Friday, August 02, 2013

Zero Day on the Mountain

Last week, I attended a lecture by Robert O’Harrow, a reporter on the Investigative Unit of the Washington Post.  The topic of Rob’s presentation was “Zero Day:  The Threat in Cyberspace.”  The presentation was held in a concert hall that held 560 people and it was standing room only.  This may not appear out of the ordinary for an INFOSEC group, but this event was held in Steamboat Springs, CO.  There were no INFOSEC professionals in the audience, only very interested people, who took time off from recreational pursuits to learn about what is threatening their personal computers and email accounts.

I had already purchased Rob’s book ($2.99 for the Kindle edition) and read it before his lecture.  His talking points followed his chapters and he geared his presentation to the audience.  What amazed me was that here were over 560 people who gave up their late afternoon to learn about a topic that is threatening all aspects of their lives, from their personal bank accounts to whether the local electric utility could lose control of its systems and services.  When the presentation and Q & A session were over (questions like “why you should not use your cat’s name as your password”), I listened to members of the audience exchange personal experiences of the attempts that had been made to harvest their personal and financial information.

What I was hearing was a microcosm of what we are doing for our members at Red Sky Alliance every day. People who knew each other from the community were asking questions and informing each other of the attempts that had recently targeted them.  We see these in our email accounts every day, and I was elated to see a group of informed computer users sharing their information with others.

BT BT

Jeff is on vacation this week, but he still held a prospective member presentation with me on Tuesday morning.  We had another one scheduled for tomorrow, and I didn't hold him to a third one on Wednesday morning.  He needs some well-deserved time off.  Even though it is the peak of summer vacation time, we are still receiving requests from leading corporations to learn more about our alliance.

On a daily basis, another group is gearing up again and again to attack another industry segment that affects our daily lives. Why not join our team and share in the information that our members already know?

Until next week,

Jim McKee

Thursday, August 01, 2013

Correction...

It was brought to our attention this week that we'd inadvertently infringed on a trademark registered and owned by Counterpane (now British Telecom) in our use of the Socrates mark. Red Sky's use of Socrates came after a trademark search of the USPTO database, TESS, but anyone who has searched it will quickly understand that TESS is not completely user friendly, and just how easy it is to inadvertently use trademarked material.

To that, Wapack Labs, a Red Sky company, will discontinue any use of the term Socrates, and continue operating as Wapack cSOC, Wapack's cyber security operations center.

Thanks,
Jeff Stutzman

Friday, July 26, 2013

Enlightenment, Dirtbags, and Scumbags

An old friend used to tell me that in the landscape of failed entrepreneurial CEOs (he was really active during the boom), there are two kinds of failed CEOs --dirtbags and scumbags.


  • Dirtbags are failed CEOs who simply don't know that they've done wrong. They spend money without a plan, have no real roadmap, and basically (ahem) urinate the money away.
  • Scumbags are failed CEOs who know the end is coming, yet they continue to spend investor or stockholder equity right up to the end. They willfully spend money, knowing full well they'll never return profits. Scumbags could have returned angel or VC funding, but chose to spend until there's nothing left. 


In the last two years of Red Sky Alliance, this message rings through my head on nearly a daily basis -- not because I don't want to ever be looked at as either a dirtbag or scumbag, but because many of the CIOs and CISOs that I talk with on a regular basis could also fall into one of these categories.

Many, many of the IT workers I talk to on a regular basis lean forward, do their best work, know how to persuade leadership for needed budget and are actually very effective in doing what they do. Others however either have their heads in the sand, or simply have no clue. They lack the ability to operate at the executive level, can't persuade, hide truths, or, as we used to say in the Navy --they're on the ROAD program --Retired On Active Duty.

.. a real downer huh?

