good unclassified information elsewhere. We've heard this before. So we're hoping that within the next month, Beadwindow will see an infusion of new federal government analysts. 
  • On the Red Sky side of the house, we sent three new members to the Advisory Board to offer thumbs up/down before we go any further with them (all of our members are vetted through our Advisory Board before being offered membership). One was a referral from an old friend; another was a referral from a current member. We love referrals!
  • One new member was invited into the portal this week. The first guy from this credit card company's information security team needed high quality intel --stuff they're not able to get anywhere else. I'm sure they'll find it in Red Sky. In fact, we had one of our best analytic weeks going, with two reports published this week. 
This week's reporting: 
  • Fusion Report 13-011 published: A Red Sky member submitted details from an incoming spear phish. In the posting he included the email header and attachment. He's a smart guy. The attachment exploited a vulnerability from last year, but the payload initiated and connected to a previously unobserved C2 infrastructure. 
  • As well, we published Intel Analysis Report 13-007, which drew comparisons between three RAT families and profiled one of the authors.
BT BT

On top of the crazy pace this week, Jim announced at our weekly staff meeting that he's sold "World Headquarters" in St. Louis and is moving to Colorado! Our president (and his World Headquarters) HAS to be closer to high quality fly fishing and great skiing. I'm keeping my fingers crossed hoping for my own wing! More importantly, this means we've now got representation in Denver, Colorado Springs and, after next week, Steamboat. I had a great trip out to AFCEA a few months ago and can't wait to host our first booz'n and brainstorm'n at elevation in the Rockies! 

RE the Lab? We're in full swing looking for business. Our first major gig was a RAID rebuild/restore. An IT consultant sent us a set of drives from a RAID array that they'd tried several times to fix. Their customer's entire business was located on these disks; one, a database full of customer information. We were able to identify, carve and rebuild almost all of the data, sending the results back to the consultant yesterday. While it's not sexy APT work, data restoration projects seem to be coming to us, and heck, the work's good and the money is green, so we'll take it. We're expecting a 12TB project this week. So for now, if you're looking to take the strain off of your already overworked forensic shop, we'll happily take some of it off your plate. If your incident responders/forensic guys are swamped with HR, internal legal, and restorals, send some of it our way. Those guys are busy enough with APT. We'll happily take some of the routine cases for you!

OK folks, until next time.
Have a great week!
Jeff

Friday, April 19, 2013

Red Sky is observing a week of silence...

Having been a runner (50 pounds and 10+ years ago), I can't imagine the feelings going through the runners on the field at such massive devastation --the lack of completion, the sheer shock and horror of being in the mind of a long distance run, having dreams shattered as quickly as it happened, and the families of those killed and 100+ injured.

Red Sky Alliance and Wapack Labs are observing a week of silence in support of our neighbors in Boston, and all of those affected by this horrific event. Our hearts and prayers go out to those killed or injured at the finish line of the Boston Marathon, and to their families and friends.

Friday, April 12, 2013

A few things to consider before you buy the next hot commodity.

With Jeff on the road making his way up the east coast in yet another wet and soggy commute, I've been handed the digital pen for this week's blog. 

This week, I was having a beer with a couple of colleagues and the discussion turned to the "commoditization" of security. We all know that security is one of the hottest market spaces on the planet. Security firms are selling firewalls and IDS/IPS boxes at a breakneck pace to keep up with the growing security threats and, to be fair, the demands for these solutions are growing as well. But what happens when the supply outweighs the demand? You look for new things to commoditize!

In my opinion, there is more demand for knowledge and expertise than there is for the next firewall. In fact, I predict that by the end of 2013, the emerging hot commodity in security will be security related communities where people collaborate and share information in a trusted and secure environment.

You're already seeing many of the big players and security vendors hanging communities off the solutions they are already providing: "Buy our Incident Response service and you have access to our community." This demand for communities is nothing new for us at Red Sky. We've been supplying this demand for well over a year and a half now. 

What drives this demand? It's pretty simple. The large companies have the incident response teams to deal with APT but don't have enough actionable information to act upon, and the small companies are lost somewhere between buying solutions, outsourcing functions, and an uneasy feeling that they are not seeing everything they should --that sinking feeling they're missing something. Sadly, they are.

Like any hot commodity, your inboxes will be inundated with offers to join such a community. The costs can range from free, as a value add to an existing product, to as high as many hundreds of thousands of dollars. To help navigate your inbox, I wanted to share with you what I believe are some of the important things you should consider when choosing which community you partner with:

  1. Do I trust this community? – You have to have TRUST in those with whom you are sharing your most sensitive vulnerability data. Do you know the identities of the other contributors? If you don't trust that your information will remain private, you won't use the community or get the most out of your investment.
  2. Can I count on this community when I need them most? – In a time of crisis, when your Incident Response Team is fully engaged, can you lean on someone for help? Do you have a lifeline that will help you or find the resources that can?
  3. Is the information vetted? – Make sure the information you're receiving from the community is vetted. If the information you're receiving is invalid or inaccurate, you're going to waste a lot of time going back and fixing things you shouldn't have to.
  4. Is the community moderated? – Or is it a free for all? Moderation is important. An unmoderated community is a time killer. No one wants to sift through pages of chatter to get to actionable information.
  5. Is there any context to the information I'm receiving? – Is the information you're consuming in a context you understand? No one wants to take action without understanding why the action being taken is important.
  6. Cost? – You get what you pay for. If you opt for a no-cost community, you may not get quality information, or you may get too much data. If you opt for the most expensive, you may see high turnover of membership or little return on investment.


These are just a few. There are several other things you should consider, but this is a good starting point.  We at Red Sky have a clear vision of how a security community should work and we’re continually improving on our strong foundation, growing our competencies, to sustain our leadership position before the big companies unleash their armies of salespeople!


Red Sky has built a highly trusted, cost effective, and content rich sharing environment to help solve the APT problem by putting together some of the most advanced Incident Response Teams in the world.  If you’re looking for such a community and you’re asking yourself the question of how Red Sky can help you, please email me at rgamache@redskyalliance.org

Saturday, April 06, 2013

Red Sky Weekly: “woshihaoren” (我是好人)

“woshihaoren” (我是好人)

I LMAO'd last night when one of the members told me this story, so I had to pass it along. I'm going to clean up his language a bit. I'm crusty, and he's crusty, and the story was conveyed over a beer and cigar at a local watering hole. I know some of the color might be lost, but here goes anyway...
This guy (I'll call him Jack) is the CISO of a company that does about a billion per year in sales, and although I won't tell you what the company makes, I'll say they're a high-tech company.

Jack has a problem. APT actors basically live in their network. Heck, they come to work nightly when Jack isn't there, stick around for an eight hour shift, and log in and out as they need to capture new information. It's bad. Jack is good.. very good.. but has a small team and although they work very hard to keep actors out, sometimes it just doesn't work out that way.
So one day, Jack gets pissed. He knows the actors use a tool to capture passwords from machines and when they do, they have free rein to do what they want. Worse yet, they capture credentials all the way back to the last reboot. So Jack --a really pissed Jack-- knows someone is going to read his (what should be private) password. So Jack changes his password, leaving a message for his attacker. You won't be able to translate this in Google, and for those of you who know me, I don't usually pull these punches, but in writing, on a blog, I'm doing my best.
The CISO's taunting new password:

Limp [insert sailor slang for 'Male Sexual Organ'] [insert ‘Racial Slur’]

The password, after the next ‘shift’ (24 hours later) was changed to:

“woshihaoren” (我是好人) --Spaced out Wo Shi Hao Ren means "I am a good person."

So this tells me two things. First, yes, someone is living in the networks and not afraid to interact directly with this (incredibly technical) CISO and his team, and second, OPSEC isn't always a concern --especially when they know they've got you and have free range of movement in your networks.

This isn't the first time I've heard about attackers living in a network, and I'm sure it won't be the last. This guy has been sharing some of the best intel on attackers that I’ve ever seen. While it’s true he’s got a real mess, it’s also true that he knows how to capture data, record actions, and repel when he does find them. Unfortunately he can’t be cloned (yet), and can’t work 24/7, but without a doubt, Jack is one of the best and he isn’t afraid to show others what he’s got going on, or help them with their own problems.
This is what Red Sky is about --neighbors helping neighbors.

BT BT
Now some really cool stuff. We published two reports --a Fusion Report (FR13-009), and our version of an Intelligence Information Report, an Intel Analysis Report (IAR13-004).
FR13-009: This week we released FR13-009, our 9th in-depth fusion report this year. FR13-009 is an analysis of our "APT1". Granted, it's not the Mandiant "APT1", but it's number one on our list. As always, our report included roughly 15 pages of analysis, including detailed analysis of a widely used remote access trojan and its infrastructure. The report includes several pages of indicators, and gave members two new YARA rules and a Snort signature to drop into their defenses.

IAR13-004 is an unfinished intel report summarizing yet another VPN service linked to hackers. This paper was provided for situational awareness in an effort to provide Red Sky Alliance with the ability to monitor and warn against future threats and provide data to compare with past intrusion analysis.

Our first Intern graduates to employment! Our first intern is now employed with one of the best companies going. Bruno got hired as a Regional Intelligence Analyst with a global payment processing company in Wilmington, DE. He started on the first of April and so far, so good. I've been told by the CISO of another member company that he'll take as many of our interns as we can give him (they’d made an offer too). In fact, I've got a good Marine coming off active duty that I'm probably going to refer to him soon, but for now, Bruno had some really nice things to say about his experience with Red Sky. Bruno peer reviewed in the top 10% of our membership, rated by folks in a group of mature infosec teams dealing with some of the hardest problems. If you’re a student, want to learn to be an analyst, and think you can contribute and rank out in peer reviews, drop us a note.

That’s it for now!
Have a great week!
Jeff

Friday, March 29, 2013

Red Sky Weekly - 3/29/13


Wapack Labs setup is nearing completion. There’s a bit of painting left to do, but we’re ready to open the doors on Monday. Wapack has already had a couple of folks walk through the doors, including the Data Security Partner for one of the largest law firms in New Hampshire, and a mom who wanted to know if we could restore pictures from a broken disk. We won’t be doing any criminal work yet, but have solid processes and capabilities in host and network based forensic analysis, cellular/mobiles/Pads and malware analysis. I’ll be in Tokyo, but Rick will be in the lab with the team. So if you’re local to the Manchester Historic Mills area, we’re in the Waumbec Mills (250 Commercial St., Suite 2013) right next to the UNH campus.  

SecureWorld Boston: On top of getting payment systems set up, building furniture, and buying trash cans (I think I have swiper's elbow.. and I can't tell you the workouts I've endured just running my Amex through so many times!), I spent two days at SecureWorld Boston. I had probably two dozen people come up and tell me they’d heard of Red Sky Alliance! Our friend Al Koch, from Norman was there with a former coworker of mine from my days at DC3, as were Red Sky's friends from Solutionary. This was my first SecureWorld, but it won’t be my last. I enjoyed reconnecting at a local level. Boston is a blast, and the security community is on fire. I’ll be giving a threat presentation at the next ISC2 Boston Chapter meeting on May 9th, and have begun reconnecting through ISSA and Boston Infragard. It’s funny. I participated in these groups years ago, and now I’m running into many of the same folks that I knew from then. I ran into two old coworkers from my PwC days (they're not kids anymore!), several folks from the local FBI office, and I've got a half dozen new companies that want to talk about joining Red Sky!

STIX! We had the long-overdue opportunity to reconnect with Mitre this week. We’ve been wanting to do a bit more with STIX but hadn’t really had the resources to do it. Mitre has been doing a lot of work in development of STIX, and was gracious enough to offer assistance in “STIX-ifying” Red Sky. This will be a welcome addition, as some of the members have already started heading that way. We’ll remain on Kill Chain, but we promised Richard and Tom at DHS that we’d work to support STIX, so we’ll do our part.

New Members: We sent membership kits out to two new incoming members --one Federal Agency and a new large enterprise Midwest Chemical Sector company. Our second year renewals have started to roll in, and so far so good. No drops!

Analytics: This weekend we will be releasing our 8th fusion report for 2013. FR13-008 will be our second infrastructure focused report and will detail two related subnets that have been linked to a wide range of APT activity; and we've been working hard developing our third Intel Analysis Report to assist one of our members with a bit of tailored reporting. We had a question asked. It was interesting, and pulling the thread led to some interesting observations. I hope the community likes the reporting!

Easter Egg: This is to see who's paying attention! The Easter Bunny has a special treat for you! WhoisRecon is coming soon from Wapack Labs. Want to be an early adopter user?  Want to get on the pre-release list? Just send the Easter Bunny a note and ask.


It’s been a great week!
...off to Tokyo!
Jeff

Saturday, March 23, 2013

Announcing Wapack Labs!

I sat on a panel this week in Manhattan --a group of bankers, all very good at what they do. At the end of the panel, we were asked for one closing remark. I always offer the same bit... "We're learning to fight submarines." The intent is to say that (and you've read this before in my blog).. during WWI, we lost a ton of ships to German U-Boats. But by WWII, we not only got better at detecting them, but we had our own and fought back! The Air Force and Army guys could probably come up with their own analogy, but in my way of thinking, APT is just the new threat. We (the royal we) will learn how to better cope as we move up the learning curve.

During my drive back from NYC to New England, however, I came up with a new analogy... 

Think about this:

Imagine you, going to your office on Monday morning. Probably (I hope), you work in a nice building with lots of windows, new furniture.. comfortable, right?

What if that building was owned and controlled by your closest (and most aggressive) competitor? 

Cameras in the building are set to capture screens and documents. Every time you do work, someone (a competitor) is looking over your shoulder, feverishly scribbling notes. The onlooker videotapes keystrokes, credentials, financials, work habits, documents, customer lists, etc. Now imagine that you've got only a small team of security guys, unable to keep them out. They stand at the main entrance and do their best to block the competitors from entering. They stand in front of each desk and in every hallway, but alas, the intruders look like everyone else... nice haircuts, good suit, shined shoes. Heck, their credentials work!... Security can't always spot them. They just keep finding ways into the building... You get the picture, right?

How would you feel? Would you do anything differently? You'd probably be upset, guarded, feel like you've lost a bit of privacy, maybe afraid for your company's future?

What would you think if I told you this is exactly what happens when you are victimized during a targeted attack? If the attack is successful, most unprepared companies quickly lose control over their networks. That receptionist in the front office really thought those kittens were cute. She must have watched that video a hundred times when nobody was looking. She'd received it from someone else in the company via email. It must be OK, right? Immediately following her first click, a bug launches. Keystroke loggers are used to capture credentials. Remote access trojans (RATs) are installed and start phoning home. Once the attacker gets the call, he begins to capture documents and other work product. Various 'credential rich' sources are harvested for employee directories, and interesting employees are monitored routinely.  Those systems that are critical to the operation are rendered useless because of all of the bandwidth being used by the attacker. You've got only a small team of security guys (if any), and oftentimes they can't keep these guys out. Security monitors the main entrance, the pipes leading to every computer, and every individual computer, but alas, the intruders look like everyone else. Heck, their credentials work!... Security can't always spot them. They just keep finding ways into the networks...

Getting the picture? This is probably the most accurate analogy that I've come up with to describe what's happening in computing today.. and it's not just big companies. It's not just in the US. Every company I talk to today has 'virus' problems. Most believe that their firewall will keep the networks safe. Even some of the biggest companies are blind to current happenings, but this is a global problem and it's getting worse. Every company in the supply chain of a larger company is a target, and, I'd say with high confidence, compromised without knowing it.

Who's at risk?


Are you a law firm, financial institution, OEM manufacturer (especially transportation - auto, air), chemical (pharma, oil & gas) company or IT
  • Have you ever noticed your network connection slowing and didn't know why?
  • Has your IT team found malware or viruses that have no, or very few results in VirusTotal or other online research sites?
  • Have your nighttime computer routines failed or timed out? (This may be an indicator of nighttime activity on your networks.)
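The third indicator above, actors working an overnight "shift" with stolen-but-valid credentials, is one a small team can look for in its own logs. Below is an added illustration, not anything from Red Sky or Wapack Labs: it pairs logons with logoffs in a constructed, simplified authentication log (the line format, business-hours window, user and host names are all assumptions) and reports sessions that start outside working hours, plus users for whom that recurs on separate nights.

```python
"""Flag off-hours logon sessions in a constructed, simplified auth log.

Added example; the log format, users, hosts and working hours are assumed.
Real systems would feed Windows Security events or syslog into parse().
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <host> logon|logoff user=<name> [type=<kind>]"
SAMPLE_LOG = """\
2013-03-25T09:02:11 ws-fin-01 logon user=jack type=interactive
2013-03-25T17:45:03 ws-fin-01 logoff user=jack
2013-03-25T23:10:41 ws-fin-01 logon user=jack type=remote
2013-03-26T07:05:19 ws-fin-01 logoff user=jack
2013-03-26T08:58:00 ws-fin-01 logon user=jack type=interactive
2013-03-26T22:58:27 srv-file-02 logon user=jack type=remote
2013-03-27T06:51:10 srv-file-02 logoff user=jack
"""

BUSINESS_HOURS = (7, 20)  # assumed local working window, 07:00 to 20:00


def parse(lines):
    """Yield (timestamp, host, action, user, kind) tuples from the sample format."""
    for line in lines.splitlines():
        ts, host, action, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield datetime.fromisoformat(ts), host, action, kv["user"], kv.get("type")


def off_hours_sessions(lines, hours=BUSINESS_HOURS):
    """Pair each logon with the next logoff for the same user/host and return
    the sessions whose start falls outside the working window, with duration."""
    open_sessions = {}   # (user, host) -> (start time, logon kind)
    flagged = []
    for ts, host, action, user, kind in parse(lines):
        key = (user, host)
        if action == "logon":
            open_sessions[key] = (ts, kind)
        elif action == "logoff" and key in open_sessions:
            start, kind = open_sessions.pop(key)
            if not (hours[0] <= start.hour < hours[1]):
                duration_h = round((ts - start).total_seconds() / 3600, 1)
                flagged.append({"user": user, "host": host, "type": kind,
                                "start": start, "hours": duration_h})
    return flagged


def recurring_off_hours_users(flagged, min_nights=2):
    """Users with off-hours sessions on at least min_nights distinct dates;
    repetition is what separates a 'shift' from a one-off late night."""
    nights = defaultdict(set)
    for s in flagged:
        nights[s["user"]].add(s["start"].date())
    return {u: len(d) for u, d in nights.items() if len(d) >= min_nights}
```

With the sample log, both overnight remote sessions run close to eight hours and "jack" is reported as recurring across two nights; the daytime interactive logons are left alone.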
So what to do about it? Where do you find out what to do about it?

Join Red Sky Alliance today. If you're a private company, and need to know more about what's happening on your networks, or want to compare notes on technical analysis and intelligence with other really smart people in real time, Red Sky Alliance is for you.

Are you a smaller company? Federal civilian government agency? State? Local? Join Red Sky's Beadwindow Portal. Beadwindow offers the same level of service as Red Sky, but with slightly different views on who may participate at a lower price point, and best of all? Everything is UNCLASSIFIED! There's no need to find a SIPRNET (or worse) to download information from NTOC. Your folks don't need security clearances to access our Beadwindow Portal. And when you call, ask about Sequester pricing! Beadwindow costs WAAAYYY less than a week of White House tours!

Just need help analyzing data? Need forensic services? Don't want to build your own team? Or maybe you just need someone to take some of the more routine forensic work off the shoulders of your already taxed Infosec guys.... Check out Wapack Labs! Wapack Labs is our newest addition to the Red Sky lineup. Wapack Labs is furnished, staffed, and set up. It'll open in the Historic Mills along the river in Manchester, NH on the first of April. Wapack Labs will initially handle non-criminal computer forensics, analysis and R&D projects. In fact, we've even had our first customer! A woman walked in on Thursday while we were setting up our furniture. She'd seen the 'coming soon' sign on our door and she wanted to know if we could recover her baby pictures and videos from a crashed 1TB external drive... and you know what?  When you like to bootstrap (and we do!), mom's money is green, too!  It'll pay for the coffee pot and new Wii U (lab guys, apparently, LOVE killing zombies).

Have a great week!
Jeff


Wapack Labs Contact info:

250 Commercial St., Suite 2013
Manchester, NH 03101 
(603) 606-1246  
dkirmes@wapacklabs.com