Saturday, August 24, 2013

Are We Ready for Systemic Infections?

I'm NSA'd out. My daily morning reads include RSS feeds from TechDirt, Foreign Policy, SlashDot, Ars Technica, and a couple of others, who have all been covering NSA all day every day. Bottom line is this.. right or wrong, whatever your opinion, cyber infections are systemic --at every level of computing. I've been asked a few times what I think about the NSA issues, but I have only two thoughts.. first, I worked for this smart guy who used to say "assume noble intent"... and I do. Noble intent.. good idea, bad execution? Perhaps. That's yet to be sorted out by others. The second thing I'll say is that cyber exploitation is completely and totally systemic... we've lost our privacy in cyberspace... the bell's been rung and can't be un-rung. We live now in an untrusted environment that includes cyberspace. Better get used to it. It isn't going to get any better...

BT BT

When I go through TSA, I almost always ask them (as they are returning my ID and boarding pass) "What's my name? Where do I live?" (it's WAY fun to see the expressions of pure horror on their faces when they have no idea whose ID they just checked!)... I was reminded of this when one of our guys posted a blog on our Wapack Labs site that he authored while sitting in Logan waiting for his flight to some remote location where he'll be spending the weekend shooting a LOT of guns. Matt is a personal safety guy and a gun enthusiast; a far cry from when I met him years ago when we worked together at Cisco. Matt talks a lot about personal safety, giving out information, the idea that we are handing our personal information to perfect strangers in an airport, losing your identity online, and simply doing business on wireless networks that nobody knows are safe to actually do business on. He also talks about the fact that TSA doesn't bat an eye when you carry two Level III+ body armor plates through the checkpoint. In reading his blog, of course my mind was racing.. it always does, but think about this…


We spend a TON of money on physical security at the airport to protect against physical threats to airplanes resulting from humans carrying nail clippers onboard. We're forced to give our personal information to perfect strangers. Our bags get inspected and x-rayed, we walk through metal detectors (and worse) to ensure we have no metal objects or bombs in or on our body. When we get through security, guys with dogs are oftentimes walking around... plenty of guns (except mine!) are holstered hot, and once we do get on the airplane, there's probably an air marshal onboard.


But with all of this physical security in place, are we really more protected?


We spend a ton of money on physical threats that might occur that day, but only a fraction of that money on cyber events that will occur that day.


With all the money spent on physical security, how well do we protect those very same planes from attacks --from inception of the idea through final delivery and flight?


Are we thinking about the systemic risk that we face as security professionals? Are we ready if (when) it happens?


So I wanted to run a test. I ran a simple Google query for "Aviation Supply Chain". Google yields (as you might expect) quite the haul, but one company in particular stood out... a supply chain company that (according to its website) was founded in 2000, is owned by a consortium of the large airlines of the world, and sells through EDI and online. The site talks about its ability to do EDI with the companies, and apparently is an exchange of parts, services, and supplies for an enormous number of suppliers and most of the OEMs.


Here's what surprises me (it probably shouldn't come as a surprise), but the CEO is an MIT grad, the CIO is a PhD, and the VP for product management is a software guy. Something's missing. Where’s the CISO?


This is a company that built a supply chain business helping airplanes get off the ground and fly to maximum profit. They offer brokered repair services, parts, even some manufacturing, yet there's no CISO to be seen, nor anyone with security experience. As surprising to me is knowing that the supply chain industry is probably the weak link in the development of any major product --including airplanes. Looking at their conference agenda for 2012, and their upcoming 2014 (2013 isn't posted for some reason), there's a ton of information about production, supply chain management, efficiency, etc., but not even one mention of protecting data in this critical infrastructure supply chain to the aviation industry.


So here I sit, preparing my slides for the upcoming Nordic Security Conference in Iceland next week. My topic? "Seven Common Processes that companies use to protect themselves from advanced threats - How great companies survive (thrive) in today’s threat landscape." Then I shift gears back over to do some cursory research for my blog, and I find that this supply chain exchange company (did I mention they were built and owned by the major carriers) doesn't have a CISO mentioned on their leadership page, doesn't mention security at all on their web page, and their annual conference includes a volleyball tournament, but no mention of how companies will keep components and airborne networks safe from hackers onboard with pineapples, or protect the internet-attached CVS repositories where the chips are built before they're loaded into cockpit gear, mess with schematics for the autopilot, or even more simply, protect from reroute and confusion in the ordering process by gaining EDI access at an unsuspecting mom and pop shop who happens to manufacture critical components (yes, small companies make important stuff for big companies all the time!).