Here's a good story: In the last week, we signed up a new member, presented to another who will likely become a new member, and, while on vacation next week, I've got three more membership presentations. The company I spoke with last night indicated they not only wanted the membership for their global SOC, but have their own informal network of companies they talk to that they want to introduce to Red Sky as well. We love being introduced to other companies by our members. In fact, that's probably one of the biggest drivers of membership growth for us! We like that!  I call these guys 'Enlightened'. They know when to ask for help... and they come to a strong membership in Red Sky to help them along. One of these companies was starting from a clean slate, building their SOC. They've got a new CISO, new team, hired a dozen and a half new folks in the last three weeks. To them I say Bravo Zulu (Navy for GREAT JOB)!

At the same time, I had two other conversations with executives from two other companies --neither of which do I expect to become Red Sky members. In both cases, their senior leadership has had incident responders onsite, and in both cases, asked them to leave. In both cases, the companies have struggled with cyber problems. One (apparently) clearly APT; one probably not. In neither case were the breaches reflected in their 10K. We looked. One of our Red Sky guys is a professional IT Auditor. The 10K was the first place he looked.

Two companies.. one public one private, building their team, looking for ways to gain strong situational awareness. The public company taking steps to protect their stockholders from intellectual property losses. The private company building equity, creating jobs, taking care of the local economy... they've become enlightened.

Two other companies.. both public.. neither reporting cyber issues in their 10Ks, hiding the breaches, executive management onboard the whole way. IT folks know there's a major issue; both spending money on incident response and/or spinning their wheels chasing attackers or simply hiding their heads in the sand. Dirtbags or scumbags? You tell me.

BT BT

From a profile perspective, our membership, while mostly larger enterprise companies (100K+ computers per company), brought in a company this week with 250 employees that is a significant player in the Internet infrastructure space. This makes me happy on a couple of fronts --we're growing, but also attracting companies that are not only large, but have something to offer the other members. These guys are small, smart, and growing. I'm going to have to quit telling people we do large enterprise!


  • This week, after announcing our intent to service only IT workers in the federal government, we received several requests for information from ISSOs around the government. The response has been quite strong. 
  • Our first healthcare gig was apparently a success. We received great feedback from the client at a social last night. We're told they've decided to move forward with our Wapack's Cyber Security Operations Center Monitoring (Wapack cSOC) service. 
  • Last, but certainly not least, we released two new reports in the portal this week.. one detailing a 0-day, and one priority intelligence report focused on forward-thinking analysis. 


Checking out. Back in two weeks. I'll give you a break from reading my rants next week.

Looking forward, I'm not going to be at Black Hat, although we're sending Alison Choquette. She's a spitfire. You'll have a hard time missing her!

I'll see some of you in NYC on August 6th and then off to Iceland for the Nordic Security Conference at the end of the month!

Jeff

Saturday, July 20, 2013

The Three F’s of Good Intelligence

To quote the great Adam Carolla - 

"Any restaurant is only three crappy meals away from failure"

If you go to your favorite restaurant on any given day and are served a crappy meal, you will likely go back again because it’s your favorite restaurant and they may have just had an off-day. You're willing to cut them some slack.

Let’s say you go back again after your first lousy meal and you get another one. You may still be willing to forgive because you have had so many great meals there over the years. But after that third crappy meal, you probably will never go back again.

So why are we talking about restaurants in a security blog? Substitute meals with reporting and intelligence. No matter what your previous track record, you are only as good as your last three reports. With the time-sensitive nature of threat intelligence, this becomes even more important. This is the reason we take our reporting so seriously at Red Sky. Ask any Red Sky member and there is a good chance they will tell you the same.

Don't get me wrong, we are not the para-militaristic "Hell’s Kitchen" of threat intelligence, but we take pride in our work and we don't think that’s such a bad thing.  If asked for the ingredients in the recipe for a report that is relevant to today’s persistent threats, I would argue that it’s the same three every time… for the incident responder working on his eighteenth hour of slogging through pcap, pulling images, searching through running memory dumps for the needle in the stack of needles, there are three things running through his or her head… the three F’s:

  • Who the F is it?

…and as the CISO heads for the CIO’s and CEO’s offices…

  • What the F do they want?

…and as the Incident Responder stares at his screen, with phones ringing off the hook and his/her inbox filling with reports of widespread problems…

  • How the F do I stop them?

