Saturday, June 22, 2013

Red Sky Weekly: Welcome to the new normal.

A few weeks ago my new VW Touareg broke down in the parking lot of the dealer as I drove it in for an unexpected service. As it turns out, the thing stalled, once in traffic and once in the parking lot because of a bum fuel pump. Evidently the fuel pump in today’s new high tech cars is located inside the tank, thus leaving me driving a Passat for two days while the dealer dug out and replaced the pump. In the end, the car, with new pump, runs great, but the dealer never re-calibrated the fuel gauge. So now, even when the pump handle clicks and the tank will take no more, the needle on the fuel gauge lands just over three quarters --annoying the hell out of me.  How exactly does a fuel pump in a relatively new car go bad? Why would the needle not be recalibrated? Why is it that tires get over-inflated during routine VW service (they did, and the rear tires were badly worn as a result!). I’ve come to a conclusion...  today’s automotive technicians just don’t all have the education and/or experience --or attention to detail, to deal with the new technologies that are embedded in today’s cars! Not only did they need two days to find a guy who could actually do the job, the guy never took the last step and recalibrated my gas gauge! Education or lazy? Maybe both.
Why am I talking about cars? Because there’s a concerning parallel between these guys and CIOs and CISOs.
Targeted distributed denial of service, cyber corporate espionage, and computers as a [competitive] weapon in the corporate landscape... Welcome to the new normal.
You see, we just wrapped our quarterly threat day at Arbor Networks. The presentations were OUTSTANDING. The first was about routinizing APT Incident Response, followed by Anatomy of APT Attacks, DDoS Malware Analysis and Attribution, Rooting and backdooring Android Mobiles (and other cool stuff!), and finally, a Threat Brief from one of our most active members... and you know what conclusion I came to? If you’re an IT worker or an Infosec pro, and you’re not talking about this stuff, learning lessons from others, sharing information, and CONSTANTLY seeking updated gouge; if you’re not analytically curious and actively scratching that itch, you’re being left behind --and fast. Education, motivation, and high levels of situational awareness are all required to live in today’s changing cyber landscape.
I feel pretty confident in my understanding of the current cyber environment. This by no means is a complete picture, nor that of the incident responder that I used to be, but I understand what it means to know that there isn’t a CISO out there that’s going to keep up with the crop of determined attackers that we all face today. Botnets with names I’ve never heard before; DDoS networks rented by the hour; sleepers living in your networks waiting for the right trigger before they begin connecting home. And past defenses, while still required, are becoming less and less effective against these new attackers, attacks, and threats. I dare say, don’t give up your antivirus or firewalls just yet --they’re required to keep the old stuff out. Code Red and Nimda are still out there and will infect your network if you’re using old versions of IIS or Internet Explorer, but at the same time, you need to build on that foundation. Agility in defense, the ability to capture and act on intelligence sources and indicators of compromise learned from others, having your gamebooks built, practiced and ready to go --your incident response team should never have to think about what to do next during an event.
The risk is real:
  • Cyber is real. Southwest Airlines was on WMUR this morning for a stand-down related to a computer glitch. Even if not malicious, a “computer glitch” caused the temporary shutdown of Southwest Air! What would it take for an attacker to create such a “glitch”?
  • During the Gartner event two weeks ago, I sat through a talk on HIPAA --our private information in medical records. An analyst told us that out of 60 sampled healthcare providers, 59 had HIPAA computer related privacy violations!
  • Systemic risks against our banking/financial environments are VERY real. With Managed Service Providers handling the IT for smaller banks using standard images, common gateways, and shared virtual servers, even one small targeted event has the ability to affect thousands of banks --all at one time.
  • Less sophisticated companies in the supply chain are being targeted for access to critical components. Heck, we did it during WWII. Remember bombing ball bearing companies? We did this to keep our adversary from building new airplanes. I pass a ball bearing company in NH at least once a week. They produce miniature and precision ball bearings, and are owned by a larger ball bearing company in California. The company boasts 1400 employees, but I can’t find a CISO on their website. I’m hoping he’s just shy.
  • HHS last week issued a report saying that 60% of small businesses that suffer a cyber event will be out of business in six months. Why? These companies will have no idea what hit them. Nor will they know how to respond.
We issued Fusion Report 17 this week. FR13-017 offered an analysis of a piece of malware that is only detected by five out of 45 antivirus vendors. It was picked up and submitted to us by a member who found it without AV and submitted the sample for our review. We authored the analysis, and passed out a snort signature (to find it early in the kill chain --before infection), a yara rule to help find the file in bulk examination, a look at the jar files used during infection, and the command and control it communicates with as it’s stealing your information or money.
...One report; five different places to protect against it, provided in a temporal format.
Is Kill Chain perfect? Our reporting? Not by any means. Does it give you the ability to STOP attacks proactively? Absolutely. And if you can’t instrument your network, FR13-017 gave you four other places in your network where you can stop this tool. Anyone can write an IPS rule --but if you can’t, we did it for you.
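The point of handing out a network signature, a file rule and the C2 addresses together is that the same malware can be caught at whichever stage a defender is able to instrument. The following is an added example, not code from Red Sky or from FR13-017 (whose indicators are not on this page): every indicator, log line and sample byte string below is constructed for the demonstration, and the three stages are applied to proxy logs, file samples and DNS logs so the earliest reachable detection point is reported.

```python
"""Added example: one indicator set applied at three kill-chain stages.
All indicators, log lines and payload bytes are constructed for the demo."""
import hashlib
import re

# Stage order matters: the earlier the hit, the less has happened on the host.
STAGES = ("delivery", "infection", "command_and_control")

# Constructed indicators, in the shape a fusion report might distribute.
INDICATORS = {
    # Delivery: URI pattern the dropper fetches (what a Snort rule would carry).
    "delivery_uri": re.compile(r"/update/[a-z]{6}\.jar(\?|$)"),
    # Infection: strings a YARA rule would require, "all of them".
    "payload_strings": [b"Runtime.getRuntime", b"DEMO_MUTEX_NAME"],
    # Command and control: hostnames the implant beacons to.
    "c2_hosts": {"c2.example.invalid", "backup-c2.example.invalid"},
}

# Constructed sample data: "<time> <src-ip> <verb> <url> <status>" proxy lines,
# "<time> <src-ip> query <name>" DNS lines, and two raw file samples.
PROXY_LOG = [
    "2013-06-20T10:01:02 10.0.0.5 GET http://cdn.example.invalid/update/abcdef.jar 200",
    "2013-06-20T10:01:05 10.0.0.7 GET http://www.example.invalid/index.html 200",
]
DNS_LOG = [
    "2013-06-20T10:03:10 10.0.0.5 query c2.example.invalid",
    "2013-06-20T10:03:11 10.0.0.7 query www.example.invalid",
]
SAMPLES = [
    b"PK\x03\x04 ... Runtime.getRuntime ... DEMO_MUTEX_NAME ...",   # constructed "bad" jar
    b"PK\x03\x04 harmless applet without either marker",            # constructed benign jar
]


def scan_proxy(lines):
    """Delivery stage: return (source ip, url) for requests matching the dropper URI."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue                      # malformed line, skip rather than crash
        src, url = parts[1], parts[3]
        if INDICATORS["delivery_uri"].search(url):
            hits.append((src, url))
    return hits


def scan_payload(data):
    """Infection stage: YARA-style 'all of them' string match plus a hash for sharing."""
    wanted = INDICATORS["payload_strings"]
    found = [s.decode() for s in wanted if s in data]
    return {
        "matched": len(found) == len(wanted),
        "strings": found,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def scan_dns(lines):
    """C2 stage: return (source ip, name) for lookups of known beacon hosts."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[3].lower().rstrip(".") in INDICATORS["c2_hosts"]:
            hits.append((parts[1], parts[3]))
    return hits


def triage(proxy_lines, dns_lines, samples):
    """Run every stage and report the earliest one that produced a hit."""
    report = {
        "delivery": scan_proxy(proxy_lines),
        "infection": [r for r in map(scan_payload, samples) if r["matched"]],
        "command_and_control": scan_dns(dns_lines),
    }
    earliest = next((stage for stage in STAGES if report[stage]), None)
    return report, earliest


if __name__ == "__main__":
    report, earliest = triage(PROXY_LOG, DNS_LOG, SAMPLES)
    print("earliest detection stage:", earliest)
    for stage in STAGES:
        print(f"{stage:22s} {report[stage]}")
```

Running it reports the delivery hit from 10.0.0.5 first; dropping the proxy log (a site with no web proxy) still yields the C2 lookup, which is the "four other places" argument in practice.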
You need information. We have it. Private information sharing and intelligence collaboration; Public | Private for those who don’t care as much about the privacy; forensic and lightweight managed security services to help figure out how to move forward in your now untrusted networks.

Until next time,

Have a great week!
Jeff

Saturday, June 08, 2013

It's about the GOUGE!

We had the opportunity to finally sit with the Director of IT for a great American company. These guys represent all that IS American business. Hard working, salt of the earth types who come to work in the morning, and leave when the whistle blows --and like everyone else, their network is under constant attack. The Director of IT and his team work hard, fighting the fight on a daily basis, but struggle to keep their head above water. It's not because of a lack of skill, and certainly not because of a lack of trying or a bad work ethic. They simply have never been exposed to the cyber ills known so well by those of us who’ve dealt with cyber espionage for the last several years. These guys needed someone to walk them through the problem. When we left, we took with us roughly 130,000 file samples, and are now analyzing malware that we'll be able to go back to him with, and help him through the rough spots.

Some people talk on the golf course. Others do it in bars. A new friend in NH bought a high end gym membership --all to create networks and build trust. Why? People matter. You can’t do business without them, and you can’t solve complex problems without information gathered from many sources. Our complex cyber environment --not just risk, threats and attackers, but also foundational complexities introduced by mobile, cloud, virtualization, VoIP, and dozens more, have caused us to build bridges on sandy unstable shores.  Simply connecting technologies to the bridge won’t make that shoreline any more stable. It requires an engineer who’s worked on sand before. Smart people matter. To solve problems with as many variables as we deal with on a daily basis, people have to talk --share notes; in the Navy we called it “the gouge”. Tell me what I need to do to make sure I pass my next inspection. You get the gouge by asking guys who’d been through it already.

Cyber is no different. Getting the gouge is about relationships. It's about talking one on one. It's about people trusting strangers with their worst problems after a cup 'a Joe in the local diner, and then having the ability to talk openly. My IT Director would probably feel intimidated as hell talking to current Red Sky Alliance members about what he’s seeing --because he doesn’t yet understand that everyone else is having the same problems, and that there are others who’ve been there before him. But once the ice is broken, and we've taken him through the process, my bet is you'll be seeing them in one of the portals soon, building his own relationships, passing along his own gouge!

Gouge isn't what the press says. It's not what the government says. It's not what that slick new security tool salesman tells you. It's about good information that can help you avoid the lumps of trial and error. And there are very few places to get the good stuff --and only one that I know of with peer review of submitters so you know who to listen to and who not to listen to. Only one that I know of where large enterprise companies from dozens of industries aren't afraid to help others figure out what to do next --without judgement --because they've all been there. They know exactly what it feels like.

The membership of Red Sky Alliance has been dealing with APT, advanced criminal problems, and all of the emerging threats, and guess what.. many of them started out with one guy watching a log, who got a phone call from the government or one of the consulting companies telling them they have a problem. I know. That’s where it started for me. That’s where it started for almost everyone I know in this business. We were three guys from three companies sitting around a table comparing notes. We signed NDAs and started talking. Then we brought others in, sharing information --lump avoidance, lessons and indicators... and they got better too. We all built our own individual processes for dealing with the new issues, and at some point, the APT became just another problem.. the new normal. We passed the gouge.

Red Sky Alliance members have good gouge. Not just indicators, but the gouge... the good stuff.  

We've connected people who aren’t afraid to pass the gouge in a peer reviewed environment... and everyone benefits... at a fraction of the price of a new threat intelligence subscription.

  • In the private Red Sky portal, companies talk to companies. The environment is very active, and information is shared daily on current happenings.
  • Beadwindow is a public | private portal. Smaller companies, academics, and government users can purchase reduced rate memberships in Beadwindow and both talk amongst themselves, and ask questions of members of the private portal. And, many of the private Red Sky corporate users also have accounts on the public | private Beadwindow portal.
  • Wapack Labs has taken on a smaller company feel. We started with forensic services in April, but have since grown into a lightweight, low cost managed security, analytic and intelligence analysis service.

Red Sky has good gouge. Join us. We're happy to share!


BT BT

We didn’t publish a fusion report this week but by no means was it slow in the portal.

  • We are looking at several new APT incidents and brought in a number of participants from two new members.
  • On Monday we are starting training for two new interns. They have a tough act to follow from our last intern however we have high confidence that they will add value to our community.
  • We introduced two new members to the Alliance, and sent a membership kit to that restaurant chain we mentioned last week. Wuhoo!


Have a great week!
Jeff


Saturday, June 01, 2013

Parts is parts!

I spoke today with an Infosec guy from one of the global restaurant chains. The chain has restaurants in over half of the countries around the world. It's one of the big ones.

While duly impressed with the alliance, portal, comms, and the fusion reports, he says to me at the end of the demo 'you don't seem to have any other companies like ours in the Alliance'. Then I thought... so let me take a crack at understanding your concerns as an Infosec guy in a big company...
  1. You probably handle a ton of card transactions and are worried about even small losses caused by card fraud and theft.
  2. You're probably worried about losses of ACH transactions destined for your supply chain.
  3. You're probably worried about online e-commerce transactions (in fact, this company is at the top of the charts when it comes to online ordering!) 
  4. Last, you're probably worried about shipping and logistics, with the right stuff ending at the right place, every time. 
So, do we have other restaurateurs in the alliance? No, but let's think about this for a moment.
  1. Our members process a very high percentage of all credit card transactions in the world (and they understand the threats to payment systems companies!).
  2. They transfer huge numbers of ACH transfers, from and to, nearly every country in the world (as does every company in the alliance today).
  3. Every one of our companies relies on the internet. While perhaps not relying on the net for the number of transactions, they all rely heavily on e-commerce. 
  4. And shipping and logistics? Every company that I work with today picks something up somewhere, and puts it down somewhere else.
Regardless of industry, all of our members have these four things in common. Add to that targeted attackers aggressively chasing them, and competitive pressures of both legitimate competition and economic/corporate cyber espionage. All of the stories are true. These guys are busy. They're all in the same boat, and beyond chasing espionage threats to intellectual property, they ALL chase (big) cyber threats to (big) money movement, supply chain, logistic losses, and automation and supply chain movement of something.... every single one.

So tell me, do you worry about these issues Mr. Restaurateur? What about you Ms. Retailer? Mr. Attorney? I kinda joke.. when we're all standing around with our pants down, at least half of us are going to have the same parts. Sizes, shapes and colors may differ, but parts is parts.

BT BT

There's a ton of stuff happening around Red Sky Alliance these days. 

  • This week we released our 49th Fusion report detailing a new malware variant from a known actor. Analysis of the related infrastructure revealed two hosting networks which have been linked to a variety of APT activity. 
  • On the portal side, things are looking up; our user adoption rate peaked last week with the participation level reaching an all-time high! Additionally, we're getting inputs from non-members who are experiencing APT events. Our referral rate is growing too!
  • We authored and published our 10th intel report this week, detailing activities of another group of actors (no, not APT1.. that's been done already).
  • Last, our CIO attended the NIST framework discussions in Pittsburgh all week. He's coming home spent, but says it was a productive week.
And in the Lab? 

Until next time, have a great week!
Jeff


Saturday, May 25, 2013

Holes you could drive a truck through

How many truly great Linux gurus do you know? You know the guys I mean. They build their builds starting from the bottom of the kernel up, rather than stripping extra services out. They'd never touch a commercial version of Linux unless forced by enterprise mandates. I'll help...  I know a lot of really great Linux guys, but only two I'd trust to build a security device. One lives on a farm, hates cellular telephones, and (I bet a dollar) he's got tinfoil lining in every one of his hats. He introduced me to the second. Another really smart, really nice guy --the kind you don't often let out of the closet. You slide pizza under the door until the box is built, then you escort him to the networking closet or data center where the box will be installed and don't ever let him come in contact with uninitiated coworkers. They just wouldn't understand.

So I'll ask the question in a different way --How many of our Linux based security devices are built by these truly genius engineers? I'm thinking very few.

Why would I raise such a topic? I commented in a white paper about ensuring your security devices have good security. Last week I ate my own dog food. It tastes like sh*t! Red Sky is a small business. We have a large membership, but we're a small business.  We have a physical location, but are largely virtual. We rely on others for the security of our systems --cloud providers of applications, hosting companies, managed security service providers, colo-facilities, etc. I'd be shocked however if others in our 'small business' class of companies have the wherewithal to ensure that their vendors, supply chains, and IT providers have the ability to adequately protect their data. Not to mention attempting to do it themselves. I was especially shocked when I saw this in Forbes this morning:

"According to a recent study cited by the U.S. House Small Business Subcommittee on Health and Technology, nearly 20% of all cyber attacks hit small businesses with 250 or fewer employees. Roughly 60% of small businesses close within six months of a cyber attack." (Source: Forbes)

This is an amazing statistic. It's something we've been talking a lot about in our local Manchester, NH area. Having just opened our lab in April, we've been doing our networking. For the last several years, I've been working in and with large enterprise, global in scope corporations --both as an employee, and as a government Infosec worker. That work was mostly based in the Baltimore-DC area, but now, participating in the local New England ISC2 meetings and talking with the owners of local businesses instead of the CISOs of large companies, I've come to the realization that our government (at least DoD) really has no idea just how bad it is for small and medium sized companies. I had a conversation with a global CISO who told me that nearly 60% of their critical suppliers were companies with less than 25 employees!

To the point... we're a small business. As a small business, we purchased a couple of security devices from two different vendors. One device is designed for large enterprise, one designed for use in small business --the first device, an analysis machine built for large enterprise, allowed access via cURL (the new generation of wget for old unix guys like me) through a restful API without any credentials when every other access method requires them. Bad form. We're told it was by design.... bad design. We love the functionality of the machine. Heck, I'd bet it saved us from installing a half rack of other gear in our back end! The machine won't be going back online any time soon.. at least not without some serious enclaving.

To that, we purchased the second device-- a VERY popular, unified threat management (UTM) system made for small and medium sized businesses. During setup, we found it only processes two factor authentication by passing credentials unencrypted! We wanted to use the device as a proxy between other devices and the analysis machine mentioned above. This UTM is one you see at EVERY major security conference. They always have a flashy booth; lots of color; well dressed sales guys and engineers that'd make you believe they have the best machines on earth. I bought three of them to test. They look cool. Can you imagine my surprise when we tried to enclave the first box with the second, only to find this really popular machine will only pass unencrypted credentials via PAP? Wow! This sexy, crazy popular device, meant for the masses, doesn't support anything newer? Really? 

Two devices, both Linux based, both insecure. 
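Why PAP is the problem here: PAP (RFC 1334) puts the password itself in the authentication request, so anyone positioned between the UTM and the authentication server reads it off the wire, whereas CHAP (RFC 1994) sends only a hash of a per-session challenge and never the secret. The following is an added illustration, not code from either vendor or from Red Sky; it simulates both exchanges over a "wire" (a list of frames a passive observer would see) with a constructed username and secret, and also shows that a captured CHAP response is useless against the next challenge.

```python
"""Added example: what a passive observer sees with PAP versus CHAP.
Username and secret are constructed; the hash construction follows RFC 1994."""
import hashlib
import hmac
import os


def pap_request(username, password):
    """PAP (RFC 1334): the Authenticate-Request frame carries the password itself."""
    return b"PAP-REQ " + username.encode() + b"\x00" + password.encode()


def chap_challenge():
    """CHAP (RFC 1994): the authenticator begins with a random challenge value."""
    return os.urandom(16)


def chap_response(ident, secret, challenge):
    """Peer answers with MD5(identifier || secret || challenge); the secret never leaves it."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_verify(ident, secret, challenge, response):
    """Authenticator recomputes the hash from its own copy of the secret (constant-time compare)."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def secret_on_wire(frames, secret):
    """A passive observer's view: does the secret appear verbatim in any captured frame?"""
    return any(secret.encode() in frame for frame in frames)


def compare_protocols(username, secret):
    """Run one PAP and one CHAP exchange and summarise what each exposes."""
    ident = 1
    pap_frames = [pap_request(username, secret)]

    challenge = chap_challenge()
    response = chap_response(ident, secret, challenge)
    chap_frames = [b"CHAP-CHAL " + challenge, b"CHAP-RESP " + response]

    # Replaying a recorded response against a fresh challenge must fail.
    replay_accepted = chap_verify(ident, secret, chap_challenge(), response)

    return {
        "pap_secret_exposed": secret_on_wire(pap_frames, secret),
        "chap_secret_exposed": secret_on_wire(chap_frames, secret),
        "chap_authenticated": chap_verify(ident, secret, challenge, response),
        "chap_replay_accepted": replay_accepted,
    }


if __name__ == "__main__":
    for key, value in compare_protocols("utm-admin", "correct horse battery staple").items():
        print(f"{key:22s} {value}")
```

CHAP is old and MD5-based, and both ends still have to hold the reusable secret, so it is the floor, not the goal; the practical takeaway for a device that only speaks PAP is that the link to the authentication server has to be wrapped (an IPsec tunnel or an isolated management segment) so the cleartext never crosses a segment you do not control.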


In both cases we've informed, and are working with the vendors. We've protected the first box, and the second, well, we love the functionality and will continue to work with the company to ensure an upgrade is delivered soon.

So how does the SMB company protect itself when the devices they buy are likely inexpensive, Linux based, and are built for ease of deployment?

Red Sky does this in a couple of ways --we like having MSSPs in the Alliance. They provide security to large numbers of small and medium sized (SMB) companies that we probably will never have as alliance members. We also welcome vendors into the Alliance as associate members. Need to know what your customers are facing? Ask them in the portal.

In the mean time, test your security devices. Every one should be pen tested. If you can get through, so can others.

BT BT

It's been a good week. Two new pieces of analysis were posted to the portal.  Three new members are currently in front of the Advisory Board this week representing three different industries. We introduced two new members into the portal, and have our first meeting next week with a global food company. Wow!

Until next week, have a great Memorial Day weekend!
Jeff


Friday, May 17, 2013

Cyber and Pareto's Law of the Vital Few


Have you ever met anyone working cyber security that said they were bored?  Me neither.  Cyber security is an often thankless and underappreciated grind.  The problem is, we only have ourselves to blame, including me. There’s a difference between taking action and productivity. 

As humans, our lives cannot scale to meet the demands the threat actors throw at us on a daily basis. Throw in a few meetings with vendors, the folks in the C-Suite, sprinkled with one or two HR matters, the week dries up pretty fast.  More importantly, it doesn’t allow much time for doing what we’re supposed to be doing – fighting the good fight!  

Italian economist Vilfredo Pareto observed that roughly 80% of the effects came from 20% of the causes.  This principle is known as the “80-20 rule” or the “law of the vital few”.  This law can be observed in many ways, business for example – typically 80% of profits come from 20% of your customers.  Or in our realm, take the SANS “Top 20 Critical Controls” - the top four controls (20%) can mitigate much of the threat.  O.K. not perfect, but you get the point.  So think a minute, if only 20% of your work produces 80% of your results, are you focusing on the correct 20%?  Would the last four controls of the Top 20 give you 80% protection?  Probably not!

Each of us works with a unique set of circumstances and constraints.  Despite the near-daily reporting of high profile attacks, budget shortfalls, inadequate staffing levels, and mission creep are still ubiquitous in cyber security.   It is incumbent upon us, as cyber security experts, to make sure we get 80% out of at least 20% of our investments.  The Pareto principle needs to be welded into our decision making process.  This is an absolute requirement if you’re an SMB!

At the end of each week, take time to review the actions you or your staff made and what the results of those actions were.  What could you have done better to make the result more productive?  Furthermore, did you take actions that produced low results or not “Pareto efficient”?   For example, did you spend 20% of your budget hiring a penetration tester when you could have used the money to replace your packet filtering firewall with an application layer firewall?  Which decision would give you an 80% return?

For those of us working with APT in an incident response capacity, not applying Pareto’s principle can be dangerous!  Incident response teams need precise, timely and detailed information like now, not tomorrow.  If an incident response team has to sift through mountains of indicators to get at the ones that are actionable, you quickly become Pareto inefficient! 

We often hear that indicator feeds produce about 10%-15% of real actionable indicators yet it costs an analyst, or analysts, a lot of cycles to examine 100% of the data.  So in the best case scenario, you’re investing about 85% of your time for a 15% result – that’s important to note!  

I’m not suggesting that feeds are not worth it, I’m simply suggesting they’re not enough in and of themselves.  If you’re spending $10,000 for a feed, which is a bargain by any stretch, and you’re only getting 15% results, it would tend to make one rethink the value proposition of the feed.  Then add the human time required for scrutinizing the indicators, and the value drops off precipitously.

This is why when we at Red Sky are talking to potential members or simply educating people about the APT problem we stress threat intelligence has to be timely, contextual, and most importantly – accurate.  Every analyst in the Red Sky membership has to show their work. Each puts into context their findings that are then peer reviewed for accuracy.  We do this to ensure when a new member joins Red Sky, they have an abundance of rich and contextual indicators, Snort signatures, and Yara rules they can apply to their defense strategies on day one.  Add in the ability to work alongside and ask questions of some of the most experienced and intelligent incident responders from some of the world’s leading organizations fighting APT – it’s clear a membership in Red Sky would be a Pareto efficient decision!

BT BT

This week Red Sky released Fusion report 13-013, which was released on the 13th! No, that wasn't intentional!  This report described a new targeted malware variant which leveraged a previously unobserved TTP. Included were several new rules and indicators for proactive mitigation. Fusion report 13-014 should be published by this weekend and will provide analysis on yet another new variant observed in recent watering hole activity.

My last blog, “Time for some good news in Cyber Security”, was met with a lot of positive emails.  I was very pleased by those that took the time to email me to thank me for being uplifting.  And why shouldn’t we be?  We’re all doing really good things tackling a very hard and real problem.  Keep up the good work!

I encourage you to share your thoughts with me.  If you haven’t requested our whitepaper How Great Companies Fight Targeted Attacks and APT, please shoot me an email or visit our website www.redskyalliance.org

Keep fighting the good fight!

Saturday, May 11, 2013

We're learning to fight submarines...

I get one of my daily information fixes via the DC3 Daily Dispatch. Kudos to Jim and his outreach team!  While many of these lists contain great reads, I'm certain you, like me, can't read everything. I'll skim the list, find the good stuff, and then skim the article to see if it was worthy of the title. If not, I go back to the next most interesting topic on my list, maybe the one about iOS containing potential malware --ooops, an iOS app contains potential malware. Huge difference! The problem is, I just spent probably 15 seconds evaluating each of those two pieces. So here's the deal. I receive 40 articles from this one list alone. That's 10 minutes of pure evaluation time, assuming I don't stop to read the entire piece. This is just one list, and probably one of the few that I actually take the time to read. 

There are hundreds (thousands?) of these feeds that you could read daily. Do you read them all? Of course not. There are thousands of sources of tech intelligence. Do you read them all? Again, probably not. Do you aggregate them and mine them for nuggets? Some do, but probably not all of you. I know I've been through the process of building a couple of these analytic systems. But you know what? Even if you aggregate that data, can you mine it for only non-false positive information, prioritize it by analytic confidence, sort it by what's useful to you, for your environment... Even if you could, would you know what to do with every piece of information received, aggregated, prioritized, sorted, and distilled? Many companies will say yes (I'd argue some are lying). Most companies will tell the truth --not a chance. In fact today, for much of the morning, I attended an ISC2 event. I was shocked (although I probably shouldn't have been) when the presenter asked the audience  

"Who in the room can actually implement indicators, even if you have them?"  

No hands went up. Not one.
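The aggregate, de-false-positive, prioritize and sort pipeline described above is mechanical enough to sketch. The following is an added example and not Red Sky's or anyone else's analytic system: it takes constructed records from three fictional feeds, normalizes defanged values so the same indicator from different feeds merges into one entry, drops anything on a local allowlist (your own infrastructure, a common source of false positives) or of a type your controls cannot act on, combines per-source confidence with a noisy-OR rule (an assumption chosen for the demo, not a standard), and sorts what remains so the analyst reads the top of the list first.

```python
"""Added example: merge, filter and rank indicators from several feeds.
All feed records, the allowlist and the confidence rule are constructed for the demo."""
from collections import defaultdict

# Constructed records from three fictional feeds (source, type, value, confidence 0..1).
FEED_RECORDS = [
    {"source": "feed-a", "type": "domain", "value": "c2.example.invalid", "confidence": 0.6},
    {"source": "feed-b", "type": "domain", "value": "C2[.]example[.]invalid.", "confidence": 0.5},
    {"source": "feed-b", "type": "domain", "value": "www.example.invalid", "confidence": 0.9},
    {"source": "feed-c", "type": "md5", "value": "D41D8CD98F00B204E9800998ECF8427E", "confidence": 0.3},
    {"source": "feed-c", "type": "ipv4", "value": "203.0.113.7", "confidence": 0.4},
    {"source": "feed-a", "type": "ipv4", "value": "203.0.113.7", "confidence": 0.4},
]

# Local context, also constructed: our own hosts, and the indicator types our
# proxy and DNS controls can actually block (no file scanning, so hashes are dropped).
ALLOWLIST = {("domain", "www.example.invalid")}
ACTIONABLE_TYPES = {"domain", "ipv4"}


def normalize(itype, value):
    """Undo feed-specific formatting so identical indicators compare equal."""
    v = value.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if itype == "domain":
        v = v.rstrip(".")          # trailing dot from zone-file style feeds
    return v


def combine(confidences):
    """Noisy-OR (assumption): independent sources agreeing push confidence up,
    but it never exceeds 1.0. Two sources at 0.5 give 0.75."""
    miss = 1.0
    for c in confidences:
        miss *= 1.0 - c
    return round(1.0 - miss, 4)


def aggregate(records, actionable=ACTIONABLE_TYPES, allowlist=ALLOWLIST):
    """Merge records by (type, normalized value), filter, score and rank."""
    groups = defaultdict(list)
    for rec in records:
        key = (rec["type"], normalize(rec["type"], rec["value"]))
        groups[key].append(rec)

    ranked = []
    for (itype, value), recs in groups.items():
        if (itype, value) in allowlist or itype not in actionable:
            continue               # known-benign or nothing to act with
        ranked.append({
            "type": itype,
            "value": value,
            "sources": sorted({r["source"] for r in recs}),
            "confidence": combine(r["confidence"] for r in recs),
        })
    # Highest confidence first, then most corroborated, then stable by value.
    ranked.sort(key=lambda e: (-e["confidence"], -len(e["sources"]), e["value"]))
    return ranked


if __name__ == "__main__":
    for entry in aggregate(FEED_RECORDS):
        print(f'{entry["confidence"]:.2f}  {entry["type"]:6s} {entry["value"]:24s} {entry["sources"]}')
```

Six raw records collapse to two actionable entries; the single-source hash and the allowlisted host never reach the analyst, which is the 85%-of-time problem from the Pareto post addressed before a human looks at anything.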

So what's the answer?

Red Sky Alliance. Someone asked me the other day what the difference was between Red Sky, and all of the subscription based services. He was a guy writing a paper for his management, and needed accurate threat intelligence. When he came into Red Sky, on the first day, he asked a question. He posted a spreadsheet with all of the actors he'd been profiling --many defacers, etc., and asked for other information that people may be working on. On that same day, he received a bunch of information about criminal and espionage groups he'd never seen before. Not only that, analysts from at least a dozen companies welcomed him, and pushed him new information regarding some of the actors he'd listed. This was information he'd never seen before.  He's a pretty smart dude, but even the smartest, when working alone, end up with a limited set of eyes, and therefore a limited set of data. Red Sky connects people. The result of this connection was crowd-sourced analysis by some of the best companies in dozens of industry segments. Within a day, this guy had more new data than he'd compiled on his own in however long he'd been researching. And, he made friends in about a dozen companies with really mature infosec/threat intelligence shops around the world. How cool is that?!

When I think back six or seven years ago, I was probably the first (and loudest) in the room, vowing never to give information away that might implicate the company I was working for at the time. We had tough attorneys and a CISO who made us all sign non-disclosure agreements. Everything about the activities we'd been fighting was kept in strict confidence, and on a need to know basis. Today, some of the biggest companies in the world share information about how they're being attacked, what they find, and how they fight it. In addition to Red Sky, others are sharing in their own circles --DSIE (defense companies have their own group), the Information Sharing and Analysis Centers have become popular again, and the government has no less than a dozen outreach programs to private industry (although they seem to have a rough time sharing between themselves!). Red Sky does things a little differently than the others, but still, information is moving. It's a great sign that things are getting better.

I'll close with this. I'm an old Navy guy, and I use the analogy "We're learning to fight submarines (in cyber space)." We lost a lot of ships to German U-boats during World War I. It resulted in the US Navy creating the 10th Fleet -- folks dedicated to creating our anti-submarine warfare. The result? By World War II we not only could detect and kill enemy subs, but we had our own. Know what the Navy calls their cyber guys today? 10th Fleet.

It's getting better.

Until next week,
Have a great week!
Jeff
 

Friday, May 03, 2013

Time for some good news in Cyber Security


Why are there so few “feel good” stories about cyber security?  Almost daily, we’re warned about a new zero-day exploit or told of another organization that has been compromised by the bad guys.  We all have a tendency to wonder if we’ll ever get ahead.  We will and we are! There are great things happening in cyber security and it’s time we focus on the good news!

To be fair, we’re in a profession where we keep the scoreboard hidden from the spectators.  Many of us in security live our professional lives behind closed doors and our day to day activities are cloaked in secrecy.  Often the only face time we get with those in the C-suite is when something has gone horribly wrong, but here’s food for thought: for every high profile breach there are a thousand other organizations that thwarted one.  We are ever closing the gap as more smart people enter the field and we identify and perfect our best practices. I take comfort in seeing these numbers grow daily.

Cyber security professionals are doing amazing things and we ARE making incredible advances in protecting our networks from our adversaries.  Fact is, we got out of the gates really late and the competition has a wide lead on us but we’re learning every day and we're closing in.  We're learning, we're getting smarter, and we're going to catch up!

We have learned a lot about what not to do, but we can, and do, learn a great deal more from those who are doing things right.  By focusing on the positive and opening a new dialogue that includes the creativity, intelligence, and resourcefulness of the many brilliant people on our side, we can focus our attention on what defensive measures really work and apply them where they are most effective. 

Red Sky asked organizations to share their good news with us and describe their successes so we could share them with others – the results were very compelling!  In our whitepaper, “How Great Companies Fight Targeted Attacks and APT”, we documented the responses we received from organizations with very mature incident response teams.  There were many different approaches, but what we discovered was that almost all had seven fundamental actions in common.  We concluded that if these are executed well, any organization can be equally effective in protecting itself from the bad guys.  If you want to know how you stack up, see how to get a copy of this whitepaper below.

With full intention of focusing on the positive, we found that organizations were more eager to share their successes, whereas they were more reluctant to share their failures.  Every day, I have the privilege of seeing the positive in action.  Whether it be one organization sharing threat intelligence with the Red Sky community or another organization lending assistance to a less experienced incident response team – I can’t help but see a tide of good news building in cyber security!    

I challenge you to take the time and focus on the positive things that are happening in cyber security.  What actions have you or your organization taken that have had positive results?  How can you build upon those successes, and do you share them with others?  I bet if you do, you’ll find there is an abundance of good news!

If you’re interested in our whitepaper, “How Great Companies Fight Targeted Attacks and APT”, interested in the positive things we’re doing in Red Sky, or simply want to share your good news with our membership, please reach out to me at rgamache@redskyalliance.org.

BT BT

The response to our opening of Wapack Labs in Manchester, New Hampshire has been an extremely positive one!  Focusing on digital forensics, Wapack Labs is a fully functional data forensics laboratory specializing in computer, network, and cell phone investigations.

If you have a need for court admissible reporting and digital forensics work for employee misuse, non-compete violations, network intrusion, intellectual property theft, and copyright infringement cases, please reach out to our lab’s lead forensics analyst, Derek Kirmes, at dkirmes@wapacklabs.com or read his blog at http://wapacklabs.blogspot.com/. Derek has put together a really good post this week about the problems that may occur when an employee leaves your organization!

Saturday, April 27, 2013

New Fusion Report; Intel Analysis; Go West Young Man!

One of our members posted data that led to the discovery of a previously unobserved command and control (C2) infrastructure. What struck me was a call I received from (this very smart and strikingly handsome ;) member late Thursday afternoon... right after we published our Fusion Report. Evidently he'd turned in his pcap samples to Red Sky, the FBI, and a third analytic group. Red Sky did a full workup on the data, crowdsourced pieces as needed, and published (to the group) a Fusion Report with a full analysis and a list of Kill Chain formatted indicators. As of Thursday night, neither of the other groups had responded.  

On the membership side of the operation, we sent out membership packages to a bunch of potential members and welcomed our latest newcomer into the Alliance.
  • Two Federal Civilian Agencies are evaluating membership -both currently in legal review, one DoD organization invoiced, and one more DoD organization finalizing paper. Just this week, a third Federal Civilian Agency contacted us for membership information, telling us they can't get good unclassified information elsewhere. We've heard this before. So we're hoping that within the next month, Beadwindow will see an infusion of new federal government analysts. 
  • On the Red Sky side of the house, we sent three new members to the Advisory Board to offer thumbs up/down before we go any further with them (all of our members are vetted through our Advisory Board before being offered membership). One was a referral from an old friend; another was a referral from a current member. We love referrals!
  • One new member was invited into the portal this week. The first guy from this credit card company's information security team needed high quality intel --stuff they're not able to get anywhere else. I'm sure they'll find it in Red Sky. In fact, we had one of our best analytic weeks going with two reports published this week. 
This week's reporting: 
  • Fusion Report 13-011 published: A Red Sky member submitted details from an incoming spear phish. In the posting he included the email header and attachment. He's a smart guy. The attachment exploited a vulnerability from last year, but the payload initiated and connected to a previously unobserved C2 infrastructure. 
  • As well, we published Intel Analysis Report 13-007, which drew comparisons between three RAT families and profiled one of the authors.
BT BT

On top of the crazy pace this week, Jim announced at our weekly staff meeting that he's sold "World Headquarters" in St. Louis and is moving to Colorado! Our president (and his World Headquarters) HAS to be closer to high quality fly fishing and great skiing. I'm keeping my fingers crossed hoping for my own wing! More importantly, this means we've now got representation in Denver, Colorado Springs and, after next week, Steamboat. I had a great trip out to AFCEA a few months ago and can't wait to host our first booz'n and brainstorm'n at elevation in the Rockies! 

RE the Lab? We're in full swing looking for business.  Our first major gig was a RAID rebuild/restore. An IT consultant sent us a set of drives from a RAID array that they'd tried several times to fix. Their customer's entire business was located on these disks; one held a database full of customer information. We were able to identify, carve and rebuild almost all of the data, sending the results back to the consultant yesterday. While it's not sexy APT work, data restoration projects seem to be coming to us, and heck, the work's good and the money is green, so we'll take it. We're expecting a 12Tb project this week. So for now, if you're looking to take the strain off of your already over-worked forensic shop, we'll happily take some of it off your plate. If your incident responders/forensic guys are swamped with HR, internal legal, restorals, send some of it our way. Those guys are busy enough with APT. We'll happily take some of the routine cases for you!

OK folks, until next time.
Have a great week!
Jeff




Friday, April 19, 2013

Red Sky is observing a week of silence...

Having been a runner (50 pounds and 10+ years ago), I can't imagine the feelings going through the runners on the field at such massive devastation --the lack of completion, the sheer shock and horror of being in the mind of a long distance run, having dreams shattered as quickly as it happened, and the families of those killed and 100+ injured.

Red Sky Alliance and Wapack Labs are observing a week of silence in support of our neighbors in Boston, and all of those affected by this horrific event.  Our hearts and prayers go out to those killed or injured at the finish line of the Boston Marathon, and to their family and friends.

Friday, April 12, 2013

A few things to consider before you buy the next hot commodity.



With Jeff on the road making his way up the east coast in yet another wet and soggy commute, I’ve been handed the digital pen for this week’s blog.  

This week, I was having a beer with a couple of colleagues and the discussion turned to the “commoditization” of security.  We all know that security is one of the hottest market spaces on the planet.  Security firms are selling firewalls and IDS/IPS boxes at a breakneck pace to keep up with the growing security threats and to be fair, the demands for these solutions are growing as well.  But what happens when the supply outweighs the demand?  You look for new things to commoditize!


In my opinion, there is more demand for knowledge and expertise than there is for the next firewall.   In fact, I predict that by the end of 2013, the emerging hot commodity in security will be security related communities where people collaborate and share information in a trusted and secure environment.


You’re already seeing many of the big players and security vendors hanging communities off the solutions they are already providing – “Buy our Incident Response service and you have access to our community.”  This demand for communities is nothing new for us at Red Sky. We’ve been supplying this demand for well over a year and a half now.  


What drives this demand?  It’s pretty simple.  The large companies have the incident response teams to deal with APT but don’t have enough actionable information to act upon and the small companies are lost somewhere between buying solutions, outsourcing functions, and an uneasy feeling that they are not seeing everything they should – that sinking feeling they’re missing something.  Sadly, they are.


Like any hot commodity, your inboxes will be inundated with offers to join such a community.  The costs can range from free, as a value add to an existing product, to as high as many hundreds of thousands of dollars.  To help navigate your inbox, I wanted to share with you what I believe are some of the important things you should consider when choosing which community you partner with:

  1. Do I trust this community? – You have to have TRUST with whom you are sharing your most sensitive vulnerability data. Do you know the identities of the other contributors?  If you don’t have trust that your information will remain private, you won’t use the community or get the most out of your investment.
  2. Can I count on this community when I need them most? – In time of crisis, when your Incident Response Team is fully engaged, can you lean on someone for help?  Do you have a lifeline that will help you or find the resources that can?
  3. Is the information vetted? – Make sure the information you’re receiving from the community is vetted. If the information you’re receiving is invalid or inaccurate, you’re going to waste a lot of time going back and fixing things you shouldn’t have to.
  4. Is the community moderated? – Or is it a free for all? Moderation is important.  An un-moderated community is a time killer.  No one wants to sift through pages of chatter to get to actionable information.
  5. Is there any context to the information I’m receiving?  – Is the information you’re consuming in a context you understand?  No one wants to take action and not understand why the action being taken is important.
  6. Cost? – You get what you pay for.  If you opt for a no-cost community, you may not get quality information, or you may get too much data.  If you opt for the most expensive, you may see high turnover of membership or little return on investment.


These are just a few. There are several other things you should consider, but this is a good starting point.  We at Red Sky have a clear vision of how a security community should work and we’re continually improving on our strong foundation, growing our competencies, to sustain our leadership position before the big companies unleash their armies of salespeople!


Red Sky has built a highly trusted, cost effective, and content rich sharing environment to help solve the APT problem by putting together some of the most advanced Incident Response Teams in the world.  If you’re looking for such a community and you’re asking yourself the question of how Red Sky can help you, please email me at rgamache@redskyalliance.org.