This aviation question is a great example, but only one of many; the same question is being asked in other industries as well...

  • There was a great talk given at DEFCON about hacking the CAN in cars.. the CAN is the local controller area network that networks all of the sensors and computers in your car.
  • We spoke with a security intelligence organization last week who told me they see beaconing from smart devices in operating rooms --coincidentally, I had the same conversation with a tech-savvy cardiologist just a few weeks earlier!
  • Dozens of companies are in the news weekly --many manufacturing high end technologies. Can we assume that the machines that hold the code that's getting burned into chips destined for printers, copiers, medical devices, heck our refrigerators, won't phone home when turned on?
  • CBS News reported on an overseas networking company building espionage capabilities into our networking gear.. the same gear our infrastructure is built on.


Supply chain and interconnectedness is important... REALLY important. In fact, it's critical. So how do we get the word out to all of these companies? Many of them are small (like those supplying our aviation supply chain company) and must focus on sales and productivity. Security? It costs money. But these guys are the backbone of our economy!! I'll ask the question again...


SO, WHERE'S THE CISO???


With so much riding on data availability, integrity and confidentiality; with the government writing DFARs mods on nearly a daily basis requiring companies to prove information security (and report cyber events to them when they occur); when a guy stands in front of a crowd and talks about hacking cars through their onboard networks, and you can’t swing a dead cat without hitting someone who’s threatening our privacy, the CISO becomes a major competitive differentiator.  

The CISO should be out front. "We have one, and he's (she's) brilliant!" "Yes, we care about our customers, and we've hired the very best."


BT BT


I know this is a long blog. I'll keep this short. We had a great week.


  • Our first Federal Agency joined Beadwindow (our private | public portal) this week. I’ve known these guys for a while. In fact, I used to use them to fact-check my DC3 team when we were just starting out! Welcome!
  • We had two meetings with prospective members and brought one more private company (the CISO of a security company) into Beadwindow.
  • Even with the team working nights supporting TIAD (our Threat Intelligence and Analysis Database) training overseas, we managed to continue developing cool tech, the portal is busier than ever, and now, heading into post-summer, the phones are starting to ring again! I was starting to feel a bit like Rip Van Winkle.. time to wake up, old man!
  • Fusion Report this week but we're building out our linguist team --we got our first Romanian speaker onboard, a new Russian linguist and just posted three new priority intelligence reports (PIRs). PIRs are short pieces that we find interesting, and that offer fast turnaround analysis for instant situational awareness when something looks important.

    • Defcon Talk on Car Hijacking - I LOVED this talk btw!
    • Android Malware
    • Ministry of State Security's new Lhasa office


Our members will be reading these as we speak. You could be too. Call us.
Have a great week!
Jeff

Saturday, August 17, 2013

Antitrust to cyber is like a wooden stake to a vampire...

Last night we posted an intelligence analysis report (IAR) in response to a question from a member of the Oil and Gas industry. What started with a simple question in the Red Sky portal blossomed over the last two weeks into a full discussion with roughly a half dozen of our other members and two of the Red Sky analysts, and then into a formal report, detailing the members of the group attacking the Oil and Gas companies, targeting associated with their activities, how they went about their business, and relative (or not) successes in their exploitative activities. In this case, the attackers had little success, but as we track them, we'll see the group's tactics change (likely get cleaner, more efficient and more effective). The Oil and Gas folks will already know them and be ready for them. And when the group decides to begin targeting other industries, our non-Oil and Gas company members will also be prepared.

This is the power of information sharing. 

Information sharing works, but only under specific circumstances:

Reform Cyber Antitrust. Antitrust to information sharing is like a wooden stake to a vampire.
I've been operating in this (information sharing) space since founding the Healthcare ISAC in 1999, and every company I've ever dealt with, when sharing information (above the 'doer level'), worries about what their antitrust liabilities will be. Lawyers warn of jail time when it comes to sharing information with others, particularly when that information might lead to competitive advantage.