C-suiters are scrolling right now in search of the ‘unsubscribe button’, but the incident responders, the analysts, the forensic folks and all of the other blue-collar geeks responsible for the long days of actually working at the brown end of the stick are laughing their heads off right now!

Fortunately, there’s a ton of data available to answer these questions. Unfortunately, it’s located in disparate places, and you need to be able to sort the puzzles that have been dumped from their boxes and lie on the floor in front of you, and know how to pick the pieces of the puzzle you’re trying to put together right now. This puzzle (today's puzzle.. tomorrow’s will be different) is the same color as many of the others, and the sizes and shapes are only slightly different from the rest. You’ll need a keen eye.

When the puzzles are lying on the floor, all mixed up, and the CISO realizes his company is hemorrhaging data, and there’s not a damn thing he can do about it; when the CIO realizes that his network was built for uptime, availability, and ease of use; when the CEO realizes he’s going to have to report the issue to the board and in a SOX material breach report (and the costs of responding will probably affect his bonus!); when all of these things happen and there’s no end in sight, and no way to stop the bleeding without completely disconnecting from the Internet --and you have no backup plan for operating without it, well, we called this (in our Annual Report) the ‘Oh Sh*t’ moment.

Companies have these every day, in every country in the world. If you’ve not had yours yet, you will. It’s just a matter of time. If you make something that someone else wants, if you sell to customers that others may want to exploit for their employment, if you build technologies that go into other things, you have probably had yours already. If not, your company may not be instrumented correctly to find it, may not have the skills in your Infosec team to know, or, like many companies I’ve talked with in pitching Red Sky membership, your CIO or Legal team believes that if they don’t know, they don’t have to report. If they don’t know, cyber doesn’t have to show up in your 10K as a risk to business operations.

Regardless of the category you find yourself in, you should demand the three F’s from any vendor. This is what makes it actionable... and good intelligence is only good if it helps with prioritizing your workload, or protecting you from wolves heading toward your sled. If you’re subscribing to a service, you should demand this tailored information in your intelligence service. If they cannot provide satisfactory answers, then it may be time to reach out to Red Sky.

In Red Sky, when we perform analysis, analytic rigor is key. We’ve defined Priority and Standing Intelligence Requirements (questions) that we answer on nearly a daily basis, privately inside the portal (where btw, membership costs are about half of your current subscription price!). We post PIR reports on nearly a daily basis, intent on pushing the information to the far left of the kill chain, almost to the point of reading tea leaves, but only reporting when we believe there’s an impetus for impending attack. Fusion Reports are more retrospective in nature, but if you’ve not seen an attacker coming after your crown jewels yet, then these fusion reports are proactive for you… they protect you from a group that has yet to be tasked with stealing your stuff… but they will soon, and you’ll be armed and ready.

Our PIR reporting is taken from open source reporting.. meaning we read the news, web pages, blogs, social media, IRC, whatever, and then add our own analytics to it. The stuff we read might be in Mandarin, Spanish, Portuguese, English, Russian, Arabic, or any one of a dozen others, but when we find something that might result in cyber consequences, we tell our members. The reports usually generate conversation in the portal, creating more information and a sharper focus on what might become the problem.. our members work together to help figure out what’s going on.. protect the guy next to you.

Interested in reading our PIRs? Set up an appointment for an introduction to the Red Sky Alliance. We’ll help you answer the Three F’s.

  • Red Sky => Business to Business
  • Beadwindow => Are you a government IT worker? You’re eligible too. 2210’s or other non-Law Enforcement or Intel IT workers can access our Beadwindow portal.
  • Need more? Wapack Labs can do some of the work for you. The lab offers a full analytic, R&D and forensic capability, as well as a simple cyber security operations and monitoring (Wapack cSOC) solution to help look for APTs or targeted attacks in your network.

Drop us a note. Set up an appointment. Let us introduce you to our membership as the next member of the Red Sky Alliance!

Until next time,
Have a great week!
Jeff


Saturday, July 13, 2013

3 Humans + 1 Computer = Best Prediction

For any of you who've known me professionally for more than a couple of years, you know two things about me..