So here it is (Congress). We need to figure this out. Companies who share information about their cyber issues could face massive legal implications. Companies who don't, do face extinction.

Open and honest comms are a must. Anonymity doesn't work. 
In 1998, PDD-63 called out the US Critical Infrastructures. As a result of this new understanding of the critical infrastructures in the US and their susceptibility to cyber attack (we didn't call it cyber back then), Information Sharing and Analysis Centers (ISACs) were formed. The basic premise was this.. one company has a computer get attacked/breached. The company could take the lessons learned and anonymously submit them to an aggregator, who would perform triage level analysis and forward the results to the entire critical industry. ISACs popped up everywhere. I believe at the time, there were 13 critical infrastructures. A financial services ISAC was formed, water, energy, etc. In fact, I founded the original Healthcare ISAC (here's a link to the wayback machine from the original post in 1999) on a suggestion by Alan Paller at the time.

In the early days, the idea of anonymity worked. Attacks occurring in member networks were not all that sophisticated (although at the time we thought that they were!) and anonymously sharing information about an attack on one system was simple to do. Today however, when one attack occurs, it's more sophisticated. Account takeover, stealing drilling data from our Oil and Gas folks, military fighter data from defense companies, breaking into a Mercedes dealer for their customer list... whatever the reason, attackers are employing tactics that simply weren't used in the mid 90s.. CISOs must understand that an attack no longer affects just one machine, but potentially thousands, and that simply submitting an anonymous post to a list just doesn't work. One attack profile can be used in multiple ways depending on the circumstances. One piece of malware can be modified thousands of times, but it's still the same malware doing the same functionality as the very first.

Analysts need to be able to talk. Context must be known to be able to troubleshoot and understand the cause-and-effect of the attack. It (context) must either be provided by the submitter or extracted through Q&A... And when context is extracted through open conversation, the results are amazing.

We must remove the mental barriers. Attackers collaborate. So must we.
Out of the (18?) ISACs today, only one that I'm aware of has any kind of open conversation about cyber attacks --but it's not across the membership. It's across a very small subset (less than a couple dozen) of the very large membership (thousands). Why? Because the community, like others, has members with varying degrees of capability; because knowing about what's going on is very different than actually being able to do something about it... or even detect it; because members are afraid of anti-trust; because CISOs inherently don't like to talk; because if a regulator is in the room, there'll be an investigation; or worst of all, because simply being a member of the ISAC checks the block that shows you're doing due diligence.

There is hope. 
There are loads of CISOs who get it. Many of our Red Sky Alliance members are members of both an ISAC and Red Sky Alliance. They participate in multiple forums where information is exchanged -and they compare notes in our portal. They've seen how open discussions produce FAR better, more actionable results (and ROI on their membership fee) than simply sending and receiving anonymous submissions to an aggregator or participating in an email list where pseudonyms are used to hide member identities and operational security practices are always suspect. Why? They get the best of both worlds. They get the benefits of the anonymized ISAC submission process, government CIPAC interface (if they choose to use it), and from Red Sky they get full, detailed analysis and actionable information.

BT BT

Coming off the soap box, we're gearing up for the post-labor day workload. Summer is nearing a close and it's getting busy!

  • Our latest Intel Report was posted (mentioned above).
  • We posted a second analytic product, authored by one of our interns. She's a UT Austin student in her third year.. bilingual in Japanese and English and a dual major -computer science and journalism. She can really write! And when she's ready to graduate, we'll introduce her to the membership. She's very good and we love reading her analytic products!
  • We've been working hard on some new tech. As our community grows, so does the need to capture backend information. Our folks are, as we speak, heading for Japan for the first unveiling and beta testing with one of our members. 
  • And last, but certainly not least, we welcomed a new Forensic Examiner to Wapack Labs. Chris Wierda recently graduated from a BS program in Forensics at SUNY Erie County. He's an Army Vet and a Manchester native. We're glad to have him join the team!
Until next time,
Have a great week!
Jeff






Saturday, August 10, 2013

What about Data INTEGRITY??

Whew. Just back from vacation and could easily have taken another ten days! I hightailed it from Maine to Maryland on Monday, arriving after midnight following long delays on the NJ Turnpike, only to turn around on the train and head for NY on Tuesday for the SINET conference at the Columbia Faculty Club. Robert absolutely knows how to put on a conference!