1. I demand strong analytic rigor in thought and writing from my analysts.
2. I really love building operations to take on the hardest analytic challenges.

You probably also know that I'm a carnivorous reader of many things tech.  Beyond the online forums and blogs, I read (consume?) the Nook versions of Wired and Popular Science for mind expansion and idea generation. I read Entrepreneur and Fast Company to learn from others how to take those fun mind-expanded products to market, and I read the Harvard Business Review to understand bigger, more strategic issues and how they might affect my business moving forward. Sadly, of late I've fallen a little behind on my reading (building a company requires a LOT of time) but I got myself caught up last week, and during my reading of the May edition of HBR, I happened across a paper that I'd previously missed.

(Image source: Harvard Business Review, May '13)

Two professors posted a short paper that underscores something I've been pounding into my analysts and preaching from my bully pulpit for years... In areas of new problems, with unknowns and no linear progression to solution, humans are better at predicting than computers [1].  Computers are great at crunching mechanical functions, numbers, and identifying solutions that can be derived through a logical, linear progression, but they don't understand things like innuendo, emotion, motivation, determination, opportunity and all of those other things that make humans human... all of those things that make smart human analysts highly valuable.  Even Watson (IBM's supercomputer that won Jeopardy) was programmed by humans, and threads billions and billions of linear thoughts. At some point, predicting computer failures as a result of vulnerability exploitation by external influencers (hackers) will be an automated function ...but not today. The sheer volume of variables is enormous and, to the newly inducted, overwhelming.

This is the Red Sky Alliance value proposition --Humans tackle hard problems through shared thought; each member with a different perspective on the problem(s); each having opinions on the best way(s) to solution; with Red Sky professional analysts distilling the conversations into actionable reporting and farmed indicator lists that you can take and use to protect your own systems.

Through human interaction and facilitated crowd-sourcing, our members receive:

  • High quality unclassified threat intelligence: Red Sky isn't the government. We don't have classified reporting. And we aren't LinkedIn. We don't simply repost open source reporting. Our Professional Red Sky team produces threat intelligence derived from the members, and some, derived for the members. For example, we just published a report that details the exploits of one very active guy, using 14 domains and 10 unique IP addresses. We believe this person will be targeting a specific industry --and company, very soon.
  • Focused analytics and indicators: The indicator race is a cat and mouse game. Indicators are important.. very important, but knowing what to do with the indicators, which ones to implement first, and what to do when they fire is also important. Protect yourself from the wolves closest to the sled.. What will hurt you today? Read the analysis; ask questions of others; prioritize your protective strategy.
  • Gain real context to data presented in your subscription service(s): Subscription indicator services and open source email lists don't give you a LOT of information. Most times they talk of discrete indicators and what it means, but rarely does it come in threaded context, and most all are retrospective in nature. One group that we watch actually operates in real time --it's great stuff. But if you need to know what to do with the information passed, or what they talked about six months ago and how it will affect you today, you're in real trouble. A company can quickly be overcome with data. One of our (more capable) members recently told me that his team processes only 7% of all 'security intelligence' received. But, they process Red Sky reporting first. They use every single one of the indicators Red Sky analysts publish, and read the analytics to understand how/where to use the information.
  • Clean, actionable data: Big data doesn't necessarily mean good data. And (big) data is not intelligence. Data dropped into big cans in the cloud still needs to be read out in a usable way. In fact, the 'cloud' is being littered with security vendor cans of indicators in a big way, but which one will you trust? And if your sensors are constantly running out to the cloud to identify badness, how much bandwidth can you afford? When your company generates millions of lines of syslog and your IPS is constantly shagging flies, can you really afford to have your security devices hitting multiple repositories of big data in the cloud? If you download data from the cloud, how many cloud-based cans of indicators can you load into your systems before inducing latency --this becomes especially important for VoIP users. Red Sky members receive weekly reporting with clean, readable, Kill Chain (Lockheed's version, not the bastardized version) formatted indicators, the story behind them, first and last seen information, and when we know it, attribution.
  • Assistive tech: Malware Analysis: Most security folks don't need to know how malware works. They only need to know how to stop it, and then how to find it. Drop your malware in our portal's malware lab. You'll know in minutes how bad it is, who it calls home to, and the meta data that can be used to find it in your environment --get the benefit of the online malware analysis tools without publishing your data to the world. 