I arrived a bit late, but sat in every presentation and panel all afternoon. And one thing I found most interesting --a theme -- "I just skate to where the puck is going to be, not where it has been" (Wayne Gretzky) [Note: I originally misquoted this. Thanks Lux! I stand corrected!] seemed to emerge as a theme in the first panel after lunch. Interestingly enough, the panel was four folks from the business development and sales side of the house at four large defense contractors, all vying for the best non-pitch pitch to the government buyers possibly in the room. The thing I found most interesting was this.. when asked "where is the puck going?" we heard standard answers --one stated that he didn't expect to see desktops next year, but rather mobiles and pads (really?!). Another talked of more virtualization (genius!). Yet another talked about different things he thought he'd be selling to the government in a year or so. This is exactly what I'd hoped to hear.. out of the box thought from industry leaders! Visionaries!

Is this really where the puck is going?! This is an Infosec conference right?? I hate to think these MAJOR government contractors can't think more than a year or two out. Why do I say this?

Here's what I worry about:

Short term (next two years) - in (my) priority order:

  • Unsuspecting supply chain companies unknowingly (or knowingly) being whacked. Hell, I'm not sure we've got any safe intellectual property left! If it's connected to the internet, you better start thinking about how you're going to replace it. The tube of toothpaste has likely (high probability) already been squeezed, and it ain't going back.
  • Data integrity - I worry about this one the most. I think about it almost every day. We've lost confidentiality already. How will we make our data tamper-proof, or at least know when mods weren't made by legitimate users?
  • Physical losses from data security breaches - Espionage has turned the corner to sabotage and availability. While not completely lost, availability and sabotage are hugely problematic. Ask any company whose computers are destroyed by a breach or whose product requires constant patching because of lost integrity.
  • The complexity driven effects, transitions, policy and legal consequences of BYOD forming, storming, norming and finally, performing. I'm not sure we've hit storming yet and BYOD challenges are hitting us square on the nose! 
  • Cloud hacking - Why rob banks? That's where the money is! - Cloud is becoming a rich target. 
Longer term (2 years and out)
  • Data integrity again. I used to be a Naval Officer working in Information Warfare (as it was called at the time). Information Warfare was pretty straightforward.. make an adversary lose confidence in his data. When data integrity is lost, and variances can't be measured, every chip, piece of code, and transaction will be suspect. Would you fly on an airplane if you thought the onboard computers were hacked? Would you drive a car? What happens when computer networked machines get bad instructions, or chips have bad code burned in because the production processes were compromised? It's not a pine cone that just bonked you in the head. This stuff is coming.
  • The infrastructure is lost. Everybody has tools to monitor Windows machines and grab pcap, but what about the routers, call managers, printers, VoIP phones, etc.?
  • Service accounts to these devices, and those baked into domain-crossing horizontals, are some of the hardest to protect.
This stuff is cancerous and systemic. It's what I worry about. Not rocket science, but it's where I believe the puck is going. 

How will you know? Great situational awareness. How do you get great situational awareness? You watch the radar, listen to the sonar, read every intel report, and you constantly compare notes with the picket fence set up by the rest of the fleet and joint forces you're connected to. You update your intelligence, and act on the risk.

How does this happen in cyber? You baseline your tools and infosec processes to give you the best chance at detection (and prevention). You train your staff to know what to do when... You subscribe, read, evaluate and act on as much as you can or need to. And you talk frequently to others in Red Sky or Beadwindow!

BT BT

It was a fairly slow week but productive as heck.

  • Two Priority Intelligence Reports were posted to the portal --one discussed ATM hacking and another an APT group associated with the ATM hacking. Priority intel reports are what the IC might call IIRs. Red Sky analysts have a list of priority and standing collection/analysis requirements, and when we find new pieces of the puzzle, we publish them to our members. 
  • A fusion report was posted earlier in the week. FR13-21 analyzed a previously reported backdoor, but with intelligence and good tech work by the team, we reported details of the infrastructure and a new version of the TTP in use and their associated indicators. 
  • Beadwindow has reopened. We've realigned the portal for its new mission, and have invited its first member --who's already filled out a profile! Beadwindow will be used to service individuals, small and medium sized businesses, and government IT workers (2210s).
  • And finally, in the lab, we're preparing to go into our next healthcare gig --an online pharmacy. 
One final note...

It's coming up on Labor Day --the end of summer; four months until year's end. If you've been thinking of joining either Red Sky or Beadwindow, the time is now. In most cases, it takes 3-4 months to get checks paid by your accounts payable, and if you join us today, you'll get 2012 rates for your first year. Don't hesitate. Want to know what we do? This is our 42 second video...



Take advantage of the 2013 pricing. Contact us today. 

Until next time..
Have a great week!
Jeff


Friday, August 02, 2013

Zero Day on the Mountain

Last week, I attended a lecture by Robert O’Harrow, a reporter on the Investigative Unit of the Washington Post.  The topic of Rob’s presentation was “Zero Day:  The Threat in Cyberspace.”  The presentation was held in a concert hall that held 560 people and it was standing room only.  This may not appear out of the ordinary for an INFOSEC group, but this event was held in Steamboat Springs, CO.  There were no INFOSEC professionals in the audience, only very interested people, who took time off from recreational pursuits to learn about what is threatening their personal computers and email accounts.

I had already purchased Rob’s book ($2.99 for the Kindle edition) and read it before his lecture. His talking points followed his chapters and he geared his presentation to the audience. What amazed me was that here were over 560 people who gave up their late afternoon time to learn about a topic that is threatening all aspects of their lives, from their personal bank accounts to whether the local electric utility could lose control of their systems and services. When the presentation and Q & A session was over (questions like “why you should not use your cat’s name as your password”), I listened to members of the audience exchange personal experiences of what attempts had been made to harvest their personal and financial information.

What I was hearing was a microcosm of what we are doing for our members at Red Sky Alliance every day. People who knew each other from the community were asking questions and informing each other of the attempts that had recently targeted them.  We see these in our email accounts every day, and I was elated to see a group of informed computer users sharing their information with others.

BT BT

Jeff is on vacation this week, but he still held a prospective member presentation with me on Tuesday morning. We had another one scheduled for tomorrow and I didn't hold him to a third one on Wednesday morning. He needs some well-deserved time off. Even though it is the peak of summer vacation time, we are still receiving requests from leading corporations to learn more about our alliance.

On a daily basis, another group is gearing up again and again to attack another industry segment that affects our daily lives, so why not join our team and share in the information that our members already know?

Until next week,

Jim McKee

Thursday, August 01, 2013

Correction...

It was brought to our attention this week that we'd inadvertently infringed on a trademark registered and owned by Counterpane (now British Telecom) in the use of the Socrates mark. This use of Socrates by Red Sky was done after a trademark search of the USPTO database, TESS, but if you search it yourself, you will quickly understand that TESS is not completely user friendly, and you will understand just how easy it is to inadvertently use trademarked material.

To that, Wapack Labs, a Red Sky company, will discontinue any use of the term Socrates, and continue operating as Wapack cSOC, Wapack's cyber security operations center.

Thanks,
Jeff Stutzman

Friday, July 26, 2013

Enlightenment, Dirtbags, and Scumbags

An old friend used to tell me that in the landscape of failed entrepreneurial CEOs (he was really active during the boom), there are two kinds of failed CEOs --dirtbags and scumbags.


  • Dirtbags are failed CEOs who simply don't know that they've done wrong. They spent money without a plan, had no real roadmap, and basically (ahem) urinated the money away.
  • Scumbags are failed CEOs who know the end is coming, yet they continue to spend investor or stockholder equity right up to the end. They willfully spend money, knowing full well they'll never return profits. Scumbags could have returned angel or VC funding, but chose to spend until there's nothing left. 


In the last two years of Red Sky Alliance, this message rings through my head on nearly a daily basis -- not because I don't want to ever be looked at as either a dirtbag or scumbag, but because many of the CIOs and CISOs that I talk with on a regular basis could also fall into one of these categories.

Many, many, of the IT workers I talk to on a regular basis lean forward, do their best work, know how to persuade leadership for needed budget and are actually very effective in doing what they do. Others however either have their heads in the sand, or simply have no clue. They lack the ability to operate at the executive level, can't persuade, hide truths, or, as we used to say in the Navy --they're on the ROAD program --Retired On Active Duty.