So here's the deal. We have two portals and one service offering:

Red Sky Alliance's private portal is for medium and large companies. Our smallest company is a defense contractor with roughly 2500 employees. Our largest is probably a tie between a global Oil and Gas and a Financial Institution.. both boast roughly 350,000 employees. This is private, and exclusive. You must be voted on the island and can be voted off the island if you break a trust. The membership price is roughly half the annual cost of a good subscription service but you get full interactivity with others who can help you immensely in a private, non-confrontational, non-threatening environment.

Beadwindow is more open and can include public or private organizations, including government focused IT personnel (in the Fed, this means GS-XX-2210 or their supporting contractor personnel). Beadwindow currently hosts state, local, and private company personnel. Red Sky members automatically get Beadwindow access. We use Beadwindow for more open sharing, and for coordination during Wapack Labs operations. Pricing starts at $495 per year for individual, small company members.

Wapack Labs is our for-fee cyber operations, forensic and analysis shop located in Manchester, NH. The lab offers a full forensic capability (computers and mobiles), a lightweight cyber security operations center (think US-CERT Einstein with more dynamic capability and live, on-the-fly enterprise wide forensic capabilities), and tailored reporting for your security intelligence needs. Our Wapack Cyber Security Operations Center (Wapack cSOC) monitoring service utilizes data from the portals to protect small and medium sized companies. When we find information that might help them, we push those indicators into the portals... One detection is everyone's prevention. Wapack cSOC starts at $1495 per year per sensor, and with it you also get access to our Beadwindow Information Sharing portal. (Note: Wapack Labs is perfect for small and medium companies facing new cyber regulations.. HIPAA Omnibus which takes effect in September, and for small and mid-sized defense contractors and supply chain companies who will be required (very soon) under the 2012 NDAA to report cyber events to the Federal Government.  Let Wapack Labs handle your monitoring, and government reporting.) 

It's a great time to be a Red Sky member! Interested in joining us? Drop us a note! Set up a demo time.

Until next time,
Have a great week!
Jeff



[1] http://hbr.org/2013/05/3-humans-1-computer-best-prediction/

Saturday, July 06, 2013

Hoping you had a great long weekend!

I'm wrapping up a reload of my MacAir with its new 460G SSD (it works great btw) after my 120G SSD finally choked, not allowing me to open spreadsheets or other fun business-related stuff anymore.

I didn't post a blog this weekend, intending to allow readers (and me) a long weekend over the 4th of July to enjoy the peace and quiet.

It's Saturday about 11:30EST, and I'm going to sign off (now that I know the new SSD is working properly) and leave you with this... a couple of days late, but since it's a long weekend, I'm thinking it still counts!

Happy Birthday America!