.. a real downer huh?

Here's a good story: In the last week, we signed up a new member, presented to another who will likely become a new member, and, while on vacation next week, I've got three more membership presentations. The company I spoke with last night indicated they not only wanted the membership for their global SOC, but have their own informal network of companies they talk to that they want to introduce to Red Sky as well. We love being introduced to other companies by our members. In fact, that's probably one of the biggest drivers of membership growth for us! We like that!  I call these guys 'Enlightened'. They know when to ask for help... and they come to a strong membership in Red Sky to help them along. One of these companies was starting from a clean slate, building their SOC. They've got a new CISO, new team, hired a dozen and a half new folks in the last three weeks. To them I say Bravo Zulu (Navy for GREAT JOB)!

At the same time, I had two other conversations with executives from two other companies --neither of which do I expect to become Red Sky members. In both cases, their senior leadership has had incident responders onsite, and in both cases, asked them to leave. In both cases, the companies have struggled with cyber problems. One (apparently) clearly APT; one probably not. In neither case were the breaches reflected in their 10K. We looked. One of our Red Sky guys is a professional IT Auditor. The 10K was the first place he looked.

Two companies.. one public one private, building their team, looking for ways to gain strong situational awareness. The public company taking steps to protect their stockholders from intellectual property losses. The private company building equity, creating jobs, taking care of the local economy... they've become enlightened.

Two other companies.. both public.. neither reporting cyber issues in their 10Ks, hiding the breaches, executive management onboard the whole way. IT folks know there's a major issue; both spending money on incident response and/or spinning their wheels chasing attackers or simply hiding their heads in the sand. Dirtbags or scumbags? You tell me.

BT BT

From a profile perspective, our membership, while mostly larger enterprise companies (100K+ computers per company) brought in a company this week with 250 employees, but a significant player in the Internet infrastructure space. This makes me happy on a couple of fronts --we're growing, but also attracting companies that are not only large, but have something to offer the other members. These guys are small, smart, and growing. I'm going to have to quit telling people we do large enterprise!


  • This week, after announcing our intent to service only IT workers in the federal government, we received several requests for information from ISSOs around the government. The response has been quite strong. 
  • Our first healthcare gig was apparently a success. We received great feedback from the client at a social last night. We're told they've decided to move forward with Wapack's Cyber Security Operations Center Monitoring (Wapack cSOC) service.
  • Last, but certainly not least, we released two new reports in the portal this week.. one detailing a 0-day, and one priority intelligence report focused on forward-thinking analysis. 


Checking out. Back in two weeks. I'll give you a break from reading my rants next week.

Looking forward, I'm not going to be at Black Hat, although we're sending Alison Choquette. She's a spitfire. You'll have a hard time missing her!

I'll see some of you in NYC on August 6th and then off to Iceland for the Nordic Security Conference at the end of the month!

Jeff

Saturday, July 20, 2013

The Three F’s of Good Intelligence

To quote the great Adam Carolla - 

"Any restaurant is only three crappy meals away from failure"

If you go to your favorite restaurant on any given day and are served a crappy meal, you will likely go back again because it’s your favorite restaurant and they may have just had an off-day. You're willing to cut them some slack.

Let’s say you go back again after your first lousy meal and you get another one. You may still be willing to forgive because you have had so many great meals there over the years. But after that third crappy meal, you probably will never go back again.

So why are we talking about restaurants in a security blog? Substitute meals with reporting and intelligence. No matter what your previous track-record, you are only as good as your last three reports. With the time sensitive nature of threat-intelligence, this becomes even more important. This is the reason we take our reporting so seriously at Red Sky. Ask any Red Sky member and there is a good chance they will tell you the same.

Don't get me wrong, we are not the para-militaristic "Hell’s Kitchen" of threat intelligence, but we take pride in our work and we don't think that’s such a bad thing. If asked for the ingredients in the recipe for a report that is relevant to today’s persistent threats, I would argue that it’s the same three every time… for the incident responder working on his eighteenth hour of slogging through pcap, pulling images, searching through running memory dumps for the needle in the stack of needles, there are three things running through their head… the three F’s:

  • Who the F is it?
…and as the CISO heads for the CIO’s and CEO’s offices…

  • What the F do they want?
…and as the Incident Responder stares at the screen, with phones ringing off the hook and an inbox filling with reports of widespread problems…

  • How the F do I stop them?

C-suiters are scrolling right now in search of the ‘unsubscribe button’, but the incident responders, the analysts, the forensic folks and all of the other blue-collar geeks responsible for the long days of actually working at the brown end of the stick are laughing their heads off right now!

Fortunately, there’s a ton of data available to answer these questions. Unfortunately, it’s located in disparate places, and you need to be able to sort the puzzles that have been dumped from their boxes and lie on the floor in front of you, and know how to pick the pieces to the puzzle you’re trying to put together right now. This puzzle (today's puzzle.. tomorrow’s will be different) is the same color as many of the others, and the sizes and shapes are only slightly different from the rest. You’ll need a keen eye.

When the puzzles are lying on the floor, all mixed up, and the CISO realizes his company is hemorrhaging data, and there’s not a damn thing he can do about it; when the CIO realizes that his network was built for uptime, availability, and ease of use; when the CEO realizes he’s going to have to report the issue to the board and in a SOX material breach report (and the costs of responding will probably affect his bonus!); when all of these things happen and there’s no end in sight, and no way to stop the bleeding without completely disconnecting from the Internet, and you have no backup plan for operating without it, well, we called this (in our Annual Report) the ‘Oh Sh*t’ moment.

Companies have these every day, in every country in the world. If you’ve not had yours yet, you will. It’s just a matter of time. If you make something that someone else wants, if you sell to customers that others may want to exploit for their employment, if you build technologies that go into other things, you have probably had yours already. If not, your company may not be instrumented correctly to find it, may not have the skills in your Infosec team to know, or, like many companies I’ve talked with in pitching Red Sky membership, your CIO or Legal team believes that if they don’t know, they don’t have to report. If they don’t know, cyber doesn’t have to show up in your 10K as a risk to business operations.

Regardless of the category you find yourself in, you should demand the three F’s from any vendor. This is what makes it actionable... and good intelligence is only good if it helps with prioritizing your workload, or protecting you from wolves heading toward your sled. If you’re subscribing to a service, you should demand this tailored information in your intelligence service. If they cannot provide satisfactory answers, then it may be time to reach out to Red Sky.

In Red Sky, when we perform analysis, analytic rigor is key. We’ve defined Priority and Standing Intelligence Requirements (questions) that we answer on nearly a daily basis, privately inside the portal (where btw, membership costs are about half of your current subscription price!). We post PIR reports on nearly a daily basis, intent on pushing the information to the far left of the kill chain, almost to the point of reading tea leaves, but only reporting when we believe there’s an impetus for impending attack. Fusion Reports are more retrospective in nature, but if you’ve not seen an attacker coming after your crown jewels yet, then these fusion reports are proactive for you… they protect you from a group that has yet to be tasked with stealing your stuff… but they will soon, and you’ll be armed and ready.

Our PIR reporting is taken from open source reporting.. meaning we read the news, web pages, blogs, social media, IRC, whatever, and then add our own analytics to it. The stuff we read might be in Mandarin, Spanish, Portuguese, English, Russian, Arabic, or any one of a dozen others, but when we find something that might result in cyber consequences, we tell our members. The reports usually generate conversation in the portal, creating more information and a sharper focus on what might become the problem.. our members work together to help figure out what’s going on.. protect the guy next to you.

Interested in reading our PIRs? Set up an appointment for an introduction to the Red Sky Alliance. We’ll help you answer the Three F’s.

  • Red Sky => Business to Business
  • Beadwindow => Are you a government IT worker? You’re eligible too. 2210’s or other non-Law Enforcement or Intel IT workers can access our Beadwindow portal.
  • Need more? Wapack Labs can do some of the work for you. The lab offers a full analytic, R&D and forensic capability, as well as a simple cyber security operations and monitoring (Wapack cSOC) solution to help look for APTs or targeted attacks in your network.

Drop us a note. Set up an appointment. Let us introduce you to our membership as the next member of the Red Sky Alliance!

Until next time,
Have a great week!
Jeff