Until next week!
Have a great 4th of July weekend!
Jeff


Saturday, June 29, 2013

Red Sky Weekly: Justifiable shooting

I love NH. This morning WMUR ran a news piece about a justifiable shooting in Manchester. Evidently a pair of midnight raiders were checking out a place. The owner and his wife were in bed. When the raiders kicked in the door to the couple’s apartment and charged in, the awakened owner opened fire with a handgun that he kept in his bedroom. One of the raiders fled. The other was fatally wounded. He died on the scene after the owners brought him to the kitchen and called the Manchester PD. Authorities are not pressing charges. “Justifiable shooting”.
I live in the “Live free or die” state. We take that pretty seriously. We pay really low taxes, have no sales tax, no state income tax, and when threatened, we can fire back.
The question is this.. and it’s been pretty hotly debated on the boards of late --when attacked in cyberspace, should we be allowed to shoot back?
Personally, I’m not convinced that any company on their own could win this fight... not even some of the largest (although their morning television commercials and the radio ads we hear on WTOP in the DC market would likely claim otherwise). When well funded governments and non-government organizations (NGOs) and coordinated unsponsored hives of actors decide to clean out and/or destroy a company, their available resources to do so can be overwhelming. Smaller countries hire outside. Others have capabilities of their own, and then there are the patriots that jump into the fray unasked, but (seemingly) often welcomed by the attacker. Anonymous, Lulzsec, crime gangs, leaks, and unhappy insiders have SOOO much more access to tools than they used to. Companies will be forced to operate within confines of pre-determined, likely government defined rules. Attackers will not. Attackers do not. So at what point does passive defense turn into active defense, and then to offense --and are you prepared to suffer the legal, political, and cyber consequences of that? As a contractor hired to do this for another, is your employer prepared? What will you do when your personal bank accounts are emptied and your name slandered in an asynchronous cyber death match with an unknown? What happens when you hit the wrong target? What if there are multiples? I think the questions should be carefully examined by your corporate attorney before even thinking about exercising your second amendment rights in cyberspace!
Live free or die!
BT BT
Fun week in Manchester. We added two new membership kits to our internal engine, proposing them with the members.
The portal has been pretty busy this week, even with AFCEA going on and summer vacation cruising into high gear. All but one of us are back from travel, and best of all, we got our first two customers in the new lab operation.
As a bit of a refresher, we’ve partnered with a couple of great tech firms and have turned the lab into a bit of a small company SOC. We called it our Cyber Security Operations Center, or Wapack cSOC service --think “Socratic methods” --cross reference everything, verify sourcing and go deep. We’ve set up a pretty cool gig. Red Sky has been going really well. We have a TON of data. MSSP members are allowed to use Red Sky data in devices that they manage. Wapack’s cSOC gathers data at the host and network level, brings it in, and checks it against the things we know about. When we find new indicators, they get rolled back to the Red Sky members.
We believe there’s an untapped information source in the small and medium sized business segment. Some of that information is being gathered, but I’m not convinced it’s making it to mainstream information sharing or analytic shops. Even in the ISACs, the smallest companies -banks, healthcare, supply chain, water, etc. are more consumers of the information and not necessarily robust suppliers. We’re going to try and change that!
So today we got a call from an attorney who asked if we could do an incident response onsite at a medical facility. We’ve been chomping at the bit to drop sensors in a HIPAA location, so this is perfect. We already know they’ve got something going on, and by next week we should be rolling new data back to the Red Sky members. A second call of the day was a hedge fund who needs immediate forensic support.
Our focus?
Red Sky Alliance => Analytics, information sharing, threat intelligence
Wapack Labs => Analytics and information sharing but more hands on, focused on helping small and medium companies.
Until next time,

Have a great week!

Jeff

Saturday, June 22, 2013

Red Sky Weekly: Welcome to the new normal.

A few weeks ago my new VW Touareg broke down in the parking lot of the dealer as I drove it in for an unexpected service. As it turns out, the thing stalled, once in traffic and once in the parking lot, because of a bum fuel pump. Evidently the fuel pump in today’s new high-tech cars is located inside the tank, thus leaving me driving a Passat for two days while the dealer dug out and replaced the pump. In the end, the car, with new pump, runs great, but the dealer never re-calibrated the fuel gauge. So now, even when the pump handle clicks and the tank will take no more, the needle on the fuel gauge lands just over three quarters --annoying the hell out of me.  How exactly does a fuel pump in a relatively new car go bad? Why would the needle not be recalibrated? Why is it that tires get over-inflated during routine VW service (they did, and the rear tires were badly worn as a result!). I’ve come to a conclusion...  today’s automotive technicians just don’t all have the education and/or experience --or attention to detail, to deal with the new technologies that are embedded in today’s cars! Not only did they need two days to find a guy who could actually do the job, the guy never took the last step and recalibrated my gas gauge! Education or lazy? Maybe both.
Why am I talking about cars? Because there’s a concerning parallel between these guys and CIOs and CISOs.
Targeted distributed denial of service, cyber corporate espionage, and computers as a [competitive] weapon in the corporate landscape... Welcome to the new normal.
You see, we just wrapped our quarterly threat day at Arbor Networks. The presentations were OUTSTANDING. The first was about routinizing APT Incident Response, followed by Anatomy of APT Attacks, DDoS Malware Analysis and Attribution, Rooting and backdooring Android Mobiles (and other cool stuff!), and finally, a Threat Brief from one of our most active members... and you know what conclusion I came to? If you’re an IT worker or an Infosec pro, and you’re not talking about this stuff, learning lessons from others, sharing information, and CONSTANTLY seeking updated gouge; if you’re not analytically curious and actively scratching that itch, you’re being left behind --and fast. --Education, motivation, and high levels of situational awareness are all required to live in today’s changing cyber landscape.
I feel pretty confident in my understanding of the current cyber environment. This by no means is a complete picture, nor that of the incident responder that I used to be, but I understand what it means to know that there isn’t a CISO out there that’s going to keep up with the crop of determined attackers that we all face today. Botnets with names I’ve never heard before; DDoS networks rented by the hour; sleepers living in your networks waiting for the right trigger before they begin connecting home. And past defenses, while still required, are becoming less and less effective against these new attackers, attacks, and threats. I dare say, don’t give up your antivirus or firewalls just yet --they’re required to keep the old stuff out. Code Red and Nimda are still out there and will infect your network if you’re using old versions of IIS or Internet Explorer, but at the same time, you need to build on that foundation. Agility in defense, the ability to capture and act on intelligence sources and indicators of compromise learned from others, having your gamebooks built, practiced and ready to go --your incident response team should never have to think about what to do next during an event.
The risk is real:
  • Cyber is real. Southwest Airlines was on WMUR this morning for a stand-down related to a computer glitch. Even if not malicious, a “computer glitch” caused the temporary shutdown of Southwest Air! What would it take for an attacker to create such a “glitch”?
  • During the Gartner event two weeks ago, I sat through a talk on HIPAA --our private information in medical records. An analyst told us that out of 60 sampled healthcare providers, 59 had HIPAA computer related privacy violations!
  • Systemic risks against our banking/financial environments are VERY real. With Managed Service Providers handling the IT for smaller banks using standard images, common gateways, and shared virtual servers, even one small targeted event has the ability to affect thousands of banks --all at one time.
  • Less sophisticated companies in the supply chain are being targeted for access to critical components. Heck, we did it during WWII. Remember bombing ball bearing companies? We did this to keep our adversary from building new airplanes. I pass a ball bearing company in NH at least once a week. They produce miniature and precision ball bearings, and are owned by a larger ball bearing company in California. The company boasts 1400 employees, but I can’t find a CISO on their website. I’m hoping he’s just shy.
  • HHS last week issued a report saying that 60% of small businesses that suffer a cyber event will be out of business in six months. Why? These companies will have no idea what hit them. Nor will they know how to respond.
We issued Fusion Report 17 this week. FR13-017 offered an analysis of a piece of malware that is only detected by five out of 45 antivirus vendors. It was picked up and submitted to us by a member who found it without AV and submitted the sample for our review. We authored the analysis, and passed out a Snort signature (to find it early in the kill chain --before infection), a YARA rule to help find the file in bulk examination, a look at the jar files used during infection, and the command and control it communicates with as it’s stealing your information or money.
...One report; five different places to protect against it, laid out in the order they occur along the kill chain.
Is the Kill Chain perfect? Our reporting? Not by any means. Does it give you the ability to STOP attacks proactively? Absolutely. And if you can’t instrument your network, FR13-017 gave you four other places in your network where you can stop this tool. Anyone can write an IPS rule --but if you can’t, we did it for you.
You need information. We have it. Private information sharing and intelligence collaboration; Public | Private for those who don’t care as much about the privacy; forensic and lightweight managed security services to help figure out how to move forward in your now untrusted networks.

Until next time,

Have a great week!
Jeff

Saturday, June 08, 2013

It's about the GOUGE!

We had the opportunity to finally sit with the Director of IT for a great American company. These guys represent all that IS American business. Hard working, salt of the earth types who come to work in the morning, and leave when the whistle blows --and like everyone else, their network is under constant attack. The Director of IT and his team work hard, fighting the fight on a daily basis, but struggle to keep their head above water. It's not because of a lack of skill, and certainly not because of a lack of trying or a bad work ethic. They simply have never been exposed to the cyber ills known so well by those of us who’ve dealt with cyber espionage for the last several years. These guys needed someone to walk them through the problem. When we left, we took with us roughly 130,000 file samples, and are now analyzing malware that we'll be able to go back to him with, and help him through the rough spots.

Some people talk on the golf course. Others do it in bars. A new friend in NH bought a high end gym membership --all to create networks and build trust. Why? People matter. You can’t do business without them, and you can’t solve complex problems without information gathered from many sources. Our complex cyber environment --not just risk, threats and attackers, but also foundational complexities introduced by mobile, cloud, virtualization, VoIP, and dozens more --has caused us to build bridges on sandy, unstable shores. Simply connecting technologies to the bridge won’t make that shoreline any more stable. It requires an engineer who’s worked on sand before. Smart people matter. To solve problems with as many variables as we deal with on a daily basis, people have to talk --share notes; in the Navy we called it “the gouge”. Tell me what I need to do to make sure I pass my next inspection. You get the gouge by asking guys who’ve been through it already.

Cyber is no different. Getting the gouge is about relationships. It's about talking one on one. It's about people trusting strangers with their worst problems after a cup 'a Joe in the local diner, and then having the ability to talk openly. My IT Director would probably feel intimidated as hell talking to current Red Sky Alliance members about what he’s seeing --because he doesn’t yet understand that everyone else is having the same problems, and that there are others who’ve been there before him. But once the ice is broken, and we've taken him through the process, my bet is you'll be seeing him in one of the portals soon, building his own relationships, passing along his own gouge!

Gouge isn't what the press says. It's not what the government says. It's not what that slick new security tool salesman tells you. It's about good information that can help you avoid the lumps of trial and error. And there are very few places to get the good stuff --and only one that I know of with peer review of submitters so you know who to listen to and who not to listen to. Only one that I know of where large enterprise companies from dozens of industries aren't afraid to help others figure out what to do next --without judgement --because they've all been there. They know exactly what it feels like.

The membership of Red Sky Alliance has been dealing with APT, advanced criminal problems, and all of the emerging threats, and guess what... many of them started out with one guy watching a log, who got a phone call from the government or one of the consulting companies telling them they have a problem. I know. That’s where it started for me. That’s where it started for almost everyone I know in this business. We were three guys from three companies sitting around a table comparing notes. We signed NDAs and started talking. Then we brought others in, sharing information --lump avoidance, lessons and indicators... and they got better too. We all built our own individual processes for dealing with the new issues, and at some point, the APT became just another problem... the new normal. We passed the gouge.

Red Sky Alliance members have good gouge. Not just indicators, but the gouge... the good stuff.  

We've connected people who aren’t afraid to pass the gouge in a peer reviewed environment... and everyone benefits... at a fraction of the price of a new threat intelligence subscription.

  • In the private Red Sky portal, companies talk to companies. The environment is very active, and information is shared daily on current happenings.
  • Beadwindow is a public | private portal. Smaller companies, academics, and government users can purchase reduced rate memberships in Beadwindow and both talk amongst themselves, and ask questions of members of the private portal. And, many of the private Red Sky corporate users also have accounts on the public | private Beadwindow portal.
  • Wapack Labs has taken on a smaller company feel. We started with forensic services in April, but have since grown into a lightweight, low cost managed security, analytic and intelligence analysis service.

Red Sky has good gouge. Join us. We're happy to share!


BT BT

We didn’t publish a Fusion Report this week, but by no means was it slow in the portal.

  • We are looking at several new APT incidents and brought in a number of participants from two new members.
  • On Monday we are starting training for two new interns. They have a tough act to follow from our last intern; however, we have high confidence that they will add value to our community.
  • We introduced two new members to the Alliance, and sent a membership kit to that restaurant chain we mentioned last week. Wuhoo!


Have a great week!
Jeff